pwnedpasschecks for pwned passwords from haveibeenpwned.com v2 API by using the pwnedpasswords library.
How to use:
python pwnedpasscheck.py -h
usage: pwnedpasscheck.py [-h] [-p PASSWORD] [-f FILE]
optional arguments:
-h, --help show this help message and exit
-p PASSWORD, --password PASSWORD
The password you want to test
-f FILE, --file FILE Load a file with multiple passwords to check
Installation
# Install pwnedpasswords library
$ pip install pwnedpasswords
# Download the file (without git installed)
$ wget https://github.com/XarisA/pwnedpasscheck/archive/master.zip -O pwnedpasscheck.zip
# Extract it and clean up
$ unzip pwnedpasscheck.zip -d pwnedpasscheck
$ mv pwnedpasscheck/pwnedpasscheck-master/* pwnedpasscheck && rm -rf pwnedpasscheck/pwnedpasscheck-master && rm pwnedpasscheck.zip
# Download the file (with git)
$ git clone https://github.com/XarisA/pwnedpasscheck.git
# Make it executable
$ cd pwnedpasscheck
$ chmod +x pwnedpasscheck.py
# Run the program
$ ./pwnedpasscheck.py
Examples
Option 1: Call the interpreter
Option 2: Let the script call the interpreter (linux only)
Security Note from lionheart/pwnedpasswords
No plaintext passwords ever leave your machine using pwnedpasswords. How does that work? Well, the Pwned Passwords v2 API has a pretty cool k-anonymity implementation.
From https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/:
Formally, a data set can be said to hold the property of k-anonymity, if for every record in a released table, there are k − 1 other records identical to it.
This allows us to only provide the first 5 characters of the SHA-1 hash of the password in question. The API then responds with a list of SHA-1 hash suffixes with that prefix. On average, that list contains 478 results. People smarter than I am have used math to prove that 5-character prefixes are sufficient to maintain k-anonymity for this database.
In short: your plaintext passwords are protected if you use this library. You won’t leak enough data to identity which passwords you’re searching for.