Check generated passphrases againsts list of leaked passwords. #59
Comments
|
Hey, just jumping in here for a hot second, though if I have time I may contribute to this project since I've been messing with Diceware CLI solutions myself on and off for a few years (I have a Nim implementation which compiles to C and then to a binary) I think that this could be addressed with a little bit of clever documentation since it's my understanding (tbh, I haven't used this project yet) that the output is just the password and can thus be piped to another command. This article discusses the method you're talking about and offers a way to use a command line one-liner to check a password against the password. Someone with a little bit more *nix-foo than I possess could probably adapt that to a one-liner that outputs the passphrase while also piping the output of the diceware command into a curl to that API. If that was added that to the documentation then you could avoid adding it as bloat to the actual script. I only say bloat because I would bet $100 that if that 1M diceware passphrases were generated and tested against the Pwned Passwords API that you would have 0 hits. |
|
In case it helps, here's a little Python3 script that'll check a string against the haveibeenpwned API (couldn't attach because GitHub doesn't accept #!/usr/bin/python3
import hashlib
import requests
class PwnedPassphraseException(Exception):
pass
def check_pwned(passphrase):
'''
Check passphrase against the pwnedpasswords API.
'''
h = hashlib.sha1(passphrase.encode()).hexdigest().upper()
response = requests.get(f'https://api.pwnedpasswords.com/range/{h[0:5]}')
pwned = map(lambda i: i.split(':'), response.text.split())
mypwn = [i for i in filter(lambda e: e[0] == h[5:], pwned)]
if len(mypwn) == 1:
n = mypwn[0][1]
raise PwnedPassphraseException(n)
if __name__ == '__main__':
import argparse
import sys
parser = argparse.ArgumentParser(description='Check if your passphrase is listed in the haveibeenpwned.com dataset.')
parser.add_argument('passphrase')
parser.add_argument('-q', '--quiet', action='store_true', help='Do not print a joyful message.')
args = parser.parse_args()
try:
check_pwned(args.passphrase)
if not args.quiet:
print('Congrats! This passphrase has not been pwned (yet).')
except PwnedPassphraseException as e:
if not args.quiet:
print(f'Oh, no! This passphrase appears {e.args[0]} times in the haveibeenpwned.com dataset.')
sys.exit(1) |
It would be nice to have the option to check generated passphrases against the list of leaked passwords from sources like Pwned Passwords which contains list of more than half a billion passwords which have previously been exposed in data breaches.
Pwned Passwords also implements a k-Anonymity model that allows a password to be searched for by partial hash.
If the user opts for checking the passphrases against the Pwned Passwords and it is found in the list then a new password should be generated for the user. This issue is inspired by the a Computerphile video.
The text was updated successfully, but these errors were encountered: