
You can search by password here: https://haveibeenpwned.com/Passwords

If you're as paranoid as you should be about this, then you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you can replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1s that start with the given 5-character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.

For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".

---------

Edit: I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he's added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.



I wrote a Ruby script to check passwords back when the Pwned Passwords V2 API was introduced. I've added a second script to check a bulk list of passwords in a plain-text file.

https://gist.github.com/schmich/aeaffac922271a11b70e9a79a5fe...


Troy Hunt explained how to find out if your password is pwned using the API in a comment [0]:

You need to look at the request being generated. Here's how to do it:

1) The SHA-1 of P@ssw0rd is 21BD12DC183F740EE76F27B78EB39C8AD972A757: https://passwordsgenerator.net/sha1-hash-generator/

2) Pass the first 5 chars to the API here: https://api.pwnedpasswords.com/range/21BD1

3) Find the suffix in the response and it has the count next to it: 2DC183F740EE76F27B78EB39C8AD972A757:51259

[0]: https://www.troyhunt.com/the-773-million-record-collection-1...
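The three posts above describe the same procedure: hash the password with SHA-1, send only the first 5 hex characters to the range endpoint, and look for the remaining 35-character suffix in the response, plus a bulk variant for a list of passwords. The script below is an added example written for this thread; it is not the gist linked above nor code from haveibeenpwned.com. The sample range response is constructed (only the first line is the suffix/count quoted in the thread), the `Add-Padding` header and the zero-count dummy entries it produces are as documented by the service, and the live `fetch_range` function is never called by the offline demo.

```python
import hashlib
import urllib.request
from collections import defaultdict

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the format the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """Only the 5-char prefix is ever sent; the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With 'Add-Padding: true' the service mixes in dummy suffixes with a count
    of 0 so response sizes leak nothing; those entries are dropped here.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char prefix (not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


def check_bulk(passwords, fetcher=fetch_range) -> dict:
    """Check a list of passwords, making one request per distinct prefix."""
    by_prefix = defaultdict(list)
    for pw in passwords:
        prefix, suffix = split_hash(sha1_hex(pw))
        by_prefix[prefix].append((pw, suffix))
    results = {}
    for prefix, items in by_prefix.items():
        counts = parse_range_response(fetcher(prefix))
        for pw, suffix in items:
            results[pw] = counts.get(suffix, 0)
    return results


# Constructed stand-in for a live response to /range/21BD1: the first line is
# the suffix and count quoted in the thread, the other two are made up, and the
# zero-count line imitates a padding entry.
SAMPLE_RESPONSE_21BD1 = """\
2DC183F740EE76F27B78EB39C8AD972A757:51259
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
"""


def offline_fetcher(prefix: str) -> str:
    """Serves the constructed sample instead of calling the network."""
    return SAMPLE_RESPONSE_21BD1 if prefix == "21BD1" else ""


if __name__ == "__main__":
    for pw, n in check_bulk(["P@ssw0rd", "correct horse battery staple"],
                            fetcher=offline_fetcher).items():
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

Grouping by prefix matters for the bulk case: a file of passwords that share a prefix costs one request rather than one per password, and nothing but 5 hex characters ever leaves the machine.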


Weird, I don't see any entries for password or password1 in there.


I get this when I try 'password':

Oh no — pwned! This password has been seen 3,645,804 times before


I assume he was sending in the SHA-1s. And yeah, it looks like he (Troy Hunt / site operator) disabled the direct search by SHA-1 now that he's enabled the k-anonymity API. Was able to edit and update my original post to reflect this.



