Making it dead simple to implement @haveibeenpwnd in your applications, including strength warning if found in @troyhunt’s password collection.
Posted by jpluimers on 2020/12/02
I wasn’t aware that Troy Hunt created an API [WayBack] for [WayBack] Have I Been Pwned: Check if your email has been compromised in a data breach.
He did, as I noticed through [WayBack] Michelangelo van Dam on Twitter: “Making it dead simple to implement @haveibeenpwnd in my applications, including strength warning if found in @troyhunt’s password collection. Check out to try it out yourself. #ImproveSecurity #haveibeenpwnd”.
There are in fact plenty of other packages, web-sites and apps using the API as seen on [WayBack] Have I Been Pwned: API consumers.
Many people ask whether it is safe (often assuming that passwords are sent in the clear, or that hashes are sent in full); my fear is that those same people implement security somewhere.
It is safe:
- [WayBack] Have I Been Pwned: Privacy
- [WayBack] Michelangelo van Dam on Twitter: “Simply put: you enter password, I sha1 hash it and send the first 5 chars of that hash to hibp. Then I get list of hashes and counts that begin with those 5 chars and I perform lookup for the full hashed pwd and return the count. Lookup runs on my server where you entered pwd.”
- [WayBack] Michelangelo van Dam on Twitter: “HIBP returns me a list of hashes that all begin with those first 5 chars I sent to the service, including a count of how many times this hash was found in breaches. On my server I match the entered pwd hash against that list and when found I return the count. See my git repo.”
- [WayBack] Michelangelo van Dam on Twitter: “Just provided more context to my “dragonbe/hibp” package and how one should use #HaveIBeenPwnd service.”
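The k-anonymity lookup the tweets above describe, as an added Python example (not the DragonBe/hibp package's own PHP code): the SHA-1 of the password is computed locally, only its first 5 hex characters are handed to the fetcher, and the returned SUFFIX:COUNT list is matched on the caller's side. The fetcher is injectable so the sample runs offline against a constructed response; the live endpoint URL and the handling of count-0 (padding) entries as "not found" are assumptions, not taken from the post.

```python
import hashlib
from typing import Callable, Dict, Tuple

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in breaches (0 = not found).
    Only the prefix is given to fetch_range; the full hash is matched locally.
    Assumption: entries with count 0 (padding) are treated as not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fetch_range_hibp(prefix: str) -> str:
    """Live fetcher (not exercised offline). The endpoint URL is an assumption
    about the public Pwned Passwords API, not taken from the post."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "hibp-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for a range response (not real HIBP data): the
# second line is the suffix of sha1("password") with an invented count.
SAMPLE_RANGE_BODY = "\r\n".join([
    "0" * 34 + "1:7",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
    "F" * 35 + ":0",
]) + "\r\n"

def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher returning the constructed body for any prefix."""
    return SAMPLE_RANGE_BODY
```

Swap `fake_fetch_range` for `fetch_range_hibp` to query the live service; the matching logic is unchanged and still never transmits more than the 5-character prefix.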
PHP source is at [WayBack] GitHub – DragonBe/hibp: A composer package to verify if a password was previously used in a breach using Have I Been Pwned API.
There is also a [WayBack] composer package at [WayBack] dragonbe/hibp – Packagist.
A really cool thing on it is this:
This project was also the subject of my talk [WayBack] Mutation Testing with Infection where the code base was not only covered by unit tests, but also was subjected to Mutation Testing using [WayBack] Infection to ensure no coding mistakes could slip into the codebase.
Apart from the tests, the most important source is at [WayBack] hibp/Hibp.php at master · DragonBe/hibp · GitHub.
Related:
- [WayBack] Jeroen Pluimers on Twitter: “The people asking if passwords or full hashes are being sent or handed off make me fear those same people implement security. My wish for 2019 is that I am really wrong on this assumption.”
- [WayBack] Jeroen Pluimers on Twitter: “@Bored0ne @DragonBe @troyhunt @haveibeenpwned Yes, it is.”
- Check out XposedOrNot (@XposedOrNot): https://twitter.com/XposedOrNot?s=09
–jeroen