On Tue, Mar 21, 2023 at 02:28:08PM +0100, Pavel Raiskup wrote:
> Hello all!
>
> Do we have a HaveIBeenPwned database of hashes somewhere in Fedora, as a
> file or service (regularly updated)? I'd prefer checking my passwords
> manually, without actually giving the passwords to the
> https://haveibeenpwned.com service. Speaking of that, I really dislike
> that the service takes the real passwords on its input.
>
> It seems I was able to reproduce the steps-to-download (currently
> downloading):
> https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader
> But that will take quite some time...
>
> Has anyone planned to at least package that dotnet utility? How do you
> do this?

On https://haveibeenpwned.com/Passwords there's a link to the explanation on how it works:
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

Summary: it hashes the password, submits the first 5 letters and then compares the rest of the hash against the returned set of possible matches.
If you don't trust the website, you can do this yourself in Python with a few lines of code:

```
#!/usr/bin/env python3
import hashlib

import requests

pwd = "P@ssw0rd"
# SHA-1 of the password; only the first 5 hex characters leave this machine.
myhash = hashlib.sha1(pwd.encode("utf8")).hexdigest().upper()
r = requests.get(f"https://api.pwnedpasswords.com/range/{myhash[:5]}", timeout=10)
r.raise_for_status()
# Each response line is "<remaining 35 hex characters>:<count>".
for line in r.text.splitlines():
    if line.startswith(myhash[5:]):
        print(f"Compromised: {myhash[:5]}{line}")
```

Creating a CLI for this should be trivial, packaging it too :)

Cheers,
Peter
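For the fully offline check asked about at the top of the thread, an added example (not part of the original messages): a binary search over a downloaded hash list, so nothing is sent anywhere. It assumes the file holds one uppercase `SHA1:COUNT` line per password, sorted by hash; the sample file, its counts and all function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _line_at(f, pos):
    """Return the first complete line that starts at byte offset >= pos."""
    if pos > 0:
        f.seek(pos - 1)
        f.readline()          # consume the rest of the line containing pos-1
    else:
        f.seek(0)
    return f.readline()       # b"" at end of file

def pwned_count(path, password):
    """Binary-search the sorted file; return the listed count, or 0 if absent."""
    target = sha1_hex(password).encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.fstat(f.fileno()).st_size
        while lo < hi:
            mid = (lo + hi) // 2
            line = _line_at(f, mid)
            # Past EOF or at a hash >= target: the answer is at or before mid.
            if not line or line.split(b":", 1)[0] >= target:
                hi = mid
            else:
                lo = mid + 1
        line = _line_at(f, lo)
    digest, _, count = line.strip().partition(b":")
    return int(count) if digest == target else 0

def write_sample(path, entries):
    """Write a constructed HASH:COUNT file sorted by hash (assumed format)."""
    lines = sorted(f"{sha1_hex(p)}:{n}" for p, n in entries.items())
    with open(path, "w", newline="\n") as f:
        f.write("\n".join(lines) + "\n")

SAMPLE = {"P@ssw0rd": 7, "123456": 42, "qwerty": 13, "letmein": 5}  # made-up counts

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pwned-sample.txt")
        write_sample(path, SAMPLE)
        candidates = [*SAMPLE, "correct horse battery staple"]
        return {p: pwned_count(path, p) for p in candidates}

if __name__ == "__main__":
    print(demo())
```

Each lookup reads only a few dozen lines, so it stays fast even on a file of many gigabytes, provided the file really is sorted by hash.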