# Password Checker

We recently discussed the password API, which allows us to trust no one.

In [2]:
import requests

url = 'https://api.pwnedpasswords.com/range/' + 'CBFDA'
res = requests.get(url)
print(res)

<Response [200]>


That's to say that, instead of giving our entire hash to this url, we just give a snippet of it.

Ideally, we have a function and we give it the hashed version of our password.
This will be a function that will request our data and give us a response.

Next, with this response, we want to check the `pwned_api` and in here we'll give our password

In [4]:
import requests


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/rainge/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')


def pwned_api_check(password):
    # Check existence of password in API response
    pass
  
request_api_data('123')


RuntimeError: Error fetching: 404, check the API and try again

In our case, if we don't have that error in the subdirectory of the URL, we can just return the response. Calling `pwned_api_check('123')` does encode our password value as `b'123'` in utf-8.

In [9]:
import requests
import hashlib # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')
    return res

def pwned_api_check(password):
    print(password.encode('utf-8'))
    # sha1password = hashlib.sha1(password.encode('utf-8'))
    
pwned_api_check('123')


b'123'


Next, when we use the `hashlib.sha1`, if we run the following, we get the hash object.

In [10]:
import requests
import hashlib # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')
    return res

def pwned_api_check(password):
    print(hashlib.sha1(password.encode('utf-8')))
    # sha1password = hashlib.sha1(password.encode('utf-8'))
    
pwned_api_check('123')

<sha1 _hashlib.HASH object @ 0x7f5bbb8651b0>


We can now call `print(hashlib.sha1(password.encode('utf-8'))).hexdigest())` and if we run this, we get a hash, but how do we check it?

In [11]:
import requests
import hashlib # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')
    return res

def pwned_api_check(password):
    print(hashlib.sha1(password.encode('utf-8')).hexdigest())
    # sha1password = hashlib.sha1(password.encode('utf-8'))
    
pwned_api_check('123')

40bd001563085fc35165329ea1ff5c5ecbdbbeef


We can now go to `hashlib` and search for `hexdigest()`. Now we need to convert all of it to uppercase (line 13).

In [13]:
import requests
import hashlib # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')
    return res

def pwned_api_check(password):
    print(hashlib.sha1(password.encode('utf-8')).hexdigest().upper())
    # sha1password = hashlib.sha1(password.encode('utf-8'))
    
pwned_api_check('123')

40BD001563085FC35165329EA1FF5C5ECBDBBEEF


Now, everything is in uppercase as per the SHA-1 generator example. When we don't use `encode(utf-8)` in line 15:

In [14]:
import requests
import hashlib  # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
        raise RuntimeError(
            f'Error fetching: {res.status_code}, check the API and try again')
    return res


def pwned_api_check(password):
    print(hashlib.sha1(password).hexdigest().upper())


pwned_api_check('123')


TypeError: Strings must be encoded before hashing

So, yeah, we're violating how `hashlib` works, so we need to change this back.

In [None]:
import requests
import hashlib # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')
    return res

def pwned_api_check(password):
    print(hashlib.sha1(password.encode('utf-8')).hexdigest().upper())
    # sha1password = hashlib.sha1(password.encode('utf-8'))
    
pwned_api_check('123')

The point is that we need to get back a SHA-1 password that we can send.

In [15]:
import requests
import hashlib # for SHA-1 hashing


def request_api_data(query_char):
    url = 'https://api.pwnedpasswords.com/range/' + query_char
    res = requests.get(url)
    if res.status_code != 200:
      raise RuntimeError(f'Error fetching: {res.status_code}, check the API and try again')
    return res

def pwned_api_check(password):
    sha1password = hashlib.sha1(password.encode('utf-8'))
    return sha1password
    
pwned_api_check('123')

<sha1 _hashlib.HASH object @ 0x7f5bbb91b390>

Next, we'll send this password to the API and check the response.