# Check Pwned Passwords Securely

In [1]:
import requests
import hashlib
import time

In [2]:
BASE_URL = 'https://api.pwnedpasswords.com/range/'

## Unsafe API Request Through the Internet

In [3]:
def unsafe_server_request_v1():
    # an extremely insecure password that has been pwned a great number of times
    sample_password = 'password'
    url = BASE_URL + sample_password
    try:
        response = requests.get(url)
    except Exception as e:
        return e
    return response

In [4]:
response = unsafe_server_request_v1()
if not isinstance(unsafe_server_request_v1(), Exception):
    print(response)
    print(response.content)

<Response [400]>
b'The hash prefix was not in a valid format'


The request above was a bad request because the code sent the entire password through the Internet to the server. This is insecure because someone can intercept and retrieve the password. The server was smart enough to detect this is a unsafe request and refused to response. As a result, hashing the password before sending is necessary.

## Hashing the Password

In [5]:
# compilation of some popular passwords that have been pwned
passwords_list = [
    'password',
    'qwerty',
    '123456',
    '123456789',
    '0123456',
    '0123456789'
]

### SHA1

In [6]:
def hash_password_sha1(password):
    return hashlib.sha1(password.encode('utf-8')).hexdigest()

In [7]:
for password in passwords_list:
    print(hash_password_sha1(password))

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
b1b3773a05c0ed0176787a4f1574ff0075f7521e
7c4a8d09ca3762af61e59520943dc26494f8941b
f7c3bc1d808e04732adf679965ccc34ca7ae3441
b7ed088190c204b31cd71484e6a1c538986b5f77
87acec17cd9dcd20a716cc2cf67417b71c8a7016


### MD5

In [8]:
def hash_password_md5(password):
    return hashlib.md5(password.encode('utf-8')).hexdigest()

In [9]:
for password in passwords_list:
    print(hash_password_md5(password))

5f4dcc3b5aa765d61d8327deb882cf99
d8578edf8458ce06fbc5bb76a58c5ca4
e10adc3949ba59abbe56e057f20f883e
25f9e794323b453885f5181f1b624d0b
124bd1296bec0d9d93c7b52a71ad8d5b
781e5e245d69b566979b86e28d23f2c7


## Sending Request(s) to Using Hashed Password(s)

The API accepts requests of passwords that have been hashed using SHA1 and was converted to in upper-case format.

In [10]:
def hash_password_sha1(password):
    return hashlib.sha1(password.encode('utf-8')).hexdigest()

In [11]:
def unsafe_server_request_v2():
    # an extremely insecure password that has been pwned a great number of times
    sample_password = 'password'
    url = BASE_URL + hash_password_sha1(sample_password).upper()
    try:
        response = requests.get(url)
    except Exception as e:
        return e
    return response

In [12]:
response = unsafe_server_request_v2()
if not isinstance(unsafe_server_request_v2(), Exception):
    print(response)
    print(response.content)

<Response [400]>
b'The hash prefix was not in a valid format'


The server's response is still 400 because our request is still not secure enough. Even when the hashed version of the password was sent, if a hacker can intercept and get our hash, the hacker can reverse engineer the hash by looking up a table, where the key is the hash and the value is the associated sequence. Note that, when SHA1 is used, the mapping between a password and a hash is one-to-one, which means there can be only one hash for a password, and vice versa (a hash can only associated with one single password).

## K-anonymity

In [13]:
split_index = 5
for password in passwords_list:
    password_hash = hash_password_sha1(password)
    print(password_hash[:5], password_hash[5:])

5baa6 1e4c9b93f3f0682250b6cf8331b7ee68fd8
b1b37 73a05c0ed0176787a4f1574ff0075f7521e
7c4a8 d09ca3762af61e59520943dc26494f8941b
f7c3b c1d808e04732adf679965ccc34ca7ae3441
b7ed0 88190c204b31cd71484e6a1c538986b5f77
87ace c17cd9dcd20a716cc2cf67417b71c8a7016


Only sequences in the left column is sent to the server, the server will respond with data related to passwords having the sequences as prefixes. We then use the remaining sequence on the right to look-up data related to our actual password.

## Sending Request(s) using Both Hasing and K-anonymity

In [14]:
def safe_server_request():
     # an extremely insecure password that has been pwned a great number of times
    sample_password = 'password'
    sample_password_hash = hash_password_sha1(sample_password).upper()
    public_seq, private_seq = sample_password_hash[:5], sample_password_hash[5:]
    url = BASE_URL + public_seq
    try:
        response = requests.get(url)
    except Exception as e:
        return e
    return response

In [15]:
response = safe_server_request()
if not isinstance(unsafe_server_request_v2(), Exception):
    print(response)
    print(response.content)

<Response [200]>
b'003CD215739D7C1B2218670D26F81408237:1\r\n003D68EB55068C33ACE09247EE4C639306B:4\r\n012C192B2F16F82EA0EB9EF18D9D539B0DD:3\r\n01330C689E5D64F660D6947A93AD634EF8F:1\r\n0161D96B45F0098840A638034BF2A2986F7:1\r\n0198748F3315F40B1A102BF18EEA0194CD9:2\r\n01F9033B3C00C65DBFD6D1DC4D22918F5E9:4\r\n01FDF38AB1BD6F30C5302CA80C7218E9196:1\r\n02999156943A1BF69215CB0DE7582C1DA6E:1\r\n03448E0381ED757EF47BF67CC52E9EFFB06:1\r\n040BF41EC9785FBB7E3DB4AE49422A7870E:1\r\n0424DB98C7A0846D2C6C75E697092A0CC3E:7\r\n044A8FE3881EEF0DBCAE244BF261CD74DD7:2\r\n047F229A81EE2747253F9897DA38946E241:3\r\n048A3DC99E0FA445B1C94A72E8AA07FDCD8:1\r\n04A37A676E312CC7C4D236C93FBD992AA3C:10\r\n04AE045B134BDC43043B216AEF66100EE00:3\r\n04F32798194C1D127211AB0E374FF4EDE91:1\r\n0502EA98ED7A1000D932B10F7707D37FFB4:6\r\n0525D5F07ADA8526E75A3D05AD76DB1F3CA:1\r\n0539F86F519AACC7030B728CD47803E5B22:6\r\n054A0BD53E2BC83A87EFDC236E2D0498C08:4\r\n05AA835DC9423327DAEC1CBD38FA99B8834:1\r\n05CC02592061A8BBB67A6B352778D0B0C4F:1

In [37]:
for k, v in (line.split(':') for line in response.text.splitlines()):
    print(k, v)

0021B5FBB96DF89F00C3CCFB1C293D26884 8
0035E180F7E959F12592CCEBF102FE62C22 1
003E9AD30E76B22B996FABB2D8A40547C12 7
006E0FB581B7F18857CA01ABC869BB4B4BF 1
00719E1C607CBA9D7B0E8D48442F4334E40 8
00D8512463E38AE13B4649772A6CEB3B659 2
0141A406A33AAD15D9D0695849532FE074F 1
0176CDDC63B7B3E87052BA644B49B33C1A7 1
0184FDE9B989D146C383A48D279FF1BFE8F 1
01EED01793629D9A5B4455549046EF35CE0 3
0265CEA9AF0A219ED30BF4059A3706CD637 1
03302C97E805DD591D80A85CBAF25063F6C 5
03C1DD2960701854EF95D0A80DEE1FD4DA6 4
03C7A35ECF45F805721EA98B6591813578A 1
05197B53CF36AA8B4642837A5BF1173B974 1
0626FB711FC3802153D742BCF914375B695 3
063AC61EAF5ED0949AAA0C9007AF5022D2D 1
0687F0D2416BBE09C2F0B1DA8CB215610AC 2
06A5623F20AD741EF3F02016C672F35A4FF 1
06C448A60E219D812DFC0E0E9F940C32C7F 9
0744833815FCD642503B00B0C3F55DC9DCC 9
077306EDE60D1709C8541A436F87A21ACFC 1
079F6D78643006D58682F704BE44C6DC65A 1
07B9CC917BE1CE51934464DB070BB9EBAA5 76
088C0E70144D770513C7AA6FE35671EDB35 3
0899694F2A6AA52222B01667E348E5612B0 1
08A02CC1367

Our request has been processed  successfully. The rest of the work is not performing data processing on the output response string to retrieve the data related to our actual password.

## Perform Data Processing on Server Response

In [16]:
def server_request_kanonimity(password):
     # an extremely insecure password that has been pwned a great number of times
    password_hash = hash_password_sha1(password).upper()
    public_seq, private_seq = password_hash[:5], password_hash[5:]
    url = BASE_URL + public_seq
    try:
        response = requests.get(url)
    except Exception as e:
        return e
    return response, public_seq, private_seq

In [17]:
def lookup_response(response, private_seq):
    g = (line.split(':') for line in response.text.splitlines())
    for seq, pwned_count in g:
        if seq == private_seq:
            return pwned_count
    return 0

In [18]:
password = 'abc'
response, public_seq, private_seq = server_request_kanonimity(password)
print(f'Password: {password}')
print(f'Password hash: {public_seq}{private_seq}')
print(lookup_response(response, private_seq))

Password: abc
Password hash: A9993E364706816ABA3E25717850C26C9CD0D89D
225469


## Performance Evaluations

### Decorator to Check a Function's Performance

In [33]:
def performance(func):
  def wrapper_func(*args, **kwargs):
    start_time = time.time()
    result = func(*args, **kwargs)
    end_time = time.time()
    print(f'Total running time of {func.__name__} is {round(end_time - start_time, 3)} seconds.')
    return result
  return wrapper_func

### Utilizing Python's Generators

In [34]:
def server_request_kanonimity(password):
     # an extremely insecure password that has been pwned a great number of times
    password_hash = hash_password_sha1(password).upper()
    public_seq, private_seq = password_hash[:5], password_hash[5:]
    url = BASE_URL + public_seq
    try:
        response = requests.get(url)
    except Exception as e:
        return e
    return response, public_seq, private_seq

In [35]:
@performance
def lookup_response(response, private_seq):
    # using Python generator
    # generate the elements one-by-one
    g = (line.split(':') for line in response.text.splitlines())
    for seq, pwned_count in g:
        if seq == private_seq:
            return pwned_count
    return 0

response, public_seq, private_seq = server_request_kanonimity('abc')
print(lookup_response(response, private_seq))

Total running time of lookup_response is 0.0 seconds.
225469


In [36]:
@performance
def lookup_response(response, private_seq):
    # using Python list
    # parse all the data into a list first
    g = [line.split(':') for line in response.text.splitlines()]
    for seq, pwned_count in g:
        if seq == private_seq:
            return pwned_count
    return 0

response, public_seq, private_seq = server_request_kanonimity('abc')
print(lookup_response(response, private_seq))

Total running time of lookup_response is 0.001 seconds.
225469
