Check for exposed password matches inside the giant password list of haveibeenpwned.com offline on the local system.
The haveibeenpwned.com website provides a giant password list to check for exposed passwords online.
Even though the website protects the privacy of searched passwords, some people still do not want to enter their passwords online.
Alternatively, the website used to provide the password list as a downloadable plain text file, and pwned-local allows you to search that list for exposed passwords offline on the local machine.
However, the password list is no longer directly downloadable as a plain text file from the website and has to be obtained another way. For details, see the password list information in the requirements section below.
This is just a rudimentary tool which simply processes the password list line by line, which is not really performant. Furthermore, the code should be revised in general.
In order to use pwned-local, Python must be installed on the system.
Depending on which version of the framework you are using:
- Python 2.x (version 2.7 or higher is recommended, may also work with earlier versions)
- Python 3.x (version 3.2 or higher is recommended, may also work with earlier versions)
The password list is no longer available as a plain text file for download directly from the website. Instead, there is the official PwnedPasswordsDownloader tool to obtain the password list.
However, I have not used that tool before, so I cannot tell anything about it.
You have to download the file containing the password hashes in SHA-1 format, as pwned-local only supports that format.
If the requirements are met, you can check for exposed passwords. There are two modes as shown below.
First of all, there are two plain text files included with pwned-local, which are pwned-passwords.txt and my-passwords.txt.
The file pwned-passwords.txt just contains a very small excerpt from the original exposed passwords file provided by haveibeenpwned.com. This is suitable for usage examples, but not for practical use. Before using pwned-local productively, that file has to be replaced with the original exposed passwords file mentioned earlier.
You can check the passwords by entering them manually one after another via prompt.
In case you are using the Python 3 version the command would look like this:
$ ./pwned-py3.py -l pwned-passwords.txt -p
Another way to check the passwords is to give a plain text file which contains all passwords you want to check for.
For example, create a file (or use the included one) called my-passwords.txt containing some passwords you would like to check (one password per line):
sample
1234
12345
foo
foobar
thisshouldnotbeinsidethepwnedfile
In case you are using the Python 3 version the command to check the passwords this way would look like this:
$ ./pwned-py3.py -l pwned-passwords.txt -i my-passwords.txt
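As an added example (not pwned-local's own code), here is the core of such an offline check in Python: hash every candidate password with SHA-1 once, then make a single streaming pass over the list instead of rescanning it per password. It assumes each line of the list has the form `<SHA-1 hex>:<count>`; the sample list below is constructed inside the block so the example runs offline.

```python
import hashlib
from typing import Dict, Iterable, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample list (NOT haveibeenpwned.com data): built here from a few
# plaintexts so the example is self-contained. Assumed line layout: HASH:COUNT.
SAMPLE_PWNED_LINES: List[str] = [
    f"{sha1_hex('1234')}:1234567",
    f"{sha1_hex('12345')}:2345678",
    f"{sha1_hex('foo')}:13",
    "",  # blank line, to show it is skipped
]


def check_passwords(passwords: Iterable[str], list_lines: Iterable[str]) -> Dict[str, int]:
    """Return {password: count} for every candidate found in the hash list.

    The plaintexts never leave the machine; only their SHA-1 digests are
    compared against the list, and the list is read line by line so a
    multi-gigabyte file does not have to fit in memory.
    """
    wanted = {sha1_hex(p): p for p in passwords}
    found: Dict[str, int] = {}
    for line in list_lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        digest = digest.upper()  # tolerate lower-case hex in the list
        if digest in wanted:
            found[wanted[digest]] = int(count) if count.isdigit() else 0
            if len(found) == len(wanted):
                break  # every candidate seen; no need to read further
    return found


def check_files(list_path: str, passwords_path: str) -> Dict[str, int]:
    """Same check driven by files, as in the -l / -i usage above."""
    with open(passwords_path, encoding="utf-8") as f:
        candidates = [l.rstrip("\n") for l in f if l.strip()]
    with open(list_path, encoding="utf-8", errors="ignore") as f:
        return check_passwords(candidates, f)
```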
Any suggestions, questions, bugs to report or feedback to give?
You can contact me by sending an email to dev@urbanware.org or by opening a GitHub issue (which I would prefer if you have a GitHub account).