securely check that a password is not in the Have I Been Pwned database
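<?php
/**
 * Basic script to securely check if an entered password is in a known security breach.
 *
 * Uses the k-anonymity "range" endpoint of Pwned Passwords: only the first five hex
 * characters of the SHA-1 hash leave this machine, and the remaining 35 characters are
 * compared locally against the list of suffixes the service returns for that prefix.
 * https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2
 *
 * Sample output
 * php pwncheck.php
 * enter password
 * passw0rd
 * Your sha1 is 7c6a61c68ef8b9b6b061b28c348bc1ed7921cb53
 * Checking for the prefix at https://api.pwnedpasswords.com/range/7c6a6
 * 1c68ef8b9b6b061b28c348bc1ed7921cb53
 * ALERT Your password was found 615303 time/s
 */

declare(strict_types=1);

/**
 * Find the breach count for a hash suffix in a Pwned Passwords range response.
 *
 * @param string $body   Raw response body, one "SUFFIX:COUNT" entry per line (CRLF or LF).
 * @param string $suffix Hex SHA-1 suffix (characters 6..40) to look for; case-insensitive.
 * @return int|null Number of times the password was seen, or null when the suffix is absent.
 */
function findBreachCount(string $body, string $suffix): ?int
{
    // The API returns upper-case hex; PHP's sha1() returns lower-case.
    $wanted = strtoupper($suffix);
    foreach (explode("\n", $body) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        // Malformed lines (no ':' separator) are skipped instead of indexing a missing $parts[1].
        $parts = explode(':', $entry, 2);
        if (count($parts) !== 2 || $parts[0] !== $wanted) {
            continue;
        }
        $count = (int) $parts[1];
        // When "Add-Padding: true" is requested the service mixes in fake entries with a
        // count of 0; those are never real matches and must be discarded.
        return $count > 0 ? $count : null;
    }
    return null;
}

echo "enter password\n";
$fin = fopen('php://stdin', 'r');
if ($fin === false) {
    fwrite(STDERR, "could not open stdin\n");
    exit(1);
}
$line = fgets($fin);
fclose($fin);
if ($line === false) {
    fwrite(STDERR, "no password entered\n");
    exit(1);
}
// Strip only the line terminator: leading/trailing spaces are part of the password and
// must be hashed, otherwise the wrong hash is looked up.
$password = rtrim($line, "\r\n");
$encoded = sha1($password);
echo "Your sha1 is $encoded \n";
$prefix = substr($encoded, 0, 5);
$restOfThePass = substr($encoded, 5);
$url = 'https://api.pwnedpasswords.com/range/' . $prefix;
echo "Checking for the prefix at $url \n";

$ch = curl_init($url);
if ($ch === false) {
    fwrite(STDERR, "could not initialise curl\n");
    exit(1);
}
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    // Treat HTTP 4xx/5xx as a failure so an error page is never parsed as "not found".
    CURLOPT_FAILONERROR => true,
    // These are the defaults, stated explicitly: a spoofed endpoint could return an
    // empty list and make any password look safe.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    // Ask the service to pad the response so its size does not reveal which prefix
    // was queried to a network observer.
    CURLOPT_HTTPHEADER => ['Add-Padding: true'],
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT => 30,
]);
$out = curl_exec($ch);
if ($out === false) {
    $error = curl_error($ch);
    curl_close($ch);
    // Fail closed: a network error must not be reported as "your password was not found".
    fwrite(STDERR, "lookup failed: $error\n");
    exit(1);
}
curl_close($ch);

echo $restOfThePass;
$count = findBreachCount($out, $restOfThePass);
if ($count !== null) {
    echo "\nALERT Your password was found $count time/s \n";
    exit;
}
echo "\nyour password was not found\n";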