terencechow / PwnedPasswords

Licence: MIT license
PwnedPasswords as a Service

PwnedPasswords as a service (aka PWNEDPAAS)

TL;DR

This program takes the most recent (Jan 2019) pwned passwords list from haveibeenpwned.com (~24 GB) and puts those hashed passwords into a bloom filter.

Afterwards you can input a password and see whether it is in the hacked passwords list. Importing the initial data requires a computer with 24 GB of disk space (since the password file is 24 GB), but once the passwords have been imported, a binary file representing the bloom filter is created that is ~1.5 GB. From that point on, only the 1.5 GB database file is needed to start the service. Note that importing from a text file requires at least 4.5 GB of RAM and 24 GB of hard disk. Starting from a db file requires 1.5 GB of RAM and 1.5 GB of hard disk (for the db file).

Bindings have been created so that other programs can call into this one, giving a microservice that simply returns true when a password is in the hacked list and false when it is not. See the bindings folder for an example.

Details

For my bloom filter I've used a false-positive probability of 1 in a million, which means that on average one password in a million that is not in the list will be reported as present. This was arbitrarily chosen; a higher probability (a smaller N in "1 in N") results in a smaller database and lower RAM / storage requirements.

Originally this program only created a bloom filter. That resulted in a size of ~2 GB. In an effort to lower the storage requirements further, the bloom filter was then separated into many sections and each section encoded with Golomb coding. This data structure is known as a Golomb set (Golomb-coded set).

https://en.wikipedia.org/wiki/Bloom_filter

https://en.wikipedia.org/wiki/Golomb_coding
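The Golomb set described above, as an added Python example (not the project's C++ code): each SHA-1 hash is mapped into [0, n*2^k), the sorted values are delta-encoded with Golomb-Rice coding, and a lookup decodes the gaps until it reaches or passes the target. It assumes k=20 (about 1 in a million false positives, as in the README), uses the first 8 bytes of the SHA-1 for the mapping, and takes the README's test1..test100 sample as constructed input.

```python
import hashlib

# Added example (not the project's code): a minimal Golomb-coded set, the
# structure the README describes. Each SHA-1 hash (the form HIBP publishes)
# is mapped into [0, n*P), the values are sorted, and the gaps between them
# are Golomb-Rice coded with P = 2**k, giving a false-positive rate of ~1/P.

def _index(password: str, n: int, k: int) -> int:
    """Map a password's SHA-1 into the range [0, n * 2**k) (assumed mapping)."""
    digest = hashlib.sha1(password.encode()).digest()
    return int.from_bytes(digest[:8], "big") % (n << k)

def build_gcs(passwords, k: int = 20):
    """Encode the set; k=20 is about 1 in a million false positives."""
    n = len(passwords)
    values = sorted({_index(pw, n, k) for pw in passwords})
    bits, prev = [], 0
    for v in values:
        delta, prev = v - prev, v
        bits.extend([1] * (delta >> k) + [0])            # quotient, unary coded
        bits.extend((delta >> i) & 1 for i in range(k - 1, -1, -1))  # k-bit remainder
    return bits, n, k

def gcs_contains(gcs, password: str) -> bool:
    """Decode gaps until the target value is reached (hit) or passed (miss)."""
    bits, n, k = gcs
    target = _index(password, n, k)
    pos, value = 0, 0
    while pos < len(bits):
        q = 0
        while bits[pos]:               # count the unary ones
            q, pos = q + 1, pos + 1
        pos += 1                       # skip the terminating zero
        r = 0
        for _ in range(k):             # read the k remainder bits
            r, pos = (r << 1) | bits[pos], pos + 1
        value += (q << k) | r
        if value >= target:
            return value == target
    return False

if __name__ == "__main__":
    # Constructed input: the README's sample list test1..test100.
    gcs = build_gcs([f"test{i}" for i in range(1, 101)])
    print(gcs_contains(gcs, "test42"), gcs_contains(gcs, "not-in-the-set"))
    print(len(gcs[0]), "bits for 100 hashes (vs 16000 bits of raw SHA-1)")
```

Each entry costs roughly k+2 bits instead of 160, which is the saving the README's ~2 GB to ~1.5 GB step comes from.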

Checking a password takes ~30 microseconds (0.03 milliseconds) on my computer.

Importing the pwned passwords list uses all the threads on your computer to speed things up, since it needs to process quite a large number of passwords. On my MacBook i7 with 8 virtual cores, it processed the entire 550M password list in about 25 minutes. Subsequent runs load the database file instead; this took approximately 22 seconds on my MacBook.

If you are willing to accept a higher probability of false positives you can get a smaller set and quicker access / creation times.

Build

First clone the repo and its submodules.

git clone --recurse-submodules git@github.com:terencechow/PwnedPasswords.git

You will need to have OpenSSL on your computer. I've assumed the source is located at /usr/local/opt/openssl. If yours is not, change OPENSSL_DIR in the makefile to point to the path of your OpenSSL source code.

Next, run the command below:

make main

This will create a file named main in the build directory.

Run

Before running, make sure you've downloaded and extracted the pwned passwords list to ./data/pwned-passwords-sha1-ordered-by-hash-v4.txt. Note that this file is 24 GB, but you can delete it after the bloom filter has been created. Alternatively, if you just want to test with an example password dataset, you can run ./generate_sample.sh, which creates a list of 100 passwords. The passwords in this set are test1, test2, etc. up to test100 inclusive.

Now you can run with:

./build/main 

This will process the password file and turn it into the binary database file.

Potential future work

  • When initializing from a text file, rather than generating a bloom filter and storing 1 bit per password, I opted to store the uint64_t index, which takes 8 bytes. Hence initializing from a text file requires more than 4 GB (550M uint64_t ~= 4.4 GB). This is a one-time cost, as initializing from a previously created db only requires 1.5 GB. Using a bloom filter would lower this RAM requirement to ~2 GB.

  • Writing the different sections of the Golomb set to disk could significantly lower RAM requirements at the cost of password-checking speed. However, the cost might not be significant.

  • Although I switched to a Golomb set to use less RAM, a bloom filter that is split into separate sections and written to disk would also significantly lower RAM requirements. It's not clear whether checking inclusion of a password would be faster in this scenario, because many different sections would need to be read from disk and checked; however, none of the decoding that Golomb sets require would be needed.

Bindings

  • The bindings folder holds bindings for other languages. This allows one to start a server in Node.js (for example) and call out to the db. In this way we can have a simple pwned passwords service.