Password dump checking

11Jun12

Leaks of (badly secured) password files seem to be big news at the moment. In many cases people set up sites to allow you to see if your password was in the leak – but who knows whether these sites are trustworthy. That’s not a risk I’m happy to take.

Python provides a reasonably simple way to test:

>>> import hashlib
>>> h = hashlib.new(‘sha1’)
>>> h.update(‘password‘)
>>> h.hexdigest()
‘5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8’

Once you have the hash of your password then just search for it in a copy of the leaked dump (normally these spread pretty quickly and can be found easily online).

You can also use this approach to identify passwords that aren’t in such dumps (and thus likely more secure against dictionary attacks where the dictionaries are updated as a result of leaks).

NB I initially tried to use the sha1sum command on Ubuntu to do this, but it wasn’t returning correct hashes (probably due to trailing CRs and/or LFs).



2 Responses to “Password dump checking”

  1. 1 [email protected]

    the fault in the command line should be the trailing newline. Try something like

    echo -n password| sha1sum

    • Thanks. I knew there was probably a simple way to do this, but my shell skills were clearly failing me badly. I had tried:

      echo password| sha1sum
      c8fed00eb2e87f1cee8e90ebbe870c190ac3848c –

      The key is the -n option to supress the newline:

      echo -n password| sha1sum
      5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 –


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: