Password dump checking

11Jun12

Leaks of (badly secured) password files seem to be big news at the moment. In many cases people set up sites to allow you to see if your password was in the leak – but who knows whether these sites are trustworthy. That’s not a risk I’m happy to take.

Python provides a reasonably simple way to test:

>>> import hashlib
>>> h = hashlib.new(‘sha1’)
>>> h.update(‘password‘)
>>> h.hexdigest()
‘5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8’

Once you have the hash of your password then just search for it in a copy of the leaked dump (normally these spread pretty quickly and can be found easily online).

You can also use this approach to identify passwords that aren’t in such dumps (and thus likely more secure against dictionary attacks where the dictionaries are updated as a result of leaks).

NB I initially tried to use the sha1sum command on Ubuntu to do this, but it wasn’t returning correct hashes (probably due to trailing CRs and/or LFs).

Filed under: howto, security | 2 Comments
Tags: check, checker, leak, password, python, SHA1

2 Responses to “Password dump checking”

Feed for this Entry Trackback Address

1 anonymous@anonymous on June 18, 2012 said:

the fault in the command line should be the trailing newline. Try something like

echo -n password| sha1sum

Reply
- 2 Chris Swan on June 19, 2012 said:
  
  Thanks. I knew there was probably a simple way to do this, but my shell skills were clearly failing me badly. I had tried:
  
  echo password| sha1sum
  c8fed00eb2e87f1cee8e90ebbe870c190ac3848c –
  
  The key is the -n option to supress the newline:
  
  echo -n password| sha1sum
  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 –
  
  Reply

	Tim Coote on Ross Anderson RIP
	iain on Skiing in Espace Killy (Val…
	Chris Swan on Getting more from a British Ga…
	Murray Cowell on Getting more from a British Ga…
	JL on AI MacGuffin