We know that we need to keep our credentials secure. We know that we should not re-use our passwords across different services. Hopefully, by now, most readers of this blog are aware of Troy Hunts excellent free service https://haveibeenpwned.com/ which will notify you if your email has been found in a breach. If not, go and sign up now.
Recently Troy announced on his blog
This blog post introduces a new service I call “Pwned Passwords”, gives you guidance on how to use it and ultimately, provides you with 306 million passwords you can download for free and use to protect your own systems.
So I thought I would write a quick PowerShell script to make use of it and place it on the PowerShell Gallery
You can install it using
Install-Script -Name Get-PwnedPassword
You will be asked if you want to add ‘C:\Program Files\WindowsPowerShell\Scripts’ to your PATH environment variable if this is the first script you have installed
Then load it into your session with a period and a space.
and check some old passwords. Take notice of the screen shot below in which Troy states that you should not send your password currently in use to any third party sites including this one.
There was a game on Twitter which involved finding ‘interesting’ passwords that people have used! Search for it, it’s nsfw by the way!
After posting this Jos made a comment
Nice feature! Then maybe add some Read-Host -AsSecureString 🙂 https://t.co/Ivi3JonPL8
— Jos Koelewijn 🇺🇦🏳️🌈 @firstname.lastname@example.org (@Jawz_84) August 9, 2017
and Mathias added
Not so much for in-memory protection, but for shielding against shoulder-surfers 🙂
— Mathias R. Jessen (@IISResetMe) August 9, 2017
Which is a good point. You don’t want you co-workers or friends seeing your Passwords over the shoulder. So I have updated the script to prompt for a Password and convert it to secure string and added a hash parameter as the API also allows you to pass the SHA1 hash of a password.
Which is a bit better I think. Thank you guys.
UPDATE 2 – This actually broke the script meaning that every password came back as pwned as I was not decoding the securestring correctly. I have fixed this with version 1.2 which you can get if you have already installed the script by running
Thanks to Henkie and Russell for letting me know
There is also a good use case for us technical folk to assist our none-technical friends with their password usage. You can visit this page
and get them to put their old password in the box (look at the screenshot for advice on current passwords) and see if their password has been used in a breach or not and use this as a means to have a discussion about password managers