Using PowerShell to check if your password has been in a breach

We know that we need to keep our credentials secure. We know that we should not re-use our passwords across different services. Hopefully, by now, most readers of this blog are aware of Troy Hunts excellent free service https://haveibeenpwned.com/ which will notify you if your email has been found in a breach. If not, go and sign up now.

Recently Troy announced on his blog

This blog post introduces a new service I call “Pwned Passwords”, gives you guidance on how to use it and ultimately, provides you with 306 million passwords you can download for free and use to protect your own systems.

So I thought I would write a quick PowerShell script to make use of it and place it on the PowerShell Gallery

You can install it using

Install-Script -Name Get-PwnedPassword

You will be asked if you want to add ‘C:\Program Files\WindowsPowerShell\Scripts’ to your PATH environment variable if this is the first script you have installed

Then load it into your session with a period and a space.

. Get-PwnedPassword.ps1

and check some old passwords. Take notice of the screen shot below in which Troy states that you should not send your password currently in use to any third party sites including this one.

Get-PwnedPassword

There was a game on Twitter which involved finding ‘interesting’ passwords that people have used! Search for it, it’s nsfw by the way!

passwords.png

UPDATE

After posting this Jos made a comment

and Mathias added

Which is a good point. You don’t want you co-workers or friends seeing your Passwords over the shoulder. So I have updated the script to prompt for a Password and convert it to secure string and added a hash parameter as the API also allows you to pass the SHA1 hash of a password.

passwords2.png

Which is a bit better I think. Thank you guys.

UPDATE 2 – This actually broke the script meaning that every password came back as pwned as I was not decoding the securestring correctly. I have fixed this with version 1.2 which you can get if you have already installed the script by running

Update-Script Get-PwnedPassword

Thanks to Henkie and Russell for letting me know

There is also a good use case for us technical folk to assist our none-technical friends with their password usage. You can visit this page

https://haveibeenpwned.com/Passwords

and get them to put their old password in the box (look at the screenshot for advice on current passwords) and see if their password has been used in a breach or not and use this as a means to have a discussion about password managers

pwnedpasswords.png

 

Advertisements

11 thoughts on “Using PowerShell to check if your password has been in a breach

  1. Pingback: Using PowerShell to check if your password has been in a breach - How to Code .NET

  2. I dont know if this api works fully. I just tried several throw away passwords and your script says that the password has been found. However when I go to the site it says it has not been.

    • You are absolutely correct. I have uploaded a new version of the script to the gallery
      If you run
      Update-Script Get-PwnedPassword
      You will get version 1.2 which decodes the securestring correctly
      Thank you so much for letting me know
      Rob

    • You are absolutely correct. I have uploaded a new version of the script to the gallery
      If you run
      Update-Script Get-PwnedPassword
      You will get version 1.2 which decodes the securestring correctly
      Thank you so much for letting me know
      Rob

  3. Nice idea! 🙂 regarding the plain-text password, I just wanted to add, that it’s not just shoulder-surfing but also command history ((Get-PSReadlineOption).HistorySavePath) and powershell logging, depending on the console and powershell config.

  4. I assume the script sends the password to the haveibeenpwned API over HTTPS instead of downloading the giant database locally and running a local query. If that is the case, then I find it concerning that anyone would recommend using it for in-use passwords. Read Troy’s post if it is unclear why sending your current password (hashed or plaintext) to a third party is a Very Bad Idea™.

    get them to put their password in the [haveibeenpwned] box

    Gasp!! Please do not take this advise! If you need to make a point about reusing breeched passwords, then YOU enter a former password that you know has been compromised. Dont ever ask anyone to put a current password anywhere except the website that owns the account or a reputable password manager.

    • You will notice I included Troys warning in the screen shot as well. It’s a fair point and I have changed the wording slightly but I still stand by it as an idea.

      When discussing this with none-technical friends I want them to be safe and as I will probably be the one who will be called to help to sort out the mess and this is a useful way to help people to visualise it

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s