We know that we need to keep our credentials secure. We know that we should not re-use our passwords across different services. Hopefully, by now, most readers of this blog are aware of Troy Hunts excellent free service https://haveibeenpwned.com/ which will notify you if your email has been found in a breach. If not, go and sign up now.
Recently Troy announced on his blog
This blog post introduces a new service I call “Pwned Passwords”, gives you guidance on how to use it and ultimately, provides you with 306 million passwords you can download for free and use to protect your own systems.
So I thought I would write a quick PowerShell script to make use of it and place it on the PowerShell Gallery
You can install it using
Install-Script -Name Get-PwnedPassword
You will be asked if you want to add ‘C:\Program Files\WindowsPowerShell\Scripts’ to your PATH environment variable if this is the first script you have installed
Then load it into your session with a period and a space.
. Get-PwnedPassword.ps1
and check some old passwords. Take notice of the screen shot below in which Troy states that you should not send your password currently in use to any third party sites including this one.
Get-PwnedPassword
There was a game on Twitter which involved finding ‘interesting’ passwords that people have used! Search for it, it’s nsfw by the way!
UPDATE
After posting this Jos made a comment
Nice feature! Then maybe add some Read-Host -AsSecureString 🙂 https://t.co/Ivi3JonPL8
— Jos Koelewijn 🇺🇦🏳️🌈 (@Jawz_84) August 9, 2017
and Mathias added
Not so much for in-memory protection, but for shielding against shoulder-surfers 🙂
— Mathias R. Jessen (@IISResetMe) August 9, 2017
Which is a good point. You don’t want you co-workers or friends seeing your Passwords over the shoulder. So I have updated the script to prompt for a Password and convert it to secure string and added a hash parameter as the API also allows you to pass the SHA1 hash of a password.
Which is a bit better I think. Thank you guys.
UPDATE 2 – This actually broke the script meaning that every password came back as pwned as I was not decoding the securestring correctly. I have fixed this with version 1.2 which you can get if you have already installed the script by running
Update-Script Get-PwnedPassword
Thanks to Henkie and Russell for letting me know
There is also a good use case for us technical folk to assist our none-technical friends with their password usage. You can visit this page
https://haveibeenpwned.com/Passwords
and get them to put their old password in the box (look at the screenshot for advice on current passwords) and see if their password has been used in a breach or not and use this as a means to have a discussion about password managers
Pingback: Using PowerShell to check if your password has been in a breach - How to Code .NET
I dont know if this api works fully. I just tried several throw away passwords and your script says that the password has been found. However when I go to the site it says it has not been.
You are absolutely correct. I have uploaded a new version of the script to the gallery
If you run
Update-Script Get-PwnedPassword
You will get version 1.2 which decodes the securestring correctly
Thank you so much for letting me know
Rob
Anything I try just says its pwned. Even just random 20+ char strings.
You are absolutely correct. I have uploaded a new version of the script to the gallery
If you run
Update-Script Get-PwnedPassword
You will get version 1.2 which decodes the securestring correctly
Thank you so much for letting me know
Rob
You are absolutely correct. I have uploaded a new version of the script to the gallery
If you run
Update-Script Get-PwnedPassword
You will get version 1.2 which decodes the securestring correctly
Thank you so much for letting me know
Rob
Nice idea! 🙂 regarding the plain-text password, I just wanted to add, that it’s not just shoulder-surfing but also command history ((Get-PSReadlineOption).HistorySavePath) and powershell logging, depending on the console and powershell config.
An excellent point
I assume the script sends the password to the haveibeenpwned API over HTTPS instead of downloading the giant database locally and running a local query. If that is the case, then I find it concerning that anyone would recommend using it for in-use passwords. Read Troy’s post if it is unclear why sending your current password (hashed or plaintext) to a third party is a Very Bad Idea™.
Gasp!! Please do not take this advise! If you need to make a point about reusing breeched passwords, then YOU enter a former password that you know has been compromised. Dont ever ask anyone to put a current password anywhere except the website that owns the account or a reputable password manager.
You will notice I included Troys warning in the screen shot as well. It’s a fair point and I have changed the wording slightly but I still stand by it as an idea.
When discussing this with none-technical friends I want them to be safe and as I will probably be the one who will be called to help to sort out the mess and this is a useful way to help people to visualise it
👍