Home About Blog Media Free Courses Workshops

Using HaveIBeenPwned Password List for Education

June 22, 2019

HaveIBeenPwned by Troy Hunt has been a great asset since its inception for many. With the possibility of the service being sold, now is the time to get a copy of the hashes before its too late!

Start by going to https://haveibeenpwned.com/Passwords and scroll to the bottom of the page to see the torrent files. I will be using the SHA1 list (either SHA1 or NTLM will give the same results).

HIBP Website

Next, I extracted the contents of the zip (31 GB!); 7-Zip will do just fine.

I created a small script in Python to run through the file initially. In summary, the script will ask for the location of the extracted file and for a password to search. It will turn the password into a hash and run a search, notifying you whether a match was found or not.

#SHA1 Hashing and Searching with Python
#Created by Irvin Lemus
import hashlib
import getpass
import re
print "Automatic Hashing and Searching Script"
print "See if your password is public knowledge!"
print "This script will check a repository of 500+ million passwords"
print " "
text = raw_input("What is the file location? ")
pwd_in = getpass.getpass("Please enter a password to search: ")
hash = hashlib.new("sha1", pwd_in).hexdigest()
hash = hash.upper()

print " "
print "Searching..."
with open (text, 'r') as searchfile:
 for line in searchfile:
  if re.search(hash, line):
   print " "
   print "PASSWORD KNOWN!"
   print "Hashed Password and the Number of Uses: "
   print line
   print "You should not use that password."
   print "Hooray! Password is not on the list!"
   print "Hash: ", hash

Revisions to the file will be made (add retry function, demo how to import hashes into a database for faster searching, etc).