
Using HaveIBeenPwned Password List for Education

June 22, 2019

HaveIBeenPwned, run by Troy Hunt, has been a great asset to many since its inception. With the possibility of the service being sold, now is the time to get a copy of the hashes before it's too late!

Start by going to https://haveibeenpwned.com/Passwords and scroll to the bottom of the page to find the torrent files. The SHA1 and NTLM downloads contain the same set of passwords; they differ only in which hash of each password is listed. I will be using the SHA1 list, because the script below computes SHA-1 hashes (to search the NTLM list you would have to compute NTLM hashes instead).

HIBP Website

Next, I extracted the contents of the archive (31 GB!); 7-Zip will do just fine.

I created a small Python script to run through the file as a first pass. In summary, the script asks for the location of the extracted file and for a password to search. It hashes the password with SHA-1 and converts the digest to upper-case hex (the format HIBP publishes), then reads the file line by line and tells you whether a matching hash was found and, if so, how many times that password has appeared in breaches.

#!/usr/bin/env python3
# SHA1 Hashing and Searching with Python
# Created by Irvin Lemus
# Reads the extracted HIBP SHA-1 text file, one "HASH:COUNT" entry per line.

import getpass
import hashlib

print("Automatic Hashing and Searching Script")
print("See if your password is public knowledge!")
print("This script will check a repository of 500+ million passwords")
print(" ")
text = input("What is the file location? ")
pwd_in = getpass.getpass("Please enter a password to search: ")
# HIBP hashes the UTF-8 bytes of the password and lists the digest in upper-case hex
digest = hashlib.sha1(pwd_in.encode("utf-8")).hexdigest().upper()

print(" ")
print("Searching...")

with open(text, "r") as searchfile:
    for line in searchfile:
        # Every line begins with the hash, so a prefix test is enough (no regex needed)
        if line.startswith(digest):
            print(" ")
            print("PASSWORD KNOWN!")
            print("Hashed Password and the Number of Uses: ")
            print(line.rstrip())
            print("You should not use that password.")
            break
    else:
        # The for/else branch runs only when the loop finished without a break,
        # i.e. after every line has been checked and none matched
        print("Hooray! Password is not on the list!")
        print("Hash: ", digest)

Revisions to the script will follow (adding a retry function, demonstrating how to import the hashes into a database for faster searching, etc.).
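The script above reads the file from the top, which is fine for a first pass but slow on a 31 GB file. As an added example that is not part of the original post, the Python 3 script below shows one way to get the faster search mentioned above without importing anything into a database: HIBP also publishes the list sorted by hash, and a sorted file can be binary-searched in place with seek(), roughly 30 probes for the full list instead of a complete read. It assumes the "ordered by hash" download in HIBP's HASH:COUNT line format (upper-case SHA-1 hex, colon, count, CRLF line endings); the sample file it builds is constructed here from a few well-known weak passwords with made-up counts so the example runs offline. Point lookup_count() at the real ordered-by-hash file to use it for real.

```python
#!/usr/bin/env python3
"""Binary search over a HIBP-style SHA-1 list instead of a linear scan.

Added example, not code from the original post. It assumes the
"ordered by hash" download of Pwned Passwords: one entry per line, an
upper-case 40-hex SHA-1, a colon and the prevalence count, sorted by hash.
Because that file is tens of gigabytes, build_sample_file() constructs a
tiny file in the same format from a few weak passwords (counts are made up)
so the example runs offline.
"""
import hashlib
import os
import tempfile

# Constructed sample data: famously weak passwords with made-up counts.
SAMPLE_PASSWORDS = [
    ("123456", 900), ("password", 800), ("qwerty", 700), ("letmein", 600),
    ("dragon", 500), ("iloveyou", 400), ("monkey", 300), ("football", 200),
]


def sha1_upper(password: str) -> str:
    """Hash a password the way the HIBP SHA-1 list does: UTF-8 in, upper-case hex out."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_file(entries) -> str:
    """Write a small HIBP-format file sorted by hash and return its path."""
    # Hashes are fixed-width, so sorting the whole line sorts by hash.
    lines = sorted(f"{sha1_upper(pw)}:{count}" for pw, count in entries)
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", newline="\r\n") as fh:  # the real download uses CRLF
        fh.write("\n".join(lines) + "\n")
    return path


def lookup_count(path: str, digest: str) -> int:
    """Return the count for an upper-case SHA-1 hex digest, or 0 if it is absent.

    Binary search on byte offsets: seek to the midpoint of the window, discard
    the partial line we landed in, read the next whole line and narrow the
    window by comparing its hash. Each probe costs one seek and two short
    reads, so a lookup never touches more than a few dozen lines.
    """
    with open(path, "rb") as fh:
        lo, hi = 0, os.fstat(fh.fileno()).st_size  # search window [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(max(mid - 1, 0))
            if mid > 0:
                fh.readline()        # finish the line containing byte mid-1 ...
            line_start = fh.tell()   # ... so this is the first line start >= mid
            line = fh.readline()
            if not line or line_start >= hi:
                hi = mid             # no whole line starts inside [mid, hi)
                continue
            line_hash, _, count = line.decode("ascii").rstrip("\r\n").partition(":")
            if line_hash == digest:
                return int(count)
            if line_hash < digest:
                lo = fh.tell()       # target, if present, lies after this line
            else:
                hi = line_start      # target, if present, lies before this line
    return 0


def is_pwned(path: str, password: str) -> int:
    """Hash the plaintext and look it up; 0 means not in the list."""
    return lookup_count(path, sha1_upper(password))


if __name__ == "__main__":
    sample = build_sample_file(SAMPLE_PASSWORDS)
    try:
        for candidate in ("password", "dragon", "correct horse battery staple"):
            n = is_pwned(sample, candidate)
            verdict = f"seen {n} times" if n else "not in the list"
            print(f"{candidate!r}: {verdict}")
    finally:
        os.remove(sample)
```

The window invariant is that any matching line starts inside [lo, hi). Seeking to mid-1 before discarding a line matters: if mid itself is the first byte of a line, the discarded read is just the preceding newline, so the line starting exactly at mid is not skipped. When the first whole line at or after mid starts outside the window (or we hit end of file), the upper bound moves down to mid rather than to that line, which keeps the loop making progress instead of re-reading the same line forever.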