pwnedpasswords

v1.0.2
Published: Apr 28, 2018 License: MIT Imports: 12 Imported by: 2

README

go-pwnedpasswords


Package pwnedpasswords implements a client for checking passwords against the "Have I Been Pwned" Pwned Passwords API. The Pwned Passwords API implements a k-Anonymity model that lets you check a password against the database without sending the API the full password or the full SHA-1 hash of it.

This works by computing the SHA-1 hash of the password locally, hex-encoding the digest, and sending only the first five hex characters of that string (the prefix) to the Pwned Passwords API. The API returns the suffixes of every hash it holds that begins with that prefix, and the client compares those suffixes against its own locally to look for a match. Neither the password nor its full hash ever leaves the local system.

In effect, this lets you confirm whether your password appears in one of the many database dumps from which passwords were obtained. If your password is not on the list, that does not mean it is safe or has not been compromised. Never reuse a password across different sites or services: the compromise of one can lead to the compromise of all of your accounts.

License

This code is released under the MIT License. Please see the LICENSE for the full content of the license.

Building the Binary

If you have the Go toolchain installed, you can use the following command to install the pwnedpasswords command line client (pp):

go get github.com/theckman/go-pwnedpasswords/cmd/pp

Usage

If you plan to use this package as a client library in Go, here is a quick example of how to use it:

package main

import (
	"fmt"
	"log"
	"github.com/theckman/go-pwnedpasswords"
)

func main() {
	client, err := pwnedpasswords.New(pwnedpasswords.DefaultURL)
	if err != nil {
		log.Fatal(err)
	}
	// Only the five-character prefix of the SHA-1 hash is sent to the API.
	compromiseCount, err := client.Check([]byte("password"))
	if err != nil {
		log.Fatal(err)
	}
	if compromiseCount > 0 {
		// password was compromised on at least compromiseCount sites: never use it again
		fmt.Printf("password seen %d times in breach data\n", compromiseCount)
	} else {
		// password may not be compromised
		fmt.Println("password not found in Pwned Passwords")
	}
}

Documentation


Constants

const DefaultURL = "https://api.pwnedpasswords.com/range/"

DefaultURL is the default URL to the Pwned Passwords API.

const Version = "1.0.2"

Version is the package version.

Variables

This section is empty.

Functions

func HashPassword

func HashPassword(password []byte) (prefix, suffix string)

HashPassword takes a password and returns its SHA-1 hash split into the prefix and suffix. The prefix is what is sent to the API, and the suffix should then be used to match the returned results.

Note: the full hash should *NEVER* be written to disk or sent across the network. If the value makes its way somewhere, it could be used to crack the password. You should only transmit the prefix to the Pwned Passwords API.
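The prefix/suffix split and the local comparison described above, as an added Go example that is not part of this package: splitHash, matchSuffix and the response body are my own constructions, not the package's API, and the counts in the body are invented.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// splitHash hashes the password with SHA-1 locally and returns the
// upper-case hex digest split into the 5-character prefix sent to the API
// and the 35-character suffix that must stay on this machine.
func splitHash(password []byte) (prefix, suffix string) {
	sum := sha1.Sum(password)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// matchSuffix scans a /range/{prefix} response body (one "SUFFIX:COUNT"
// per line) and returns the count for our suffix, or 0 if it is absent.
// The comparison happens locally, so the full hash never leaves.
func matchSuffix(body, suffix string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 {
			continue // skip blank or malformed lines
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// constructedBody is a made-up reply for prefix 5BAA6: the counts are
// invented and the other suffixes are filler (a real reply holds hundreds).
const constructedBody = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
	"0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2\r\n" +
	"FFFFA1B2C3D4E5F60718293A4B5C6D7E8F9:17\r\n"

func main() {
	prefix, suffix := splitHash([]byte("password"))
	n, err := matchSuffix(constructedBody, suffix)
	fmt.Println(prefix, n, err) // 5BAA6 3730471 <nil>
}
```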

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is for checking passwords against the Pwned Passwords API without leaking the password.

func New

func New(urlStr string) (Client, error)

New returns a new Client for checking passwords against the API. The urlStr argument should be the full path to the API endpoint, including the trailing slash. A good default is pwnedpasswords.DefaultURL.

func (Client) Check

func (c Client) Check(password []byte) (int, error)

Check returns the number of times the password appears in Pwned Passwords, and any error that occurred. If the int is 0, your password is clean; if it is greater than 0, change your password!

Directories

cmd/pp (the pp command line client)
