This script written in Python, is a better alternative to using the haveibeenpwned website directly. The script only sends a portion of your hashed password to the API, and vice versa, making it very difficult for someone to sniff the traffic and guess your password (oversimplified)
Password leaked? Oops, this is definitely a good time to change your password.
- Leverages K-anonymity to ensure no interacting parties have the full information on the password. (https://www.troyhunt.com/understanding-have-i-been-pwneds-use-of-sha-1-and-k-anonymity/)
- Padding has been enabled to increase the response size. This padding is randomly generated to increase the uncertainty of guessing the password hash prefix. (https://www.troyhunt.com/enhancing-pwned-passwords-privacy-with-padding/)
- If you run this command via the command line, your password may be shown in the history or saved "somewhere" locally.
- If you are still concerned about point 1, please make a pull request to add functionality that reads passwords from a text file and checks them one by one.
git clone https://github.com/0KvinayK0/MistakePass.git
cd MistakePass
chmod +x mistake_pass.py
- Ensure you have Python3 installed on your system.
python3 mistake_pass.py <password1> <password2> …. <passwordn>
- Use single or double quotes to send the password literally.
