Quote:
Originally Posted by JoeP
If you really want to check a number of passwords and you don't like the idea of entering them over an https link to a possibly trustworthy site, because who knows, you can download the entire 9GB file and check on your own machine. It contains SHA1 hashes not the original passwords because that's just sensible.
If you don't want to enter your password and don't want to download gigabytes of data either, you can send the first 5 characters of the SHA-1 hash (or the complete hash) of your password and you get a list of suffixes back like this:
https://api.pwnedpasswords.com/range/5baa6
Quote:
1E2AAA439972480CEC7F16C795BBB429372:1
1E3687A61BFCE35F69B7408158101C8E414:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
20597F5AC10A2F67701B4AD1D3A09F72250:3
20AEBCE40E55EDA1CE07D175EC293150A7E:1
Guess what the entry with 3 million hits is? That's right, "password".
It's explained here:
Troy Hunt: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download