author | Jakob Odersky <jakob@odersky.com> | 2019-12-25 22:49:11 +0100 |
---|---|---|
committer | Jakob Odersky <jakob@odersky.com> | 2019-12-25 22:50:07 +0100 |
commit | c5a9d9453a832b534c5a8522a5d7e4b080ad7af4 (patch) | |
tree | b5721771eeb61217262caa2a225de7ba65052e5e | |
parent | d948938641c4a18e9df40414f2a5e72dc01353ee (diff) | |
download | dotfiles-c5a9d9453a832b534c5a8522a5d7e4b080ad7af4.tar.gz dotfiles-c5a9d9453a832b534c5a8522a5d7e4b080ad7af4.tar.bz2 dotfiles-c5a9d9453a832b534c5a8522a5d7e4b080ad7af4.zip |
Add script to check for compromised passwords
-rwxr-xr-x | home/bin/hibp | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/home/bin/hibp b/home/bin/hibp
new file mode 100755
index 0000000..7631b7e
--- /dev/null
+++ b/home/bin/hibp
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Uses https://haveibeenpwned.com/ to check if a password has been compromised.
+# Note that only 5 characters of the hashed password are sent to the service.
+# Usage: hibp <password>
+# Exits 0 if password is not known to be compromised, 1 otherwise.
+set -o errexit
+set -o nounset
+
+hash="$(echo -n "$1" | sha1sum | cut -d " " -f 1)"
+head5=$(head --bytes 5 <<< "$hash")
+tail5=$(tail --bytes +6 <<< "$hash")
+
+echo "Sending $head5 to server" >&2
+mapfile -t found_tails < <(curl -sS "https://api.pwnedpasswords.com/range/$head5")
+echo "Found ${#found_tails[@]} head matches. Checking each one." >&2
+
+shopt -s nocasematch
+for found in "${found_tails[@]}"; do
+ if [[ $found == $tail5* ]]; then
+ echo "Password has been pwned $(tr -d '\r' <<< "${found#*\:}") times!"
+ exit 1
+ fi
+done
+echo "Rest assured, password has not been pwned." |
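Review bot: A failed lookup is reported as a clean password. The `curl -sS` call runs inside a process substitution, so errexit never sees its exit status, and without `--fail` curl exits 0 on an HTTP error status anyway; the script then falls through to "Rest assured" and exits 0. Fetch into a variable first so a failure aborts with a non-zero status: `response=$(curl -sS --fail "https://api.pwnedpasswords.com/range/$head5")` followed by `mapfile -t found_tails <<< "$response"`. Separately, taking the password as `$1` leaves it in shell history and visible in the process list while the script runs; prompting with `read -rs password` when no argument is given would avoid that.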