I guess what we're asking today is: have your passwords been pwned?
One of the websites I use to keep secure online is Have I Been Pwned. I love this website. It's great.
It's run by a guy called Troy Hunt, and whenever there is a big leak,
let's say a company gets hacked and all the users' passwords get leaked out onto the internet,
obviously people who are trying to crack passwords and break into your accounts
are going to be looking at these things.
But what he does is he collects them and lets you know.
You've got an email address that you use for most of your accounts.
You put this into the website, and if that email address ever appears in a leak
(I assume probably tied to a password, but not necessarily),
it will let you know, and that's a really good thing, because no one's on top of all the leaks, right?
I certainly am not. And so maybe I have an email address and I want to make sure it hasn't been given away.
So this is a great website; we'll put a link to it. But actually this is not what we're talking about today.
What we're talking about today is the Pwned Passwords API,
which is also put online, right, which is another great asset.
This is where you can actually send in your password, in a manner of speaking,
and it'll tell you whether it's ever been leaked.
Now that's important, because if your password has ever been leaked before,
by you or by someone else,
then it could be appearing in a long list of words that are being used for a dictionary attack,
right, and that just makes your password much more vulnerable.
In general I would argue that if your password has been leaked before, it's not really safe to use.
There are some interesting questions here.
Should you be putting your password into a box on the internet that says it will tell you if it's been hacked?
In general, no!
In general, be very careful about where you type in your password.
Even if I make a website and I say you should definitely trust me because it's me,
still don't trust me. All right?
You just don't know, for a start. I might just be inept at programming and have got a vulnerability.
So this uses an interesting mechanism called k-anonymity
to make sure that you can send in your password and find out whether it's in this big database of passwords,
and no one gets to find out what it was.
All right, which is using hashing, and it's really great.
So we're going to talk about that now.
So you can go on to haveibeenpwned.com/passwords
and you can type in your password there, and you can look at the source code.
That's probably OK. But actually it's got a REST API where you can visit specific URLs
and obtain information on whether your password is in that database.
You can do this very often;
you could do it, for example, for all the passwords in your collection in your password manager,
and actually some password managers like 1Password do this automatically for you
and they check your passwords this way.
I mean, that's a really good idea.
If you type in a password that you think is great for a new website,
your password manager can say, actually, this one's already been leaked previously,
so don't use that one.
So, how does this work,
and how does it remain secure?
Because even if this website is fully trustworthy,
it's not a good idea to be sending a hashed version of your password to this website, right?
This is the website that has all the lists of all the passwords.
If yours shows up, suddenly your IP address is saying "my password's weak, my password's weak",
and that's just not a good thing you want to have happen, right?
So how does it work?
Well, just like with all passwords, we hash it as a start, to begin protecting it.
So let's imagine I have my password, which is, you know, Password1.
(This is where we link to the video where I said don't use that password.
If there's any variation on the word "password", or it has any of the numbers 1, 2, 3, 4 in it, or anything like that,
you need to delete those passwords. Maybe delete your account out of shame.)
This will be hashed using SHA-1, which for this purpose is OK, right?
You wouldn't necessarily permanently store your passwords in this format,
but for this API it's OK, and that's going to produce a 160-bit hash,
right, which might look something like FA2241C... for 160 bits.
160 bits?
Yeah.
OK. Now the problem is, if I send this off to the website, I've just given them my password.
I mean, not quite, because
SHA-1 is a hash, but that could be broken, especially if my password is not good, right?
And also he's got a bunch of these passwords and hashes already computed in this database.
So as soon as he sees that I've got the hash,
he reverse-looks-up the password.
That's a vulnerability, right?
I trust the guy, but I still wouldn't want to do that, right?
And so this API uses a system called k-anonymity.
What happens is, instead of me giving them the whole hash,
I give them just enough of the hash
that they can give me back anything that might match,
and I am the one that actually finds out whether it does, right?
And that's a really neat trick.
So I will give them the first
one, two, three, four, five
characters of the hex of this password hash.
So I will send the Pwned Passwords API FA224, for example,
and it will send me back some number of passwords
that have been leaked in the past whose hashes begin with those five characters. Now, there'll be a lot of them;
there's some 550 million passwords in this database, which is kind of scary, and
it will return to you all the passwords that could match this, and how many times they've been seen in leaked passwords, right? And
usually you'll get about 400 or 500 back, right? That's when you go through the list yourself at your end and say, OK,
actually my password is, or it's not, in there, right?
Because there's going to be a lot of possible hashes and possible passwords that start with these five characters.
This is called k-anonymity. The idea is that the website only knows we're one of about 500
people that could have this password. It doesn't even know, actually, if we have one of these passwords,
which is quite nice, right?
So I've written some code to do this and we'll have a look. Before you get the code out: if you've hashed it with SHA-1,
is this just the way that this system works, that it uses SHA-1? Or is it... I was just trying to work out, because, yes...
Exactly. It isn't the case that these passwords were all originally hashed in SHA-1; this database includes both the plaintext and the hashed versions.
These are passwords that have previously been cracked, right, as opposed to leaked in hashed form.
So, for example,
maybe my password has been leaked in, like, bcrypt form and no one ever broke it, right, in which case it's of no real concern.
I mean, it's better if it had never been leaked, but, you know.
So these are passwords that have been leaked and they ended up in plaintext, either because they were already in plaintext
or because they've been cracked and they're now in plaintext. You've got some code? OK, let's look at some code.
So the first thing we can do is just pull this API directly. Very easy to do: you simply go to a web address,
part of which is the beginning of your hash, and then we try that. All right, so, to give an example,
I'm gonna use curl, right, to obtain a website back,
just going to send an HTTP request and receive a response.
curl is just a software library that I'm using here to send off a request to a specific address, and whatever website or data
comes back, I receive that onto the command line. So it's gonna be curl,
https (it only works over HTTPS, to make sure there's encryption involved), api.pwnedpasswords.com
/range/ and then the
prefix of my hash, which in this case was FA224. So FA224. That's going to come back...
It's done it, with a big long list of all the possible passwords that they have that start with that hash.
Now, it doesn't return the FA224;
it just returns the other bits, because it's a waste of time. Now, some of these have been cracked or seen maybe one time.
This one's been seen 169 times. I have no idea what it is; I'd have to break the password to find out.
Given it's been leaked 169 times, it's probably not very strong. Maybe it's Password1.
Yeah, it could be. You can try any of your passwords this way.
All you have to do is take your password, hash it, right, which is easy to do on the command line, or I've written some
Python code, and
then we can fire off to this API the first few bits and then we get back a list.
We look through the list to see if our full hash is in there, and if so, our password's been broken.
So I've written some Python code that will do this exact thing, right?
So all it does is it uses the cryptography library,
which is a great library in Python, to hash the password in SHA-1.
It takes the first five characters of the hexadecimal representation and it sends them off to the password API.
It comes back with, let's say, 500 of them. I split it all up,
I look through and try to find my password,
and if I find it then it'll print that it's found, right, and obviously I should change it. Now, of course,
I'm just typing this with random passwords, but you get the idea.
So let's have a go. I've called it pwned.py, and then let's use this one: Password1, with a capital P.
So it's been found. The hash actually starts with 70CCD, and it's been found 111,000 times.
That isn't great. What that means is that in different leaks this password has occurred a hundred thousand times, right?
It's definitely in password lists, right; it's a prime candidate. We already knew this; it's Password1, right?
Let's try something a little bit more difficult. So let's say Password1234.
This is going to be in there... there's only 3,000 times.
Right, but it's still not very good.
If your password appears any number of times, just one,
then that means that theoretically someone that had access to this list (and these are all publicly available, these leaks) could
put that in their big, big long list of things and just try them as a matter
of course on any new leak that turns up. It doesn't mean that you're definitely going to get hacked;
it just means that there's a better chance, right, and it's not ideal.
So why not have a look and see? So, I mean, so we've used this password,
but perhaps we should use something slightly stronger. Any ideas? In the password cracking video, iloveyoukate, was it? All right,
let's try that. So, iloveyoukate. All right, there we go.
It was found 93 times. I think some people might have started using it. I mean, please don't use that. Bad passwords,
you know, it's very nice, but yeah.
Yeah, I mean, any password that appeared in that list is
going to be breakable enough that it's definitely going to be in there, right? So that's a huge problem.
You know, if you start to get slightly more difficult passwords,
like some of the ones that we were looking at, maybe in the choosing-your-password video,
so, for example, four words. So let's say, why don't you do "correct horse battery staple"?
That is definitely in there, and I can tell you that without even running it.
correcthorsebatterystaple was found 114 times. No, people. We don't use correcthorsebatterystaple.
What about using your tip of putting in a random character?
So if I take correcthorsebatterystaple and, let's say, I put a star in the middle of here,
so correcthorsebat*erystaple. All right, not probably pronounceable.
All right, then we'll find it wasn't found in the dictionary, right? Don't use it now, because it will be in there now.
But this is the idea.
So, sort of, make unexpected changes. But it's very easy to just pull this API, right, and just see, you know,
is this new password I'm trying already in there?
Right, and if it is, don't use it. That's quite simple. If you're using a password manager and generating most of your passwords at random,
they're unlikely to be in there, but you never know, and it just makes it that much weaker if they are.
Okay
Shall I ask you, how do you say that? "Pone", "pawned", "pohned"? Pwned, is it? I don't know.
I mean, if I'm wrong then I'm a noob.
I thought you were leet.
Definitely not.
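The range query that the video walks through (the curl call against api.pwnedpasswords.com/range/ and the pwned.py check), as an added worked example. This is not Mike's pwned.py and not Troy Hunt's code; it was written for this page. It hashes locally with the standard-library hashlib (the video mentions the cryptography library), sends only the five-character prefix, and matches the remaining 35 characters at the client, which is the k-anonymity property. Assumptions beyond what the page says: the response is CRLF-separated lines of the form SUFFIX:COUNT in upper-case hex, and the fetch_range_live helper is a hypothetical name for the real network call. The network is replaced by a constructed in-memory stand-in, built from the counts quoted in the video, so the example runs offline; the stand-in also logs what the "server" received so you can see it only ever gets five characters.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint named in the video
SUFFIX_RE = re.compile(r"[0-9A-F]{35}")              # 40 hex digits minus the 5-char prefix


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex digits (160 bits)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all that leaves the machine;
    the remaining 35 chars are matched locally against the returned bucket."""
    sha1_hex = sha1_hex.upper()
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the bucket returned for one prefix. Assumed format (not spelled
    out on the page): CRLF-separated '<35 hex suffix>:<count>' lines, with
    the prefix itself omitted, as the video notes. Malformed lines raise."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        suffix = suffix.upper()
        if not sep or not SUFFIX_RE.fullmatch(suffix) or not count.strip().isdigit():
            raise ValueError(f"unexpected range response line: {raw!r}")
        counts[suffix] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) returns the response body; only the prefix is sent."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Hypothetical helper for real use (not exercised offline): the same
    HTTPS GET as the curl call, sending exactly five hex characters."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetch(leaked: Dict[str, int]) -> Tuple[Callable[[str], str], List[str]]:
    """Offline stand-in for the API, built from a constructed plaintext -> count
    table. The real service never sees plaintext; this exists only so the example
    runs without network. Also returns the log of prefixes the 'server' received."""
    buckets: Dict[str, List[str]] = {}
    for pw, n in leaked.items():
        p, s = split_hash(sha1_hex_upper(pw))
        buckets.setdefault(p, []).append(f"{s}:{n}")
    received: List[str] = []

    def fetch(prefix: str) -> str:
        received.append(prefix)
        # constructed filler suffixes so every bucket has some neighbours
        filler = [f"{i:035X}:1" for i in (7, 42, 1337)]
        return "\r\n".join(filler + buckets.get(prefix.upper(), [])) + "\r\n"

    return fetch, received


def demo() -> Dict[str, int]:
    """Constructed corpus using the counts quoted in the video."""
    fetch, received = make_fake_fetch({"Password1": 111000, "Password1234": 3000,
                                       "iloveyoukate": 93, "correcthorsebatterystaple": 114})
    results = {pw: pwned_count(pw, fetch)
               for pw in ("Password1", "correcthorsebatterystaple", "correcthorsebat*erystaple")}
    # the stand-in server only ever saw five-character prefixes, never a full hash
    assert all(len(p) == 5 for p in received)
    return results


if __name__ == "__main__":
    for pw, n in demo().items():
        print(f"{pw}: {n} occurrence(s)" if n else f"{pw}: not found")
```

To check a real password, pass fetch_range_live instead of the stand-in: pwned_count(password, fetch_range_live). The parser rejects anything that is not a 35-digit hex suffix with a numeric count rather than silently skipping it, so a changed or tampered response fails loudly instead of producing a false "not found".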