In case anyone is interested, I’ve put together a bit of code that uses Troy Hunt’s HaveIBeenPwned Password API v2. The API allows for real time querying of over 500 million breached passwords that exist in the HIBP database. It’s really fast & secure.
A lot of forward thinking itsec folks are pointing UI dev away from password strength meters as they often force users to make poor, less secure passwords.
Troy’s API allows us to show users that a poor password they have chosen has already been breached (e.g. “password” occurs 3,303,003 times in breached data). The thinking is that this helps educate people into finding better passwords and, most importantly, stopping weak/breached password re-use on multiple sites. (see image attached)
Using the k-Anonymity model, the code passes the first 5 characters of a SHA-1 password hash. The API returns a range of potential matches (generally 478 hash suffixes) and an occurrence count for each. It then parses the return and finds the exact match, then parses the occurrence count and returns it for user feedback.
Source and links to Troy’s blog posts on the API:
and if anyone wants to clean up the string parsing with some sweet regex, I’d be ok with that …
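Added example (not the poster's code) of the k-Anonymity flow described above in Python: hash locally, send only the 5-char prefix, match the suffix in the `SUFFIX:COUNT` lines of the range response. The sample response body is constructed; every suffix in it except the real one for “password” is made up, and the 3,303,003 count is the figure quoted in the post.

```python
import hashlib
import re
from typing import Callable, Tuple

# Constructed sample of a range-API response body for prefix 5BAA6.
# A real response carries hundreds of "SUFFIX:COUNT" lines; only a few are
# shown, and all suffixes except the one for "password" are invented.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:3
"""

# One response line: 35 hex chars (the rest of the SHA-1), a colon, a count.
LINE_RE = re.compile(r"^([0-9A-F]{35}):(\d+)$", re.IGNORECASE)

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-char prefix ever leaves the client (k-Anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, body: str) -> int:
    """Find `suffix` in a range response body; return its breach count or 0."""
    wanted = suffix.upper()
    for line in body.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        if m.group(1).upper() == wanted:
            return int(m.group(2))
    return 0  # prefix range returned, but this exact hash is not in it

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Full flow: hash, query by prefix via `fetch_range`, match suffix."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))

def fetch_range_live(prefix: str) -> str:
    """Fetch a real range from the Pwned Passwords API (needs network)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"})  # UA name is arbitrary
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(pwned_count("password", lambda p: SAMPLE_RANGE_BODY))  # 3303003
```

Swap the lambda for `fetch_range_live` to query the real API; the password itself never appears in the request.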