Checking for Bad (Insecure) Passwords (Part 1)

by May 22, 2019

Complex passwords are not necessarily safe. For example, “P@ssw0rd” satisfies every complexity rule, yet it is extremely insecure. That is why security communities have started recommending that you replace complexity criteria with more relevant tests and prevent the use of passwords that have appeared in previous breaches. Such passwords – however complex they may be – are a standard part of dictionary attacks and highly insecure.

Just how do you know whether a particular password is compromised? You can use sites such as haveibeenpwned.com and their API. This is how it works:

  1. You create a SHA-1 hash of your password, so the password itself never leaves your machine
  2. You send only the first five hex characters of this hash to the API, so the full hash is not disclosed either
  3. You get back all hash suffixes that start with these five characters, each with the number of times it was seen
  4. You check locally whether one of the returned hashes matches your password hash

And this is how PowerShell can check passwords for you:

# the API requires TLS 1.2; do not re-enable SSL3 or TLS 1.0, they are insecure
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# password to check (adjust this)
$Password = 'Sunshine'

# get the SHA-1 hash of the password (the password itself is never sent)
$stream = [IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes($Password))
$hash = Get-FileHash -InputStream $stream -Algorithm SHA1
$stream.Close()
$stream.Dispose()

# split into the first five hex characters (sent) and the remaining 35 (kept local)
$prefix, $suffix = $hash.Hash -split '(?<=^.{5})'

# ask for all hash suffixes that share the same first 5 hash digits
$url = "https://api.pwnedpasswords.com/range/$prefix"
$response = Invoke-RestMethod -Uri $url -UseBasicParsing

# find the exact match locally; each returned line is "<suffix>:<count>"
$lines = $response -split '\r?\n'
$seen = foreach ($line in $lines)
{
  if ($line.StartsWith($suffix)) {
    [int]($line -split ':')[-1]
    break
  }
}

# no matching line means the password is not in the breach corpus
if (-not $seen) { $seen = 0 }

"$Password has been seen {0:n0} times." -f $seen

Try it and adjust the password to check in $Password. You’ll be amazed at how many breaches the password may have been exposed in:

Sunshine has been seen 13.524 times.

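The four steps above, as an added example in Python (not the tip’s own PowerShell code) so that the hashing, the prefix split and the response parsing can be run and tested offline. The fetcher is injected as a function; the sample response body and its counts are constructed, and the User-Agent string is an arbitrary label.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password as 40 uppercase hex digits."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(hex_digest: str):
    """5-char prefix that goes to the API, 35-char suffix that stays local."""
    return hex_digest[:5], hex_digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Map suffix -> count; the API sends CRLF lines, tolerate LF and blanks too."""
    counts = {}
    for line in body.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password was seen in breaches; 0 when it is not listed.
    fetch_range(prefix) returns the body of GET .../range/<prefix>; injecting
    it lets the logic run offline."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def live_fetch(prefix: str) -> str:
    """Real fetcher: one HTTPS GET that carries only the 5-char prefix."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fake_fetch_for(password: str, count: int) -> Callable[[str], str]:
    """Offline stand-in for the API: constructed body that lists `password`."""
    prefix, suffix = split_hash(sha1_upper(password))
    body = "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed filler entry
        f"{suffix}:{count}",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",  # constructed filler entry
    ])
    def fetch(p: str) -> str:
        assert p == prefix, "the server must only ever see the 5-char prefix"
        return body
    return fetch
```

Swap `fake_fetch_for(...)` for `live_fetch` to query the real service; the rest of the code is unchanged.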