Breached or not? Check a Password.

Note: This page hashes the input on your device, then sends a request to our API with only the first 20 characters of the hash. So we see neither the cleartext of the password nor the exact hash. We also do not store any kind of information about your input. (You can also enter a SHA-1 hash, or the first half of one.)


About

Data breaches are common nowadays. Even big companies with tens of millions of users do not seem immune to these kinds of problems. When a breach of user data occurs, either cleartext or, more commonly, hashed versions of passwords become available to malicious people. They may crack the hashed passwords and use them against the victims. Because of that, it is better practice not to use these leaked passwords.

This project is inspired by security researcher Troy Hunt's "306 million freely downloadable pwned passwords" blog post. He himself created a service with similar functionality to this one, but there are some differences between the two. We don't accept the cleartext password or the exact SHA-1 hash. We added to our database the hashes of some extra, publicly available passwords from the OWASP SecLists project. There are also some differences in usage limits: we allow 5 requests per second and 5000 per day per IP. These are soft limits for now. Our primary objective is providing a convenient API.

Partial hashes can still be reverted to cleartext when the password is weak: an attacker hashes candidate passwords from a wordlist with a password recovery utility and compares the first 20 characters, and a rainbow table that happens to contain the password also matches on the prefix. So it is possible to recover a weak password from its partial hash (we all should use a password manager with strong passwords for all the services we use, a different one for each). The real use of the partial hash is that it is acceptable to share it with a third party when the password is strong. This service's actual benefit is preventing the use of a strong password that was nonetheless breached somewhere and ended up in our index. In that case sharing its partial hash is unimportant, because you are advised against using it anyway. If there is no breach data and the password is strong, sharing the partial hash seems OK, because recovering the password from it is infeasible. Cutting the 40-character SHA-1 hash in half leaves 16^20 (about 1.2 x 10^24) possible prefixes, so many distinct full hashes share one prefix; this is a win with regard to crack attempts, since a prefix match no longer identifies a single hash. On the other side, it may cause false positives, but the chance of this happening is very low. With nearly 330 million truncated hashes in our database, we haven't seen two different hashes collide on the first 20 characters, which is expected: by the birthday bound, the expected number of collisions among n = 3.3 x 10^8 entries in a space of N = 16^20 prefixes is about n^2 / 2N, roughly 5 x 10^-8.

Best practice is doing this check on your own server, but that obviously requires additional resources and time. If you have them, it is trivial to do: pull the mentioned data, put it in a database, and check against it before accepting a password-set request.
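The self-hosted check described above, as an added example that is not the page's own code: it loads the 20-character prefixes from lines in the downloaded list's format into SQLite and gates a password-set request on a length check followed by a lookup. The sample lines are constructed here (real SHA-1 values of three common passwords, generated inline so the example runs offline; the ":count" suffixes are made up), and the function and table names are assumptions.

```python
import hashlib
import sqlite3
from typing import Iterable, Tuple

HEX = set("0123456789ABCDEF")


def partial_sha1(password: str) -> str:
    """First 20 hex characters (80 bits) of the password's SHA-1, uppercase."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:20].upper()


def load_prefixes(conn: sqlite3.Connection, lines: Iterable[str]) -> int:
    """Store the 20-character prefix of every hash in `lines`.

    Each line is either 'SHA1' or 'SHA1:count' (the downloadable list has
    used both layouts). Only the prefix is kept, so the table is the same
    shape as what the hosted service indexes. Returns the prefix count.
    """
    conn.execute("CREATE TABLE IF NOT EXISTS breached (prefix TEXT PRIMARY KEY)")
    rows = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        full = line.split(":", 1)[0].upper()
        if len(full) != 40 or not set(full) <= HEX:
            raise ValueError(f"not a SHA-1 hash: {line!r}")
        rows.add((full[:20],))
    conn.executemany("INSERT OR IGNORE INTO breached(prefix) VALUES (?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM breached").fetchone()[0]


def is_breached(conn: sqlite3.Connection, password: str) -> bool:
    """True if the password's 80-bit prefix is in the local breach table."""
    row = conn.execute(
        "SELECT 1 FROM breached WHERE prefix = ?", (partial_sha1(password),)
    ).fetchone()
    return row is not None


def accept_new_password(conn: sqlite3.Connection, password: str,
                        min_length: int = 8) -> Tuple[bool, str]:
    """Gate for a password-set request: cheap length check first, then the
    breach lookup. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "tooshort"
    if is_breached(conn, password):
        return False, "breached"
    return True, "ok"


# Constructed sample of the list: real SHA-1s of three well-known weak
# passwords, with made-up counts; in practice read the downloaded file.
SAMPLE_LINES = [
    hashlib.sha1(b"password").hexdigest().upper() + ":12345",
    hashlib.sha1(b"123456").hexdigest().upper() + ":67890",
    hashlib.sha1(b"qwerty").hexdigest().upper(),
]


def demo() -> dict:
    """Load the sample into an in-memory DB and gate a few candidate passwords."""
    conn = sqlite3.connect(":memory:")
    load_prefixes(conn, SAMPLE_LINES)
    candidates = ["password", "short", "correct horse battery staple"]
    return {pw: accept_new_password(conn, pw) for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in demo().items():
        print(f"{pw!r}: {verdict}")
```

Because only 80-bit prefixes are stored, this local table has the same (negligible) false-positive rate discussed above; storing the full 40-character hash removes it at the cost of twice the key size.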

We hope this service helps some developers out there make their users safer, and users make their accounts safer.

Sources used in this web site:

Api

This is documentation for the first version (v1).

Just make a JSON or form-encoded POST request to https://is.breached.pw/v1/ with the first 20 characters of the password's SHA-1 hash in a field named hash.

Sample curl request for json: curl --header "Content-Type: application/json" --data '{"hash":"YOUR_PARTIAL_HASH"}' https://is.breached.pw/v1/

Sample curl request for a form-encoded POST: curl --data "hash=YOUR_PARTIAL_HASH" https://is.breached.pw/v1/

You can also use the service with a GET request to https://is.breached.pw/v1/?hash=YOUR_PARTIAL_HASH, again with the first 20 characters of the password's SHA-1 hash. (Prefer POST over GET so that hashes don't end up in web server logs.)

Sample curl request: curl 'https://is.breached.pw/v1/?hash=YOUR_PARTIAL_HASH' (quote the URL so the shell does not treat ? as a glob character.)

All responses will be HTTP 200 OK with Content-Type: application/json.

Successful queries return a JSON object with 4 keys:

  • status : ok
  • hash : The partial hash you provided.
  • breachstatus : Two possible values:
    • breached : The hash was found in the breached password hash database. The password shouldn't be allowed.
    • notbreached : Our breached password hash database doesn't include this hash. This doesn't necessarily mean it is a good, strong password. You should employ other checks, such as minimum length, use of non-standard characters, etc.
  • quota : Remaining quota for the day.

Unsuccessful queries return a JSON object with 2 keys:

  • status : error
  • description : 5 possible values:
    • incorrecthash : There is an error with the supplied hash. Make sure it is only the first 20 characters of a SHA-1 hash.
    • missinghash : The request didn't provide a hash to check.
    • toomanyrequests : More than 5 requests within a second; wait a sec.
    • quotaexceeded : Daily quota exceeded.
    • error : Undefined error.
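A client for the v1 API as documented above, as an added example that is not the page's or the service's own code. It hashes locally, sends only the 20-character prefix in the JSON POST form, validates the prefix before sending (so a malformed value never leaves the machine), and maps every documented status/description pair to an outcome. The function names and the "retry" outcome for rate-limit responses are assumptions; the offline test feeds constructed responses in the documented shapes through an injected opener instead of calling the real endpoint.

```python
import hashlib
import json
import re
import urllib.request

API_URL = "https://is.breached.pw/v1/"
PARTIAL_HASH_RE = re.compile(r"^[0-9a-fA-F]{20}$")  # first half of a SHA-1


def partial_sha1(password: str) -> str:
    """First 20 hex characters of SHA-1(password); the only thing sent."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:20]


def build_request(partial_hash: str) -> urllib.request.Request:
    """JSON POST body exactly as the documented curl example sends it."""
    if not PARTIAL_HASH_RE.match(partial_hash):
        raise ValueError("hash must be exactly the first 20 hex characters of a SHA-1")
    body = json.dumps({"hash": partial_hash}).encode("utf-8")
    return urllib.request.Request(
        API_URL,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def interpret(response_json: dict) -> str:
    """Map the documented response objects to 'breached', 'notbreached' or 'retry'.

    Every response is HTTP 200, so the body's status field is the only
    signal. Client-side mistakes raise ValueError; 'error' raises
    RuntimeError so the caller can decide whether to fail open or closed.
    """
    status = response_json.get("status")
    if status == "ok":
        verdict = response_json.get("breachstatus")
        if verdict in ("breached", "notbreached"):
            return verdict
        raise ValueError(f"unexpected breachstatus {verdict!r}")
    if status == "error":
        desc = response_json.get("description", "error")
        if desc in ("toomanyrequests", "quotaexceeded"):
            return "retry"  # assumption: caller backs off; limits are per IP
        if desc in ("incorrecthash", "missinghash"):
            raise ValueError(f"client error: {desc}")
        raise RuntimeError("service reported an undefined error")
    raise ValueError(f"unexpected status {status!r}")


def check_password(password: str, opener=urllib.request.urlopen) -> str:
    """Hash locally, post the prefix, return the interpreted verdict.

    `opener` is injectable so the exchange can be exercised offline.
    """
    req = build_request(partial_sha1(password))
    with opener(req) as resp:
        return interpret(json.load(resp))


if __name__ == "__main__":
    import sys
    print(check_password(sys.argv[1]))  # performs a real request
```

Decide up front what a "retry" or RuntimeError outcome means for your password-set flow: failing closed blocks sign-ups while the service is rate-limiting you, failing open lets a breached password through, and either choice should be logged.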

Privacy

We do not collect any telemetry data about hashes. We log IPs to be able to limit usage and do some analytics, but these are not long-lived logs. We also use the standard log features of our web servers. This page employs a Google Analytics script.

Contact

Just send an email to hcansiz (Gmail).