Keeping Bad Passwords Out with Breach Lists

Troy Hunt did a great write-up on the subject. You can check it out here: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

In short, there are millions of bad or compromised passwords in the breach list. To safely check whether your user's password is on that list:

  • Create a SHA-1 hash of the password on the client (browser/JS)
  • Take the first 5 hex characters of that SHA-1
  • Check those characters against the breach DB: `https://api.pwnedpasswords.com/range/[SHA1 5 char range]`
  • That API returns hundreds of close SHA-1 matches (every hash suffix sharing that 5-character prefix)
  • Then check that list against the remaining characters of the hash (everything after the first 5); only the prefix ever leaves the client
  • If it exists, it is probably a bad password
  • Tip: You can use the hit count to determine just how bad it is

Here is a JavaScript (ES6) implementation using `sha1` and `axios`:

