Keeping Bad Passwords Out with Breach Lists

Troy Hunt did a great write-up on the subject. You can check it out here.

In short, millions of bad or compromised passwords have been added to the breach list. To check whether your user's password is on that list without ever sending the password (or its full hash) off the client:

  • Compute the SHA-1 hex digest of the password on the client (browser JavaScript)
  • Take the first 5 characters of that hash (the prefix)
  • Query the breach database with only that prefix: `https://api.pwnedpasswords.com/range/[SHA1 5 char range]`
  • The API returns hundreds of hash suffixes that share the prefix, each with a hit count
  • Check that list for the remaining characters of your hash (the 35-character suffix)
  • If it is there, it is probably a bad password
  • Tip: the hit count tells you just how bad it is

Here is a JavaScript (ES6) implementation using `sha1` and `axios`:

