Keeping Bad Passwords Out with Breach Lists

Troy Hunt did a great write-up on the subject. You can check it out here.

In short, there are millions of bad or compromised passwords in the breach list. To safely check whether your user’s password is on that list, without ever sending the password itself:

  • Create a SHA-1 hash of the password on the client/browser/JS
  • Take the first 5 hex characters of that SHA-1
  • Look those characters up in the breached-password DB: `https://api.pwnedpasswords.com/range/[SHA1 5 char range]`
  • That API returns hundreds of hash suffixes that share the same 5-character prefix
  • Then check that list against the remaining characters of your hash (the 35 hex chars after the prefix)
  • If it exists, it is probably a bad password
  • Tip: You can use the hit count returned with each suffix to determine just how bad it is

Here is a JavaScript (ES6) implementation using `sha1` and `axios`:

https://gist.github.com/sshadmand/548d6787050897697e2e99029a1683bb.js
