I guess what we were asking today is have your passwords been pwned One of the websites I used to keep secure online is have I been pwned right now, I love this websites. It's great. Run by a guy called Troy hunt and whenever it is a big leak Let's say a company gets hacked and always using these passwords get leave out in internet Obviously people who are trying to crack passwords and break into your accounts They're going to be looking at these things But what he does, is he collects them and lets you know You've got an email address that you use for most of your accounts You put this in the website and if that email address ever appears in a leak I assume probably tied to a password but not necessarily It will let you know and that's a really good thing because no one's on top of all the leaks, right? I certainly am not. And so maybe I have an email address. So I want to make sure hasn't been given away So this is a great website, you know, we'll put a link to it. But actually this is not what we're talking about today what we're talking about today is the Password API it's also put online right which is another great asset. This is where you could actually send in your password in a manner of speaking and It'll tell you whether it's ever been leaked Now that's important because if your password has ever been leaked before by you or by someone else Then it could be appearing in a long list of words that are being used for a dictionary attack Right, and that just makes your password much more vulnerable In general I would argue that if your password has been leaked before it's not really safe to use There's some interesting questions here Should you be putting your password into a box on the internet that says it will tell you if it's been hacked? In general, no! In general, be very careful about where you type in your password Even if I make a website and I say you should definitely trust me because it's me. Still don't trust me. All right Just know what you know for a start. I might just be inept of programming and I've got a vulnerability So this uses an interesting mechanism called k-anonymity to make sure that you can send in your password and find out whether it's in this big database of passwords and no one gets to find out what it was. All right, which is using hashing, and it's really great So we're going to talk about that now so you can go on to haveibeenpwned.com/passwords and you can type in your password there and you can look at the source code That's probably okay. But actually it's got a REST API where you can actually visit specific URLs and obtain information on whether your password is in that database you can do this very often you could do it for example for all the passwords in your collection in your password manager and actually some password managers like 1Password actually do this automatically for you and they check your password this way I mean, that's a really good idea If you type in a password that you think is great for a new website Your password manager can say actually this one's already been leaked like previously so don't use that one. So, how does this work? and how does it remain secure because even if this website is fully trustworthy It's not a good idea to be sending a hashed version of your password to this website, right? this is the website that has all the lists of all the passwords if yours shows up, suddenly your IP address is saying My passwords weak my passwords weak and that's just not a good thing you want to have happen, right? So how does it work? Well, just like with all passwords. We hash it as a start to begin protecting it So let's imagine I have my password which is you know Password1 this is where we link to the video where I said don't use that password if there's any variation on the word password or have any of the numbers 1 2 3 4 in or doing it? You need to delete those passwords. Maybe delete your account out of shame This will be hashed using SHA-1 which for this purpose is okay, right? You wouldn't necessarily permanently store your passwords in this format But for this API is OK and that's going to produce 160 bit hash Right, which might look something like FA2 241C... for 160 bits 160 bits? Yeah Ok. Now the problem is if I send this off to the website, I've just given them my password I mean not quite because SHA-1 is hash but that could be broken. Especially if my password is not good, right and also he's got a bunch of these passwords and hashes already computed in this database So as soon as he sees that I've got the hash. He reverse looks up the password. That's a vulnerability, right? I trust the guy but I still wouldn't want to do that, right? And so this API used a system called K anonymity what happens is instead of me giving them the whole hash I give them just enough of the hash But they can give me back anything that might match and I am the one that actually finds that whether it does, right? and that's a really neat trick. So I will give them the first one, two, three, four, five characters of the hex of this password hash so I will send the pwned password API FA224, for example and it will send me back some number of passwords that have been leaked in the past whose hashes begin with those five characters now, there'll be a lot of them there's some 550 million passwords in this database which is a kind of scary and It will return to you all the passwords but could match this and how many times they've been seen in leaked passwords, right? And Usually you'll get about 4 or 500 back right? That's when you go through the list yourself at your end and say ok Actually, my password is or it's not in there, right? Because there's going to be a lot of possible hashes and possible passwords are start with these 5 characters This is called k-anonymity the idea is that the website only knows we're one of about 500 People that could have this password. It doesn't even know actually if we have one of these passwords Which is quite nice, right? So I've written some code to do this and we'll have a look before you get a code out if you've hashed it with SHA-1 Is this just the way that this system works that it uses SHA-1 or is it I was just trying to work out because yes Exactly it isn't the case for these passwords all originally hashed in SHA-1 like this database includes both the plaintext and the hashed versions These are passwords that are previously been cracked right, as opposed to leaked in hashed form so for example Maybe my password has been leaked in like bcrypt form and no one ever broke it right in which case it's have no real concern I mean it's better if it've never been leaked, but you know So these are passwords that have been leaked and they ended up in plaintext either because they were already in plaintext or because they've been cracked and they're now in plaintext. She's got some code. Ok, let's look at some code So the first thing we can do is just pull this API directly very easy to do you simply go to a web address Part of which is the beginning of your hash and then we try that. All right, so let's to give an example So I'm gonna hit I'm gonna use curl right to obtain a website back Just going to send an HTTP request and receive a response Curl, it's just a software library that I'm using here to send off a request to a specific address and whatever website or day Comes back. I received that onto the command line, so it's gonna be curl HTTPS only works for HTTPS to make sure there's encryption involved. API dot pwned passwords comm for such range forward slash and then the Prefix of my hash which in this case was FA224. So FA224 that's going to come back It's done it with a big long list of all the possible passwords that they have that start with that hash Now it doesn't return the FA224 It just returns the other bits because it's a waste of time now some of these are being cracked or or seen maybe one time This one's been seen 169 times. I have no idea what it is. I'd have to break the password to find out Given it's been leaked 106 nine times. It's probably not very strong. Maybe it's Password1 Yeah, it could be you can try any of your password this way all you have to do is take your password hash it right which is easy to do on the command line or I've written some Python code and Then we can fire off to this API the first few bits and then we get back a list We look through the list to see if our full hash is in there. And if so, our password isn't broken So I've written some Python code we'll do this exact thing, right? So all it does is it uses a the cryptography library which is a great library in Python to hash the password in SHA-1 It takes the first five characters of the hexadecimal representation and it sends them off to the password API It comes back with let's say 500 of them. I split it all up I look through and try find my password And if I find it then it'll print that it's found right and obviously I should change it now, of course I'm just typing this with random passwords, but you get the idea So let's have a go - I've called it pwned.py And then let's use this one Password1 with a capital P So it's been found the hash actually starts with 70CCD and it's been found a 111000 times That isn't great what that means is that in different leaks. This password has occurred a hundred thousand times, right? It's definitely in password list right it's a prime candidate. We already knew this is Password1, right? Let's try something a little bit more difficult. So let's say Password1234 This is going to be in there. There's only 3000 times Right, but it's still not very good If your password appears any number of times just one Then that means that theoretically someone that had access to this list and these are all publicly available these leaks could Could put that in there big big long list of things and just try them as a matter Of course on any new leak that turns up. It doesn't mean that you're definitely going to get hacked It just means that there's a better chance right and it's not ideal So why not have a look and see so I mean so we've used this password But perhaps we should use something slightly stronger any ideas in the password cracking video. iloveyoukate was it? All right Let's try that. So I love you Kate. All right, there we go It was found 93 times, I think some people might have started using it I mean, please don't use that bad passwords You know, it's very nice. But yeah Yeah, I mean any password that appeared in that list is going to be is breakable enough that it's definitely going to be in there, right? So that's a huge problem You know if you if you start to get a slightly more difficult passwords Like some of the ones that we were looking at maybe in the choosing your password video So for example 4 words, so let's say why don't you do correct horse battery staple That is definitely in there and I can tell you about even running it. correcthorsebatterystaple was found. 114 times. No people. We don't use correcthorsebatterystaple What about but using your tip of pushing a random character? So if I take correct horse battery staple and let's say I put a star in the middle of here So correcthorsebat*erystaple. All right, not probably pronounceable All right, then we'll find it wasn't found in the dictionary. Right? Don't use it now because it will be in there now But this is the idea So to sort of make unexpected changes, but it's very easy to just pull this API right and just see you know It's this new password. I'm trying already in there Right and if it is don't use it, that's quite simple. If you're using a parcel management generating most your passwords at random They're unlikely to be in there, but you never know and it just makes it that much weaker if they are Okay Shall I ask you how do you say that point own poem home? Pwned is it? I don't know I mean if I'm wrong then I'm a noob I thought you were leet Definitely not
