Last active
August 21, 2023 08:16
-
-
Save lzybkr/85b4dbd6536ea5351e8d8e492a432030 to your computer and use it in GitHub Desktop.
Query haveibeenpwned.com
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Reports if your password is pwned by querying haveibeenpwned.com | |
| .DESCRIPTION | |
| Query haveibeenpwned.com to see if a password has appeared in a breach. | |
| The query sends the first 5 characters of the SHA1 hash, so the query should be considered safe and anonymous. | |
| If you pass no parameters, you are prompted for the password to check and the password is not echoed to the screen. | |
| .PARAMETER password_notsecure | |
| Pass a plaintext password. This option is for convenience, but not recommended. | |
| If used with real passwords, clear your history and transcripts after use. | |
| .PARAMETER password_secure | |
| Pass a SecureString password, e.g. read from a file. | |
| .EXAMPLE | |
| PS> Get-AmIPwned.ps1 | |
| Password to check: : ****** | |
| Pwned Seen Hash | |
| ----- ---- ---- | |
| True 2670319 6367c48dd193d56ea7b0baad25b19455e529f5ee | |
| .EXAMPLE | |
| PS> 'P@ssw0rd', 'P@assw0rd', 'adsfadfsasdfadsadsf','abc123','password' | Get-AmIPwned.ps1 | |
| Pwned Seen Hash | |
| ----- ---- ---- | |
| True 47205 21bd12dc183f740ee76f27b78eb39c8ad972a757 | |
| True 39 630aab54f57ad2af22e2479b071bc1b47d09d1b0 | |
| False 0 f59b862b64a1043869acee3997841106d4ec01d5 | |
| True 2670319 6367c48dd193d56ea7b0baad25b19455e529f5ee | |
| True 3303003 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 | |
| #> | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(ValueFromPipeline)] | |
| [string] | |
| $password_notsecure, | |
| [Parameter(ValueFromPipeline)] | |
| [SecureString] | |
| $password_secure | |
| ) | |
| begin | |
| { | |
| class PwnedPasswordResult { | |
| [bool]$Pwned | |
| [int]$Seen | |
| [string]$Hash | |
| } | |
| $sha1 = [System.Security.Cryptography.SHA1CryptoServiceProvider]::new() | |
| $secProtocol = [System.Net.ServicePointManager]::SecurityProtocol | |
| $ProgressPreference = 'Ignore' | |
| } | |
| process | |
| { | |
| try { | |
| [System.Net.ServicePointManager]::SecurityProtocol = "tls, tls11, tls12" | |
| if (!$password_secure -and !$password_notsecure) { | |
| $password_secure = Read-Host -AsSecureString -Prompt 'Password to check: ' | |
| } | |
| if (!$password_notsecure) { | |
| $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password_secure) | |
| $password_notsecure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) | |
| $bstr = $null | |
| } | |
| $password_bytes = [System.Text.Encoding]::ASCII.GetBytes($password_notsecure) | |
| $password_notsecure = $null | |
| $password_hash = ($sha1.ComputeHash($password_bytes) | % { $_.ToString("x2") }) -join '' | |
| $password_bytes = $null | |
| $prefix = $password_hash.Substring(0,5) | |
| $suffix = $password_hash.Substring(5) | |
| $range = (iwr "https://api.pwnedpasswords.com/range/$prefix").Content | |
| if ($range -match "${suffix}:(\d+)") | |
| { | |
| $pwned = $true | |
| $hits = $matches[1] | |
| } | |
| else | |
| { | |
| $pwned = $false | |
| $hits = 0 | |
| } | |
| [PwnedPasswordResult]@{ | |
| Pwned = $pwned | |
| Seen = $hits | |
| Hash = $password_hash | |
| } | |
| } finally { | |
| [System.Net.ServicePointManager]::SecurityProtocol = $secProtocol | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment