Hands-on lab for detecting compromised passwords

In this lab, you'll use the Pwned Passwords range API to check whether a password appears in known breaches. The API only ever receives the first five characters of the password's SHA-1 hash; the remaining characters are compared locally, so the password itself never leaves your machine:

  1. Use curl to list the hash suffixes, and the breach count for each, that the API returns for all password hashes beginning with 21BD1:
curl https://api.pwnedpasswords.com/range/21BD1
  2. In the home directory of any of your Linux virtual machines, create the pwnedpasswords.sh script with the following content:
#!/bin/bash
candidate_password=$1
echo "Candidate password: $candidate_password"

# sha1sum prints the 40-character hex digest followed by a filename field; keep only the digest
full_hash=$(echo -n "$candidate_password" | sha1sum | awk '{print $1}')
# awk substr() is 1-indexed: the first 5 characters go to the API, the remaining 35 stay local
prefix=$(echo "$full_hash" | awk '{print substr($1, 1, 5)}')
suffix=$(echo "$full_hash" | awk '{print substr($1, 6, 35)}')

# The API returns upper-case suffixes while sha1sum prints lower-case, hence grep -i
if curl -s "https://api.pwnedpasswords.com/range/$prefix" | grep -i "$suffix";
then echo "Candidate password is compromised";
else echo "Candidate password is OK for use";
fi
  3. Add the executable permission to the script:
chmod u+x pwnedpasswords.sh
  4. Run the script, specifying TurkeyLips as a password:
./pwnedpasswords.sh TurkeyLips
  5. Repeat Step 4 as many times as you like, using a different password each time.
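The same range lookup, written here in Python as an added example rather than taken from the book, makes the two halves of the check explicit: the 5-character prefix is the only thing that goes over the network, and the response is parsed into a breach count instead of just grepped. The sample response body, its made-up suffixes and the count 3861493 are constructed for the offline test; only the middle suffix is the real SHA-1 tail of the word "password". The User-Agent string is an arbitrary label chosen for this example.

```python
import hashlib
import urllib.request

API_BASE = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns: one line per hash
# whose SHA-1 begins with the requested prefix, formatted SUFFIX:COUNT.
# The third line carries the real suffix of SHA-1("password"); the other
# suffixes and all counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response and return the breach count for suffix (0 if absent)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-character prefix; nothing else about the hash is sent."""
    req = urllib.request.Request(
        API_BASE + prefix,
        headers={"User-Agent": "pwned-check-lab-example"},  # assumed label, not required by the book
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the Pwned Passwords corpus."""
    prefix, suffix = split_hash(password)
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    import getpass

    # Prompting avoids leaving the candidate password in shell history or `ps` output.
    candidate = getpass.getpass("Candidate password: ")
    n = breach_count(candidate)
    if n:
        print(f"Candidate password is compromised ({n} occurrences)")
    else:
        print("Candidate password is OK for use")
```

Run it interactively to query the live API; the offline functions take the response body as a string, which is what the test below exercises. Reading the password with getpass rather than as a command-line argument is a deliberate change from the bash version, since `./pwnedpasswords.sh TurkeyLips` leaves the candidate in the shell history.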

What we've looked at so far works great on a small number of computers. But what if you're working in a large enterprise? We'll look at that next.
