1.0.0 • Published 2 years ago

passpwnd v1.0.0

License: MIT

This tool checks whether a given password is part of a known data leak and is therefore potentially compromised. It is based on Troy Hunt's Have I Been Pwned services.

  • No dependencies: this tool relies only on core modules of Node.js and does not import any third-party libraries.
  • No password is sent over the network: this tool only sends a fragment of a hash generated from the given password to verify whether it is compromised. See the "How does it work?" section.

How does it work?

When you input a password, the tool generates its SHA-1 hash and sends only the first 5 characters of the hexadecimal digest to the Have I Been Pwned API.

If the service finds hashes whose first 5 characters match the ones computed from your input password, they are considered potential matches and returned in the response.

Once all potential matches are collected, the script locally compares the full hashed password to the hashes found in leaks.
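
The three steps above, as an added example in Node.js that is not passpwnd's own code: it hashes the password, keeps the suffix local, and compares it against a constructed response body so that it runs offline. The `SUFFIX:COUNT` line format and the zero-count padding entries come from the Pwned Passwords range API rather than from this page, and all function names are illustrative.

```javascript
const crypto = require("crypto");

// SHA-1 the password and split the uppercase hex digest: the 5-character
// prefix is the only value sent; the 35-character suffix stays local.
function hashParts(password) {
  const hex = crypto.createHash("sha1").update(password, "utf8")
    .digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body ("SUFFIX:COUNT" per line, CRLF-separated).
// Lines that do not match the expected shape are ignored.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// Local comparison step: how many times the password appears in the
// returned candidates. Padding entries have a count of 0, so a suffix
// that only matches padding is reported as not found.
function leakCount(password, body) {
  return parseRange(body).get(hashParts(password).suffix) || 0;
}

// Constructed response body (not real API output): two filler suffixes
// around the suffix of `password`, listed with the given count.
function constructedBody(password, count) {
  return [
    "0".repeat(35) + ":3",
    hashParts(password).suffix.toLowerCase() + ":" + count,
    "F".repeat(35) + ":0",
  ].join("\r\n");
}

const body = constructedBody("password", 42);
console.log(hashParts("password").prefix); // the only fragment sent
console.log(leakCount("password", body) > 0 ? "compromised" : "safe");
console.log(leakCount("not-in-sample", body) > 0 ? "compromised" : "safe");
```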

Usage

This package was designed to be imported into your own script or to be used as a stand-alone command-line tool.

Script

const passpwnd = require("passpwnd");

passpwnd("p4ssw0rd").then((isPwned) => {
	// isPwned is a boolean:
	// `true` if the password is compromised, `false` otherwise.
	console.log(isPwned);
});

Command-Line

passpwnd p4ssw0rd

The command above will return the status of the password:

  • compromised: the password was found in a leak. You should not use it anywhere! It is not safe.
  • safe: the password was not found. It can be considered safe.