Password Checker

Password Checker

J. Landman Gay via use-livecode
Read this interesting article about a half billion PW database of
compromised passwords that I thought I'd share:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

on mouseUp
   local tSHAData, tSHAHex, tList
   -- SHA-1 of the password, returned as binary data
   put messageDigest(the text of field "password", "SHA-1") into tSHAData
   -- convert the digest to uppercase hex
   repeat for each byte tByte in tSHAData
      put format("%02X",bytetonum(tByte)) after tSHAHex
   end repeat
   -- only the first 5 hex characters of the hash are sent
   put url ("https://api.pwnedpasswords.com/range/" & char 1 to 5 of tSHAHex) into tList
   delete char 1 to 3 of tList -- delete the BOM
   -- keep the line that starts with the rest of the hash
   filter tList with (char 6 to -1 of tSHAHex) & "*"
   set the itemdel to ":"
   put item 2 of tList into field "hits"
end mouseUp

I've written some code that uses the new v2 API.  You send the first 5
characters of the SHA1 of your password and get a list back of matches.
You can then see if the rest of the hash is in the list and get the number
of times it appears on the list.  "123123" appears 2048411 times for
example.

I'm sure that someone can tighten it up some, but just wanted to make
something in LiveCode that could use the API.

You can also download the full database of SHA1 values (8.75GB) if you
would want to use it to provide a service.  Links are in the article (he
prefers that you use a torrent).

Thanks,
Brian
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
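
Added example, not part of the original post or of the linked article: the same range lookup in Python, run against a constructed response so it works offline and shows that only the 5-character prefix leaves the machine. `fake_fetch`, `SENT` and the decoy lines are made up for illustration, and encoding the password as UTF-8 is an assumption.

```python
import hashlib
import urllib.request

BOM = b"\xef\xbb\xbf"

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()  # UTF-8 is an assumption
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating a BOM, CRLF and junk lines."""
    if body.startswith(BOM):
        body = body[len(BOM):]
    counts = {}
    for line in body.decode("ascii", errors="replace").splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Look up a password; only the 5-character prefix is handed to fetch_range."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)  # 0 means no match

def fetch_range_https(prefix):
    """Live lookup against the endpoint used in the handler above (not called in the demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()

# --- constructed sample data, so the demo runs offline ---
SENT = []  # records everything that would have left the machine

def fake_fetch(prefix):
    """Stand-in for the API: returns a constructed body with a BOM, CRLF and a junk line."""
    SENT.append(prefix)
    decoys = [hashlib.sha1(b"decoy-%d" % i).hexdigest().upper()[5:] for i in range(3)]
    lines = [decoys[0] + ":3", "garbage line", decoys[1] + ":17", decoys[2] + ":1"]
    real_prefix, real_suffix = split_hash("123123")
    if prefix == real_prefix:
        lines.insert(1, real_suffix + ":2048411")  # count quoted in the post above
    return BOM + "\r\n".join(lines).encode("ascii")

if __name__ == "__main__":
    print(breach_count("123123", fake_fetch))
    print(breach_count("not in the constructed sample", fake_fetch))
    print(SENT)  # two 5-character prefixes, nothing else
```

Pass `fetch_range_https` instead of `fake_fetch` to query the live service.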
Re: Password Checker

J. Landman Gay via use-livecode
There seems to be a missing handler, "messageDigest".

~Roger


On Thu, Feb 22, 2018 at 11:50 PM, Brian Milby via use-livecode <
[hidden email]> wrote:

Re: Password Checker

J. Landman Gay via use-livecode
That is built in for LC9. You can use sha1digest though.
On Fri, Feb 23, 2018 at 7:52 AM Roger Eller via use-livecode <
[hidden email]> wrote:

> There seems to be a missing handler, "messageDigest".
>
> ~Roger

Re: Password Checker

J. Landman Gay via use-livecode
I just got around to trying this -- *very* useful, thanks for posting it.

There are no matches for any of my passwords I've tried so far. :) On
the other hand, even "AbrahamLincoln" has 128 matches. And you have to
insert commas to read the number returned for "qwerty".



--
Jacqueline Landman Gay         |     [hidden email]
HyperActive Software           |     http://www.hyperactivesw.com


Re: Password Checker

J. Landman Gay via use-livecode
I would highly recommend NOT typing ANY current password you are using into a web page like this. If no one knew about it before, they sure as hell know it now! Whether they avail themselves of it is anyone's guess.

Bob S


> On Feb 24, 2018, at 13:17 , J. Landman Gay via use-livecode <[hidden email]> wrote:
>
> I just got around to trying this -- *very* useful, thanks for posting it.
>
> There are no matches for any of my passwords I've tried so far. :) On
> the other hand, even "AbrahamLincoln" has 128 matches. And you have to
> insert commas to read the number returned for "qwerty".
>



Re: Password Checker

J. Landman Gay via use-livecode
I wouldn't type into that web page either. I used Brian's handler that uses
their API and only sends a few characters of the hash to the database. The
article explains how it works and includes ways to set up the system on
your own server if you want. After reading through it I was convinced it
was a safe check.
--
Jacqueline Landman Gay         |     [hidden email]
HyperActive Software           |     http://www.hyperactivesw.com



On February 27, 2018 10:26:48 AM Bob Sneidar via use-livecode
<[hidden email]> wrote:

> I would highly recommend NOT typing ANY current password you are using into
> a web page like this. If no one knew about it before, they sure as hell
> know it now! Whether they avail themselves of it is anyone's guess.
>
> Bob S

Re: Password Checker

J. Landman Gay via use-livecode
Troy is a beast in the security community, so I would not be too worried
about him doing something nefarious.  He is constantly working with white
hats and blue teams to get on top of issues as soon as there is even a peep
on the dark web.

On Tue, Feb 27, 2018 at 12:57 PM, J. Landman Gay via use-livecode <
[hidden email]> wrote:

> I wouldn't type into that web page either. I used Brian's handler that
> uses their API and only sends a few characters of the hash to the database.
> The article explains how it works and includes ways to set up the system on
> your own server if you want. After reading through it I was convinced it
> was a safe check.



--
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."

Re: Password Checker

J. Landman Gay via use-livecode
Right, I wasn't worried about Troy's site. But I read through the
comments and there was a criticism that the site was vulnerable to
malicious intrusions. Because I wasn't using the site itself I didn't
worry. Troy also explained why the criticism wasn't entirely valid, but
the commenter was still fairly vicious about it.

On 2/27/18 12:55 PM, Mike Kerner via use-livecode wrote:

> Troy is a beast in the security community, so I would not be too worried
> about him doing something nefarious.  He is constantly working with white
> hats and blue teams to get on top of issues as soon as there is even a peep
> on the dark web.


--
Jacqueline Landman Gay         |     [hidden email]
HyperActive Software           |     http://www.hyperactivesw.com
