
The HIBP database really should be open to the world, with the email being redacted.

I would love to grep the list of 25m passwords to see if any of mine are in there.

I don't particularly want to send my details to HIBP to check if I have been compromised.



It's easy to check through their verification service if your passwords have been compromised.

Hash your password locally

    $ echo -n fredflinstone | shasum
    95e47d937e105fa1cc84bfa476b10f091304c090  - 
Then take the first five characters of the hash and invoke the API

    $ curl https://api.pwnedpasswords.com/range/95e47
    ...
    D8F3BA8D3952AA8917C78295EE1122F675C:17
    D910D224A8450006478ED28D2CE2D005343:10
    D91C102088F1D91469B803235DB60903259:874
    D937E105FA1CC84BFA476B10F091304C090:290
    D96BF2796784C142392D8B46AEF68B991D0:4
    D98009835A90E46EFFD43AC3E5C6BD1C14B:5
And there we have it -- my password is compromised (the suffix D937...)

Easy enough to script this up with minimal information leakage. All you're sending is 20 bits; that's not enough to do anything malicious even if your password is compromised.

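A scripted version of the check described in the comment above, added here as an example (it is not code from the comment or from HIBP). The endpoint and the 5-hex-character prefix / 35-character suffix split are as the comment describes; the `Add-Padding` request header is a documented HIBP option that pads every response to a similar size. `constructed_fetch`, its sample response lines and the User-Agent string are made up so the logic can be run offline.

```python
from __future__ import annotations

import getpass
import hashlib
import urllib.request

# Real endpoint, as shown in the thread (the five hex chars of the prefix are appended).
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the API returns suffixes in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """The 5-char (20-bit) prefix is all that goes over the wire; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries arrive with count 0 and so never read as pwned."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Real lookup of one range. Add-Padding keeps response sizes uniform for a network observer."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={
            "User-Agent": "hibp-range-check-example",  # arbitrary identifier, an assumption
            "Add-Padding": "true",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means its suffix is absent from the range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range (constructed data, not a real API response).

    It contains the suffix of the thread's example password with the count the thread
    shows, a few decoy suffixes, and one padding-style entry with count 0.
    """
    _, example_suffix = split_hash(sha1_hex("fredflinstone"))
    lines = [
        "0" * 35 + ":17",          # constructed decoy
        "F" * 35 + ":4",           # constructed decoy
        f"{example_suffix}:290",   # the suffix we expect to match
        "A" * 35 + ":0",           # what a padding entry looks like
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # getpass does not echo and, unlike typing the password on a command line,
    # leaves nothing in the shell history (the concern raised later in the thread).
    pw = getpass.getpass("Password to check: ")
    n = pwned_count(pw)
    print(f"seen {n} times in the corpus" if n else "not found in the corpus")
```

Run it as a script for a live check, or pass `constructed_fetch` to `pwned_count` to exercise the parsing without network access. Only the prefix ever leaves the machine, so an observer of the request learns at most which 1-in-2^20 bucket the hash is in.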

add two spaces right before the echo to avoid logging your secrets in the shell history


Or better, just do a `(read -s asdf; echo -n $asdf | shasum)` to create a temporary subshell and never even expose your password in the shell output.


will create interesting errors with certain characters


One space is sufficient in bash, if memory serves right.

And secondly, on macOS with the default config for zsh no amount of spaces will help, I think. You have to first configure zsh to ignore from history when starting with space. And after that I think one space will be enough.


That functionality in bash is controlled by the HISTCONTROL environment variable. On many systems this defaults to "ignorespace", but this isn't always the case.

On Fedora, with bash, HISTCONTROL defaults to "ignoredups" and is set by /etc/profile (unless it's changed in the last few years).

Usually you can set/unset the shell option "history". For instance, "set +o history" to disable history in the current shell and "set -o history" to turn it back on.

Edit: Looks like on Ubuntu HISTCONTROL=ignoreboth comes from .bashrc in /etc/skel/


thanks for the context


    % head -1 | tr -d \\n | shasum
Type your username and press the RETURN key.


This could be baked into BitWarden to be honest. Or is it already? Yeah it seems it's there already https://github.com/bitwarden/clients/issues/523


Prefix not suffix


They have a downloader for the hashed password list: https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader


Why does this need to be an app? Why not just release the hashes?


The hashes are split into a million (2^20) files based on the first 20 bits (5 hex characters) of the hash. The downloader is just a convenient way to download them all.

The urls are https://api.pwnedpasswords.com/range/00000 to .../FFFFF, downloadable via any http client.


Thanks, TIL! Bet JDownloader can make quick work of that as well


You can just host it yourself: https://github.com/radekg/hibp.


Any ideas what the final size on disk would be after downloading?


It is 37 GB (I downloaded it yesterday).


Is it 37 GB with these new 1/3rd of previously unknown password hashes added?

So basically: did that DB grow from about 27 GB to 37 GB in the last few days?


Obligatory H2:

Can you see if my passwd is in there ***?*


Looks like hunter2 to me


Asking for a friend


It's a .NET application, so may be Windows only. :/


.NET 6+ is cross platform.


Isn't that just specific parts, rather than the whole thing?


The core of the .NET runtime is cross-platform.

You do have the option to use platform-specific APIs or frameworks, which will make your app only work on that platform.

In the case of this app, it doesn't use anything platform-specific, so it could run on Windows, Linux and macOS.


You can download the password hashes.

https://haveibeenpwned.com/Passwords


As mentioned in the article, the database has been uploaded with emails redacted to Troy's Pwned Password search on haveibeenpwned.


They should offer a small Bloom filter for download.



