For a while now ';--have i been pwned? has been providing two services. One more known is informing people of data breaches. One slightly less known is their API. My personal favorite are their password search interface. So, I was really sad to see when Troy started charging for it.
While I understand Troy's reasons, I used this API in freeware application. And yes, I could "swallow" $3.50 this service cost but I wasn't willing to. My freeware hobby is already costing me enough. :)
Fortunately, Troy is allowing download of password hashes so one could easily make API on their own server. So, over a weekend I did. In my OwnPwned GitHub repository there's everything you might need to create your own verification service. But there are some differences.
First of all, this is not a substitution for ';--have i been pwned? API as due to dependency on the data from it, it will ALWAYS be one step behind. Also, I haven't implemented full API as I only needed the password verification portion. Even for password verification portion, I trimmed all extra data (e.g. password breach count) and focused only on passwords themselves.
To make use of the project, you first need to download the latest password dump (ordered by hash). Once you unpack that file, you would use PwnedRepack to convert this to a binary file. I found this step necessary for both speed (as you can use binary search) and for size (as it brought 25 GB file to slightly more manageable but still huge 12 GB).
With file in hand, there are two ways to search data. The first one would be PwnedServe application that will simply expose interface on localhost. Second way forward it serving PwnedPhp on Apache server. Either way, you can do k-anonymity search over a range using the first 5 hexadecimal characters of password's SHA-1 hash.
Something like this /range/12345/.
And yes, code is not optimized and probably will never be due to the lack of free time on my side. But it does solve my issue. Your mileage may vary.
PS: Please note, Tray Hunt has opensourced some elements of HIBP with more to come. If you need fully-featured interface that's probably what you should keep eye on.
4 thoughts to “Own Pwned”
In the documentation it is stated that the api key is only needed for retrieving breaches not for the passwords API. Did I miss something?
You are correct.
Albeit passwords API does require throttling so having your own is still beneficial.
Correct just wanted to make sure I didn’t overlook something in my project
No, you’re good. :)
I overlooked it originally since my project also used breaches.