Pwned Credentials is a webapp which allows users to securely search over multiple data breaches to determine if their password has ever been compromised, alongside necessary password strength recommendations. It also provides an exhaustive list of breached websites which includes date of breach, number of breached accounts and breached data. Visit the website at https://pwnedcredentials.herokuapp.com/
It is built over the APIs provided by haveibeenpwned.com. Please refer here for Have I Been Pwned Api documentation.
The pwned password service provided by Have I Been Pwned utilizes k-anonymity which allows external parties to use it and maintain anonymity. The pwned password service only requires first 5 characters of SHA-I password hash and returns a list of SHA-I hashes matching the first 5 characters, thus delegating the responsibility to the client to match the password hash against the list provided by the service. This ensures that the service is not aware about the full password hash and thus cannot use it to generate the raw password. Please refer here for further details with illustrated example.
- Clone this repository on your local machine.
- Make sure python 3.8 or above and pip is installed. Refer here for python installation.
- Create and activate a virtual environment.
- Navigate to project directory and run
pip install -r requirements.txton terminal to install all the project requirements. - Run
export FLASK_APP=pwned_credentials.pyon terminal to set the FLASK_APP environment variable. Usesetinstead ofexporton Windows. - Execute
flask runcommand on terminal to launch the application. - Navigate to http://127.0.0.1:5000/ to visit the website home page.