Niko Heikkilä

Check Your Passwords for Pwnage - The Pythonic Way

We software developers rarely practise enough. So, as practice, I decided to roll out my first public Python package a few days ago. It's called pwnedapi, and it helps you find out whether your passwords have turned up in a known breach.

For those not familiar with Troy Hunt's Have I Been Pwned API: in brief, it's a REST service for checking whether your user data has been compromised in one or more of the security breaches the service continuously tracks. For the simplest use case, enter your email address on their homepage to see if it has been pwned.

All right, back to the nest of Python. The package (version 0.3.0) I created has two main features.

a) Check whether a single password has been pwned, using the API's version 2 range search and its k-Anonymity model, where only the first five hex characters of the password's SHA-1 hash are sent to the service and the rest of the match happens on your machine:

>>> from pwnedapi import Password
>>> password = Password("mysupersecretpassword")
>>>
>>> if password.is_pwned():
...     print(f"Your password has been pwned {password.pwned_count} times.")
...
Your password has been pwned 2 times.
>>>

b) Scan a list of passwords and report their leak counts in any format supported by Kenneth Reitz's ingenious tablib library:

>>> from pwnedapi import Scanner
>>> scanner = Scanner()
>>> scanner.scan("passwords.txt")
>>> scanner.export_as("leaked.json")
>>> open("leaked.json").read()
'[{"Password": "dog", "Leak Count": 28348}, {"Password": "cat", "Leak Count": 26354}, {"Password": "somepass", "Leak Count": 657}]'
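To show what the range search in (a) and the scanner in (b) actually do, here is an added example. It is not code from pwnedapi and not the author's code; the function names, the "breach corpus" and every count in it are made up for the example. The password is hashed with SHA-1, only the first five hex characters of the digest would be sent to the service, and the remaining 35 are compared locally against the "SUFFIX:COUNT" lines that come back. The real endpoint is https://api.pwnedpasswords.com/range/{prefix}; to keep the example offline it is answered by a constructed stand-in instead, and the HTTP function is included only to show the shape of the real call.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Real endpoint of the HIBP range search (API v2). Not contacted by this
# example; see http_fetch_range() below for how it would be called.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed "breach corpus" standing in for the service's database.
# The passwords and the counts are made up for this example.
FAKE_BREACH_COUNTS: Dict[str, int] = {
    "password": 3_730_471,
    "dog": 28_348,
    "cat": 26_354,
    "somepass": 657,
}


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_ranges(corpus: Dict[str, int]) -> Dict[str, str]:
    """Group the corpus by 5-char hash prefix into the 'SUFFIX:COUNT' lines a range response holds."""
    ranges: Dict[str, List[str]] = defaultdict(list)
    for leaked, count in corpus.items():
        digest = sha1_hex(leaked)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges(FAKE_BREACH_COUNTS)


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}; an unknown prefix yields an empty body here."""
    return FAKE_RANGES.get(prefix, "")


def http_fetch_range(prefix: str) -> str:
    """The real call (assumed shape; kept out of the default path so the example runs offline)."""
    from urllib.request import Request, urlopen

    req = Request(RANGE_URL.format(prefix=prefix), headers={"User-Agent": "pwnedapi-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """k-Anonymity range search: only the first 5 hex chars of the SHA-1 leave the client;
    the remaining 35 chars are compared locally against every suffix in the response."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0  # suffix absent from the range: not seen in any tracked breach


def is_pwned(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    return pwned_count(password, fetch_range) > 0


def scan(passwords: Iterable[str], fetch_range: Callable[[str], str] = fake_fetch_range) -> List[Dict[str, object]]:
    """Scanner-style report: one row per password, most-leaked first.
    The rows carry the plaintext passwords, so any export of them is as sensitive as the input."""
    rows = [{"Password": pw, "Leak Count": pwned_count(pw, fetch_range)} for pw in passwords]
    return sorted(rows, key=lambda row: row["Leak Count"], reverse=True)


if __name__ == "__main__":
    # Constructed input list; "zzz-unique-2f9a" is meant not to appear in the fake corpus.
    for row in scan(["dog", "cat", "somepass", "zzz-unique-2f9a"]):
        print(f'{row["Password"]:16} {row["Leak Count"]}')
```

Swap fake_fetch_range for http_fetch_range to query the real service. Note that the scan rows, like leaked.json above, contain the plaintext passwords next to their counts, so an exported report deserves the same handling as the password file you fed in.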

The implementation was inspired by Phil Nash's Ruby implementation covered in this excellent post.

It's easy to use the package as a library in your own code or to build, for example, a CLI tool for system administration with it; as a matter of fact, I created one at work.

As noted in the package README and at the beginning of this post, it is my first public package. Pull requests and feedback are warmly welcome.

Download it or fork it.

Top comments (3)

Phil Nash

This is awesome! Congratulations for releasing your first public package and for making it a really useful one!

I'm pleased that I was able to inspire the implementation too.

Let's spread the word of better passwords for all!

Niko Heikkilä

Thanks Phil! Yes, it was not too hard to implement similar logic with Python, as its syntax and structure are quite close to those of Ruby. Getting the package to PyPI was an interesting adventure, too. :muscle:

Phil Nash

You'll have to write up the process of publishing to PyPI too then! I bet that would be useful for others trying to do it for the first time.