Check Your Passwords for Pwnage - The Pythonic Way

We humans rarely practice enough as software developers. Therefore, as a practice I decided to roll out my first public Python package few days ago. It's called pwnedapi and it helps you stay aware of your passwords.

For those who are not familiar with Troy Hunt's Have I Been Pwned API it's, in brief, a wonderful REST service for searching if your user data has been compromised in one or more security breaches which the service is continuously tracking. For the most simplistic use case, go ahead and input your email address on their homepage to see if it has been pwned.

All right, back to the nest of Python then. The package (version 0.3.0) I created has two main implementations.

a) Check if a single password was pwned using the API version 2 range search and the k-Anonymity model:

>>> from pwnedapi import Password
>>> password = Password("mysupersecretpassword")
>>>
>>> if password.is_pwned():
...     print(f"Your password has been pwned {password.pwned_count} times.")
...
Your password has been pwned 2 times.
>>>

b) Scan a list of passwords and report their leak counts in any format provided by Kenneth Reitz's ingenious tablib library:

>>> from pwnedapi import Scanner
>>> scanner = Scanner()
>>> scanner.scan("passwords.txt")
>>> scanner.export_as("leaked.json")
>>> open("leaked.json").read()
'[{"Password": "dog", "Leak Count": 28348}, {"Password": "cat", "Leak Count": 26354}, {"Password": "somepass", "Leak Count": 657}]'

The implementation was inspired by Phil Nash's Ruby implementation covered in this excellent post.

Better passwords in Ruby applications with the Pwned Passwords API

Phil Nash ・ Apr 4 '18 ・ 6 min read

#ruby #rails #passwords #security

It's easy to use the package for standard library needs or create, for example, a CLI tool for system administration with it – as a matter of fact, I created one at work.

As noted in the package README and at the beginning of this post, it is my first public package. Pull requests and feedback are warmly welcome.

Download it or fork it.

Comments

[Phil Nash]

This is awesome! Congratulations for releasing your first public package and for making it a really useful one!

I'm pleased that I was able to inspire the implementation too.

Let's spread the word of better passwords for all!

[Niko Heikkilä]

Thanks Phil! Yes, it was not too hard to implement similar logic with Python as its syntax and structure are quite close to those of Ruby. Getting package to PyPI was an interesting adventure, too. :muscle:

[Phil Nash]

You'll have to write up the process of publishing to PyPi too then! I bet that would be useful for others trying to do it for the first time.