Another day, another data breach. This is kind of commonplace if you follow anything in the infosec world when it comes to technology: there is a constant stream of these companies that didn't secure data properly, and it gets out there, and your passwords along with it, or whatever other information they may have about you. Well, this is another day, and here's 773 million reasons you should keep a good, strong, unique password for everything. Now, many of you listeners probably already do, and that's fine. It's important to use a password manager, because the human mind (well, with a few exceptions; I've seen people that can do this) doesn't really do well at creating high-entropy passwords that are unique across hundreds of sites, so I highly recommend using a password manager. But what we're here to talk about is: has your password been used before? Has it been pwned? Not everyone knows about this service, or maybe you don't understand it very well, but this is the Pwned Passwords checker that Troy Hunt keeps. He started with a database of all the email addresses on here, and then he's moved on and created this Pwned Passwords. What it is: if you type in a password (I'm gonna use the word "password"; whoops, p-a-s-s-w-o-r-d), how many times has the word "password" been used? 3,645,804 times, according to the databases that Troy Hunt has collected on this website and put together. So what this is is a way to check if your password has been used before, and especially if you're using high-entropy, very unique passwords.
It should not have been used before, or if it has, well, you know where it was used, and you can start understanding the breach, or that you really, really should change your password if your password shows up here at all, or a password you plan on using. Because just because it hasn't been pwned doesn't make it a good password, but if it's been pwned before, it's out in the wild and being used. So you may have some really unique thing you came up with, or you don't, and this will let you know that someone else came up with that same combination of letters and numbers and things like that before. But maybe you're going, "I'm nervous, Tom, I don't want to put my password in just some guy's website for it to be checked." Not a problem. First, he's not taking your whole password, but you don't have to take me for it. We're gonna walk through the steps of how to actually test this and how it works from the back-end side, because he developed an entire API, and I'll give you the links to the scripts I use for this. But it's pretty straightforward: you just go ahead and pull some parameters right from an API, and this is all done in open source and clear text, but it's real. It's gonna be pretty easy to follow. First, we're gonna go over here to GitHub, and I'll leave a link to this below in the description, to grab this person's script, which is "my password pwned". It's a really simple script; that's why I like this one. There are other ones out there; pick whichever one works for you. This one's just easy to step through for this demonstration. All right, I'm gonna go ahead and copy this, so we're gonna clone, and go over here. I've just got a command line with Debian, nothing big. I do have git installed, so we're gonna do git clone. Oops. Paste that link in. All right. All right, let's walk through what the script does. You'll see it's pwnedpass.sh, so it's a single bash script.
So start here at the beginning; we'll just walk you through real quick. It's gonna go ahead and get to the important parts right here. It's gonna grab whatever input you put, so whatever you put in as your password when it asks you, it's gonna go ahead and pipe that through OpenSSL and get a SHA-1, and what the SHA-1 is is a hash of your password, not your password. I'll show you how the hash is working in just a second here. Then we're gonna take the password, and we only need the first five characters of that password, so we need the prefix. So here's the hash prefix, here's the hash suffix. It's just gonna dump it back out on the screen, and then here is where we're only sending that first five characters of a SHA-1. Then we'll understand in a second here, if you haven't seen a SHA-1, that this is one that you create a hash of a password. This is a way to identify uniqueness without revealing the full password, because SHA-1s are very, very difficult, if ever, to reverse engineer. So if I gave you a SHA-1 of my password, it would be very, very difficult to reverse engineer what it was, but you don't really want to give it all out there, because you never want to give anyone even the chance to reverse engineer it. So with this here, what the script does is gonna go "is it pwned", range, hash prefix, pull that first piece of the SHA-1, and it's gonna echo a response, and then it's going to go ahead and, what this does is, sort and do a count of how many times it's been pwned. So we'll run it first from the command line, then we'll see what the script does to make it look even nicer.
All right, we're gonna use the same password again, just "password". So we echo "password", pipe it, and we're gonna go through openssl sha1, and there's the SHA-1 of this. Now, if we change this password to put the word "one" in front of it, you get a substantially different SHA-1. If we put a "1" after it instead, we get a completely different SHA-1: "password1" now. Just so you kind of get an idea of how this works, the length never changes. So even if I tried some more complicated password, "some more bird", and we'll add some fun characters to it, see, the SHA-1 never changes the length. But the first five digits are going to be unique, unique enough that we can determine whether or not this was used. So if we go over here and we go to where we use a curl command like they did, we're gonna use the API to make a determination. We're gonna use the first one, the "password" hash. We type in the API address, then we put "range", then all we need is those first five characters, so one, two, three, four, five, and it's giving us a count of all the databases that have that in there. Well, let's actually run the script manually and show you how that works. We're gonna go ahead and type in "password", and we get that same number we got on there: 3,645,804 times, just like when we typed in the word "password" here. So if we add a one, so we type "password1" this time, we get 2,401,761. So we're gonna go ahead and run the script again, and you get the same thing. So now you can see, just by sending this hash prefix, there's enough uniqueness in your passwords that you can do this. Now this is a fun script you can do to see if your password has been pwned, and you know, you can type different things in, so I'll make something high-entropy up.
I'm gonna go ahead and use LastPass, my favorite password manager. So we're gonna go ahead and go here, we're gonna hit generate password. That looks unique enough. Have I Been Pwned, paste that in. Yay, used zero times. Now, just because this is used zero times doesn't mean it's a great password; that one feels pretty good. This is what I actually pasted in. But you get the idea that you can see if your password is used somewhere. So if you're nervous, or you think someone has your password and you think it might be in the database there, it's worth checking. I think this is pretty cool as a tool. There are actually a lot of people, and I haven't tested all of them, but Troy has listed on the API page just tons of companies that have built all kinds of different plugins for different things to check this, so as people are putting passwords in, you can check it against there. I think there's even a WordPress plugin for this, which I thought was kind of cool. There's a KeePass one, so you can take, you're just sending out those hashes, and send it to HIBP, KeePass, and say, all right, were any of these passwords used, and things like that. So this is kind of a neat tool, and obviously Troy is keeping up with the database as best he can. It doesn't mean, because you didn't find it, it isn't breached, but hey, it's one more way: if you do find it, it's been breached, so at least that is good information. It's one more layer of security, one more thing to check, and kind of novel to play with it here. I'll leave links to all these scripts and of course this website. So I found it interesting;
I thought you would too. Thanks, thanks for watching. If you enjoyed this video, go ahead and hit the thumbs up. If you want to see more content from my channel, go ahead and hit subscribe and the bell icon, and hopefully YouTube will send you a notice. If you're interested in contracting Lawrence Systems for any type of IT services work or consulting work, go ahead and head over to lawrencesystems.com and fill out our contact form to get in touch with us. If you would like to help the channel out in other ways, you can use our affiliate links below in the description, or we have a link directly to our Lawrence Systems page. We have a list of different affiliate offers, and it's very appreciated if you use any of those for signing up for any of the services, and many of them offer you discounts. If you want to head over to our forums, there'll be a link in the description for our forums, wherever they may be, because we've been looking at different forum platforms, but they'll always be relevantly linked right there. All right, once again, thanks. Leave some feedback and comments below on this video, if you loved it, if you hated it. I try to reply to everyone, the people who hate and the people who love them. So thank you very much, and see you next time.
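The k-anonymity lookup the video walks through (SHA-1 the password, send only the 5-character prefix to the range endpoint, match the 35-character suffix locally), as an added shell example that is not the script cloned in the video. It assumes `sha1sum` or `openssl` and `curl` are installed; `SAMPLE_RANGE` is a constructed range response so the suffix matching can be exercised offline, with only the "password" line carrying the count quoted in the video.

```shell
#!/usr/bin/env bash
# Added example, not the script cloned in the video: the same k-anonymity
# lookup, split into functions so each step can be checked on its own.
set -eu

# Uppercase hex SHA-1 of the password. Use printf, not echo: echo appends a
# newline, so you would hash "password\n" rather than the string you typed.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | awk '{print toupper($1)}'
    else
        printf '%s' "$1" | openssl sha1 | awk '{print toupper($NF)}'
    fi
}

# The 5-character prefix is the only thing sent to the API ...
hash_prefix() { printf '%s' "$1" | cut -c1-5; }
# ... and the remaining 35 characters stay on this machine.
hash_suffix() { printf '%s' "$1" | cut -c6-; }

# Read a range response (SUFFIX:COUNT per line) on stdin and print the count
# for our suffix, or 0 when it is absent. The API sends CRLF line endings;
# the stray \r would otherwise make the count field compare unequal.
count_in_range() {
    tr -d '\r' | awk -F: -v s="$1" '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}

# Live check against the endpoint used in the video: only the prefix
# crosses the wire, the suffix match happens locally.
check_pwned() {
    local h
    h="$(sha1_hex "$1")"
    curl -fsS "https://api.pwnedpasswords.com/range/$(hash_prefix "$h")" \
        | count_in_range "$(hash_suffix "$h")"
}

# Constructed sample of a range response for prefix 5BAA6 (not real API
# output); only the "password" line carries the count quoted in the video.
SAMPLE_RANGE="$(printf '%s\r\n' \
    '0000000000000000000000000000000ABCD:3' \
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804' \
    '0000000000000000000000000000000EF01:1')"

# Offline demonstration with the constructed sample; prints 3645804.
h="$(sha1_hex password)"
printf '%s\n' "$SAMPLE_RANGE" | count_in_range "$(hash_suffix "$h")"
```

Run `check_pwned 'your candidate'` for the live lookup; a count of 0 only means the password is not in the corpus, not that it is strong.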