chaosleak.js
#1


  Simple JavaScript library to check if a user's password was leaked in the past

  For security reasons, the comparison takes place only in the user's browser without sending any data.

  Except for the 6-character SHA-1 hash prefix sent to the Have I Been Pwned API, if enabled

 

Information

You can check a user's password in three modes:

HIBP - uses the haveibeenpwned.com API to check if the password exists in leaked databases


Most Common - 100.000 most common passwords dictionary


Last Chaos


The last mode is a hashed dictionary which contains passwords from Last Chaos databases in the range of 2012-2020 that I had collected.

97.531 passwords from 29 databases in total.

-------------------------------------------

At first I wanted to make it a username/email/password check, but I figured it was too dangerous due to the small community size, even after semi-anonymizing it.

Maybe it would work if I could use the k-anonymity model (checking a partial hash), however I'm not quite sure yet how to do it properly.

Most of the passwords were dehashed and hashed again using MD5.

The main goal is to provide an additional check at the registration stage to avoid account takeovers.

-------------------------------------------

 

Usage


    var settings = {
        'mode': {
            'hibp': true,
            'mostcommon': true,
            'lastchaos': true
        },
        'hibp-api': 'https://api.pwnedpasswords.com/range/', // have i been pwned api url
        'data-dir': './data/' // password dictionaries location
    };

    var test = await chaosleak(settings, "password123");


 


You can test it out at
2 - webpage source available on "gh-pages" branch
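
The partial-hash (k-anonymity) range lookup mentioned in the post above, as an added example that is not part of the original post or of chaosleak.js. All function names and the sample response are constructed for illustration; the range fetcher is passed in so the matching logic can run offline.

```javascript
// Added example, not chaosleak.js code; all function names are hypothetical.

// SHA-1 of a string as upper-case hex, using Web Crypto (browsers, recent Node.js).
async function sha1Hex(text) {
  const bytes = new TextEncoder().encode(text);
  const digest = await globalThis.crypto.subtle.digest('SHA-1', bytes);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Only `prefix` leaves the browser; `suffix` is compared locally.
function splitHash(hashHex, prefixLen = 5) { // the range API takes 5 hex characters
  if (!/^[0-9A-Fa-f]{40}$/.test(hashHex)) throw new Error('expected a SHA-1 hex digest');
  const h = hashHex.toUpperCase();
  return { prefix: h.slice(0, prefixLen), suffix: h.slice(prefixLen) };
}

// Parse a range response ("SUFFIX:COUNT" per line); return the count for suffix, or 0.
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [s, c] = line.trim().split(':');
    if (s && s.toUpperCase() === suffix.toUpperCase()) {
      const n = parseInt(c, 10);
      return Number.isNaN(n) ? 0 : n; // padding entries carry a count of 0
    }
  }
  return 0;
}

// fetchRange(prefix) -> Promise<string>; injected so the check can be tested offline.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(await fetchRange(prefix), suffix);
}

// In a browser, fetchRange would request the 'hibp-api' URL from the settings above.
const hibpFetchRange = prefix =>
  fetch('https://api.pwnedpasswords.com/range/' + prefix).then(r => {
    if (!r.ok) throw new Error('range request failed: ' + r.status);
    return r.text();
  });

// Constructed sample response for prefix 5BAA6 (suffixes and counts are made up,
// except the middle suffix, which belongs to SHA-1("password")).
const SAMPLE_RANGE = [
  '1D72CD07550416C216D8AD296BF5C0AE8E0:10',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0',
].join('\r\n');
```

A non-zero result from `checkPassword(pw, hibpFetchRange)` means the password appears in the breach set and should be rejected at registration.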
#2

Lovely. thanks

#3

Really nice work! I was looking to do something like that, but I didn't have many psw from LC! Hope many admins will add other hashes 


