We know that we need to keep our credentials secure. We know that we should not re-use our passwords across different services. Hopefully, by now, most readers of this blog are aware of Troy Hunts excellent free service https://haveibeenpwned.com/ which will notify you if your email has been found in a breach. If not, go and sign up now.

Recently Troy announced on his blog

This blog post introduces a new service I call “Pwned Passwords”, gives you guidance on how to use it and ultimately, provides you with 306 million passwords you can download for free and use to protect your own systems.

So I thought I would write a quick PowerShell script to make use of it and place it on the PowerShell Gallery

You can install it using

Install-Script -Name Get-PwnedPassword

You will be asked if you want to add ‘C:\Program Files\WindowsPowerShell\Scripts’ to your PATH environment variable if this is the first script you have installed

Then load it into your session with a period and a space.

. Get-PwnedPassword.ps1

and check some old passwords. Take notice of the screen shot below in which Troy states that you should not send your password currently in use to any third party sites including this one.

Get-PwnedPassword

There was a game on Twitter which involved finding ‘interesting’ passwords that people have used! Search for it, it’s nsfw by the way!

UPDATE

After posting this Jos made a comment

Nice feature! Then maybe add some Read-Host -AsSecureString https://t.co/Ivi3JonPL8

— Jos Koelewijn (@Jawz_84) August 9, 2017

and Mathias added

Not so much for in-memory protection, but for shielding against shoulder-surfers

— Mathias Jessen (@IISResetMe) August 9, 2017

Which is a good point. You don’t want you co-workers or friends seeing your Passwords over the shoulder. So I have updated the script to prompt for a Password and convert it to secure string and added a hash parameter as the API also allows you to pass the SHA1 hash of a password.

Which is a bit better I think. Thank you guys.

UPDATE 2 – This actually broke the script meaning that every password came back as pwned as I was not decoding the securestring correctly. I have fixed this with version 1.2 which you can get if you have already installed the script by running

Update-Script Get-PwnedPassword

Thanks to Henkie and Russell for letting me know

There is also a good use case for us technical folk to assist our none-technical friends with their password usage. You can visit this page

https://haveibeenpwned.com/Passwords

and get them to put their old password in the box (look at the screenshot for advice on current passwords) and see if their password has been used in a breach or not and use this as a means to have a discussion about password managers