{"id":21853262,"url":"https://github.com/rmbolger/pwnedpasscheck","last_synced_at":"2025-07-04T12:05:20.519Z","repository":{"id":148634728,"uuid":"201722407","full_name":"rmbolger/PwnedPassCheck","owner":"rmbolger","description":"Check passwords and hashes against the haveibeenpwned.com Pwned Passwords API using PowerShell","archived":false,"fork":false,"pushed_at":"2023-02-15T06:50:51.000Z","size":63,"stargazers_count":17,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-28T05:13:37.986Z","etag":null,"topics":["haveibeenpwned","hibp","infosec","powershell","powershell-module","security"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rmbolger.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-11T05:35:38.000Z","updated_at":"2024-07-23T17:28:44.000Z","dependencies_parsed_at":"2023-03-30T07:05:12.142Z","dependency_job_id":null,"html_url":"https://github.com/rmbolger/PwnedPassCheck","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmbolger%2FPwnedPassCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmbolger%2FPwnedPassCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmbolger%2FPwnedPassCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmbolger%2FPwnedPassCheck/manife
sts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rmbolger","download_url":"https://codeload.github.com/rmbolger/PwnedPassCheck/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248917121,"owners_count":21182929,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["haveibeenpwned","hibp","infosec","powershell","powershell-module","security"],"created_at":"2024-11-28T01:21:20.741Z","updated_at":"2025-04-14T16:34:56.859Z","avatar_url":"https://github.com/rmbolger.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PwnedPassCheck\n\nCheck passwords and hashes against the [haveibeenpwned.com](https://haveibeenpwned.com) [Pwned Passwords API](https://haveibeenpwned.com/API/v3#PwnedPasswords) using PowerShell. Also supports third party equivalent APIs.\n\n# Background\n\nThe Pwned Passwords portion of Troy Hunt's [Have I Been Pwned](https://haveibeenpwned.com) site is a collection of over half a billion passwords compiled from various data breaches over the years. It's both downloadable and searchable via a free API. This module makes it easy to check existing passwords or hashes against the API to see whether they've been compromised and how many times they've been seen in breaches.\n\nThe beauty of the API design is that it implements a [k-Anonymity](https://new.blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/) model which ensures that neither your password nor full hash is ever sent to the API server. 
Only the first 5 characters of the hash are sent and the server returns a list of compromised hashes starting with that prefix. The client then compares the returned list against the full hash locally to see if it was compromised.\n\n**TO REITERATE:** All passwords are hashed locally and only the first 5 characters of a hash are sent to the API which makes it impossible for API server owners to know, log, or crack your password hashes.\n\n# Install\n\n## Release\n\nThe [latest release version](https://www.powershellgallery.com/packages/PwnedPassCheck) can be found in the PowerShell Gallery or the [GitHub releases page](https://github.com/rmbolger/PwnedPassCheck/releases). Installing from the gallery is easiest using `Install-Module` from the PowerShellGet module. See [Installing PowerShellGet](https://docs.microsoft.com/en-us/powershell/gallery/installing-psget) if you don't already have it installed.\n\n```powershell\n# install for all users (requires elevated privs)\nInstall-Module -Name PwnedPassCheck -Scope AllUsers\n\n# install for current user\nInstall-Module -Name PwnedPassCheck -Scope CurrentUser\n```\n\n## Development\n\nTo install the latest *development* version from the git main branch, use the following command.\n\n```powershell\n# (optional) set less restrictive execution policy\nSet-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force\n\n# install latest dev version\niex (irm https://raw.githubusercontent.com/rmbolger/PwnedPassCheck/main/instdev.ps1)\n```\n\n\n# Quick Start\n\nThe easiest function to start with is `Get-PwnedPassword`. 
You can supply a plaintext password to it as either a String, SecureString, or PSCredential object.\n\n```powershell\n# Using a regular string like this is super easy, but not recommended for\n# real passwords because it can be saved in your command history\nGet-PwnedPassword 'password'\n\n# Instead, use Read-Host to interactively collect the password as a SecureString\n$secPass = Read-Host -AsSecureString -Prompt 'Enter Password'\nGet-PwnedPassword $secPass\n\n# You can do the same thing with a PSCredential (Username is ignored)\n$credential = Get-Credential\nGet-PwnedPassword $credential\n```\n\nThe output should look like this where `Hash` is the hash of the password that was checked and `SeenCount` is the number of times that hash was seen in data breaches. If the number is zero, that means the hash has never been seen in a data breach.\n\n```\nHash                                     SeenCount\n----                                     ---------\n5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8   3861493\n```\n\nIf you want to bulk test passwords, just pass them all in via the pipeline like this.\n\n```powershell\n'password',$secPass,$credential | Get-PwnedPassword\n```\n\nIf you have existing hashes to check, you can use `Get-PwnedHash`. However, the official API only supports SHA1 hashes.\n\n```powershell\n$hash = '70CCD9007338D6D81DD3B6271621B9CF9A97EA00' # SHA1 hash of \"Password1\"\nGet-PwnedHash $hash\n```\n\n`Test-PwnedPassword`, `Test-PwnedHash`, and `Test-PwnedHashBytes` also exist which are similar to their `Get-Pwned*` equivalents except they return a True/False result instead of the more detailed Hash/SeenCount data. True indicates the password/hash was seen in at least one breach. Otherwise, False.\n\nBecause the Pwned Password data is freely downloadable, it's possible to set up your own local copy of the API or use one hosted by a third party. 
Use the `ApiRoot` parameter to override the default API URL you test against.\n\n```powershell\nGet-PwnedPassword 'password' -ApiRoot 'https://pwnpass.example.com/range/'\n```\n\nIn addition to the SHA1 hashed copy of the data, an NTLM hashed copy is available. This can be incredibly useful for auditing passwords in an Active Directory environment. If you are testing against an NTLM version of the API, use the `HashType` parameter to make sure the function calculates the correct hash value.\n\n```powershell\nGet-PwnedPassword 'password' -HashType 'NTLM' -ApiRoot 'https://pwnntlm.example.com/range/'\n```\n\n\n# Requirements and Platform Support\n\n* Supports Windows PowerShell 3.0 or later (a.k.a. Desktop edition).\n* Supports [PowerShell Core](https://github.com/PowerShell/PowerShell) 6.0 or later (a.k.a. Core edition) on all supported OS platforms.\n\n# Changelog\n\nSee [CHANGELOG.md](/CHANGELOG.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frmbolger%2Fpwnedpasscheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frmbolger%2Fpwnedpasscheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frmbolger%2Fpwnedpasscheck/lists"}