This tool provides a very basic API on top of Have I Been Pwned's API. The full API specification is availble here to allow you to check to see if a given account and/or password has been compromised. Note you should not use this applicaiton. It is untested, likely insecure, and in no case should be relied upon for your security.
This tool was created to adhere to the specific requirements for a take-home development evaluation. The requirements as given were:
- Create a client for this API https://haveibeenpwned.com/API/v2
- Terminal client, GUI, web, etc
- Add as much functionality as you would like
- Add some documentation on how we can use it
- (Required) Push your project to github
- (Required) Try not to use external open source tools/libraries other than basic HTTP clients, the less the better
Due to time constraints this application implements only a very small part of the overall API, with a rudimentary command line interface.
This application is built using stack. To build the application install stack as per the documentation, and then run:
user@host$ stack build
You can execute the application from within the source directory with
stack exec
:
user@host$ stack exec pwnchk -- <account|password> [args]
The application is modal, with the first positional argument determining the
mode, and subsequent arguments being passed along to the mode. A full list of
the modes and their arguments are available by using the help
mode or, in any
mode, passing in the --help
flag:
user@host$ stack exec pwnchk -- help
user@host$ stack exec pwnchk -- account --help
user@host$ stack exec pwnchk -- password --help
user@host$ stack exec pwnchk -- account [options] <account>
The account mode will display a list of breaches that an account was involved in. By default only the names of breaches are provided, but you may provide.
--verbose
will display additional information about the account breaches--include-unverified
will display unverified breaches in addition to verified breaches.
user@host$ stack exec pwnchk -- password [options]
The password mode will let you know if a given password has been compromised.
By default the application will prompt you to enter the password from the
command line. You may pass the password in using the --hash
or
--unsafe-password
flag, but note that both of these modes are less secure than
the default mode of operation.
--hash=<sha1>
do not prompt for the password, instead use the password hash provided. Note that while this is safer than--unsafe-password
the password hash may still be vulnerable to compromise, so this option is less secure than the standard mode.--unsafe-password=<password>
use the provided plaintext password. Note: this is unsafe for several reasons. Do not use this option for any passwords that you are actively using.