Troy Hunt has published the hashes of 306,000,000 passwords that have been breached, and exposed them as a web service.
https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
Awesome!
This lets you tell a user if a given password has appeared in a breach. You send the service a SHA-1 hash of the password, and Troy’s web service responds with whether that hash has appeared in a breach.
Why is that useful? You can proactively inform users if their password has been breached (and recorded in haveibeenpwned) at either registration or login. You may want to block users from using that password, or you could just warn them.
Example code to make use of this follows. Note that the API is rate limited to 1 call every 1500ms. I would imagine running this check on login and registration, but only periodically; the idea being to gradually wean users off using breached passwords. Perhaps something like ‘once in every 10 logins, make this check’.
You can’t just check after password changes, as obviously more breached passwords are appearing all the time.
```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;

private static string _awesomeTroyUrl = "https://haveibeenpwned.com/api/v2/pwnedpassword/";

// Returns true if the password's SHA-1 hash is known to the service,
// false if it is not, and null if the check could not be completed.
public static bool? IsPwned(string password)
{
    byte[] hash = (new SHA1Managed()).ComputeHash(Encoding.UTF8.GetBytes(password));
    string passwordHash = string.Join("", hash.Select(b => b.ToString("x2")).ToArray());
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(_awesomeTroyUrl + passwordHash);
    req.UserAgent = "Your User Agent Description Here";
    HttpStatusCode code = HttpStatusCode.NotImplemented;
    try
    {
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        {
            code = resp.StatusCode;
        }
    }
    catch (WebException wex)
    {
        // A 404 arrives as a WebException with a response attached; a DNS or
        // connection failure has no response at all, so guard against null.
        var errResp = wex.Response as HttpWebResponse;
        if (errResp == null)
        {
            return null;
        }
        using (errResp)
        {
            code = errResp.StatusCode;
        }
    }
    if (code == HttpStatusCode.OK)
    {
        return true;  // Yup, it's breached.
    }
    else if (code == HttpStatusCode.NotFound)
    {
        return false; // Nope, it's ok.
    }
    else
    {
        return null;  // Rate limited or other error: unknown.
    }
}
```
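The same check in Python, as an added example rather than the post's own C# code, with the pieces the post talks around made explicit: the SHA-1 hex the service expects, the 200 = breached / 404 = not seen mapping, a client-side throttle using the 1500ms interval the post quotes, and a deterministic "once in every N logins" sampler. The HTTP call is injected (`fetch`) so the logic runs offline; `http_status` is an assumed real implementation using the standard library, and the per-user offset in `should_check` is my own design choice so that users do not all hit the API on the same login number. Note that, as in the post's code, the full SHA-1 of the password is sent to the third-party service, so this is only appropriate where that trust is acceptable.

```python
import hashlib
import time
import urllib.error
import urllib.request
from typing import Callable, Optional

# Endpoint from the post; the hex SHA-1 of the password is appended to it.
PWNED_URL = "https://haveibeenpwned.com/api/v2/pwnedpassword/"
MIN_INTERVAL_S = 1.5  # the post: the API allows one call every 1500 ms


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the UTF-8 password, matching what the post's C# computes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def interpret(status: int) -> Optional[bool]:
    """200 -> seen in a breach, 404 -> not seen, anything else -> unknown."""
    if status == 200:
        return True
    if status == 404:
        return False
    return None  # rate limited, server error, etc.


def http_status(url: str, user_agent: str = "example-app/1.0 (assumed)") -> int:
    """Real fetcher (assumed, not from the post): returns the HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 404 is an HTTPError but is a valid answer here


class PwnedChecker:
    """Wraps a fetch(url) -> status callable with a minimum-interval throttle."""

    def __init__(self, fetch: Callable[[str], int],
                 clock: Callable[[], float] = time.monotonic,
                 min_interval: float = MIN_INTERVAL_S) -> None:
        self._fetch = fetch
        self._clock = clock
        self._min_interval = min_interval
        self._last_call: Optional[float] = None

    def is_pwned(self, password: str) -> Optional[bool]:
        now = self._clock()
        if self._last_call is not None and now - self._last_call < self._min_interval:
            # Calling now would breach the rate limit: report "unknown" rather
            # than block the login; the caller can retry on a later login.
            return None
        self._last_call = now
        try:
            status = self._fetch(PWNED_URL + sha1_hex(password))
        except OSError:
            return None  # DNS / connection failure: unknown, not "safe"
        return interpret(status)


def should_check(user_id: str, login_count: int, every: int = 10) -> bool:
    """Check once in every `every` logins per user (the post's 'once in every
    10 logins'). The per-user offset (my design choice) spreads the calls out."""
    offset = int(hashlib.sha256(user_id.encode("utf-8")).hexdigest(), 16) % every
    return (login_count + offset) % every == 0


if __name__ == "__main__":
    checker = PwnedChecker(http_status)
    print(checker.is_pwned("password"))  # True against the live service
```

Because `is_pwned` returns `None` both when throttled and when the network fails, a caller should treat `None` as "no information" and fall through to the normal login path, never as "not breached".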