Check Your Passwords for Pwnage – The Pythonic Way

We humans rarely practice enough as software developers. Therefore, as practice, I decided to roll out my first public Python package a few days ago. It’s called pwnedapi and it helps you stay aware of your passwords.

For those who are not familiar with Troy Hunt’s Have I Been Pwned API, it is, in brief, a wonderful REST service for checking whether your user data has been compromised in one or more of the security breaches that the service continuously tracks. For the simplest use case, go ahead and enter your email address on their homepage to see if it has been pwned.

All right, back to the nest of Python then. The package (version 0.3.0) I created has two main implementations.

a) Check if a single password was pwned using the API version 2 range search and the k-Anonymity model:

>>> from pwnedapi import Password
>>> password = Password("mysupersecretpassword")
>>>
>>> if password.is_pwned():
...     print(f"Your password has been pwned {password.pwned_count} times.")
...
Your password has been pwned 2 times.
>>>

b) Scan a list of passwords and report their leak counts in any format provided by Kenneth Reitz’s ingenious tablib library:

>>> from pwnedapi import Scanner
>>> scanner = Scanner()
>>> scanner.scan("passwords.txt")
>>> scanner.export_as("leaked.json")
>>> open("leaked.json").read()
'[{"Password": "dog", "Leak Count": 28348}, {"Password": "cat", "Leak Count": 26354}, {"Password": "somepass", "Leak Count": 657}]'

The implementation was inspired by Phil Nash’s Ruby implementation covered in this excellent post.

Better passwords in Ruby applications with the Pwned Passwords API

Phil Nash for Twilio ・ Apr 4 ’18

It’s easy to use the package for standard library needs or create, for example, a CLI tool for system administration with it – as a matter of fact, I created one at work.

As noted in the package README and at the beginning of this post, it is my first public package. Pull requests and feedback are warmly welcome.

Download it or fork it.
