Yesterday brought a considerable amount of attention, and mayhem, from the LinkedIn password dump. Many security researchers and professionals were trying to gather as much information as possible, while still having the monkey on their back wanting to know if their password was leaked. This onslaught of demand brought forth the good and the bad, but one question remained the same: the desire to have something which could take their password and compare it against an estimated 6.5 million hashes, and fast. Websites began popping up everywhere, domain registrations grew, but one thing still bothered me…

In order to check your password you must trust that the creator of the website was ethical and not capturing your password to store somewhere else. There were the JavaScript sites, the PHP sites, and even an ASP site; but the fact still remained. You must trust them! Maybe it’s just me, but with a very large data breach, ~6.5 million records released, everyone scrambling for answers, and password crackers everywhere smoking their GPUs in an attempt to get the passwords cracked, it just doesn’t seem logical that I should trust them. Now before anyone goes off screaming that their site wasn’t collecting passwords, I know. Many, and I mean a good number, of the sites I found were legit sites by security professionals with incredible reputations. However, there only has to be one site that wasn’t. There only has to be one person, a person who put numerous passwords into the one bad site trying to see if any of their passwords were on the list.

Let’s say five people each tried five passwords on the one bad guy’s website. Those five people think, great, none of my passwords were in this list. However, they are now, because you just gave him 25 passwords he didn’t have previously. Not only did you give him the hash, you gave him the matching plain text password, saving him the time of cracking the hash himself!

This brings me to my late night / early morning project. The adventure began with one goal: write a script so that I could test my passwords while still feeling safe in the fact that I was not giving my information to some website. While hard coding the password would have been quick, simple, and quite easy, that’s just not my style. I jumped in head first, deciding that it should be flexible enough to take any hash dump, and that the user should be able to specify both the hash dump filename and the password. Thus HashCheck was born!

The LinkedIn hashes posed a slight snag in the fact that the first five characters could have been replaced with 0’s to pad the length, so a plain string comparison against the full SHA1 of your password will miss those entries. Currently HashCheck will do the LinkedIn SHA1 hashes, but I will shortly be able to do standard hashes without much trouble; I just need some time to finish writing it. My goal was to just get this out to the public so that people who want to check their passwords can do so without the fear of using a website.

I have included a very small sample of the LinkedIn hashes, among them the hash of the password “password”, which was padded with five 0’s as mentioned before. I did this so you could use it as a control sample.

Enjoy, and look for updates! [Someone was playing around with GUIs today, so who knows what might come in the future]

Download the code [ HERE ]