<DocScrutinizer05>
or if you do, c&p the password so only one query with full length passowrd gets generated
<xmn>
do you guys feel safe using this with your passwords?
<DocScrutinizer05>
yes, the local shellscript is safe
<DocScrutinizer05>
the web interface is NOT !!!
<xmn>
yeah, so the local one hashs your password and then check it against their database right?
<Joerg-Neo900>
xmn: right
<Joerg-Neo900>
actually it also truncates the hash to leading 5 chars
<Joerg-Neo900>
thanks to max-p of PIA for helping with the analysis of the web interface
<atk>
I didn't use the shellscript or the web-interface
<atk>
I just manually generated the hash and manually made the web requests
<atk>
I know there isn't much in that shell script, but who the fuck knows, I don't know bash that well, might be here's some missing character somewhere which would cause things to be interpreted "incorrectly"
<sixwheeledbeast>
Yes it hashes the password and only sends the first 5 chars of the sha1 to the api. You receive the sha's that match and compare locally is how I read it. I assume I am reading the source of the script correctly and there is nothing else in there.
<Joerg-Neo900>
atk: the true geek's approach :-)
<sixwheeledbeast>
The website (HIBP) can work the same if you sha1 your password first I believe but the website source would need checking each time. My only concern is bash will log the password in plaintext locally.
<sixwheeledbeast>
Time to change your root password I think Doc
<Joerg-Neo900>
how and where/why would bash log any of that?
<Joerg-Neo900>
of course my rot pw got changed hours ago
<Joerg-Neo900>
:-)
<Joerg-Neo900>
been about time anyway
<sixwheeledbeast>
If you run the script on the shell the plaintext will be in history
<Joerg-Neo900>
that's why my recommendation is to run the script without parameters and provide the pw on prompt
<sixwheeledbeast>
and therefore ~/.bash_history
<sixwheeledbeast>
I see, I haven't played with it much yet just used some known passwords in to check
<sixwheeledbeast>
correcthorsebatterystaple for example
<Joerg-Neo900>
how many hits? :-D
<sixwheeledbeast>
114
<Joerg-Neo900>
low
<sixwheeledbeast>
I see so the prompt wouldn't be logged anywhere, the script will end therefore never stored to disk.
<Joerg-Neo900>
exactly. The usual way to deal with this, also used by passwd(1)
<sixwheeledbeast>
yes logins etc. compare the first part of the hash
<xmn>
cool, good info guys thanks
<sixwheeledbeast>
It's a handy little script to have in your toolbox
<Joerg-Neo900>
sixwheeledbeast: >>...website (HIBP) can work the same if you sha1 your password...<< https://passwordsecurity.info/ does exactly same like script, incl generating SHA from plaintext password locally, according to Max-P's analysis
bemyak has joined #neo900
<sixwheeledbeast>
I see it just hooks into the HIBP API. What are your concerns over the website versions? I personally wouldn't use a website for this as I would want to check over the source of the site each time I need it, it may have been compromised.
<Joerg-Neo900>
sixwheeledbeast: it does incremental search, thus the first query sent out is for exactly one out of max 256 chars, it's dead simple to reverse the hash to conclude the single char
<Joerg-Neo900>
the next query is for the hash of a 2char password, of which first char is known from last query
<Joerg-Neo900>
so again one out of 256 choices
<Joerg-Neo900>
this way you "recursively" or iteratively reveal the complete password from snooping HTML traffic as it is typed, in realtime
<sixwheeledbeast>
oh I believed it would send the first part of the sha and match locally. Also site is https like the API to reduce risk of leaking the sha1
<Joerg-Neo900>
yes, HTTPS defeats a worst case scenario here
<Joerg-Neo900>
it actually does >>send the first part of the sha and match locally<<
<Joerg-Neo900>
but that first 5 chars of SHA are more than sufficient to discern between 256 possible solutions to find the right one
<sixwheeledbeast>
So similar risk with the API then?
<Joerg-Neo900>
no since the local version only does ONE query for full length password, no incremental search
<Joerg-Neo900>
the website does one query for each char you type
<sixwheeledbeast>
oh I see, you can unhash each of the 5 sent chars for sure even without the rest of the hash
<sixwheeledbeast>
not unhash
<Joerg-Neo900>
nah, those 5chars are truncated SHA sum, not truncated password
<xmn>
sixwheeledbeast: makes a good point on that the site could be comprised at some other time. Where as the script will stay the same and hash locally.
<Joerg-Neo900>
12345678X will still send a different truncated 5char hash than 12345678O
<sixwheeledbeast>
I understand I am just not explaining verbosely. You have reduced the amount of hashs it isn't because it has been sent 1+2+3+4+5 times