Subversion Repositories sysadmin_scripts

Rev

Rev 26 | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
26 rodolico 1
/*
2
 * Check password for inclusion in lists maintained by 
3
 * https://haveibeenpwned.com/ using their API.
4
 * 
5
 * Copyright (C) [2019] by Daily Data, Inc <https://dailydata.net>
6
 * All rights reserved.
7
 * 
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions 
10
 * are met:
11
 * 
12
 * 1. Redistributions of source code must retain the above copyright notice, this
13
 *    list of conditions and the following disclaimer.
14
 * 2. Attribution to Troy Hunt at https://haveibeenpwned.com/ must appear
15
 *    on any page which uses this set of scripts.
16
 * 3. Attribution to Daily Data, Inc. (https://dailydata.net) is optional
17
 *    but appreciated.
18
 * 
19
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 
20
 * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 
21
 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 
22
 * AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
23
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
24
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 
25
 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
26
 * PERFORMANCE OF THIS SOFTWARE.
27
 * 
28
 */
29
 
30
var pre_hash = null;
31
var post_hash = null;
32
 
33
$( document ).ready(function() {  //Once the document is ready
34
    $("button#lookup").click( // When the button is clicked
35
            function(event) {
36
                //Set the result div so if the request takes a while, the user will know it's working.
37
                $("div#result").html("Checking password against password list, please wait...");
38
                //And now process the query.
39
                processQuery($("input#password").val());
40
 
41
            });
42
});
43
 
44
async function processQuery( str ) {
45
  //Crypto stuff to use modern browsers SHA functions to create the hash.
46
  const buffer = new TextEncoder( 'utf-8' ).encode( str );
47
  const digest = await crypto.subtle.digest('SHA-1', buffer);
48
 
49
  // Convert digest to hex string
50
  const result = Array.from(new Uint8Array(digest)).map( x => x.toString(16).padStart(2,'0') ).join('');
51
 
52
  //Once this is done, take the result and make the AJAX call.
53
  pre_hash = result.substring(0,5).toUpperCase();
54
  post_hash = result.substring(5,result.length).toUpperCase();
55
 
56
  console.log("Full hash: " + result);
57
  console.log("Pre_hash: " + pre_hash);
58
  console.log("Post_hash: " + post_hash);
59
  console.log("Making AJAX call for " + pre_hash + ".");
60
 
61
  var url = "https://api.pwnedpasswords.com/range/" + pre_hash;
62
  $.get( url, function( data ) {
63
        var lines = data.split('\n');
64
        var found = false;
65
        console.log("Returned lines:");
66
        console.log(lines.length);
67
 
68
        //If we got here, it was successful, so check the returned lines for a match.
69
        for(let line of lines) {
70
            var tmp_line = line.split(":");
71
            console.log("Testing " + post_hash + " vs " + tmp_line[0]);
72
            if(post_hash === tmp_line[0]) {
73
                //Got a match!
74
                console.log("*** MATCH FOUND *** ");
75
                $("div#result").html("<b>Warning: That password was found " + tmp_line[1] + " times!</b><br />We recommend you never use this password.");
76
                found = true;
77
                break;
78
            }
79
          };
80
 
81
        if(found === false) { 
82
            $("div#result").html("Password was not found in any lists.<br />However, this does not guarantee it is a good password.");
83
        }
84
    });
85
}