I made a new thing: Pwn Checker, a TUI app to check whether a password appears in Pwned Passwords' database of breached passwords.
Of course, most people would be justifiably reluctant to send their passwords to a third party. However, that is not how the Pwned Passwords service works. Rather than sending your password over the Internet, you first compute the SHA1 hash (a kind of digital fingerprint) of your password and then send only the first five hex digits of that hash to the API. The API then replies with all hashes in the database that have those same first five hex digits.
secret)
into their computer running the Pwn Checker app. The program calculates the SHA1
hash of the password, and then sends the first five of 40 hex digits of the hash
to the Pwned Passwords API. The API responds with a list of every hash in the
database with the same five initial digits, as well as the number of times the
corresponding password appears in the database. The program then checks the
returned hashes and determines whether the password was stolen.

I wrote Pwn Checker in Python, using Textual, a cool package for making TUI apps. Pwn Checker is now on Codeberg, and is offered under the MIT license.