7

I want check if my various passwords are in lists of cracked passwords, but I don't want to type the passwords online. For example, I'd rather scroll through an ordered list of passwords that have been merged from all rainbow tables and other sources to see if my favorite passwords are in there. I don't want to use a search engine because doing would require that I type in my passwords, thus revealing them to the site operator or middlemen. I could download all the rainbow tables, one by one, and search through them on my computer, but that's a lot of work.

What method(s) can I use to check my passwords without revealing them?

Jeff
  • 173
  • 1
  • 5
  • 1
    Try this?: http://project-rainbowcrack.com/table.htm – dreamist Mar 22 '17 at 23:09
  • 1
    Why not generate different hashes of your passwords, then run them against the online databases. For example: write a program that will hash your password with MD5, then submit the hash to one of the MD5 online crackers/databases and see if it returns back the plaintext match – nd510 Mar 23 '17 at 00:25
  • 1
    @ncd275: Great idea -- might even be better than scrolling huge lists. I hashed using the 'md5' command (OSX) and I tried a few online crackers. https://hashkiller.co.uk/md5-decrypter.aspx did the best job, but it still missed a few of my non-random, human-generated passwords. Submit an Answer and I'll check it. – Jeff Mar 23 '17 at 03:38
  • https://github.com/danielmiessler/SecLists/tree/master/Passwords – dandavis Mar 23 '17 at 06:47
  • You know, DuckDuckGo doesn't keep track of your searches. Besides, rather than look for passwords, you probably are better off searching for hashes which you could generate on your own computer. – SDsolar Mar 23 '17 at 08:24
  • 1
    "favorite passwords" implies password reuse. Password reuse is frowned on. –  Mar 23 '17 at 16:12

4 Answers4

6

We need to know more about the reason for your question.

If you're a sysadmin or an auditor, and you want to use leaked lists and and dictionaries to check the strength of people's passwords prior to acceptance, that is a sound idea. Projects like zxcvbn that provide a password blacklist, plus a length requirement, provide at least a cursory assurance of strength.

But if, as it sounds, you are asking this question in order to verify the strength of your own personal password, then you should reconsider. If you're generating the password in a sound way, then you should already know how hard it is to crack.

If you select a strong password (say, 15 random characters or more) or a strong passphrase (5 or more random words from a sufficiently long dictionary of 10K or more), then the strength of that password relies solely on the pure math of how many combinations are possible, and you know that the likelihood of it appearing in any list is very, very low.

But if your password is 'JellyfishVacation2014", or a keyboard pattern, or your childhood address backwards, or any of the hundreds of different psychologies of non-random human password selection ... then even if your specific password doesn't appear in a giant dictionary, it is still weak enough to fall to offline bruteforce and hybrid password-guessing attacks. The password crackers know all of these human selection processes. When hundreds of millions of accounts are leaked yearly, the likelihood that your "favorite" password method is unique is very low.

In other words, Kerkhoffs' Principle applies to password selection methodology. If you might be reluctant to share exactly how you generated your password, then you should switch to a different method.

Royce Williams
  • 9,128
  • 1
  • 31
  • 55
  • It is as it sounds. And the passwords I'm interested in checking are, as you say, non-random human generated (by me). I'm simply curious and want to look through the list without revealing anything about my non-random human-generated passwords. I respect your advice, My most important accounts are protected by 2FA. – Jeff Mar 23 '17 at 03:02
  • 1
    That's fair. Then if your true goal is to assess the strength of your password in a real-world way, your best bet is to hash it with a very fast algorithm (like simple MD5), and then try to crack it yourself using tools like hashcat and John the Ripper. As you learn more about techniques known to attackers, you will quickly discover how weak most human-generated passwords actually are - especially when a single modern GPU can literally try *tens of billions of passwords per second*. – Royce Williams Mar 23 '17 at 05:12
4

I know this question is a tad old, but things change rapidly (just about a year old, lol).

There are two options I can think of, one misses the mark a little and is first, the second hits the mark and is second. Provided for convenience and I don't know your level of comfort.

Anyway, there is this site, respected, https://haveibeenpwned.com/ where you can enter an email address to check the status of the user ID or actually enter a password in the same field to see if it has shown up in a previously used hack.

Not quite what you want, but this is, from the same site, https://haveibeenpwned.com/API/v2 which also has some code samples out already or easy enough to code if you like it. Also now used by 1Password.com so you can check your passwords through the web portal, for example (there are others: https://haveibeenpwned.com/API/Consumers).

This does not reveal your password. You send a hash of your password, just the first 5 chars, they then send back a list of a 100 or so hashes missing the first 5 chars as well,

You then look up your full against their return hashes. If there is a match, the password appears in their database.

Someone "looking" at the data going back and forth 1) can't be sure your password really is 2) Can't be sure what your password hash really is, and 3) no idea who you are or what username it is associated with.

Here is the blog post announcing the service https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

IGotAHeadache
  • 41
  • 6
1

@Royce William has the correct answer here, but in order to specifically address your question regarding how to check if your specific password is in a dictionary securely? You can't.

The only option would be to locally download a copy of the most used dictionaries and start trying to do a find for your common passwords. But this is already an indication that your password is not strong enough if you even think this is something you need to do. Not to mention that a lot of attackers have lists that aren't available online; they are customized or were stolen in some of their own attacks.

The proper action is to use a password manager with a truly unique and randomly generated password for each site you use. This prevents someone from getting your password through brute-force, password leakage, weak hashing on a bad website and, most importantly, prevents someone from generating a unique wordlist targeting you personally.

Andrew
  • 371
  • 1
  • 6
  • Andrew, thank you for the comments. You, Royce, and ncd275 have all offered good advice and concern for my welfare. I asked this question because I wanted to check my mostly-low-value passwords to get a feel for how they fare when compared to the rainbow tables. My high-value accounts have good passwords or 2SV. I haven't seen this question asked before, so I thought it worthwhile, and based on the comments here, that proved to be true. There's an imperfect answer to my question, but it does the job. – Jeff Mar 24 '17 at 16:37
0

Use with caution

But you can write a small program that will create different hashes of your passwords then check them against the online crackers/databases

For example: you can create an MD5 hash of your password then submit the hashed version to a website such as http://md5online.org to see if it returns the plaintext.

This way you can check to see if any databases hold your hash without revealing your plaintext just in case they don't.

Note: if you use an online hash generator, they will automatically store your plaintext and hash pair in their database if it is not already there. This is why you hash before just in case they don't have that pair.

nd510
  • 1,738
  • 1
  • 10
  • 15
  • 2
    Two things - first, some online checkers may silently add your hash to their back-end private cracking attacks anyway. I recommend against using hashes of actual passwords in such systems. Second, while perhaps technically a better answer because you're actually answering the question :), my hope is that we can convince the original asker to reconsider. – Royce Williams Mar 23 '17 at 05:08
  • @RoyceWilliams it's true, they could just store the hash alone but hashes are 1 way functions so they aren't going to be reversed so I don't think having the hash alone gives them much of an advantage but I do understand where you are coming from of why give them more information then they need. – nd510 Mar 23 '17 at 05:14
  • 2
    Since the original poster has explicitly stated that it's a human-generated string and not random, I cannot professionally recommend that it be submitted anywhere, even in its hashed form. If someone has the hash, they can try to brute-force it, or use other more sophisticated high-speed attacks. If they don't have the hash, they can't. – Royce Williams Mar 23 '17 at 05:39
  • 1
    @RoyceWilliams okay I can agree with that. My thinking behind my answer was that even if the online tools stored the hash it doesn't say tell them where and what it's used for and I'd figure an attacker would obtain your hash from compromising a database so I was thinking you might as well check to see if the attacker is going to be able to do a quick look up on your hash and get the corresponding plaintext. From a professional standpoint, I agree, this wouldn't be recommended but from a curious user standpoint I don't see it as a huge threat. – nd510 Mar 23 '17 at 05:52
  • 1
    @RoyceWilliams good conversation though. Hopefully he will read and make a decision for himself – nd510 Mar 23 '17 at 05:53
  • 1
    Thank you for the suggestions and good comments. My solution is to use md5 command on OSX to create a hash, then check that hash online. Thus, I never have to type my passwords online, just on my iMac. I'm not a high-value target and I do use good passwords for banking (and I have those sites set to not allow external money transfers anyway). My most precious data is my email, for which I use 2FA. – Jeff Mar 23 '17 at 17:17