SQL DBA With A Beard

Rob is a SQL Server DBA currently supporting several hundred databases ranging from SQL 2000 to SQL 2012. Rob has a fabulous beard and loves to use Powershell to make his life easier.

Using PowerShell to check if your password has been in a breach

We know that we need to keep our credentials secure. We know that we should not re-use our passwords across different services. Hopefully, by now, most readers of this blog are aware of Troy Hunt's excellent free service https://haveibeenpwned.com/ which will notify you if your email address has been found in a breach. If not, go and sign up now.

Recently Troy announced on his blog:

This blog post introduces a new service I call “Pwned Passwords”, gives you guidance on how to use it and ultimately, provides you with 306 million passwords you can download for free and use to protect your own systems.

So I thought I would write a quick PowerShell script to make use of it and place it on the PowerShell Gallery.

You can install it using:

Install-Script -Name Get-PwnedPassword

You will be asked if you want to add 'C:\Program Files\WindowsPowerShell\Scripts' to your PATH environment variable if this is the first script you have installed.

Then load it into your session by dot-sourcing it (a period, a space, then the script name):

. Get-PwnedPassword.ps1

and check some old passwords. Take notice of the screenshot below, in which Troy states that you should not send a password currently in use to any third-party site, including this one.

Get-PwnedPassword

There was a game on Twitter which involved finding 'interesting' passwords that people have used! Search for it; it's NSFW, by the way!

[Screenshot: passwords.png]

UPDATE

After posting this, Jos made a comment

and Mathias added

Which is a good point. You don't want your co-workers or friends seeing your passwords over your shoulder. So I have updated the script to prompt for a password and convert it to a SecureString, and added a hash parameter, as the API also allows you to pass the SHA1 hash of a password instead of the password itself.

[Screenshot: passwords2.png]

Which is a bit better I think. Thank you guys.

UPDATE 2 – This actually broke the script, meaning that every password came back as pwned because I was not decoding the SecureString correctly. I have fixed this in version 1.2, which you can get, if you have already installed the script, by running:

Update-Script Get-PwnedPassword

Thanks to Henkie and Russell for letting me know.
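The two updates above describe the two things the script has to get right: reading the password as a SecureString and decoding it correctly before hashing (the UPDATE 2 bug), and sending the API a SHA1 hash rather than the password. The following is an added example written for this page, not the Get-PwnedPassword script from the PowerShell Gallery. It assumes the Pwned Passwords range endpoint as it exists today, https://api.pwnedpasswords.com/range/<first five hex characters of the SHA1>, which returns one "<remaining 35 hex characters>:<count>" line per matching hash; the endpoint the post's script called at the time may differ. With the range lookup only the five-character prefix ever leaves the machine, so even the hash of the password is not sent in full. The function names are my own.

```powershell
# Added example, not the post's Get-PwnedPassword script.
# Assumes the range endpoint https://api.pwnedpasswords.com/range/<5-hex-prefix>
# returning lines of the form "<35-hex-suffix>:<count>".

function ConvertFrom-SecureStringToPlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$SecureString)
    # Marshal the SecureString to an unmanaged BSTR, copy the text out, then
    # zero and free the BSTR. Calling .ToString() on a SecureString does NOT
    # give the password (it gives the type name), which is the kind of
    # decoding mistake that makes every password look "pwned".
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        $hash  = $sha1.ComputeHash($bytes)
        # Upper-case hex with no separators, the format the API uses
        return ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $sha1.Dispose()
    }
}

function Find-HashSuffixCount {
    # Pure function: given a range response body and our 35-character suffix,
    # return how many times that hash appeared in breaches (0 = not found).
    # Kept separate so it can be exercised against a saved response offline.
    param(
        [Parameter(Mandatory)][string]$RangeResponse,
        [Parameter(Mandatory)][string]$Suffix
    )
    foreach ($line in ($RangeResponse -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        # String -eq in PowerShell is case-insensitive, so casing of the hex does not matter
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) {
            return [int]$parts[1]
        }
    }
    return 0
}

function Test-PwnedPassword {
    [CmdletBinding(DefaultParameterSetName = 'Prompt')]
    param(
        # Prompt for the password so it is never echoed to the screen or shell history
        [Parameter(ParameterSetName = 'Prompt')][System.Security.SecureString]$Password,
        # Or supply a SHA1 hash computed elsewhere, as the post's -Hash parameter allows
        [Parameter(ParameterSetName = 'Hash', Mandatory)][string]$Sha1Hash
    )
    if ($PSCmdlet.ParameterSetName -eq 'Prompt') {
        if (-not $Password) {
            $Password = Read-Host -Prompt 'Password to check (old passwords only)' -AsSecureString
        }
        $plain    = ConvertFrom-SecureStringToPlainText -SecureString $Password
        $Sha1Hash = Get-Sha1Hex -Text $plain
        $plain    = $null   # drop the plaintext reference as soon as the hash exists
    }
    $Sha1Hash = $Sha1Hash.ToUpperInvariant()
    $prefix   = $Sha1Hash.Substring(0, 5)
    $suffix   = $Sha1Hash.Substring(5)

    # Only the 5-character prefix is sent; the server returns every suffix in that range
    $body  = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Method Get
    $count = Find-HashSuffixCount -RangeResponse $body -Suffix $suffix

    [pscustomobject]@{
        Pwned = ($count -gt 0)
        Count = $count
    }
}

# Usage:
#   Test-PwnedPassword                       # prompts, masked input
#   Test-PwnedPassword -Sha1Hash '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8'
```

Find-HashSuffixCount is deliberately split out from the web call: you can paste a captured range response into it with a known suffix and confirm the parsing returns the expected count without touching the network, which is the quickest way to catch the "everything comes back pwned" class of bug described in UPDATE 2.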

There is also a good use case for us technical folk to assist our non-technical friends with their password usage. You can visit this page:

https://haveibeenpwned.com/Passwords

and get them to put one of their old passwords in the box (look at the screenshot for the advice on current passwords), see whether that password has appeared in a breach or not, and use this as a means to start a discussion about password managers.

[Screenshot: pwnedpasswords.png]

Original post: sqldbawithabeard.com