Update Get-PwnedPassword to use anonymous endpoint

SQLDBAWithABeard / Functions

Contains useful functions that I use

MIT License

44 stars 22 forks source link

Update Get-PwnedPassword to use anonymous endpoint #2

Closed mattlorimor closed 5 years ago

mattlorimor commented 6 years ago

Troy of Have I Been Pwned? has disabled the ability to search by password. Current calls to https://haveibeenpwned.com/api/v2/pwnedpassword/ are probably failing. This PR changes the pwned password check to use the anonymous endpoint Troy has set up.
- This PR maintains the ability to pass either a password or a hash (specified by command line switch).
- Rate limiting should no longer be a concern as there is no rate limiting on the new API.
- This PR also removes the IT IS NOT RECOMMENDED TO USE ACTIVE PASSWORDS WITH THIS SERVICE warning since only the first five characters of a SHA1 hash are now sent. The API responds with ~500 hash suffixes that the requesting client can check against.

mattlorimor commented 5 years ago

@SQLDBAWithABeard

Any thoughts on merging this in so that PwnedPasswords can be checked again? Currently, calls to https://haveibeenpwned.com/api/v2/pwnedpassword/ are redirecting to https://haveibeenpwned.com/Error/PageNotFound which, of course, responds with an HTTP 200. The current code path takes that 200 and assumes that it means a password has been pwned when it hasn't. This PR fixes that.