Have I been pwned?


#1

Hi,

I wanted to write a Julia password checker following the news about a list of hacked passwords, posted here as a list of SHA1 hashes:

The code I came up with is this: (requires 6.2 GB RAM on the real password list)

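```julia
using SHA

# Number of slots to allocate; must be at least the number of lines in the hash file.
const N = 307_000_000

# One SHA-1 digest (20 bytes) stored inline, so a Vector{PWHash} is a flat array of 20*N bytes.
struct PWHash
  data::NTuple{20,UInt8}
end

PWHash(sha_hash) = PWHash((sha_hash...,))
# The default value is all 0xff bytes, which sorts after every real hash.
PWHash() = PWHash((fill(typemax(UInt8),20)...,))

# Lexicographic byte order; searchsorted below relies on the file being sorted this way.
Base.isless(x::PWHash, y::PWHash) = (x.data < y.data)

@time hashes = fill(PWHash(), N)

println("Memory allocated")

@time open("pwned-passwords-1.0.txt") do f
  for (i,ln) in enumerate(eachline(f))
    hashes[i] = PWHash(hex2bytes(ln))
  end
end

println("File read")

pwhash = PWHash()
emptyhash = PWHash(sha1(""))
# Keep prompting until an empty password is entered.
while pwhash != emptyhash
  println("enter password:")
  global pwhash = PWHash(sha1(readline()))
  if !isempty(searchsorted(hashes, pwhash))
    println("You're pwned!")
  else
    println("You're safe, possibly")
  end
end
```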

Of course I am certain this is already perfect and couldn’t possibly be improved upon ( :wink: ), except for a small detail: the readline echoes the password back to the screen. Is there any way to avoid that?


#2

There are prompt and winprompt functions used in the LibGit2 bindings that have a password flag, which you can set to avoid echoing the typed password.


#3

Thanks, that works. Do you know where the echo comes from in the normal readline? I couldn’t find where this happens in the Julia code. It seems it would be more elegant to have a prompt function in Julia Base rather than having to rely on LibGit2 for this.


#4

I don’t know, sorry. The existing prompt code isn’t actually LibGit2-specific or dependent on that library at all; it just happened to be put there because that was where it needed to be used. It was recently moved to a different module on master.
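
An added example, not code from any poster in this thread: it reads the password without echo and looks the hash up by binary search directly in the file, so the 6.2 GB array is not needed. It assumes Julia 1.x, where `Base.getpass` and `Base.shred!` exist (unexported), and a hash file that is sorted with one fixed-width hex hash per line; `sha1hex`, `pwned`, `check_interactively` and `demo` are hypothetical names, and the sample list is constructed.

```julia
using SHA

sha1hex(s) = uppercase(bytes2hex(sha1(s)))   # hypothetical helper

# Binary search for `hexhash` (40 hex chars) in a file of sorted, fixed-width
# lines, reading one line per probe instead of loading the whole file.
function pwned(path::AbstractString, hexhash::AbstractString)
  open(path) do f
    width = sizeof(readline(f; keep=true))      # 40 hex chars + "\n" or "\r\n"
    width < 41 && return false                  # empty or malformed file
    lo, hi = 0, cld(filesize(path), width) - 1  # zero-based line indices
    while lo <= hi
      mid = (lo + hi) ÷ 2
      seek(f, mid * width)
      line = uppercase(String(read(f, 40)))
      line == hexhash && return true
      line < hexhash ? (lo = mid + 1) : (hi = mid - 1)
    end
    return false
  end
end

# Prompt on the terminal without echoing the typed characters.
function check_interactively(path)
  secret = Base.getpass("enter password")
  hexhash = sha1hex(read(secret, String))
  Base.shred!(secret)                           # wipe the SecretBuffer
  println(pwned(path, hexhash) ? "You're pwned!" : "You're safe, possibly")
end

# Constructed sample list: SHA-1 of three made-up passwords, sorted, CRLF line endings.
function demo()
  path = tempname()
  sample = sort([sha1hex(p) for p in ("123456", "password", "qwerty")])
  write(path, join(sample, "\r\n") * "\r\n")
  try
    return (pwned(path, sha1hex("password")), pwned(path, sha1hex("not in the list")))
  finally
    rm(path)
  end
end

@assert demo() == (true, false)
length(ARGS) == 1 && check_interactively(ARGS[1])   # pass the hash file path as the argument
```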