Help Your Users to Not Get Pwned

The indefatigable Troy Hunt — publisher of the “Have I Been Pwned?” site, also has a site and Web service API called Pwned Passwords. You can use this to check a candidate password to see if it has been used before… in one of the many hacked credential dumps that Mr. Hunt has accumulated.

Mostly, this API will be of interest for Web sites and Web services that allow users to create their own password-protected accounts. You can rapidly check the user’s candidate password to see if has already been pwned, perhaps rejecting it if it has.

There will be scenarios where you want to check this client-side, though:

  • Your Android team can move faster than your Web service team, and so you would like to check for pwnage on the client side now, while waiting for the Web service team to integrate the check on their side

  • The password will be used for files that mostly will remain local on the device, but might be published somewhere, using the supplied password as part of an encryption scheme

  • You want to integrate pwnage checking into your Android-based password safe

  • And so on

The Pwned Passwords Web service API is fairly straightforward. There are two modes, one where you submit the actual password, and one where you submit the first five characters of the SHA-1 hash of the password. That latter case is more private, in that you don’t give Mr. Hunt your user’s password. While Mr. Hunt surely wouldn’t use that information, he is Australian, and cockatoos there have a remarkable interest in Internet connectivity, and you wouldn’t want your users password in the, um, claws of a rogue cockatoo.

Besides, shipping passwords over the Internet unnecessarily is just uncool.

This Java class uses OkHttp and RxJava to let you check a password for pwnage. If you get back 0, then all is well. A positive number represents the number of times that password occurs in Mr. Hunt’s database. Whether you reject the password for any positive value, or only for a value that exceeds some threshold, is up to you. It uses the SHA-1 hash approach, and so the password itself does not leave the device.

The class is lightly tested, so YMMV, but it’s a starting point for you to use for crafting your own on-device access to the Pwned Passwords. And, a variation on this class might show up in a sample app in a book at some point. Just sayin’.


Want an expert opinion on your Android app architecture decisions? Perhaps Mark Murphy can help!