
Comment by eterm

3 months ago

> Chrome told me my PureGym PIN had been compromised

This is likely a false positive, if Chrome is using the haveibeenpwned API.

e.g. A pin of 87623103

Hashes to 558B4C37F6E3FF9A5E1115C66CEF0703E3F2ADEE

We get the range from HaveIBeenPwned:

https://api.pwnedpasswords.com/range/558B4

And search for C37F6E3FF9A5E1115C66CEF0703E3F2ADEE

And see it's "Compromised" and seen 3 times before.

In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.

To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:

  using System;
  using System.Linq;
  using System.Net.Http;
  using System.Security.Cryptography;
  using System.Text;
  using System.Threading.Tasks;

  var httpClient = new HttpClient();
  httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");

  while (true)
  {
   // Draw a random 8-digit PIN.
   var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));

   // Upper-case hex SHA-1, the form the Pwned Passwords range API uses.
   var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));

   // k-anonymity: only the first 5 hex chars of the hash are sent to the API.
   var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");

   passwordRange.EnsureSuccessStatusCode();

   var allhashes = await passwordRange.Content.ReadAsStringAsync();

   // The API returns CRLF-terminated "SUFFIX:COUNT" lines; split on either ending
   // so the count is not left with a trailing '\r' when run on Linux/macOS.
   var splitHashes = allhashes.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);

   // Match the remaining 35 hex chars locally; the full hash never leaves the machine.
   var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));

   if (compromised != null)
   {
    Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
    Console.WriteLine($"Hash: {hash}");
    return;
   }
   await Task.Delay(1_000);
  }

The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
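The prefix/suffix lookup walked through above, as an added Python example (not eterm's script): it performs the same k-anonymity split and local suffix match, but against a constructed range body so the matching logic can be exercised offline, and it parses CRLF or LF line endings and mixed case so it behaves the same on any OS. The sample response body and its counts are constructed, not real API output; the count 3 simply mirrors what the comment reports for that PIN.

```python
import hashlib

def sha1_prefix_suffix(secret: str):
    """Upper-case hex SHA-1 split the way the Pwned Passwords range API expects:
    the 5-char prefix is the only thing sent over the wire; the 35-char suffix stays local."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_request_path(secret: str) -> str:
    """Path to GET (relative to https://api.pwnedpasswords.com/) for this secret's prefix."""
    prefix, _ = sha1_prefix_suffix(secret)
    return f"range/{prefix}"

def breach_count(secret: str, range_body: str) -> int:
    """How many times `secret` appears in breach data, given the body returned for its prefix.
    The live API sends CRLF-terminated 'SUFFIX:COUNT' lines; splitlines() handles CRLF and LF alike,
    and the comparison is case-insensitive in case a client lower-cases the hex."""
    _, suffix = sha1_prefix_suffix(secret)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def build_range_body(entries) -> str:
    """Constructed stand-in for an API response, CRLF-terminated like the real one (offline use only)."""
    return "".join(f"{suffix}:{count}\r\n" for suffix, count in entries)

# Constructed sample body for the prefix of the comment's PIN: its own suffix with the count
# the comment reports (3), plus two made-up decoy suffixes that must not match.
EXAMPLE_PIN = "87623103"
_, EXAMPLE_SUFFIX = sha1_prefix_suffix(EXAMPLE_PIN)
SAMPLE_RANGE_BODY = build_range_body([
    ("0" * 35, 12),
    (EXAMPLE_SUFFIX, 3),
    ("F" * 35, 1),
])

if __name__ == "__main__":
    print("request:", range_request_path(EXAMPLE_PIN))
    print("breach count:", breach_count(EXAMPLE_PIN, SAMPLE_RANGE_BODY))
```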

  • > not all 8 digit pins are "compromised"

    Sure they have been, I can send you a text file with all of them. It's 850MB, but I expect it compresses very well.

    • There's a reason I put "compromised" in quotes. By that I mean that not all 8 digit numbers are yet flagged in haveibeenpwned.

      Of course there's no world in which they're actually a secure password, which is why it's kind of insane to treat them as one.

I had this constantly the last couple of days. I've been doing some UI mockups in Claude and it includes a password field, and either it puts in a placeholder of like 1234 or I type asdf to test the field. Then as soon as I do anything else Chrome has a fit because "my" password has (obviously) been "pwned."