← Back to context

Comment by eterm

3 months ago

In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.

To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:

  var httpClient = new System.Net.Http.HttpClient();
  httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");

  while (true)
  {
   var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));

   var hash = Convert.ToHexString(System.Security.Cryptography.SHA1.HashData(Encoding.UTF8.GetBytes(password)));

   var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");

   passwordRange.EnsureSuccessStatusCode();

   var allhashes = await passwordRange.Content.ReadAsStringAsync();

   var splitHashes = allhashes.Split(Environment.NewLine);
   
   var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));
   
   if (compromised != null)
   {
    Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
    Console.WriteLine($"Hash: {hash}");
    return;
   }
   await System.Threading.Tasks.Task.Delay(1_000);
  }

The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.

7 comments

eterm

Reply
cornholio  3 months ago

> not all 8 digit pins are "compromised"

Sure they have been, I can send you a text file with all of them. It's 850MB, but i expect it compresses very well.

  • eterm  3 months ago

    There's a reason I put "compromised" in quotes. By that I mean that not all 8 digit numbers are yet flagged in haveibeenpwned.

    Of course there's no world in which they're actually a secure password, which is why it's kind of insane to treat them as one.