A local-only software to check for leaked credentials. Currently only supports checking a password hash against a thin REST API.
Intended to be used with plugins like LCC Keycloak.
This software needs all password hashes downloaded as a file with one hash a line. Then, it can generate a xor filter, which is being used by the web API to check whether a particular hash is included in the leaked hash file provided. This check is done in a few microseconds.
You can use a prepared filter from us or build the software yourself. For building, please see below. For running with the prepared filter, you need as much memory as the filter size, currently about 8 GB.
We provide a Docker image, which contains the Have I been pwned filter as well as the web API binaries. It might incorporate more sources in future when they become available. You can run it like
docker run -it --rm -p 127.0.0.1:3000:3000 --name lcc-api dr.rechenknecht.net/mixxplorer/lcc/lcc/main:api-latest-all
# request API
curl 'http://localhost:3000/v1/hashes/check' -X POST -H 'Content-Type: application/json' --data-raw $'{\n"hash": "1000000A0E3B9F25FF41DE4B5A"\n}' -vWe also provide a much smaller image just containing the binaries:
docker run -it --rm -p 127.0.0.1:3000:3000 --name lcc-api dr.rechenknecht.net/mixxplorer/lcc/lcc/main:bin-latestYou can make use of the following tags per image:
api-v1-allcontaining the latest API with support to thev1REST API.api-latest-allcontaining the latest API.bin-v1containing the binaries providing support to thev1REST API.bin-latestcontaining the latest binaries.
We re-build all images every week with the latest hashes. Therefore, please make sure to restart your API instance accordingly.
For a full list of available images, please see the Container Registry.
cargo build --releaseIt is important to build the release version of this software if you are dealing with larger filters or inputs as the performance is better by a factor of at least 10 when using the release build.
This software support generating the filter with have I been pwned password hashes.
docker run -it --rm mcr.microsoft.com/dotnet/sdk /bin/bash
export PATH="$PATH:/root/.dotnet/tools"
dotnet tool install --global haveibeenpwned-downloader
haveibeenpwned-downloader pwnedpasswordsThis will create the file pwnedpasswords.txt.
target/release/leaked-passwords-filter-tool pwnedpasswords.txt filter.bincode -b
For generating the filter file for the full pwnedpasswords set, you need about 35 GB of memory. You can make use of swap pretty efficiently.
target/release/lcc-web-api -f filter.bincodenow, you can request it like curl 'http://localhost:3000/v1/hashes/check' -X POST -H 'Content-Type: application/json' --data-raw $'{\n"hash": "1000000B0E6B3F21"\n}'