Can I use Hashcat for checking against HIBP DB?
#3
Well, theoretically, you could download the HIBP SHA-1 hashes from https://haveibeenpwned.com/Passwords, and then crack them with hashcat using your list as a wordlist. But since the HIBP list is so large, it may not fit into GPU memory and so hashcat wouldn't be able to crack it without breaking the list up into multiple subsets.

Alternatively, you could simply hash your passwords with SHA-1 and search for them in the list using any of the various command-line tools. At that point, it's just a string-matching exercise.

Either of the above would have the benefit of not disclosing even part of your hash to a third party.

Troy also has an API available - you send just a prefix, and a list of matching hashes is returned.

https://www.troyhunt.com/ive-just-launch...kanonymity
~
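Added example, not part of the original post: the offline "hash with SHA-1 and search the list" approach from the reply above, done as a binary search over the file so the list never has to fit in memory and no hash leaves the machine. It assumes a local copy in the hash-ordered `HASH:COUNT` text format (uppercase hex, one entry per line); the function names, the sample file and its counts are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form assumed for the local list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def lookup(path: str, target: str) -> int:
    """Binary-search a hash-sorted 'HASH:COUNT' file by byte offset.

    Returns the count stored for `target`, or 0 if the hash is absent.
    """
    target_b = target.encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(mid)
            if mid:
                f.readline()          # discard the line we landed inside
            line = f.readline()       # first full line after offset mid
            if not line or line[:40] > target_b:
                hi = mid              # past the target (or at EOF): go left
            elif line[:40] < target_b:
                lo = mid + 1          # before the target: go right
            else:
                return int(line.split(b":", 1)[1].strip())
    return 0

def audit(passwords, path):
    """Map each candidate password to its count in the list (0 = not found)."""
    return {pw: lookup(path, sha1_hex(pw)) for pw in passwords}

def build_sample(path):
    """Write a constructed stand-in for the real download (counts are made up)."""
    rows = sorted(f"{sha1_hex(pw)}:{n}" for pw, n in
                  [("password", 5), ("123456", 9), ("qwerty", 3), ("letmein", 2)])
    with open(path, "w", newline="") as f:
        f.write("\r\n".join(rows) + "\r\n")

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
    build_sample(sample)
    for pw, count in audit(["qwerty", "correct horse battery staple"], sample).items():
        print(f"{sha1_hex(pw)}: {'found, count %d' % count if count else 'not in list'}")
```

Each lookup costs a few dozen seeks regardless of list size, which is why the file must be the hash-ordered variant rather than one sorted by prevalence.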


Messages In This Thread
RE: Can I use Hashcat for checking against HIBP DB? - by royce - 03-10-2019, 06:30 PM