haveibeenpwned DB
#1
I am trying to use hashcat to attack the haveibeenpwned DB, the whole 27GB file, split up into sections of course. The issue is that the DB adds these appendages to the end of the sha1 hash. It's the number of times the password has appeared in a wordlist or such. So I basically need to be able to tell hashcat to ignore the salt on the end of a hash. I cannot seem to be able to find out how to do this. I know people have done it, I just can't seem to manage it. I imagine it is similar to telling hashcat to ignore the username on a hash.

I am not planning on using this maliciously or anything crazy. I just want to be able to see the plaintext passwords and compare them against my own. I would also like to be able to have a list that people can look at for bad examples. I work with a small ISP, and want to be able to show customers how to pick good passwords.

./hashcat64.exe --username -a 0 -m 100 -r ./rules/dive.rule haveibeenpwned/segmentaf.hash rockyou.txt -o haveibeenpwnedcracked.txt
Reply
#2
Strip the unneeded field before handing the hashlist to hashcat.
~
Reply
#3
the HIBP lists are too big for most editors, and cause a lot of hassle to split up.

the best thing to do is run it through a tool and dump anything after and including the :

if you want some of them in plain text the NCSC have posted the top 100k (it's a start, but not a big one)

tbf it's not really necessary to crack them for most purposes, it's enough to match the hashes as Troy says in the launch post.

but if you want to spend your computing time and money, go ahead.
there are easier ways to get the list, as it's just a collation of those in the breaches on HIBP, including everything in rockyou
Reply
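As an added example (not code from any poster in this thread), the "run it through a tool" step from posts #2 and #3 in Python: it streams the HIBP file one line at a time, so the 27GB file never has to be opened in an editor, drops everything from the `:` onward, skips malformed lines, and optionally keeps only hashes whose prevalence count is at least `min_count` (an assumption of this example: the trailing number is the prevalence count the thread describes, so it can be used to shrink the job). The sample lines and their counts are constructed; the two digests are the SHA-1 of `password` and `123456`.

```python
import os
import tempfile
from typing import Iterable, Iterator

HEX = set("0123456789abcdefABCDEF")

# Constructed sample in the HIBP "SHA1:COUNT" layout (counts are made up).
SAMPLE = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
notahash
DEADBEEF:12
"""


def strip_hibp_counts(lines: Iterable[str], min_count: int = 0) -> Iterator[str]:
    """Yield bare SHA-1 hex digests from 'HASH:COUNT' lines.

    Lines without a ':' field, with a non-numeric count, or whose digest is
    not 40 hex characters are dropped so hashcat never sees them.
    """
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest, sep, count = line.partition(":")
        if not sep or not count.isdigit():
            continue
        if len(digest) != 40 or any(c not in HEX for c in digest):
            continue
        if int(count) < min_count:  # assumption: count == prevalence
            continue
        yield digest


def convert_file(src_path: str, dst_path: str, min_count: int = 0) -> int:
    """Stream src_path -> dst_path, one bare digest per line; return count written."""
    written = 0
    with open(src_path, encoding="utf-8", errors="replace") as src, \
            open(dst_path, "w", encoding="utf-8") as dst:
        for digest in strip_hibp_counts(src, min_count):
            dst.write(digest + "\n")
            written += 1
    return written


def demo() -> int:
    """Write the constructed sample to a temp file and convert it."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "seg.txt"), os.path.join(d, "seg.hash")
        with open(src, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        return convert_file(src, dst)


if __name__ == "__main__":
    print(demo())
```

The output file is then used in place of the `segmentaf.hash` argument, without `--username`, since there is no longer a field for hashcat to ignore.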