Local-only software for checking for leaked credentials. Currently, it only supports checking a password hash through a thin REST API.
Intended to be used with plugins like LCC Keycloak.
This software needs all password hashes downloaded as a file with one hash per line. From that file it generates an xor filter, which the web API uses to check whether a particular hash is included in the provided file of leaked hashes. This check takes a few microseconds.
You can use a prepared filter from us or build the software yourself. For building, please see below.
We provide a Docker image, which contains the Have I Been Pwned filter as well as the web API binaries. It might incorporate more sources in the future when they become available. You can run it like this:
docker run -it --rm -p 127.0.0.1:3000:3000 --name lcc-api dr.rechenknecht.net/mixxplorer/lcc/lcc/main:api-latest-all
# request API
curl 'http://localhost:3000/v1/hashes/check' -X POST -H 'Content-Type: application/json' --data-raw $'{\n"hash": "1000000A0E3B9F25FF41DE4B5A"\n}' -v
We also provide a much smaller image just containing the binaries:
docker run -it --rm -p 127.0.0.1:3000:3000 --name lcc-api dr.rechenknecht.net/mixxplorer/lcc/lcc/main:bin-latest
You can make use of the following tags per image:
api-v1-all: contains the latest API with support for the v1 REST API.
api-latest-all: contains the latest API.
bin-v1: contains the binaries providing support for the v1 REST API.
bin-latest: contains the latest binaries.
We re-build all images every week with the latest hashes. Therefore, please make sure to restart your API instance accordingly.
For a full list of available images, please see the Container Registry.
cargo build --release
It is important to build the release version of this software if you are dealing with larger filters or inputs as the performance is better by a factor of at least 10 when using the release build.
This software supports generating the filter from Have I Been Pwned password hashes.
docker run -it --rm mcr.microsoft.com/dotnet/sdk /bin/bash
export PATH="$PATH:/root/.dotnet/tools"
dotnet tool install --global haveibeenpwned-downloader
haveibeenpwned-downloader pwnedpasswords
This will create the file pwnedpasswords.txt.
target/release/leaked-passwords-filter-tool pwnedpasswords.txt filter.bincode -b
For generating the filter file for the full pwnedpasswords set, you need about 35 GB of memory. You can make use of swap pretty efficiently.
target/release/lcc-web-api -f filter.bincode
Now you can query it like this:
curl 'http://localhost:3000/v1/hashes/check' -X POST -H 'Content-Type: application/json' --data-raw $'{\n"hash": "1000000B0E6B3F21"\n}'
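How an xor filter answers the kind of membership query the web API performs, as an added Rust example that is not the project's code: the 8-bit fingerprint width, the hash mixing and the use of distinct 64-bit integers as keys are assumptions. A key that was inserted is always found, while a key that was not inserted is reported as present with a probability of about 1/256 at this fingerprint width.

```rust
// Added example, not the project's code. Assumptions: 8-bit fingerprints, distinct u64 keys.
pub struct Xor8 { seed: u64, block: usize, table: Vec<u8> }
fn mix(h: u64) -> u64 { // murmur3 finalizer, a bijection on u64
    let h = (h ^ (h >> 33)).wrapping_mul(0xff51afd7ed558ccd);
    let h = (h ^ (h >> 33)).wrapping_mul(0xc4ceb9fe1a85ec53);
    h ^ (h >> 33)
}
fn fp(h: u64) -> u8 { (h ^ (h >> 32)) as u8 } // 8-bit fingerprint of a hashed key
fn slots(h: u64, block: usize) -> [usize; 3] { // one slot in each third of the table
    let r = |x: u64, i: usize| i * block + (((x as u32 as u64) * block as u64) >> 32) as usize;
    [r(h, 0), r(h.rotate_left(21), 1), r(h.rotate_left(42), 2)]
}
impl Xor8 {
    pub fn build(keys: &[u64]) -> Xor8 {
        let block = (32 + keys.len() * 123 / 100) / 3 + 1;
        (1u64..).find_map(|seed| { // try seeds until every key can be peeled
            let (mut acc, mut cnt) = (vec![0u64; 3 * block], vec![0u32; 3 * block]);
            for &k in keys {
                let h = mix(k ^ seed);
                for s in slots(h, block) { acc[s] ^= h; cnt[s] += 1; }
            }
            let mut queue: Vec<usize> = (0..3 * block).filter(|&s| cnt[s] == 1).collect();
            let mut order = Vec::with_capacity(keys.len());
            while let Some(s) = queue.pop() { // peel a key that is alone in slot s
                if cnt[s] != 1 { continue; }
                let h = acc[s];
                order.push((s, h));
                for t in slots(h, block) {
                    acc[t] ^= h; cnt[t] -= 1;
                    if cnt[t] == 1 { queue.push(t); }
                }
            }
            if order.len() != keys.len() { return None; } // stuck: next seed
            let mut table = vec![0u8; 3 * block];
            for &(s, h) in order.iter().rev() { // table[s] is still 0 here
                let [a, b, c] = slots(h, block);
                table[s] = fp(h) ^ table[a] ^ table[b] ^ table[c];
            }
            Some(Xor8 { seed, block, table })
        }).unwrap()
    }
    pub fn contains(&self, key: u64) -> bool { // never misses a member; rare false positives
        let h = mix(key ^ self.seed);
        fp(h) == slots(h, self.block).iter().fold(0u8, |x, &s| x ^ self.table[s])
    }
}
fn main() {
    let f = Xor8::build(&[0x1000000B0E6B3F21, 0x1000000A0E3B9F25]); // constructed keys
    println!("{} {}", f.contains(0x1000000B0E6B3F21), f.contains(42));
}
```

A positive answer from such a filter therefore means "almost certainly in the list", and a negative answer means "definitely not in the list".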