09. Leaked Password Databases and Tools

What Are Leaked Password Databases?

Leaked password databases are collections of credentials (email addresses, usernames, and passwords or password hashes) exposed in data breaches. They circulate online, so they are available to defenders and attackers alike. Used ethically, they let you find accounts and passwords that are already compromised before an attacker uses them.


Purpose of Using Leaked Password Databases (Ethically)

  1. Account Security Audits: Identify if personal or organizational accounts have been compromised.
  2. Password Hygiene: Ensure strong and unique passwords are used.
  3. Penetration Testing: Test for reused or weak passwords as part of ethical hacking.

Free Resources for Checking Leaked Passwords


1. Have I Been Pwned (HIBP)

  • Website: https://haveibeenpwned.com
  • Purpose: A free tool to check if an email or password has been exposed in breaches.
  • Features:
    • Email Check: Enter your email to see associated breaches.
    • Pwned Passwords: Check if a specific password is compromised.
    • Notifications: Sign up for alerts when new breaches occur.
  • Usage:
    • Go to the website and enter your email address, or a password on the Pwned Passwords page (the page hashes the password in the browser and sends only a hash prefix, the same k-anonymity scheme the API uses).
    • Review results and take necessary actions: change any password that appears, and enable MFA on the affected accounts.

2. HIBP Pwned Passwords API (Free Tier)

  • Website: https://haveibeenpwned.com/API/v3#PwnedPasswords

  • Purpose: Lets applications check a candidate password against the breach corpus without ever sending the password, or even its full hash, to the service. The range endpoint needs no API key.

  • Features:

    • Uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that range (each with a breach count) to compare locally.
    • Returns how many times the password has been seen in breaches; not found means a count of 0.
    • Example (Python):
    import hashlib
    import requests

    def pwned_count(password: str) -> int:
        """Return how many times the password appears in Pwned Passwords (0 if never)."""
        sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        prefix, suffix = sha1[:5], sha1[5:]
        # Only the 5-character prefix leaves the machine (k-anonymity).
        response = requests.get(
            f"https://api.pwnedpasswords.com/range/{prefix}",
            headers={"Add-Padding": "true"},  # server adds dummy entries with count 0
            timeout=10,
        )
        response.raise_for_status()
        # Each line is "<35-char hash suffix>:<count>"; compare suffixes, not substrings.
        for line in response.text.splitlines():
            hash_suffix, _, count = line.partition(":")
            if hash_suffix.strip().upper() == suffix:
                return int(count)
        return 0

    count = pwned_count("password123")
    if count:
        print(f"Password is compromised! Seen {count} times.")
    else:
        print("Password not found in Pwned Passwords.")

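The range query above reveals only a hash prefix to the service. The block below is an added example, not HIBP's code and not the page's original snippet: it simulates the server side of the range endpoint over a small constructed corpus (CONSTRUCTED_CORPUS, FakeRangeServer, parse_range_body and the other names are assumptions for this illustration), records what the server actually receives, and parses the "SUFFIX:COUNT" response format the way a client should, including the count-0 padding entries the real API mixes in when the Add-Padding header is sent.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed corpus standing in for the Pwned Passwords dataset: plaintexts and
# how many times each was "seen" in breaches. The real service stores only SHA-1s.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password123": 123456,
    "letmein": 7890,
    "qwerty": 99999,
    "correct horse battery staple": 3,
}

PREFIX_LEN = 5  # hex characters sent to the server; the other 35 stay local


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix} (assumed name).

    It indexes the corpus by hash prefix and logs every query so the caller can
    confirm that nothing but 5-character prefixes ever reached it.
    """

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.index: Dict[str, List[Tuple[str, int]]] = {}
        for plaintext, count in corpus.items():
            digest = sha1_upper(plaintext)
            self.index.setdefault(digest[:PREFIX_LEN], []).append((digest[PREFIX_LEN:], count))
        self.queries: List[str] = []

    def range_query(self, prefix: str, add_padding: bool = False) -> str:
        """Return the response body: one '<35-hex suffix>:<count>' line per hash.

        With add_padding (mirroring the real API's Add-Padding header) dummy
        suffixes with count 0 are mixed in, so the response size does not reveal
        how many real hashes share the prefix.
        """
        self.queries.append(prefix)
        entries = list(self.index.get(prefix, []))
        if add_padding:
            for i in range(8):  # deterministic dummies for the example
                dummy = hashlib.sha1(f"pad:{prefix}:{i}".encode()).hexdigest().upper()
                entries.append((dummy[PREFIX_LEN:], 0))
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in entries)


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}; tolerates blank lines and padding."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count or 0)
    return result


def pwned_count(password: str, server: FakeRangeServer, add_padding: bool = False) -> int:
    """Client side: hash locally, send the prefix only, match the suffix locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    matches = parse_range_body(server.range_query(prefix, add_padding))
    # A padding entry always carries count 0, so it can never be reported as a hit.
    return matches.get(suffix, 0)


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ["password123", "Tr0ub4dor&3-unique-xyz"]:
        print(f"{candidate!r}: seen {pwned_count(candidate, server, add_padding=True)} times")
    print("the server only ever saw prefixes:", server.queries)
```

parse_range_body can be pointed at the body of a real requests.get(...) response unchanged; the fake server replaces only the lookup itself, and the query log is what you would inspect to convince yourself that the full hash never leaves the client.
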
3. Dehashed

  • Website: https://www.dehashed.com
  • Purpose: Search emails, usernames, IPs, and domains in breach data.
  • Free Features:
    • Limited searches without a subscription.
    • Detailed results for premium users.

4. Breach Directory

  • Website: https://breachdirectory.org
  • Purpose: Check if an email or username has been part of a breach.
  • Usage:
    • Enter your email to see associated breaches for free.
    • Full access may require a premium subscription.

5. Intelligence X

  • Website: https://intelx.io/
  • Purpose: Search for leaked credentials, documents, and more.
  • Free Features:
    • Limited searches for free users.
    • Access to pastes and public leaks.

6. LeakBase

  • Website: https://leakbase.cc
  • Purpose: Free and community-supported platform for searching leaked credentials.
  • Free Features:
    • Limited searches without an account.
    • Advanced features for premium users.

7. GitHub Dorking

  • Description: Search for credentials accidentally committed to public GitHub repositories. The queries below are Google search operators; GitHub's own code search uses qualifiers instead (for example, path:.env rather than filetype:env).
  • Examples:
    • password site:github.com
    • db_password site:github.com
    • site:github.com filetype:env

8. OSINT Framework

  • Website: https://osintframework.com
  • Purpose: A categorised directory of OSINT tools and sources, including breach-data, email and username lookup resources, useful for finding further services beyond the ones listed here.

9. Cracked.to Forums

  • Website: https://cracked.to
  • Purpose: Underground community forum where breaches and leaked databases are discussed and traded.
  • Note: Visiting such forums, and in particular downloading breach dumps from them, may be illegal in your jurisdiction. Use only for educational and ethical purposes, and never handle data you have no authorisation to possess.

Free Tools for Password Analysis


1. theHarvester

  • Description: A reconnaissance tool that collects email addresses, subdomains, and usernames from public sources such as Google, LinkedIn, and Bing. The addresses it finds are the natural input for the breach-check services above.
  • Usage Example:

    theHarvester -d example.com -b google
    

2. SearchSploit

  • Description: Command-line search of a local copy of the Exploit-DB archive. It is not a breach-data source; in this context it is useful for finding published exploits that disclose or dump credentials from a specific product.
  • Command Example:

    searchsploit password leak
    

3. CredSweeper

  • Tool: https://github.com/Samsung/CredSweeper
  • Purpose: Scan source trees, configuration files, and cloned repositories for hard-coded credentials (passwords, API keys, tokens, private keys), using pattern rules with a machine-learning filter to cut false positives.
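
GitHub dorks (section 7 above) find files that look like they hold secrets; a scanner such as CredSweeper then decides line by line whether a value is really a credential. The block below is an added example written for this page, not CredSweeper's code and not the page's original: it scans constructed sample files (the SAMPLE_FILES contents, rule names, PLACEHOLDERS and all function names are assumptions for the illustration) with a few pattern rules, suppresses placeholders and runtime lookups, and ranks hits by Shannon entropy so the most random-looking values come first. The AWS values in the sample are Amazon's documented example keys, not live credentials.

```python
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    value: str
    entropy: float


# Rules of the kind credential scanners ship with. The AWS access key ID shape
# (AKIA + 16 uppercase alphanumerics) and the PEM header are fixed formats; the
# generic assignment rule is a heuristic, which is where false positives come from.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token|key)\s*[:=]\s*['\"]?([^'\"\s#]+)"
    ),
}

# Values that match syntactically but are placeholders or runtime lookups, not leaks.
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "example", "<redacted>", "todo"}
LOOKUP_PREFIXES = ("${", "os.environ", "process.env", "env(")

# Constructed sample repository contents; the AWS values are the documented AWS example keys.
SAMPLE_FILES: Dict[str, str] = {
    ".env": "\n".join([
        "# constructed sample, not a real leak",
        "DB_HOST=db.internal",
        "DB_PASSWORD=S3cr3t-Pr0d-DB-2024!",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    ]),
    "settings.py": "\n".join([
        "import os",
        "SECRET_KEY = os.environ['SECRET_KEY']   # runtime lookup, not a leak",
        "DEFAULT_PASSWORD = 'changeme'            # placeholder, not a leak",
    ]),
    "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----",
}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking strings score higher than words."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_len: int = 8) -> List[Finding]:
    """Run every rule over every line; attach an entropy score for triage."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1) if pattern.groups else match.group(0)
                if rule == "generic_assignment":
                    # Heuristic rule: drop placeholders, env lookups and very short values.
                    if value.lower() in PLACEHOLDERS or value.startswith(LOOKUP_PREFIXES):
                        continue
                    if len(value) < min_len:
                        continue
                findings.append(Finding(path, line_no, rule, value, shannon_entropy(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} map; most random-looking values first."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return sorted(results, key=lambda f: f.entropy, reverse=True)


def mask(value: str) -> str:
    """Never echo a full secret into logs or tickets."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "*" * len(value)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.rule:<20} entropy={f.entropy:.2f} value={mask(f.value)}")
```

The entropy score is for ranking, not filtering: a weak real password such as a dictionary word scores low but is still a leak, which is why only placeholders and lookups are dropped outright. Running the same rules over a freshly cloned repository's history (not just its working tree) is what turns a dork hit into an actionable finding.
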

Usage Scenarios

1. Checking Email Breaches:

  • Tool: Have I Been Pwned
    • Input: user@example.com
    • Result: List of breaches where the email was exposed.

2. Validating Password Security:

  • Tool: HIBP Pwned Passwords API
    • Input: SHA-1 of password123; only the first five hex characters of the hash are sent to the API.
    • Result: The number of times the password appears in breach data (0 if it does not).

3. Searching Public Leaks:

  • Tool: GitHub Dorking
    • Input: password site:github.com filetype:env
    • Result: Exposed credentials in .env files.

Best Practices for Password Security

  1. Use Strong Passwords:

    • Minimum 12 characters. Length matters more than forced character classes, so prefer long passphrases over short strings padded with symbols.

  2. Use a Password Manager:

    • Use tools like Bitwarden, LastPass, or Dashlane to generate and store a unique password per site (note that LastPass itself suffered a breach of customer vault data in 2022; review a manager's breach history before trusting it).

  3. Enable Multi-Factor Authentication (MFA):

    • Add an extra layer of security to critical accounts, so a leaked password alone is not enough to log in.

  4. Monitor Breaches Regularly:

    • Periodically check your accounts with tools like HIBP or Intelligence X, and rotate any password that appears in a breach.


Important Notes

  1. Ethical Use Only:

    • Always ensure you have permission to check credentials.
    • Misuse of leaked databases is illegal and unethical.

  2. Combine Resources:

    • Use multiple tools for comprehensive checks (e.g., HIBP, GitHub dorks, and theHarvester).

  3. Stay Updated:

    • Breach databases are updated frequently. Regularly check trusted sources for new leaks.