commit b2907f3bb1b727c39f468077155f3b3b0097e510
Author: Joerg Elfring
Date: Thu Jan 17 21:29:01 2019 +0100

INITIAL COMMIT with checkPasswordList.sh

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9902b4f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,23 @@
+# My Have I been pwned scripts
+
+These are my scripts to the haveibeenpwned.com api.
+... To be extended ...
+
+
+## checkPasswordList.sh
+
+This script checks a list of passwords against the api and reports whether they hae been compromised.
+The passwords themselfs will NOT be send to the web-api.
+haveibeenpwned.com's k-anonymity model is used.
+More info can be found here https://haveibeenpwned.com/API/v2#PwnedPasswords
+
+Example:
+
+```
+$ ./checkPasswordList.sh passwordlist.txt
+Checking passwords from list passwordlist.txt
+XX: Password P@ssw0rd has been pwned 51259 times.
+__: Password c60e6754-8abf-4c0f-a7a7-2225da28637f has not been pwned.
+__: Password c60e6754-8a f-4c0f-a7a -2225da28637f has not been pwned.
+==: 1 of 3 passwords have been pwned.
+```
diff --git a/checkPasswordList.sh b/checkPasswordList.sh
new file mode 100755
index 0000000..4646475
--- /dev/null
+++ b/checkPasswordList.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+pfile=$1
+cPwned=0
+cPswds=0
+
+## Check if the argument is a file we can read
+if [ ! -f "$pfile" ]
+then
+ echo "$pfile can not be read."
+ echo
+ exit 2
+fi
+
+## Check if the list in the argument is an actual ascii file
+## and not something crazy like a zip, etc.
+filetype=$(file "$pfile")
+if [ "$filetype" != "$pfile: ASCII text" ]
+then
+ echo "$pfile is not an ascii password list."
+ echo
+ exit 2
+fi
+
+## loop through the file and verify against the api
+echo "Checking passwords from list $1"
+
+IFS=$'\n'
+for p in $(cat < "$pfile"); do
+ ((cPswds++))
+ ## Hash the password, filter non-hashy things (" -" at the end),
+ ## translate to upper for the beauty
+ pHashed=$(echo -n "$p" | sha1sum | cut --delimiter=' ' --fields=1 | tr '[:lower:]' '[:upper:]')
+ ## Devide into prefix and suffix used by k-anonymity model
+ ## https://haveibeenpwned.com/API/v2#PwnedPasswords
+ pPrefix=$(echo -n "$pHashed" | cut --characters='-5')
+ pSuffix=$(echo -n "$pHashed" | cut --characters='6-')
+ ## get a list of pwnedsuffix:pwncount from the webservice
+ wsResult=$(curl --silent https://api.pwnedpasswords.com/range/$pPrefix)
+ ## Check if our suffix is included and strip characters we can not understand
+ wsCheck=$(echo -n "$wsResult" | grep $pSuffix | tr -cd [:alnum:][:])
+ if [ -n "$wsCheck" ]
+ then
+ ## CheckedResult contains a value --> EVIL
+ pwnCount=$(echo -n "$wsCheck" | cut --delimiter=':' --fields=2)
+ echo "XX: Password $p has been pwned $pwnCount times."
+ ((cPwned++))
+ else
+ ## CheckedResult does not contain a value --> good
+ echo "__: Password $p has not been pwned."
+ fi
+done
+
+echo "==: $cPwned of $cPswds passwords have been pwned."
+echo
+
+if [ $cPwned -gt 0 ]
+then
+ exit 1
+fi
diff --git a/passwordlist.txt b/passwordlist.txt
new file mode 100644
index 0000000..964fd5b
--- /dev/null
+++ b/passwordlist.txt
@@ -0,0 +1,3 @@
+P@ssw0rd
+c60e6754-8abf-4c0f-a7a7-2225da28637f
+c60e6754-8a f-4c0f-a7a -2225da28637f
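Review bot: A failed lookup is reported as a clean result: on the `wsResult=` line, `curl --silent` prints nothing on a network error or non-2xx response, so `wsCheck` stays empty and the loop falls into the `else` branch and prints `has not been pwned` for that password, which is the wrong default for a safety check. The lookup should use `--fail --show-error`, test curl's exit status, and abort (or count the password as unknown) rather than treat silence as "not found", as in the excerpt below. Two smaller issues in the same loop: `for p in $(cat < "$pfile")` still applies pathname expansion to each line, so a password such as `*` is replaced by the file names in the current directory, and `echo -n "$p"` treats a password like `-e` as an echo option and hashes the empty string instead — a `while IFS= read -r p` loop and `printf '%s' "$p"` avoid both. Quoting the character class (`tr -cd '[:alnum:][:]'`) and using `grep -F -- "$pSuffix"` keep the suffix filter literal and immune to stray files in the working directory.
```shell
while IFS= read -r p || [ -n "$p" ]; do
 ((cPswds++))
 # … unchanged: sha1 hashing and prefix/suffix split (use printf '%s' "$p" instead of echo -n) …
 ## get a list of pwnedsuffix:pwncount from the webservice; a failed
 ## lookup must never be reported as "not pwned"
 if ! wsResult=$(curl --silent --show-error --fail "https://api.pwnedpasswords.com/range/$pPrefix"); then
  echo "!!: lookup for prefix $pPrefix failed; result for this password is unknown." >&2
  exit 3
 fi
 ## Check if our suffix is included and strip characters we can not understand
 wsCheck=$(printf '%s' "$wsResult" | grep -F -- "$pSuffix" | tr -cd '[:alnum:][:]')
 # … unchanged: pwned / not-pwned reporting …
done < "$pfile"
```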