Have You Been Pwned: NTLM Hashes

Troy Hunt continues to be amazing for cyber security with the Have I Been Pwned project. All of the Version 3 passwords have now also been released as NTLM hashes, the password hash format used by Windows. This should be really useful for any sysadmin managing a Windows enterprise deployment who wants to make sure that users aren’t using bad passwords. Hopefully, as this is adopted, it will also reduce the number of poor password rules that many companies still enforce.

Things like:

  • Forcing users to use upper and lower case letters, numbers and a special character
  • Then only allowing some special characters
  • Forcing password changes after a set number of days

I have been neglecting my GitHub project for checking these passwords, and some of the info on my website is out of date now. The offline file part still works, but the web API is broken due to some changes made a while back, which you can read about here.

My software gives a warning about using the web API for passwords that you actually use, and this is still correct, since it sends the full SHA1 hash to the web service. The new API (not implemented as of writing, so the warning in my software still stands!) only searches on the first 5 hex characters of the hash and returns all matches for that prefix. With the current set of passwords the most you are likely to get back is <500 and normally <10. This is much more reasonable to search locally, so you could safely check passwords that you actively use.
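To make the prefix lookup concrete, here is an added example (not code from my project or from Have I Been Pwned) of the client side: hash the password, send only the first 5 hex characters, and match the remaining 35 locally. The `SUFFIX:COUNT` response format, the canned responses and the counts are assumptions constructed for this example; `fake_fetch_range` stands in for the HTTP call so it runs offline.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the range lookup described above: the client sends
# only the first 5 hex characters of the SHA-1 hash and gets back every known
# suffix in that range. Line format and counts are assumptions, not real data.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"  # suffix of SHA-1("password"), constructed count
        "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:7\r\n"       # constructed filler suffix
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP request; returns the canned suffix list for a prefix."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map; blank lines are ignored."""
    matches: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count) if count.isdigit() else 0
    return matches


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password was seen, or 0 if not in the range.

    Only the 5-character prefix is handed to fetch_range; the full hash and the
    35-character suffix never leave this function.
    """
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    matches = parse_range_response(fetch_range(prefix))
    return matches.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-not-in-sample"):
        seen = check_password(candidate, fake_fetch_range)
        print(f"{candidate!r}: {'seen ' + str(seen) + ' times' if seen else 'not found'}")
```

Swapping `fake_fetch_range` for a real HTTP GET of the prefix is the only change needed for live use; the matching logic stays entirely local.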

Shortly I will remove the web API from my software, since I can’t see any value in keeping it any more. Many services now use the API to check your passwords for you (such as Firefox and 1Password), so the need for a stand-alone bit of software is going away. I also won’t be adding support for NTLM hashes, as this is going to be a very specific use case and I don’t even want to think about having to do Active Directory integration. There is also no hash-ordered version of the NTLM file, so it can’t be quickly searched using a binary search.
