Thread: RSPS Database Breach Checker (API)

Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 22
  1. #11  
    Registered Member
    hc747's Avatar
    Join Date
    Dec 2013
    Age
    23
    Posts
    1,456
    Thanks given
    3,196
    Thanks received
    682
    Discord
    View profile
    Rep Power
    1067
    Quote Originally Posted by jet kai View Post
    - Added Python & PowerShell (Module) examples, I am still currently updating the comments on them & readme docs
    - Tested response and HTTP is about ~2x faster than HTTPS on initial connection
    Would think you'd probably still want to use HTTPS over HTTP anyway - it's kinda a non-negotiable
    Reply With Quote  
     

  2. Thankful user:


  3. #12  
    08-13, SpawnScape Owner

    jet kai's Avatar
    Join Date
    Dec 2009
    Age
    26
    Posts
    837
    Thanks given
    558
    Thanks received
    638
    Discord
    View profile
    Rep Power
    3578
    Quote Originally Posted by hc747 View Post
    Would think you'd probably still want to use HTTPS over HTTP anyway - it's kinda a non-negotiable
    Choice is there for people who donít care HTTPS + SHA1 setup by default anyways
    Reply With Quote  
     

  4. Thankful user:


  5. #13  
    08-13, SpawnScape Owner

    jet kai's Avatar
    Join Date
    Dec 2009
    Age
    26
    Posts
    837
    Thanks given
    558
    Thanks received
    638
    Discord
    View profile
    Rep Power
    3578
    Updated stability & speed of the API.
    - Always on 24/7
    Reply With Quote  
     

  6. #14  
    Donator


    Join Date
    Jan 2010
    Age
    27
    Posts
    4,139
    Thanks given
    272
    Thanks received
    530
    Discord
    View profile
    Rep Power
    710
    Pretty sick, will prob impl it in my server
    Reply With Quote  
     

  7. #15  
    Registered Member
    Join Date
    Dec 2013
    Posts
    342
    Thanks given
    115
    Thanks received
    81
    Rep Power
    355
    From the looks of it, you're comparing hashed passwords to a database that contains other hashed passwords.

    If this is the case, the tool is pretty useless as you haven't tied it to a specific username. If I want to use the password "password", I won't be able to because it'll probably be in your database.
    If my secure [email protected]! is in your database, I'll get given a "unable to login complete" or your "password is too weak"??
    As a player, what if I don't care that my password is in a leaked database because in this implementation, you can't tie anything back to a username?

    There's a few more points including other technical flaws I can make but these are the first 3 to mind.

    Why not just implement password complexity and leave it at that?
    Reply With Quote  
     

  8. #16  
    08-13, SpawnScape Owner

    jet kai's Avatar
    Join Date
    Dec 2009
    Age
    26
    Posts
    837
    Thanks given
    558
    Thanks received
    638
    Discord
    View profile
    Rep Power
    3578
    Quote Originally Posted by Kiissmyswagb View Post
    From the looks of it, you're comparing hashed passwords to a database that contains other hashed passwords.

    If this is the case, the tool is pretty useless as you haven't tied it to a specific username. If I want to use the password "password", I won't be able to because it'll probably be in your database.
    If my secure [email protected]! is in your database, I'll get given a "unable to login complete" or your "password is too weak"??
    As a player, what if I don't care that my password is in a leaked database because in this implementation, you can't tie anything back to a username?

    There's a few more points including other technical flaws I can make but these are the first 3 to mind.

    Why not just implement password complexity and leave it at that?
    It’s not designed for that kinda scenario. There are other sites available which can check usernames and emails that are listed in breaches. This is specific for servers who want to warn players of weak passwords before they login - it’s not mainly to do with the player caring that their password is on a leaked rsps database. A lot of players use the same weak passwords, but they may be under a different username. Comparing the username & password is a less likely hit. Tools that most people use to attack players dont lookup the usernames, they’ll just brute force with the weakest and most common passwords.
    Reply With Quote  
     

  9. #17  
    Registered Member
    Join Date
    Dec 2013
    Posts
    342
    Thanks given
    115
    Thanks received
    81
    Rep Power
    355
    Quote Originally Posted by jet kai View Post
    It’s not designed for that kinda scenario. There are other sites available which can check usernames and emails that are listed in breaches. This is specific for servers who want to warn players of weak passwords before they login - it’s not mainly to do with the player caring that their password is on a leaked rsps database. A lot of players use the same weak passwords, but they may be under a different username. Comparing the username & password is a less likely hit. Tools that most people use to attack players dont lookup the usernames, they’ll just brute force with the weakest and most common passwords.
    -------------------------------

    I take everything back. The NIST 2020 guidelines recommend that passwords are checked against a breach list.

    Good tool to adapt onto your platform would be https://haveibeenpwned.com/Passwords alongside your current dataset (https://haveibeenpwned.com/API/v3).

    -------------------------------

    Should be worth mentioning that on the main post!
    Reply With Quote  
     

  10. Thankful users:


  11. #18  
    zen2
    Corey's Avatar
    Join Date
    Feb 2012
    Age
    23
    Posts
    1,401
    Thanks given
    1,116
    Thanks received
    1,500
    Discord
    View profile
    Rep Power
    5000
    Quote Originally Posted by Kiissmyswagb View Post
    -------------------------------

    I take everything back. The NIST 2020 guidelines recommend that passwords are checked against a breach list.

    Good tool to adapt onto your platform would be https://haveibeenpwned.com/Passwords alongside your current dataset (https://haveibeenpwned.com/API/v3).

    -------------------------------

    Should be worth mentioning that on the main post!
    I didn't know about the API until a few months ago but it's pretty neat - let users know if their password is weak, or has been breached before, upon login or password change.
    If a user decides to proceed then at least you've given them a warning.

    I've seen AIO solutions, such as Ory Kratos, build it in too.
    Reply With Quote  
     

  12. Thankful user:


  13. #19  
    Registered Member
    Join Date
    Dec 2013
    Posts
    342
    Thanks given
    115
    Thanks received
    81
    Rep Power
    355
    Just wrote some code testing the haveibeenpwned/API/v3 API if you guys want it.
    To note: on error, we return false here to avoid your program to stop functioning if the API goes down:

    Code:
    import javax.xml.bind.DatatypeConverter;
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    
    /** @author Kiissmyswagb */
    public class HaveIBeenPwned {
        private static final String API_URL = "https://api.pwnedpasswords.com/range/";
        public static boolean pwned(String password) {
            var hashed = sha1(password.getBytes());
            if(hashed != null) {
                try {
                    var sb = new StringBuilder();
                    var url = new URL(API_URL + hashed.substring(0, 5));
                    var http = (HttpURLConnection) url.openConnection();
                    http.setRequestMethod("GET");
                    http.setDoOutput(true);
                    if(http.getResponseCode() == HttpURLConnection.HTTP_OK) {
                        try (var reader = new BufferedReader(new InputStreamReader(http.getInputStream(), StandardCharsets.UTF_8))) {
                            var read = 0;
                            while ((read = reader.read()) >= 0) {
                                sb.append((char) read);
                            }
                        }
                        return sb.toString().contains(hashed.substring(5));
                    }
                } catch (Exception e) {
                    Logger.error(e.getMessage());
                }
            }
            return false;
        }
    
        public static String sha1(byte[] input) {
            try {
                return DatatypeConverter.printHexBinary(MessageDigest.getInstance("SHA-1").digest(input));
            } catch (NoSuchAlgorithmException e) {
                Logger.error(e.getMessage());
            }
            return null;
        }
    }
    Unit tested with:
    Code:
    assertTrue(HaveIBeenPwned.pwned("password"));
    assertFalse(HaveIBeenPwned.pwned(RandomStringUtils.randomAlphanumeric(24)));
    Reply With Quote  
     

  14. Thankful user:


  15. #20  
    08-13, SpawnScape Owner

    jet kai's Avatar
    Join Date
    Dec 2009
    Age
    26
    Posts
    837
    Thanks given
    558
    Thanks received
    638
    Discord
    View profile
    Rep Power
    3578
    Quote Originally Posted by Kiissmyswagb View Post
    Just wrote some code testing the haveibeenpwned/API/v3 API if you guys want it.
    To note: on error, we return false here to avoid your program to stop functioning if the API goes down:

    Code:
    import javax.xml.bind.DatatypeConverter;
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    
    /** @author Kiissmyswagb */
    public class HaveIBeenPwned {
        private static final String API_URL = "https://api.pwnedpasswords.com/range/";
        public static boolean pwned(String password) {
            var hashed = sha1(password.getBytes());
            if(hashed != null) {
                try {
                    var sb = new StringBuilder();
                    var url = new URL(API_URL + hashed.substring(0, 5));
                    var http = (HttpURLConnection) url.openConnection();
                    http.setRequestMethod("GET");
                    http.setDoOutput(true);
                    if(http.getResponseCode() == HttpURLConnection.HTTP_OK) {
                        try (var reader = new BufferedReader(new InputStreamReader(http.getInputStream(), StandardCharsets.UTF_8))) {
                            var read = 0;
                            while ((read = reader.read()) >= 0) {
                                sb.append((char) read);
                            }
                        }
                        return sb.toString().contains(hashed.substring(5));
                    }
                } catch (Exception e) {
                    Logger.error(e.getMessage());
                }
            }
            return false;
        }
    
        public static String sha1(byte[] input) {
            try {
                return DatatypeConverter.printHexBinary(MessageDigest.getInstance("SHA-1").digest(input));
            } catch (NoSuchAlgorithmException e) {
                Logger.error(e.getMessage());
            }
            return null;
        }
    }
    Unit tested with:
    Code:
    assertTrue(HaveIBeenPwned.pwned("password"));
    assertFalse(HaveIBeenPwned.pwned(RandomStringUtils.randomAlphanumeric(24)));
    I’ll defo try that out once I’m out of work - looks really neat! Great work with this!
    Reply With Quote  
     

Page 2 of 3 FirstFirst 123 LastLast

Thread Information
Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)


User Tag List

Similar Threads

  1. Replies: 6
    Last Post: 10-14-2014, 05:19 PM
  2. Replies: 14
    Last Post: 10-17-2011, 07:31 PM
  3. Best Database Software for RSPS/Runescape?
    By TORONTO in forum RS2 Server
    Replies: 41
    Last Post: 03-10-2011, 08:02 PM
  4. Replies: 10
    Last Post: 08-21-2009, 02:02 PM
  5. Eversio - The RSPS API
    By blakeman8192 in forum RS2 Server
    Replies: 30
    Last Post: 02-20-2009, 11:46 AM
Posting Permissions
  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •