Imagine this: you've been using the same password across multiple sites for years. One morning, you receive an alert that your credentials are circulating on the dark web. This scenario is not hypothetical—it happens daily to thousands of users. Yet, most developers don't know how to proactively check if their own passwords have been compromised.
Contrary to what one might think, you don't need to be a cybersecurity expert to create basic protection tools. In less than 50 lines of Python code, you can build a password leak checker that uses real breach data. This article guides you step-by-step in creating such a tool, explaining why this approach is more effective than manual checks and how to integrate it into your development workflows.
Why scan text files for plaintext passwords?
Before even checking if a password has leaked online, you must first ensure it's not stored in plaintext in your code or configuration files. As highlighted by a Spiceworks Community user, searching for hard-coded passwords in text files is a real concern for IT teams. The Python script we'll develop could be adapted to scan directories for strings resembling passwords—an often overlooked first line of defense.
The traditional approach involves looking for specific patterns, but as noted in the Spiceworks discussion, this method has its limits. A password like "P@ssw0rd2025!" might escape a search based on the term "password." That's why our tool will first focus on external verification via known leak databases.
The Have I Been Pwned API: your ally against leaks
The core of our detector will rely on the Have I Been Pwned (HIBP) API, a service maintained by Troy Hunt that aggregates billions of compromised accounts. Instead of transmitting the password in plaintext, we'll use the k-anonymity technique: only a prefix of the password's SHA-1 hash is sent, preserving confidentiality. The API then returns the complete list of hashes matching that prefix, which we'll compare locally with the full hash.
This approach, described in a DEV Community article, represents the recommended method for checking leaks without exposing the original password. It combines efficiency and privacy—two crucial aspects often in tension in security tools.
The code: a Python script in three parts
1. Installing dependencies
Our script only requires the `requests` library, which you can install via pip:
pip install requests
2. Secure hashing function
import hashlib
import requests
def check_password_leak(password):
# Create the SHA-1 hash of the password
sha1_hash = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
prefix = sha1_hash[:5]
suffix = sha1_hash[5:]
# Query the HIBP API
url = f"https://api.pwnedpasswords.com/range/{prefix}"
response = requests.get(url)
if response.status_code == 200:
hashes = (line.split(':') for line in response.text.splitlines())
for h, count in hashes:
if h == suffix:
return True, int(count)
return False, 0
else:
raise Exception("API request failed")
3. Simple user interface
def main():
print("=== Password Leak Checker ===")
password = input("Enter the password to check: ")
try:
leaked, count = check_password_leak(password)
if leaked:
print(f"⚠️ This password was found in {count} data leaks.")
print("Recommendation: change it immediately.")
else:
print("✅ This password was not found in known leaks.")
print("Note: this does not guarantee its strength or security.")
except Exception as e:
print(f"Error: {e}")
if name == "main":
main()
Beyond verification: secure generation and storage
Checking for leaks is only part of the equation. If your password is compromised, it needs to be replaced—but with what? As highlighted on Stack Overflow, on Python 3.6+, the `secrets` module should be used to generate cryptographically secure passwords. Here's a complementary example:
import secrets
import string
def generate_secure_password(length=16):
alphabet = string.ascii_letters + string.digits + string.punctuation
return ''.join(secrets.choice(alphabet) for _ in range(length))
Once a new password is generated, the question of storage arises. Another Stack Overflow thread addresses this very problem: how to securely store credentials in a Python script? Solutions range from local encryption to using dedicated password vaults, including personal access tokens like those described in Microsoft's documentation for Azure DevOps.
Practical applications and limitations
This basic script can be extended in several ways:
- Automatically scan configuration files for hard-coded passwords (as mentioned in Spiceworks Community)
- Integrate verification into a CI/CD pipeline to alert if sensitive credentials are accidentally committed
- Create a simple web interface for non-technical teams
However, it has significant limitations. It only checks against leaks already documented in HIBP. A weak but not yet leaked password would pass the test. That's why KnowledgeHut includes password strength testing projects in its list of cybersecurity projects—the two approaches are complementary.
The future: when deep learning meets password security
A fascinating approach is emerging on the research side: using deep learning to identify passwords in files or code. The DeepPass project, presented on SpecterOps, uses deep learning models to detect "password candidates" in various contexts. Although more complex to implement than our simple script, this direction shows how AI could in the future automate the detection of dangerous configurations.
Conclusion: security as a daily practice
Building a password leak checker in Python isn't just a technical exercise—it's adopting a proactive mindset toward digital risks. By understanding how these tools work, you become better equipped to assess the security of your own practices and those of your projects.
The code presented here is a starting point. You could extend it to handle password lists, add basic strength tests, or integrate it into regular audits. In a world where, according to the DEV Community article, billions of credentials circulate on the dark web, these few lines of Python could make the difference between illusory security and real protection.
Start by testing your own passwords—the results might surprise you. Then, share this tool with your team. Security isn't just for experts; it's a collective responsibility that begins with accessible tools.
To go further
- DEV Community - Password Leaks: What Devs. Must Know - Tutorial on detecting password leaks with Python
- Spiceworks Community - Finding hard coded passwords in text files - Discussion on finding plaintext passwords in files
- SpecterOps - DeepPass — Finding Passwords With Deep Learning - Advanced approach using deep learning
- KnowledgeHut - Top Cyber Security Projects - List of practical cybersecurity projects
- Stack Overflow - Generate password in Python - Best practices for generating passwords
- Stack Overflow - Securely store username and password in Python - Options for securely storing credentials
- Microsoft Learn - Use Personal Access Tokens - Documentation on personal access tokens