Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
eterm 5 days ago

> Chrome told me my PureGym PIN had been compromised

This is likely a false positive, if chrome is using haveibeenpwned API.

e.g. A pin of 87623103

Hashes to 558B4C37F6E3FF9A5E1115C66CEF0703E3F2ADEE

We get the range from HaveIBeenPwned:

https://api.pwnedpasswords.com/range/558B4

And search for C37F6E3FF9A5E1115C66CEF0703E3F2ADEE

And see it's "Compromised" and seen 3 times before.

eterm 5 days ago | parent | next [-]

In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.

To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:

  var httpClient = new System.Net.Http.HttpClient();
  httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");

  while (true)
  {
   var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));

   var hash = Convert.ToHexString(System.Security.Cryptography.SHA1.HashData(Encoding.UTF8.GetBytes(password)));

   var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");

   passwordRange.EnsureSuccessStatusCode();

   var allhashes = await passwordRange.Content.ReadAsStringAsync();

   var splitHashes = allhashes.Split(Environment.NewLine);
   
   var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));
   
   if (compromised != null)
   {
    Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
    Console.WriteLine($"Hash: {hash}");
    return;
   }
   await System.Threading.Tasks.Task.Delay(1_000);
  }
The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
cornholio 5 days ago | parent | next [-]

> not all 8 digit pins are "compromised"

Sure they have been, I can send you a text file with all of them. It's 850MB, but i expect it compresses very well.

eterm 4 days ago | parent [-]

There's a reason I put "compromised" in quotes. By that I mean that not all 8 digit numbers are yet flagged in haveibeenpwned.

Of course there's no world in which they're actually a secure password, which is why it's kind of insane to treat them as one.

charcircuit 5 days ago | parent | prev [-]

>17385382

That's a truncated 9 digit pin of a unix timestamp.

nkrisc 4 days ago | parent | next [-]

Well yeah if you’re enumerating every 8 digit number you’re of course going to get parts of larger numbers.

londons_explore 5 days ago | parent | prev [-]

Seems a stretch... What is special about that time?

echoangle 4 days ago | parent [-]

If you truncate the current time to make it 8 digits long, every timestamp since the 2nd of February 2025 would return this result.

londons_explore 3 days ago | parent [-]

No... Only timestamps on Feb 2nd 2025. So what happened that day?

qingcharles 4 days ago | parent | prev [-]

I had this constantly the last couple of days. I've been doing some UI mockups in Claude and it includes a password field, and either it puts in a placeholder of like 1234 or I type asdf to test the field. Then as soon as I do anything else Chrome has a fit because "my" password has (obviously) been "pwned."