I needed a project that would be relatively simple to develop and expose me to a range of new technologies and techniques, and I knew the perfect project. I am an avid follower of Troy Hunt, who runs the Have I Been Pwned? (HIBP) service, which includes an Application Programming Interface (API) to allow others to query the service. There are already many uses of the Have I Been Pwned? API, including iOS and Android apps, and at the moment this project is very similar. However, I have some ideas/features planned for the next few months which should make the app stand out from the rest (data aggregation, visualisations etc).
I decided to call the app pwned?, borrowing the main reference used in HIBP.
The app has two core modules, 'accounts' and 'passwords', both of which are core to the HIBP service. Users can search their email address, username or password to see if they've been pwned. The final element, their password, possibly one of the most sensitive items of information a user could supply to an unknown third party, is protected using an approach recommended by Troy. The HIBP password range API is used: the user's password is hashed with SHA-1 in the app, and only the first 5 characters of the SHA-1 hash are sent to HIBP.
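The range lookup described above, written out as an added Node.js example (this is not code from the pwned? app). It shows the client-side half that the paragraph leaves implicit: the remaining 35 hash characters are matched locally against the `SUFFIX:COUNT` lines the range API returns. The response body and its counts are constructed sample data so the example runs offline.

```javascript
// Added example (Node.js); not taken from the pwned? app.
const { createHash } = require("crypto");

// Split the SHA-1 of a password into the 5-character prefix that is sent to
// the range API and the 35-character suffix that never leaves the client.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body: one "SUFFIX:COUNT" entry per line.
// Returns a Map of suffix -> count; malformed lines are skipped.
function parseRange(body) {
  const entries = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) entries.set(m[1].toUpperCase(), Number(m[2]));
  }
  return entries;
}

// How many times the password appears in the given range response.
// 0 means no match; padding entries also carry a count of 0.
function pwnedCount(password, rangeBody) {
  const { suffix } = splitHash(password);
  return parseRange(rangeBody).get(suffix) ?? 0;
}

// Constructed sample response for the prefix of "password".
const demo = splitHash("password");
const sampleBody = [
  "0".repeat(35) + ":3",        // constructed unrelated entry
  demo.suffix + ":1234",        // constructed count for the demo password
  "F".repeat(35) + ":0",        // constructed padding-style entry
].join("\r\n");

// Only the prefix appears in the request URL.
console.log(`GET https://api.pwnedpasswords.com/range/${demo.prefix}`);
console.log(pwnedCount("password", sampleBody));
```

In a real client, `sampleBody` would be the text returned by the range request; the comparison against the suffix still happens on the device.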
Below are a couple of screenshots, and you can see a live demo here.
Contribute: I welcome any comments, pulls and commits.
I created a Firebase Function to monitor the Have I Been Pwned API (daily), and when a new breach is detected an email is then sent to me (via SendGrid), giving me the option to push the notification to users.
It was a fun little hobby project for a Saturday morning. It appears to be working well, and I will be updating the project over time to introduce new features. I am very keen to develop new methods to generate 'user insights' and promote more awareness of information security in the general public.
Note: The app has been available for quite a while, I've just been slow to blog about it.