A friend and colleague wrote a PowerShell module which queries Troy Hunt's haveibeenpwned.com API. The haveibeenpwned site, which Troy runs, documents data breaches where data has been leaked and provides an API to query that data.
Wanting to publish a few Ansible roles to Galaxy, I started to put together a role that queries the haveibeenpwned API: Im0.have-i-been-pwned
Using the role
Download from galaxy with something like: ansible-galaxy install Im0.have-i-been-pwned
Run it by including it in a playbook in a number of ways:
---
- name: Check have i been pwned
  hosts: localhost
  roles:
    - { role: Im0.ansible-role-have-i-been-pwned,
        lookup: 'password',
        password: 'password123' }
    - { role: Im0.ansible-role-have-i-been-pwned,
        lookup: 'password',
        hash: 'AB87D24BDC7452E55738DEB5F868E1F16DEA5ACE' }
    - { role: Im0.ansible-role-have-i-been-pwned,
        lookup: 'account_breach',
        account: '[email protected]' }
Or, as a task:
  tasks:
    - include_role:
        name: Im0.ansible-role-have-i-been-pwned
        tasks_from: password_lookup
      vars:
        password: 'password123'
    - include_role:
        name: Im0.ansible-role-have-i-been-pwned
        tasks_from: account_breach
      vars:
        account: '[email protected]'
If the account or password is found in the queried database, the task fails:
TASK [ansible-role-have-i-been-pwned : Fail if the password is in the pwned database] *************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Password is compromised"}
	to retry, use: --limit @/home/user/haveibeenpwned.retry
Or:
TASK [ansible-role-have-i-been-pwned : Fail if "[email protected]" is found in breached account list] ************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Account [email protected] was found in 1 breaches"}
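The role's `hash:` option lets you supply a precomputed SHA-1 instead of putting a plaintext password in the playbook, and the haveibeenpwned Pwned Passwords API itself is built so that the full hash never needs to leave your machine: you send only the first five hex characters of the SHA-1 and receive every known suffix for that range with an occurrence count (k-anonymity). The following is an added example, not code from the role or from haveibeenpwned, showing that lookup in Python. The `hibp-example` User-Agent string is a placeholder, the `SAMPLE_RANGE_BODY` response is constructed rather than real API data, and the `fetcher` parameter exists so the lookup can be exercised offline against that sample; by default it calls the live range endpoint.

```python
"""
Check a password against the Pwned Passwords range API with k-anonymity.

Only the 5-character SHA-1 prefix is sent; the 35-character suffix is matched
locally against the returned range, so neither the password nor its full
hash is disclosed to the service.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public HIBP range endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password, as HIBP publishes it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hash: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into (5-char prefix, 35-char suffix)."""
    h = sha1_hash.strip().upper()
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected a 40-character hexadecimal SHA-1 digest")
    return h[:5], h[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding rows.

    When the Add-Padding header is used the service mixes in fake rows with a
    count of 0; they carry no information and are filtered out here.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the range response for a 5-char prefix from the live API."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-example"},  # placeholder UA; set your own
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(sha1_hash: str, fetcher=fetch_range) -> int:
    """How many times this hash appears in Pwned Passwords (0 = not found).

    This is the 'hash:' path of the role: the caller already has the SHA-1.
    """
    prefix, suffix = split_hash(sha1_hash)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


def check_password(password: str, fetcher=fetch_range) -> int:
    """The 'password:' path: hash locally, then do the same range lookup."""
    return pwned_count(sha1_hex(password), fetcher)


# Constructed sample response for prefix 5BAA6 (NOT real API data). The line
# format mirrors the real endpoint: uppercase suffix, colon, occurrence count.
SAMPLE_RANGE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"  # suffix of sha1("password")
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n"      # padding row, count 0
)

if __name__ == "__main__":
    # Offline run against the constructed sample; drop the fetcher argument
    # to query the live service instead.
    offline = lambda prefix: SAMPLE_RANGE_BODY
    print("password ->", check_password("password", fetcher=offline))
    print("hash     ->", pwned_count("5BAA6" + "0" * 35, fetcher=offline))
```

A non-zero return is the equivalent of the role's "Password is compromised" failure above; the count itself is useful for deciding how loudly to complain, since a password seen a handful of times and one seen millions of times are both rejected but are not the same risk.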
The haveibeenpwned database also contains data from pastes, which I may add to the role soon.
Further reading is available on the haveibeenpwned API overview page.