There was recently a challenge to write the shortest code that checks how often a password has previously been pwned (compromised and exposed in a data breach). Here is the result (credits to Daniel Rothgänger):

'P@ssw0rd'|sc p -N;$a,$b=(FileHash p -A SHA1|% h*)-split'(?<=^.{5})';((irm https://api.pwnedpasswords.com/range/$a)-split"$b`:(\d+)")[1]

You can either use this chunk of code as brain jogging to find out what it does, or simply use it: it takes a password ("P@ssw0rd" in our example) and returns a number, the count of times this particular password has shown up in known data breaches. Step by step, the one-liner writes the password to a file named p without a trailing newline (-N is -NoNewline; a newline would change the hash), computes the SHA1 hash of that file (FileHash resolves to Get-FileHash), splits the 40-character hex string after the fifth character, sends only the five-character prefix to the range API, and then searches the returned list of suffixes for its own 35-character suffix to pick out the count. Because only the prefix ever leaves your machine, the service learns neither the password nor its full hash (k-anonymity). Any password that returns a number appears in the breach corpus and should be treated as compromised, no matter how complex it looks. A password that returns nothing is merely not in that corpus; that is a necessary condition for a good password, not proof that it is strong. Two caveats before you reuse the snippet as-is: it leaves the clear-text password behind in the file p in the current directory, and Set-Content writes with the host's default encoding, so a password containing non-ASCII characters may not hash to the value the service has on file.
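For day-to-day use, a readable version of the same check is safer than the golfed one-liner. The function below is an added example, not the tip's code and not Daniel Rothgänger's; it assumes the Have I Been Pwned Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>) and its optional Add-Padding request header, and it uses the function name Get-PwnedPasswordCount, which is my own choice. It hashes in memory instead of via a temp file, encodes the password explicitly as UTF-8, avoids aliases and implied verbs, and still sends only the five-character prefix.

```powershell
function Get-PwnedPasswordCount {
    <#
    .SYNOPSIS
        Returns how often a password appears in the Pwned Passwords corpus (0 if absent).
        Added example; assumes the HIBP range API at https://api.pwnedpasswords.com/range/<prefix>.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Password
    )
    process {
        # Hash in memory: no clear-text copy of the password touches the disk.
        # Encode as UTF-8 explicitly rather than relying on Set-Content's default encoding.
        $sha1  = [System.Security.Cryptography.SHA1]::Create()
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
        $sha1.Dispose()
        $hash  = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

        # k-anonymity: only the first five hex characters of the SHA1 leave this machine.
        $prefix = $hash.Substring(0, 5)
        $suffix = $hash.Substring(5)

        $uri = "https://api.pwnedpasswords.com/range/$prefix"
        # Add-Padding asks the service to pad every response to a similar number of lines,
        # so response size does not hint at which prefix was queried (assumption: the
        # header is honoured as documented by HIBP; padded entries carry a count of 0).
        $response = Invoke-RestMethod -Uri $uri -Headers @{ 'Add-Padding' = 'true' }

        # Each line is "<35 hex chars of suffix>:<count>". Compare our suffix locally.
        foreach ($line in ($response -split "`r?`n")) {
            $parts = $line.Trim().Split(':')
            if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
                return [long]$parts[1]
            }
        }
        # Suffix not in the returned range: the password is not in the corpus.
        return [long]0
    }
}

# Usage: pipe one or more candidate passwords in; a non-zero count means "seen in a breach".
'P@ssw0rd' | Get-PwnedPasswordCount
```

A non-zero result should fail the password outright. Treat zero as "not in this corpus" and keep applying your normal length and policy checks; the function deliberately does not return "safe".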


  • Just because the string (password) that was sent didn't return a number does not indicate it is safe. You did just send it to an API on the internet to add to its list of passwords to try....

  • "Shortest Code" brings an interesting risk with aliases. In my case, I'm disabling aliases as they make code non-portable (and introduce funny risks). "sc" is just SC.exe, not Set-Content. Apart from that, useful!