Quick n’ dirty loop to check breaches against Have I Been Pwned API

Using Have I Been Pwned to see if your email address has been breached? Most of us have more than one email address which can make plunking each address into the site painful. But, fear not, there’s an API here

There’s a million ways to use it and a crappy little bash script works just fine.

Here’s mine:

File with email addresses

Create a text file with one email address per line. I called mine emailaddys. Something like:

The script

Write a one-liner like this. I called mine check_haveibeepwned.sh:

Loop it all together

Note: The rate limiting is not specified in the API docs, but I found that sleep 2 was necessary to avoid tripping it. A User Agent is also required.

Did it work?

Breaches look like this (that’s 4 separate breaches):

Clean addys return nothing at all.


Why loosing Lavabit and Silent Mail doesn’t change anything.

Here’s a non-concept for you: secure email. There’s a lot of media frenzy surrounding the recent shuttering of Lavabit and Silent Mail and most of it is unwarranted (see what I did, there? Warranted?) While any security is certainly better than no security, the media is presenting the loss of these services as something that matters and honestly, it really doesn’t. Email is so inherently insecure and the laws of most countries allow law enforcement to warrant emails anyhow, so there’s almost no advantage to using a secure email service if your intention is to be bad. In short, there is no such thing as secure email.

I had never heard of Silent Mail before a few days ago but I have both a Lavabit (had) and a Hush Mail account; both provide encryption bundled into their email service and from the press surrounding Silent Mail, I assume it offered a similar service. Continue reading “Why loosing Lavabit and Silent Mail doesn’t change anything.”