Cyreslab-AI

Have I Been Pwned MCP Server

check_password

Verify if a password has been exposed in data breaches using k-anonymity via the Have I Been Pwned API. Ensure account security by identifying compromised passwords.

Instructions

Check if a password has been exposed in data breaches (using k-anonymity)

Input Schema

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| password | Yes | Password to check | |

Implementation Reference

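  • The handler function that implements the core logic of the 'check_password' tool. It hashes the password with SHA-1 and sends only the first five hex characters of the digest to the Pwned Passwords range API (k-anonymity); the suffix comparison happens locally, so neither the password nor its full hash is sent to the API.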
    private async handleCheckPassword(args: any) {
      if (!args.password || typeof args.password !== "string") {
        throw new McpError(
          ErrorCode.InvalidParams,
          "Password is required"
        );
      }
    
      // Hash the password with SHA-1
      const sha1Hash = crypto.createHash("sha1").update(args.password).digest("hex").toUpperCase();
    
      // Get the first 5 characters (prefix) and the rest (suffix)
      const prefix = sha1Hash.substring(0, 5);
      const suffix = sha1Hash.substring(5);
    
      // Query the API with just the prefix (k-anonymity)
      const response = await axios.get(`https://api.pwnedpasswords.com/range/${prefix}`);
    
      // Parse the response to find if our suffix is in the list
      const hashes = response.data.split("\n");
      let found = false;
      let occurrences = 0;
    
      for (const hash of hashes) {
        const [hashSuffix, count] = hash.split(":");
    
        if (hashSuffix.trim() === suffix) {
          found = true;
          occurrences = parseInt(count.trim(), 10);
          break;
        }
      }
    
      if (found) {
        return {
          content: [
            {
              type: "text",
              text: `⚠️ This password has been exposed in data breaches ${occurrences.toLocaleString()} times!\n\nRecommendations:\n- Stop using this password immediately\n- Change it on any site where you use it\n- Use a unique, strong password for each account\n- Consider using a password manager`,
            },
          ],
        };
      } else {
        return {
          content: [
            {
              type: "text",
              text: "Good news! This password hasn't been found in any known data breaches. However, remember to use strong, unique passwords for each account and consider using a password manager.",
            },
          ],
        };
      }
    }
  • The input schema defining the parameters for the 'check_password' tool (requires a 'password' string).
    inputSchema: {
      type: "object",
      properties: {
        password: {
          type: "string",
          description: "Password to check",
        },
      },
      required: ["password"],
    },
  • src/index.ts:104-117 (registration)
    Registration of the 'check_password' tool in the ListTools handler, including name, description, and schema.
    {
      name: "check_password",
      description: "Check if a password has been exposed in data breaches (using k-anonymity)",
      inputSchema: {
        type: "object",
        properties: {
          password: {
            type: "string",
            description: "Password to check",
          },
        },
        required: ["password"],
      },
    },
  • src/index.ts:167-168 (registration)
    Dispatch/registration in the CallToolRequestSchema switch statement that routes calls to the handleCheckPassword method.
    case "check_password":
      return await this.handleCheckPassword(request.params.arguments);
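
The suffix match in the handler above, written as a stricter stand-alone parser. This is an added example, not code from the hibp-mcp-server project: the names `splitSha1`, `lookupSuffix`, `RangeHit` and `SAMPLE_BODY` are hypothetical, and the sample response body and its counts are constructed. It goes beyond the handler by also covering padded range responses (returned when a client sends the `Add-Padding: true` request header, which the handler does not do), where filler entries carry a count of 0 and must not be reported as breaches.

```typescript
// Added example, not the project's code. All names here are hypothetical.
interface RangeHit { found: boolean; occurrences: number; }

// Split a SHA-1 hex digest into the 5-character prefix that is sent to the
// range API and the 35-character suffix that is only ever compared locally.
function splitSha1(hex: string): { prefix: string; suffix: string } {
  const h = hex.trim().toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) {
    throw new Error("expected a 40-character SHA-1 hex digest");
  }
  return { prefix: h.substring(0, 5), suffix: h.substring(5) };
}

// Look up a suffix in a range response body (one "SUFFIX:COUNT" per line).
function lookupSuffix(body: string, suffix: string): RangeHit {
  const want = suffix.trim().toUpperCase();
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;                      // trailing newline
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line);
    if (!m) continue;                               // skip malformed lines
    if (m[1].toUpperCase() !== want) continue;
    const count = parseInt(m[2], 10);
    // Padding filler entries have count 0: a match on one is not a breach hit.
    return { found: count > 0, occurrences: count };
  }
  return { found: false, occurrences: 0 };
}

// Constructed sample body for prefix 5BAA6 (counts are made up).
const SAMPLE_BODY: string = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:0",          // padding-style filler
  "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
  "not a valid line",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",       // suffix of SHA-1("password")
].join("\r\n") + "\r\n";
```
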