← Back

Breach Checker

Built

Signature capability

Password checks use HIBP's k-anonymity protocol, only the first 5 chars of the SHA-1 hash ever leave the machine, so the tool verifies exposure without transmitting the password itself.

What it is

It is a single-binary CLI (about 2,240 lines of Rust across a lib + main split) that aggregates breach-exposure signals from five sources behind one interface: HIBP Pwned Passwords via k-anonymity, and the HIBP, Snusbase, DeHashed and LeakCheck account APIs behind pluggable async clients. A ResultAggregator deduplicates passwords and breach metadata across sources into a single per-email report, and a local searcher uses rayon to scan plaintext and gzip breach dumps in parallel with a progress bar. Individual providers can be toggled off with flags, and output renders as terminal, JSON, or CSV. It reads targets from CLI args or a file and pulls API keys from a config.toml.

Highlights

  • k-anonymity password check: SHA-1 the password, send only the 5-char prefix to api.pwnedpasswords.com, match suffixes locally, so the password never leaves the machine
  • Five sources behind one aggregator: HIBP, Snusbase, DeHashed, LeakCheck API clients plus a local file searcher, deduplicated into one BreachReport
  • Local dump search is rayon-parallel and streams gzip (.gz) files via flate2, tracking line numbers and source file for each hit, with per-provider toggle flags
  • Three output formats (terminal/JSON/CSV) and batch input from a file, one email per line
  • 13 tests across the client, searcher, aggregator, config and output modules; clean lib/CLI separation so the core is usable as a crate
  • Release build tuned for a lean binary: LTO, codegen-units=1, opt-level 3, symbols stripped

Tech · Rust 2021, tokio, reqwest, clap, sha1, rayon, flate2, serde, anyhow, indicatif; release profile with LTO + single codegen-unit