HTTP Basic Bruteforce
Recently, during a pentest, I found a directory on a website that was protected by HTTP Basic authentication. HTTP Basic offers practically no protection against brute-force attacks: the client simply sends base64(username:password) in the Authorization header with every request, and the scheme itself has no lockout, delay or rate limiting, so any such defence has to be added by the server. I therefore wanted to test at least the most common username/password combinations to see whether the directory could be accessed.
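As an added example that is not part of the original post, the following Python script performs the brute-force check described above against a throw-away HTTP Basic target that it starts itself on localhost, so it runs offline. The protected path /admin/, the accepted credential guest/letmein and the two short wordlists are constructed for the demo and stand in for a real target and real wordlists.

```python
"""Added example (not from the original post): brute-forcing HTTP Basic auth.

The target is a minimal local server started in a background thread so the
script runs offline. The credential it accepts (guest / letmein), the path
/admin/ and the wordlists are constructed for this demo.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REALM = "Restricted"
VALID_USER, VALID_PASS = "guest", "letmein"   # constructed test credential


def basic_header(user, password):
    """Build the Authorization value: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Stand-in for the protected directory.

    Like plain HTTP Basic on most servers, it has no lockout and no delay:
    every wrong guess is simply answered with 401, which is why the scheme
    offers no real protection against brute force.
    """

    def do_GET(self):
        if self.headers.get("Authorization") == basic_header(VALID_USER, VALID_PASS):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"secret directory listing\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target():
    """Start the test server on an ephemeral localhost port; return the server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(host, port, path, user, password):
    """One authentication attempt; returns the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Authorization": basic_header(user, password)})
        return conn.getresponse().status
    finally:
        conn.close()


def brute_force(host, port, path, users, passwords):
    """Try every user/password pair and return the first that is not rejected.

    For Basic auth a 401 means 'wrong credentials'. Anything else (200, but
    also 302 or 403) means the credentials were accepted and the server then
    applied some other decision, so it is worth a closer look.
    Returns (user, password, status) or None if nothing matched.
    """
    for user in users:
        for password in passwords:
            status = try_login(host, port, path, user, password)
            if status != 401:
                return user, password, status
    return None


if __name__ == "__main__":
    srv = start_target()
    host, port = srv.server_address
    users = ["admin", "root", "guest"]                       # constructed wordlists
    passwords = ["admin", "password", "123456", "letmein"]
    print(brute_force(host, port, "/admin/", users, passwords))
    srv.shutdown()
```

Against a real target, add a pause between attempts and watch for 403 or 429 responses: they usually mean a WAF or reverse proxy has started rate limiting, and the results after that point are no longer meaningful. Only run this with written permission.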
This post shows how to build a local copy of the Haveibeenpwned password database. It can then be used to check passwords offline, without an internet connection, so a password under test never has to leave the machine.
What is Haveibeenpwned?
Haveibeenpwned is a website by security researcher Troy Hunt that collects credentials leaked in data breaches. As a user, you can enter your email address to find out whether it has appeared in a known breach, and you can check a password the same way against the Pwned Passwords list.
If a password is contained in a breach, it should be changed immediately.
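As an added example (not code from the original post or from Haveibeenpwned), here is one way to query such a local copy in Python. It assumes the downloaded Pwned Passwords list is in the text format Haveibeenpwned offers ordered by hash, one UPPERCASE_SHA1:COUNT entry per line sorted by hash, and binary-searches the file by byte offset so that a multi-gigabyte list is never loaded into memory. The sample passwords and their counts are constructed for the demo and are written to a temporary file in the same format.

```python
"""Added example (not from the original post): looking up a password in a
local Pwned Passwords list.

Assumes the list is the 'ordered by hash' text format: one line per entry,
'UPPERCASE_SHA1:COUNT', sorted by hash. SHA-1 is used only because that is
the key the list is indexed by, not as a recommendation for storing passwords.
The sample entries and counts below are constructed for the demo.
"""
import hashlib
import os
import tempfile

SAMPLE_ENTRIES = [                      # constructed (password, count) pairs
    ("password", 9_000_000),
    ("123456", 37_000_000),
    ("letmein", 1_000_000),
    ("qwerty", 4_000_000),
    ("Tr0ub4dor&3", 1),
]


def sha1_upper(password):
    """Hex SHA-1 of the UTF-8 password, upper-cased like the HIBP list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def write_sample_list(path, entries):
    """Write a small HIBP-style file: 'SHA1:COUNT' lines sorted by hash."""
    lines = sorted(f"{sha1_upper(p)}:{c}" for p, c in entries)
    with open(path, "w", newline="\n") as f:
        f.write("\n".join(lines) + "\n")


def build_demo_file():
    """Create the constructed sample list in a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    write_sample_list(path, SAMPLE_ENTRIES)
    return path


class LocalPwnedPasswords:
    """Binary search over a hash-sorted HIBP text file, by byte offset."""

    def __init__(self, path):
        self.path = path
        self.size = os.path.getsize(path)

    def lookup(self, password):
        """Return the breach count for password, or 0 if it is not listed."""
        target = sha1_upper(password).encode("ascii")
        with open(self.path, "rb") as f:
            lo, hi = 0, self.size          # candidate lines start in [lo, hi)
            while lo < hi:
                mid = (lo + hi) // 2
                # Align to a line boundary: seek just before mid and discard the
                # rest of the line we landed in. If mid is itself a line start,
                # this consumes only the preceding newline.
                f.seek(max(mid - 1, 0))
                if mid > 0:
                    f.readline()
                start = f.tell()
                line = f.readline()
                if not line or start >= hi:
                    hi = mid                # the line containing mid starts before mid
                    continue
                h, _, count = line.rstrip(b"\r\n").partition(b":")
                if h == target:
                    return int(count)
                if h < target:
                    lo = start + len(line)  # everything up to this line is too small
                else:
                    hi = start              # this line and everything after is too big
        return 0


def check_passwords(path, candidates):
    """Map each candidate password to its breach count (0 = not in the list)."""
    db = LocalPwnedPasswords(path)
    return {p: db.lookup(p) for p in candidates}


if __name__ == "__main__":
    demo = build_demo_file()
    for pw, count in check_passwords(demo, ["password", "Tr0ub4dor&3", "correct horse battery staple"]).items():
        verdict = f"seen {count} times, change it" if count else "not in the list"
        print(f"{pw!r}: {verdict}")
    os.remove(demo)
```

Point LocalPwnedPasswords at the real downloaded file instead of the demo file; a lookup then costs about log2(number of lines) seeks and no RAM proportional to the list. A count of 0 only means the password is not in the list, not that it is strong.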