The Raw Passwords API allows you to look up all the compromised passwords Enzoic has for a given user. The passwords are returned in cleartext, if available, or in the raw hash format that was recovered if not (e.g. MD5, SHA1, etc.). This API is extremely sensitive and restricted to organizations that pass extensive vetting. Please contact sales if you believe you have an appropriate use case for this API.
https://api.enzoic.com/accounts
Returns a list of passwords in the Enzoic database for a given user. The username can be specified in either plaintext or via a SHA256 hash of the username.
See Using Enzoic for general instructions on using the API.
Parameter | Type | Description |
---|---|---|
username | string | Either the plaintext username (e.g. test@enzoic.com) or a SHA-256 hash of the lower-cased username. |
includePasswords | int | Set to 1 to include the passwords in the response. |
Response | Description |
---|---|
200 | Passwords for the user were found in the Enzoic database and are included in the response. |
404 | Enzoic has no passwords for the requested user. |
Member | Type | Description |
---|---|---|
passwords | passwordHashSpecification[] | An array of passwords/password hash specifications. |
lastBreachDate | datetime | A string containing the date/time of the last credentials exposure found for this account. This can be used to more intelligently check credentials for a user, i.e. if the lastBreachDate is less than the last time you performed a credentials check, you can skip the remaining steps. |
Member | Type | Description |
---|---|---|
hashType | PasswordHashType | The hash algorithm to use (see PasswordHashType enum). The password should be in UTF-8 encoding prior to hashing. Hash type 0 is a cleartext password. |
salt | string | The salt value to use with the algorithm, if applicable. If an empty string, password is cleartext or no salt value is necessary. |
exposures | string[] | An array of Exposure IDs, indicating which exposures this password was revealed in for this user. These can be used with the Exposure Details call to retrieve additional info about the exposure. |
Value | Description | Output |
---|---|---|
0 | Cleartext | Password in cleartext (not hashed) |
1 | MD5 hash algorithm without salt | Hex string |
2 | SHA1 hash algorithm without salt | Hex string |
3 | SHA256 hash algorithm without salt | Hex string |
5 | Composite Algorithm: md5(md5(salt) + md5(password)) | Hex string |
6 | Composite Algorithm: md5(md5(password) + salt) | Hex string |
7 | Composite Algorithm: md5(md5(password) + salt) | Hex string |
8 | BCrypt algorithm using provided salt | Bcrypt string |
9 | CRC32 hash algorithm without salt | Hex string |
10 | PHPBB3 (PHPass) | PHPass string |
11 | Composite Algorithm: xor(sha512(password + salt), whirlpool(salt + password)) | Hex string |
13 | Composite Algorithm: md5(password + salt) | Hex string |
14 | SHA512 hash algorithm without salt | Hex string |
15 | Composite Algorithm with fixed salt: md5(“kikugalanet” + password) | Hex string |
16 | MD5Crypt algorithm using provided salt | MD5Crypt string |
17 | Composite Algorithm: bcrypt(md5(password)) using provided salt for BCrypt | BCrypt string |
18 | Composite Algorithm: sha256(md5(password + salt)) | Hex string |
19 | Composite Algorithm: md5(salt + password) | Hex string |
20 | DESCrypt algorithm using provided salt | DESCrypt string |
21 | MySQL (pre 4.1) algorithm | Hex string |
22 | Composite Algorithm: “*” + sha1(sha1(password)) | Hex string prefixed with “*” |
23 | Composite Algorithm: base64(sha1(UTF16Bytes(password))) | Hex string |
24 | Composite Algorithm: sha1(salt + sha1(password)) | Hex string |
25 | Composite Algorithm: sha1(password + salt) | Hex string |
26 | Partial MD5 – first 20 bytes of MD5 hash of password | Hex string |
27 | Composite Algorithm: md5(md5(password)) | Hex string |
28 | Composite Algorithm: “md5$” + salt + “$” + md5(salt + password) | Hex string |
29 | Composite Algorithm: “sha1$” + salt + “$” + sha1(salt + password) | Formatted hex string |
30 | Partial MD5 – first 29 bytes of MD5 hash of password | Hex string |
31 | Composite Algorithm: salt + sha1(salt + password) | Formatted hex string |
32 | Composite Algorithm: sha1(username + password) | Hex string |
33 | NTLM | Hex string |
34 | Composite Algorithm: sha1(“–” + salt + “–” + password + “–“) | Hex string |
35 | SHA384 | Hex string |
36 | Composite Algorithm: hmac-sha256(sha1(salt) + password) HMAC key: “d2e1a4c569e7018cc142e9cce755a964bd9b193d2d31f02d80bb589c959afd7e” | Hex string |
37 | Composite Algorithm: sha256(salt + password) | Hex string |
38 | Composite Algorithm: sha512<11 times>(sha512(password + salt)) | Hex string |
39 | SHA512Crypt | SHA512Crypt string |
40 | Composite Algorithm: sha512(password + “:” + salt) | Hex string |
```
curl --header "authorization: basic {your auth string}" "https://api.enzoic.com/accounts?username=eicar@enzoic.com&includePasswords=1"
```

```
{
  "lastBreachDate": "2020-01-24T23:45:48.000Z",
  "passwords": [
    {
      "hashType": 0,
      "password": "password123",
      "passwordSalt": ""
    },
    {
      "hashType": 2,
      "password": "cbfdac6008f9cab4083784cbd1874f76618d2a97",
      "passwordSalt": ""
    }
  ]
}
```
Test accounts are available for all of the hash types above. Test accounts all have the same form:
```
Username: eicar_type(passwordType)@enzoic.com
Password: ~7N8?g(Vyw-W^`A<
```
So, for example, to test an account with a BCrypt password in the Enzoic database, you would use a username of:
eicar_type8@enzoic.com
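
The following is an added example, not Enzoic's own code: it hashes the username for the `username` parameter, checks a password a user has just submitted against the returned entries for a subset of the PasswordHashType values above, and applies the `lastBreachDate` skip rule. Function names are hypothetical; field names follow the sample response (`password`, `passwordSalt`), with `salt` from the member table accepted as a fallback.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed from the sample response shown on this page.
SAMPLE = {"lastBreachDate": "2020-01-24T23:45:48.000Z", "passwords": [
    {"hashType": 0, "password": "password123", "passwordSalt": ""},
    {"hashType": 2, "password": "cbfdac6008f9cab4083784cbd1874f76618d2a97", "passwordSalt": ""}]}

def username_param(username):
    """SHA-256 hex of the lower-cased username, sent instead of the plaintext."""
    return hashlib.sha256(username.lower().encode("utf-8")).hexdigest()

def _hex(alg, data):
    return hashlib.new(alg, data).hexdigest()

# Subset of the PasswordHashType table: value -> f(password_bytes, salt_bytes).
HASHERS = {
    0: lambda p, s: p.decode("utf-8"),           # cleartext
    1: lambda p, s: _hex("md5", p),
    2: lambda p, s: _hex("sha1", p),
    3: lambda p, s: _hex("sha256", p),
    13: lambda p, s: _hex("md5", p + s),         # md5(password + salt)
    14: lambda p, s: _hex("sha512", p),
    19: lambda p, s: _hex("md5", s + p),         # md5(salt + password)
    25: lambda p, s: _hex("sha1", p + s),        # sha1(password + salt)
    37: lambda p, s: _hex("sha256", s + p),      # sha256(salt + password)
    40: lambda p, s: _hex("sha512", p + b":" + s),
}

def matches(candidate, spec):
    """True/False for handled hash types; None when the type is not in HASHERS."""
    hasher = HASHERS.get(spec["hashType"])
    if hasher is None:
        return None
    salt = (spec.get("passwordSalt") or spec.get("salt") or "").encode("utf-8")
    computed, stored = hasher(candidate.encode("utf-8"), salt), spec["password"]
    if spec["hashType"] != 0:  # hex output: compare case-insensitively
        computed, stored = computed.lower(), stored.lower()
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))

def exposed_types(candidate, response):
    """hashType of every returned entry that the candidate password reproduces."""
    return [s["hashType"] for s in response["passwords"] if matches(candidate, s)]

def needs_check(last_breach_date, last_checked):
    """False when lastBreachDate predates the last check (timezone-aware datetime)."""
    breach = datetime.fromisoformat(last_breach_date.replace("Z", "+00:00"))
    return breach >= last_checked
```

A `None` from `matches` means the entry uses a hash type this subset does not implement (BCrypt, PHPass and the other crypt-style formats need their own libraries), so treat it as "not checked" rather than "not exposed".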