API Quick Reference

API Reference directory

Last Updated: 12-Jun-2018

1. API call to check XoN for a specific password.

https://www.xposedornot.com/api/v1/pass/[keccak-512 128 characters hash]
Sample output on successfully finding the password hash:
 {
  "SearchMyPass": {
    "anon": "1e2e9fc200", 
    "char": "D:0;A:4;S:0;L:4", 
    "count": "125", 
    "wordlist": 0
  }
}
 
People who want to query this portal through an API will find this quite useful. The API given above returns only two outputs, either successful or not. Let us assume you are searching for "123456", which is the most used password in known history.

The output is JSON for easy reference. The primary reason for giving the output in JSON instead of a yes/no is to ensure that it can be further used by people to develop and improve on the data aggregated here.

The first element, "anon", is added to all password hashes stored in XoN to enable privacy-conscious users to search as well; more on this a bit later. The second element, "char", is a list of characteristics of the password, which can be used to understand the strength of the password and to know whether it will meet the requirements of the applications in question. Many websites have policies on selecting passwords based on the number of characters and the mixture of alphabets, numbers and special characters.

The following table explains a bit more about the characteristics in simple terms:

Characteristic   Meaning
Digits           Count of numbers
Alphabets        Count of alphabets
Special chars    Count of special chars
Length           Length of the password

The last one, "count", denotes the number of times this password was observed in the collected xposed data breaches. For a comprehensive list of all xposed websites, please visit Xposed websites-XoN.

Another point to note is the use of Keccak-512 hashing for searching and storing data in XoN. Traditional hashing algorithms like MD5 and SHA1 are currently deprecated, and also considering the enormous number of records exposed, I have gone ahead with Keccak-512 hashes.
Yes, a Keccak-512 hash is 128 characters long and consumes more storage. However, the fact that there are currently no known Keccak-512 cracking tools/sites makes it a better option. You can also make use of free utilities like emn178 to check the respective hashes.

Two sample Keccak-512 hashes are given for easy reference:

test - 1e2e9fc2002b002d75198b7503210c05a1baac4560916a3c6d93bcce3a50d7f00fd395bf1647b9abb8d1afcc9c76c289b0c9383ba386a956da4b38934417789e
pass - adf34f3e63a8e0bd2938f3e09ddc161125a031c3c86d06ec59574a5c723e7fdbe04c2c15d9171e05e90a9c822936185f12b9d7384b2bedb02e75c4c5fe89e4d4

Sample output on not finding the password hash:
 {
  "Error": "Not found"
}
 

2. API call to check XoN for a specific password without sharing the complete password. This can be used by users who need more privacy in searches.

https://www.xposedornot.com/api/v1/pass/anon/[keccak-512 first 10 characters of hash]
Sample output on successfully finding the password hash:
{
  "SearchPassAnon": "409054b631b5e5eb3a0c5530c9439828f9c65f69ce3b3430a237b5447aa3043e753ae9a212c2f6ce64219046c2074189068787beee297e4f0b9e53fed619b3b1"
}
 
The idea here is to enable users to search for passwords without divulging the entire password. In simple terms, this API takes only the first 10 characters of the Keccak-512 hash as input and shares the hashes matching them. Every hash stored in XoN that meets this criterion is shown for easy reference.
If the SearchPassAnon JSON element has a value in the output, there is a high probability that this password has also been breached. You can also quickly validate this through the hashes.

Sample output on not finding through anonymous search:
 {
  "Error": "Not found"
}