CLI tool for credential dump triage and analysis
credsift
CLI tool for credential dump triage and domain-targeted analysis.
credsift ingests credential dump files, normalizes them across seven formats, deduplicates across sessions, scores each record by risk, and outputs a prioritized hit list filtered to a target domain. Built for authorized security testing and incident response.
Example output
credsift --input tests/fixtures/large_dump.txt \
  --domain example.com \
  --no-enrich \
  --dry-run \
  --top 10 \
  --source rockyou
credsift starting run
──────────────── run summary ────────────────
target domain : example.com
processed : 1,200
unique : 1,000
duplicates : 200
high risk (≥0.8) : 152
medium risk (≥0.6) : 0
low risk (<0.6) : 0
─────────────────────────────────────────────
credsift results — example.com
score email / user domain secret type tags
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1.00 carol868@example.com example.com correct-horse email —
1.00 dave505@example.com example.com correct-horse email —
1.00 grace446@example.com example.com monkey email —
1.00 bob983@example.com example.com monkey email —
1.00 grace279@example.com example.com correct-horse email —
1.00 bob747@example.com example.com hunter2 email —
1.00 frank719@example.com example.com hunter2 email —
1.00 dave277@example.com example.com monkey email —
1.00 bob733@example.com example.com password123 email —
1.00 alice874@example.com example.com password123 email —
showing 10 of 152 records
Features
- Auto-detects seven credential formats — email:password, email:MD5, email:SHA1, email:SHA256, email:bcrypt, user:password, hash-only wordlists, and JSON breach exports
- Two-layer deduplication — bloom filter + SQLite, persistent across sessions
- Weighted risk scoring across credential type, domain match, format quality, and source trust
- HIBP enrichment via k-anonymity — plaintext passwords never leave your machine
- Three output formats — rich terminal table, CSV, newline-delimited JSON
- Session isolation via --db — one database file per engagement
Installation
pip install credsift
Or from source:
git clone https://github.com/cooperberube/credsift
cd credsift
pip install -e .
Usage
# Basic run — table output
credsift --input dump.txt --domain example.com
# Skip HIBP enrichment (faster, offline-safe)
credsift --input dump.txt --domain example.com --no-enrich
# Top 10 highest-risk hits only
credsift --input dump.txt --domain example.com --no-enrich --top 10
# Label the source for trust scoring
credsift --input dump.txt --domain example.com --source rockyou
# CSV output
credsift --input dump.txt --domain example.com --format csv > results.csv
# JSON output — pipe to jq for filtering
credsift --input dump.txt --domain example.com --format json \
| jq 'select(.risk_score >= 0.7)'
# High risk records only
credsift --input dump.txt --domain example.com --min-score 0.8
# Dry run — process but do not write to database
credsift --input dump.txt --domain example.com --dry-run
# Isolate sessions per engagement
credsift --input dump.txt --domain example.com --db engagement_acme.db
All flags
| Flag | Default | Description |
|---|---|---|
| --input / -i | required | Path to credential dump file |
| --domain / -d | none | Target domain to prioritize |
| --format / -f | table | Output format: table, csv, json |
| --top | all | Show only top N results by risk score |
| --min-score | 0.0 | Filter results below this score |
| --source | none | Label for this data source |
| --no-enrich | off | Skip HIBP enrichment |
| --dry-run | off | Process without writing to database |
| --db | credsift.db | Path to SQLite session database |
Supported input formats
| Format | Example |
|---|---|
| email:password | bob@example.com:hunter2 |
| email:MD5 | bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99 |
| email:SHA1 | bob@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
| email:SHA256 | bob@example.com:a665a45920422f... |
| email:bcrypt | bob@example.com:$2b$12$... |
| user:password | bobsmith:hunter2 |
| hash only | 5f4dcc3b5aa765d61d8327deb882cf99 |
| JSON export | {"email":"bob@example.com","password":"hunter2"} |
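One way to tell the formats in the table apart, as an added example that is not credsift's own detection code. The function names, the regular expressions and the labels for combinations the table does not list (such as user:MD5) are assumptions made for illustration.

```python
import json
import re

# Hex digest length -> label. Length alone is a heuristic: NTLM is also 32 hex
# characters, and a plaintext password may happen to be 32 hex characters.
HEX_LABELS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# bcrypt: $2a$/$2b$/$2y$, two-digit cost, 53 characters of salt plus hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def secret_type(secret):
    """Label a secret as bcrypt, MD5/SHA1/SHA256 (by hex length) or password."""
    if BCRYPT_RE.match(secret):
        return "bcrypt"
    if HEX_RE.match(secret) and len(secret) in HEX_LABELS:
        return HEX_LABELS[len(secret)]
    return "password"


def classify(line):
    """Return (format, identity, secret) for one dump line, or None if unusable."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        # JSON export; the "email"/"password" keys follow the table's example.
        try:
            obj = json.loads(line)
        except ValueError:
            return None
        if not isinstance(obj, dict) or not obj.get("password"):
            return None
        return ("JSON export", obj.get("email"), obj["password"])
    # Split on the first colon only: a plaintext password may itself contain ':'.
    ident, sep, secret = line.partition(":")
    if not sep:
        # No separator: accept only a bare digest (hash-only wordlist entry).
        return ("hash only", None, line) if secret_type(line) != "password" else None
    if not ident or not secret:
        return None
    prefix = "email" if EMAIL_RE.match(ident) else "user"
    return (f"{prefix}:{secret_type(secret)}", ident, secret)
```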
Risk scoring
Each record receives a score between 0.0 and 1.0 based on four factors:
| Factor | Weight | High score | Low score |
|---|---|---|---|
| Credential type | 35% | Plaintext password | bcrypt hash |
| Domain match | 35% | Exact target domain | No match |
| Format quality | 15% | email:password | Hash only |
| Source trust | 15% | Known breach dataset | No source |
Scores are color-coded in table output — red (≥0.8), orange (≥0.6), yellow (≥0.4).
HIBP enrichment and k-anonymity
When checking passwords against HaveIBeenPwned, credsift never transmits the plaintext password or its full hash. Only the first 5 characters of the SHA1 hash are sent. The full suffix is checked locally against the returned dataset. This is the k-anonymity model described in the HIBP API documentation.
Hash records are skipped automatically — cracking is out of scope. API failures degrade gracefully — the run continues without enrichment. Results are cached in SQLite so each unique password is only checked once across all sessions.
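The k-anonymity lookup described above, as an added example that is not credsift's own code. The function names are hypothetical, a dict stands in for the SQLite cache, and make_fake_range is a constructed offline stand-in for the API with made-up counts.

```python
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range API


def split_sha1(password):
    """Return the (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def http_fetch_range(prefix):
    """Live lookup: only the 5-character prefix appears in the request."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "kanon-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def pwned_count(password, fetch_range, cache):
    """Breach count for `password`, 0 if absent, None if the lookup failed."""
    prefix, suffix = split_sha1(password)
    key = prefix + suffix
    if key in cache:                      # each unique password is looked up once
        return cache[key]
    try:
        body = fetch_range(prefix)
    except OSError:                       # URLError and timeouts are OSError subclasses
        return None                       # degrade: continue without enrichment
    count = 0
    for row in body.splitlines():
        candidate, _, seen = row.strip().partition(":")
        if candidate.upper() == suffix:   # suffix comparison happens locally
            count = int(seen)
            break
    cache[key] = count
    return count


def make_fake_range(known):
    """Constructed offline stand-in for the API, recording every prefix it is sent."""
    sent = []

    def fetch(prefix):
        sent.append(prefix)
        rows = ["0" * 35 + ":0"]          # unrelated row; real responses carry many
        for pw, n in known.items():
            p, s = split_sha1(pw)
            if p == prefix:
                rows.append(f"{s}:{n}")
        return "\r\n".join(rows)

    return fetch, sent
```

Pass http_fetch_range as fetch_range for a live lookup; the fake variant lets a test confirm that nothing longer than the 5-character prefix is ever handed to the transport.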
Session management
credsift remembers every record it processes in its session database. Running the same dump twice correctly produces no output on the second run — all records are identified as duplicates. This is intentional for production use where you ingest multiple related dumps over time and want to see only what is new.
For repeated testing, use --dry-run. For separate engagements, use --db engagement_name.db.
Legal and ethics
This tool is for authorized security testing, incident response, and threat intelligence work only. Use against systems or data you do not have explicit written permission to analyze is prohibited.
See docs/ETHICS.md for the full policy.
Development
git clone https://github.com/cooperberube/credsift
cd credsift
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest tests/ -v
License
MIT — see LICENSE for details.
File details
Details for the file credsift-0.1.0.tar.gz.
File metadata
- Download URL: credsift-0.1.0.tar.gz
- Upload date:
- Size: 277.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2e2cffa853899a0cc8d212a860ecdec3936ea856e08ebf263ecfb72e6af6504b |
| MD5 | 23b596796bf7907f2a0bfd8061b12448 |
| BLAKE2b-256 | 6f2662d03818d46fc65a9da02e11e4702ea466bfa811b6517d0ee7f1fcf3a44d |
File details
Details for the file credsift-0.1.0-py3-none-any.whl.
File metadata
- Download URL: credsift-0.1.0-py3-none-any.whl
- Upload date:
- Size: 18.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c1c84476b067f68db45969de5c2a7f9adeb3475391fd55b30ece3c47439b9714 |
| MD5 | 1739d9c469922b686a68f3f1ccb3825b |
| BLAKE2b-256 | d63720800c7e57c0cecdcbe5d619b6cae149efa44dee3a61326b8f822e7db811 |