Raw Passwords API

The Raw Passwords API allows you to lookup all the compromised passwords Enzoic has for a given user. The passwords are returned in cleartext, if available, or in the raw hash format that was recovered if not (e.g. MD5, SHA1, etc.). This API is extremely sensitive and restricted to organizations that pass extensive vetting. Please contact sales if you believe you have an appropriate use case for this API.

Available Calls

GET Retrieve Passwords for Account


Returns a list of passwords in the Enzoic database for a given user. The username can be specified in either plaintext or via a SHA256 hash of the username.

See Using Enzoic for general instructions on using the API.


Parameter Type Description
username string Either the plaintext username (e.g. test@enzoic.com) or a SHA-256 hash of the lower-cased username.
includePasswords int Set to 1 to include the passwords in the response.


Response Description
200 Passwords for the user were found in the Enzoic database and are included in the response
404 Enzoic has no passwords for the requested user.

Response Body

Member Type Description
passwords passwordHashSpecification[] An array of passwords/password hash specifications.
lastBreachDate datetime A string containing the date/time of the last credentials exposure found for this account. This can be used to more intelligently check credentials for a user, i.e. if the lastBreachDate is less than the last time you performed a credentials check, you can skip the remaining steps.

Member Type Description
hashType PasswordHashType The hash algorithm to use (see PasswordHashType enum). The password should be in UTF-8 encoding prior to hashing. Hash type 0 is a cleartext password.
salt string The salt value to use with the algorithm, if applicable. If an empty string, password is cleartext or no salt value is necessary.

Value Description Output
0 Cleartext Password in cleartext (not hashed)
1 MD5 hash algorithm without salt Hex string
2 SHA1 hash algorithm without salt Hex string
3 SHA256 hash algorithm without salt Hex string
5 Composite Algorithm: md5(md5(salt) + md5(password)) Hex string
6 Composite Algorithm: md5(md5(password) + salt) Hex string
7 Composite Algorithm: md5(md5(password) + salt) Hex string
8 BCrypt algorithm using provided salt Bcrypt string
9 CRC32 hash algorithm without salt Hex string
11 Composite Algorithm: xor(sha512(password + salt), whirlpool(salt + password)) Hex string
12 SCrypt algorithm using provided salt SCrypt string
13 Composite Algorithm: md5(password + salt) Hex string
14 SHA512 hash algorithm without salt Hex string
15 Composite Algorithm with fixed salt: md5(“kikugalanet” + password) Hex string
16 MD5Crypt algorithm using provided salt MD5Crypt string
17 Composite Algorithm: bcrypt(md5(password)) using provided salt for BCrypt BCrypt string
18 Composite Algorithm: sha256(md5(password + salt)) Hex string
19 Composite Algorithm: md5(salt + password) Hex string
20 DESCrypt algorithm using provided salt DESCrypt string
21 MySQL (pre 4.1) algorithm Hex string
22 Composite Algorithm: “*” + sha1(sha1(password)) Hex string prefixed with “*”
23 Composite Algorithm: base64(sha1(UTF16Bytes(password))) Hex string
24 Composite Algorithm: sha1(salt + sha1(password)) Hex string
25 Composite Algorithm: sha1(password + salt) Hex string
26 Partial MD5 – first 20 bytes of MD5 hash of password Hex string
27 Composite Algorithm: md5(md5(password)) Hex string
28 Composite Algorithm: “md5$” + salt + “$” + md5(salt + password) Hex string
29 Composite Algorithm: “sha1$” + salt + “$” + sha1(salt + password) Formatted hex string
30 Partial MD5 – first 29 bytes of MD5 hash of password Hex string
31 Composite Algorithm: salt + sha1(salt + password) Formatted hex string
32 Composite Algorithm: sha1(username + password) Hex string


curl --header "authorization: basic {your auth string}" "https://api.enzoic.com/accounts?username=eicar@enzoic.com&includePasswords=1"
  "lastBreachDate": "2020-01-24T23:45:48.000Z",
  "passwords": [
      "hashType": 0,
      "password": "password123",
      "passwordSalt": ""
      "hashType": 2,
      "password": "cbfdac6008f9cab4083784cbd1874f76618d2a97",
      "passwordSalt": ""