Initial implementation of C++ password checker

[rtobar]

This is a first working version of a password checker written in C++. It uses the Boost Asio and Beast libraries for asynchronous networking and HTTP, and both threads and the Asio support for Boost Coroutines for concurrency. Like the python tool, it has command line toggles to specify the number of threads and workers per thread (or concurrent requests per thread) to use.

This tool implements an in-memory cache, but for the time being there's no loading or dumping of the cache -- it only works for the current session.

In terms of speed, when not using cache I've been able to check passwords at rates of ~25k passwords a second, which amounts to downloading data at ~750 MB/s. When using cache, and while the cache is cold, filling it is rather slow as all threads create contingency to write into it, and thus the maximum initial download speeds go only up to ~400 MB/s. Once the cache is hot the tool can check ~200k passwords per second, if not more. All in all, when using 16 threads and 100 workers per thread, I've been able to check the RockYou database in 1:50 minutes when caching, and 10 minutes without (so caching helps). On the other hand the top 100k passwords can be checked in 9 seconds with caching, and 5 seconds without (so caching pushes down):

$> ppsc rockyou.txt -w 100 -t 16 -o output.csv -T 40000
Read 14344391 passwords in 1.805 [s]
[■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ ] [01m:51s<00m:00s]  28.13 MB/s, 92105.00 req/s, E:0/T:3200/R:3200 - 14344391/14344391    
Processed 14344391 passwords in 112.735 [s] at 127239.91 req/s, 283.47 MB/s
Cache hits: prefix=12676711 (88.37%), full=12698202 (88.52%)
Writing results to output.csv
Results written to output.csv in 1.514 [s]

For convenience I've also added a Dockerfile that will build an image containing an optimised build of the tool ready to use. This is based on the latest ubuntu:21.10 image, and it adds only a couple of megabytes on top of that, being as lightweight as possible.

Other notes of things I found while testing this tool:

• Some requests time out for a very long time when hitting the service hard. This can be even in the orders of > 10 minutes or so. The tool thus adds an option to specify a request timeout, defaults to no timeout.
• Sometimes Cloudflare sends back a 'Connection: close' header, which I wasn't expecting, so the tool has to handle the re-connection. This and the previous are reported in the progress bar as "T" and "R". There's also an "E" for any other unexpected errors, but nothing really shows up (yet).
• As noted, caching indeed plays a great effect when checking > 1M passwords, as expected; otherwise it has an impact, but not as big, and using cache can be detrimental (speed-wise) depending on network speed and CPU count. The tool reports on cache hits (prefix- and full-hits). With the RockYou dataset there are some prefix-only hits, meaning that some values in the dataset are not in PwnedPasswords (but we already saw some of that earlier on with in Initial version of python async code #4).

Some things to improve in the future:

• The cache is based on the hex digest rather than the binary digest, which is one of the points I previously discussed could be used to save space. Changing it to use the binary digest should provide some improvements.
• Save/restore the cache for future runs
• Report on Cloudflare hits
• Report on request timing
• Works only on Linux (and maybe even some distros only, Ubuntu for sure) because it hardcodes the path where the TLS root certificates are loaded from.

[stebet]

This is awesome! My C++ foo isn't exactly up to par though so my review is somewhat lacking.