Troy won’t store the passwords associated with the username, which is a choice I can absolutely respect.
But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.
So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.
I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.
I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.
He has the "Pwned Password" search to allow you to narrow it down and he has a really good article that he links to explaining why despite its inconvenience.
If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.
At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice which is his primary occupation.
There wouldn't be any inconvenience if your password manager did its job of helping you manage your passwords. 1Password has implemented a feature that helps you easily check all your passwords, I'm honestly surprised it's taking so long for the others to do too. The data is there, there's a super easy API, it doesn't take that much effort...
I am not sure you should put too much confidence in the "pwned password" search.
I know one of the weak password I stupidly reuse everywhere was compromised since I had someone buy something with my paypal account. But it comes up as clean in the password search. So it was probably cracked from one of the leaked hashes but the plain text was never entered into the public dumps.
The slightly annoying thing here is that I already use a password manager, so while the impact to me is minimal, I wish I knew which password specifically I have to rotate, instead of assuming that I need to rotate, like, all of them...
What we may need is the next step: a standardized way of changing passwords that would allow us to rotate them in bulk directly from the password manager.
(Not affiliated with, just a happy user of) 1Password does a pretty good job at this, you can find all HIBP-passwords in a single location: https://support.1password.com/watchtower/
Seems really weird to advocate people reveal their passwords to a random untrusted 3rd party.
They do have an API that allows you to search for your password based on a truncated checksum, so you can find out if your password was leaked, without revealing the password.
You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]
It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.
If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.
So you are trusting the HTML/CSS and javscript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.
Well it does, if you have javascript off, from the source (page says "If you submit a password in the form below, it will not be anonymised first")
Troy seems to have a fine reputation, but I don't want to trust the crown jewels (my passwords to everything) on Troy's reputation, the security of his site, cloudflare, and random javascript bits hosted in various places.
So sure the design and explanation of the page is that passwords are not uploaded. But since I can't practically verify that myself, I wouldn't upload passwords there. What's worse is even if I could audit every line of code, I couldn't guarantee other people wouldn't get a malicious version of the site.
So generally saying "Sure, type your password into a form on this webpage, I found an explanation that says it's not uploading it." is a very bad idea.
There's similarly plausible pages for things like generating SSL certs (not just CSRs), ssh keys, generating passwords for you, and similar that often have reassuring explanations that their security is just fine.
So generally never put your private key or plaintext password where a random 3rd party might read it. The promise that some anonymization process will be applied should not be enough to get you to risk it.
I claimed your initial unqualified statement, that it uploaded your password, was inaccurate, with both an explanation of what it was doing and the claim that I had not seen any evidence of it doing anything else.
I did not claim the site was not vulnerable to MITM or other injection attacks.
I did not claim you should trust this or any other resource with your password or any other data.
A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.
How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?
Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.
Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..
Please don't make false assertions about what I was suggesting without any evidence.
Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.
I would certainly not put any live passwords into the webform.
You replies in general have be combative and seeked to push people into positions that you could argue against for internet points.
You could have made your points in a much more constructive and concise manner:
Pwned Passwords is a great data set, I would recommend against using the webform to check your password, instead download the hash file or utilize the extremely simple api. The webform is insecure because...
I'm not sure if you're a 1Password user (or whether your alternative supports similar functionality) but the former has a feature called Watchtower which then groups your compromised logins.
Troy's site does indicate which site breach it came from generally. I ran my emails and found it funny when myspace came up (and others I was aware of). I guess I did have an account there after all but I've used password safe for over a decade and always have unique passwords including that one from 2007.
But most of these breaches are just aggregation of passwords he found like in this particular example. It doesn't tell you which website got hacked originally.
If you're as paranoid as you should be about then you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you can replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1's that start with the given 5 character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.
For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".
---------
Edit : I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he's added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.
I assume he was sending in the SHA-1s. And yeah, it looks like he (Troy Hunt / site operator) disabled the direct search by SHA-1 now that he's enabled the k-anonymity API. Was able to edit and update my original post to reflect this.
I wrote a Ruby script to check passwords back when the Pwned Passwords V2 API was introduced. I've added a second script to check a bulk list of passwords in a plain-text file.
>So I guess just assume all your passwords are cracked and use a password manager.
I mean I do, and that's why I have 100+ passwords that MIGHT be compromised. I don't even know where to start? Seems like the password should be shareable if you control the email or something like that. Fuck, I'd take a cc style last four type redaction or something.
I know which passwords were breached by all the emails I get telling me "we know your password is XXXXXXXXX. Pay up or else". There's 4 or 5 in the first 30 messages in my email spam folder. >:(
> So I guess just assume all your passwords are cracked and use a password manager.
Even if it's not in the HIBP base, you should always assume that. That's why you should always enable MFA everywhere it's possible and consider all services where it's not already compromised.
I took the habit of giving a unique random alias to every website or service who requires my email. The additional benefit is that I can single out where the breach (or spam) came from if I see that unique alias. I only started doing that about 3-4 years ago and so far only the dailymotion breach popped up.
You can also do that with gmail by using the login+alias@gmail.com syntax but it's well known and trivial for a hacker to defeat.
Websites put so much effort into tracking every little thing about their users, from where they come from to what they do. Hotjar (https://hotjar.com) goes ahead and tracks mouse movements and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.
And yet they get pwned so easily.
So much effort into violating user privacy, so little effort into enforcing user security.
and receive no meaningful legal consequences. These people should be on the hook for all damage done with this dump, but they won't be, so it doesn't really matter. It's not ironic, it's just business as usual.
Collecting data on users should be extremely risky, even if they consent to it's collection.
I think it's time for an external, trustworthy entity to spawn that would vet and endorse companies that respect their users. Something like the "USDA Organic" label but for user privacies. Maybe it'd be an EFF-like entity that audits companies in exchange for a fee and endorse that "Company X, and the product/services it uses, are respecting user privacy". We could then derive a chain of trust between companies, maybe have a browser extension that tells when we're using a website that is endorsed by such entity?
I recently started setting up a phpBB forum for a personal project. Because I wanted to respect people's privacy as much as possible, I removed certain fields like the birthday so that they can't be entered. I disabled private messages to avoid keeping unneeded nominally private data. To contact a specific user, I allowed only emails sent via a form to prevent leaking a user's email address. And I installed an extension to allow users to delete their accounts. I was pleasantly surprised with how easy disabling birthdays and other profile fields were, but somewhat disappointed that allowing users to delete their own accounts wasn't built in yet. Would be nice for forum softwares to have a standard set of features and default behaviors that respect privacy. I doubt many people change the configuration settings I did. (If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.)
I don't see why a forum should have a birthday field in particular. If COPPA compliance is a concern, just ask if the user is 13 or older at registration.
> If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.
Tell the software vendor! They need to supply sane and private defaults, so that every admin who deploys an instance benefits automatically.
You could drive home the point by saying that if you were to run the software in the EU, it becomes a ticking time bomb and is an invitation for getting a forum admin into obnoxious manual cleaning work at best, legal trouble at worst.
I've gone back and forth on this. The very likely outcome of such a thing in practice is another PCI-like process. We both know an "EFF-like" organisation selected by a Government will one of the big accounting firms or similar in practice.
Particularly once there's a certification fee, it quickly becomes a racket, where people with strong ethics and skills get pushed aside by someone who paid a fortune to sit a course. Language lawyers will find ways to sign off on major issues, and some largely irrelevant thing ends up becoming the majority of the process.
You're catastrophizing by jumping to a negative outcome, similar to a cognitive distortion. It doesn't have to become a racket; that is a leadership choice. Individual identity issuing, public key certifying authority, banking, news, healthcare, truth-worthiness and many more areas would all be served best by non-profits that are funded by a combination of grants, modest fees and/or donations. There are some human activities that are too important to be privatized, like the fire department and the NTSB... whether the government should or shouldn't be responsible for running X is a topic for another time.
Have you ever implemented a standard before? The process is usually a bureaucratic joke. There will always be auditors that will certify you for essentially just paying them. This is not only a privacy problem, it’s also a security problem. ISO 27001 and other standards have been around for a long time, and getting certified has always meant little, and companies still get breached. ISO are working on a privacy standard right now, and when that’s finalized, I guarantee you that consumers are going to take no interest in it, and that people will still be tracked and companies will still be breached. The system you’re describing would only ever be noticed by a very small subset of privacy conscious and educated users, and even then it would likely achieve nothing.
Or you could follow the EU example and make it mandatory with national agencies empowered to levy fines?
The history of "web page endorsements" is pretty lousy. The only one that really stuck was SSL enhanced verification, and all that does is tie a cert to a business entity.
Correct, which is why we need laws and regulations that make it risky by shifting the cost of losing the data to those who collected and lost it in the first place, instead of those whose data were collected.
It could be ML prediction based on scrolling + mouse movements or just old-school code which finds the closest and brightest div next to mouse coordinates. Maybe it's slightly more useful than plain mouse heat map which all competitors use, even if it's a crude approximation.
I assume they ran experiments with test subjects navigating websites with both eye and mouse movement tracking, and then trained a model to predict eye tracking from the mouse movement.
>> “and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.”
Emphasis on ‘claim’. Considering he built this product, it would insinuate they don’t actually have this capability and are instead selling lies, pipe dreams and bullshit.
What's the latest consensus on the best password manager these days. I see he is recommending 1Password, but I recently found Bitwarden which looks quite good.
Bitwarden (https://bitwarden.com/) is great and scores well in feature comparisons -- there was one on here recently. It's open source and has recently been audited too. It's free for the basic service, and really cheap for additional features. Great mobile apps and a web vault. And you can self-host. No bad points really.
The things that held me back from Bitwarden is the relatively short age of the company at 2~ years and the fact that there is only one dev. I'm reaching here. But even though the code is open source, he still owns the distribution. He can potentially be compromised (whether maliciously or not) and release an update that uploads the entire vault to him unencrypted. It could take a while before the internet caught on that the source code doesn't match the release build.
This of course could happen in a company like 1Password and there is at some point that I need to make the call and trust the person(s) coding the password manager. I feel that with 1Password there's at least the large size of the company which would mean more eyeballs and accountability. There is also the history of the company at 12~ years. This includes vetting and buy in from larger companies, which inspires a vote of confidence.
FWIW Bitwarden checks off nearly all the other boxes for me and I think the single dev has done a seriously bang up job.
- long history - to me it's the original password manager
- frequent updates and always keeping up with relevant OS features, like iOS AutoFill which allows 1Password to be set as the default iOS password store: https://support.1password.com/ios-autofill/
I used to think this, but I think this is actually bad advice for a few reasons.
1. People are bad at making new passwords
2. Someone might clear their browser history and delete the logins as a result.
3. Lock-in into the Chrome ecosystem.
I personally use KeePass, but I understand it is a bit cumbersome to carry around a USB stick.
I'd recommend LastPass to those who don't understand simply because it has a free tier, but everyone else should seriously consider paying the 2$ a month for whichever service they use.
Chrome now has a "generate password" option in password fields, and a page where the passwords can be managed.
For the people I'm talking about, installing and maintaining a "real" password manager isn't going to happen. The alternative is for them to continue using "Nameofcat1" for every damn site.
I tried using Chrome's built in feature but I found the password field was set up wrong on many sites and therefore the "Generate Strong Password" wouldn't be an option. I've since started using BitWarden.
Funny, I downloaded about 700GB of password dumps last week trying to figure out how someone got one of my passwords (no big deal, they never managed to access anything)
Got a few 'hacker' emails on one of my throwaway addresses on this list the last few days. That account was leaked before in another list so this was not worrisome as I get those all the time for this address.
What did strike me as odd this time is that they did not end op in my spam folder but in my inbox. I'm using Gmail which normally for me has a very good spam/phishing detection. Somehow these mails came through though? Maybe its just an instance and Google was late to catch up with the cat/mouse game on this attack. Or these phishers are getting more sophisticated?
Gmail, and other large providers, use filters that adapt based on user input. If you report the messages as spam then the filter will learn, and hopefully catch them the next time.
It does lookups of previously-leaked passwords. Best practice these days is SSH-keys for authentication, but this would cover weak sudo passwords too, etc.
Please donate big bucks to the guy who loves to show off his wealth on Twitter. Troy surely doesn't miss an opportunity to brag about having a portfolio of properties, a mansion on the gold coast, expensive cars, a jet ski, a boat, etc. I'm sure poor Troy needs your pocket money to pay for an estimated bill which is actually substantially less than what it actually will be.
After that please also donate your hard earned money to Bill Gates. He voluntarily spends 100% of his time being a philanthropist. He also desperately needs some poor people to pay for his coffee.
Same here. I had never heard of them. Turns out they're a YC'15 startup (https://www.apollo.io/company/). There are no passwords in the data they lost according to HIBP. They seem to collect personal data from various sources and help other companies increase sales.
So not only do we have to worry about websites we actually use being compromised, but we also have to worry about these sketchy third-party companies that have purchased our data being hacked.
> Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that's a sizeable amount more than a 32-bit integer can hold.)
I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long as it's unsigned.
From the tweet, it seems like SQL Server puts the result of a COUNT into a signed 32-bit integer, which really surprises me.
Someone from a well-known leak forum is claiming that the "Collection #1" discovered by Troy Hunt is only part #1 of all available collections (there are at least 5, and additional other dumps).
He also posted a screenshot of the original sales thread of the owner.
The dumps together seem to have a total size of almost 1TB.
Not sure whether it's cool to post any links here.
There is the rumor that it is called Collection #1 because it was part of a larger dump consisting of Collection #1, Collection #2, etc. There is also the rumor that the whole set was sold for - now hold on tight - the ginormous sum of $45.
HIBP doesn't protect the privacy of searched passwords!
Showing 20 bits of the password hash narrows down the possible passwords to one millionth. You should check it locally by downloading the password hash list.
Let say my email appeared on Pwned list. And given most ( at least I think most ) people have zillions of web forums, services, sites, services using the email address.
What should you do now? I mean editing and changing password in everyone of them seems like a daunting task. And many of those services I no longer use anyway.
I am thinking of completely giving up the identity and start over, which seems easier. Or any other thoughts and comments?
Edit: I will definitely pay Apple a monthly fee if there is some simple and easy way to have online identity using email along with FaceID or Touch ID as 2FA. Getting rid of password while increasing security is something that should have happened but has yet to happened.
Oh, it must be Tuesday. I've just updated my blog post[0] with some password best practices and it's amazing how little has changed in the last 4 years.
But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.
So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.
I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.
I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.
reply