#1 2019-01-28 17:10:33

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 64.0

Pwned Passwords

Pwned Passwords are real world passwords previously exposed in data breaches. You should check your passwords in this website: https://haveibeenpwned.com/Passwords

If you have a leaked password, you should change it right away. To change this forum password, go to Profile > Essentials > Change password.

Offline

    Positive reputation 4   Negative reputation 0

#2 2019-01-28 17:53:49

joint
Member
Ukraine
Reputation: +1378
Location: Dnepropetrovsk, Ukraine
Registered: 2012-05-24
Posts: 5,940
Windows 7 Firefox 64.0

Re: Pwned Passwords

i'd like to keep my phone number as pass

Offline

    Positive reputation 1   Negative reputation 0

#3 2019-01-28 20:42:52

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 71.0

Re: Pwned Passwords

I feel like one of those 1960's movie robots with smoke coming out of their ears while repeating "does. not. compute." when trying to reconcile "check whether your current live password has been compromised or not" by asking people to "please enter your password into this web site you've never seen before."

Yes, I have read the process, and understand the math, the API, and how we've been promised that our clear text passwords are "not going to be submitted or logged."  So I should trust what's written on this web site I've never seen before and give it my current passwords?  Cue ear smoke and robotic arm spinning.

So you could download the entire 11GB list from them, generate an SHA1 hash the password yourself (LOCALLY -- not using an online SHA1 hash generator, or else you might as well have gone ahead and entered your password into this site), and search that 11GB list entirely locally without anyone knowing what you did.

If downloading or searching an 11GB list of hashes doesn't sound like fun, the API haveibeenpwned.com provides isn't that bad to use manually, and the k-anonymity approach of sending only a prefix of your SHA1 hash gives "some" sense of not being totally compromised.  You're still providing "an unknown external entity" some hints about what your passwords might be, though.

Regardless of which approach you want to use, the first step is to create an SHA-1 hash of your password, without sending your password to anyone.   If you're on a current version of Windows 10, you can open up a PowerShell command prompt and enter the following two PowerShell commands to generate an SHA1 hash of your password:

[Reflection.Assembly]::LoadWithPartialName("System.Web")
[System.Web.Security.FormsAuthentication]::HashPasswordForStoringInConfigFile("ThisIsMyPassword", "SHA1")

This creates an SHA-1 hash of a UTF-8 representation of your password string.  (Which, troyhunt.com doesn't currently appear to confirm what exact form the passwords were in when he hashed them, but we're assuming UTF-8.)

For example in my case the entry and output of these commands was:

PS C:\Files> [Reflection.Assembly]::LoadWithPartialName("System.Web")

GAC    Version        Location
---    -------        --------
True   v4.0.30319     C:\WINDOWS\Microsoft.Net\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll

PS C:\Files> [System.Web.Security.FormsAuthentication]::HashPasswordForStoringInConfigFile("ThisIsMyPassword", "SHA1")
30B8BD5829888900D15D2BBE6270D9BC65B0702F

So now you have the SHA1 hash, "30B8BD5829888900D15D2BBE6270D9BC65B0702F", that represents the password, "ThisIsMyPassword".

If you downloaded the 11GB offline file, now you can go search the file for that entire hash.

To instead use the k-anonymity approach to invoking the online API, take the first five characters of that SHA1 hash, and add it to the URL https://api.pwnedpasswords.com/range/.  Such as in the case of the "ThisIsMyPassword" example, this would be 30B8B, and the resulting URL is:

https://api.pwnedpasswords.com/range/30B8B

This returns you a list of 527 password hashes that exist in the list, and share these same first five characters in the SHA1 hash.  By searching for the remaining 35 characters in your SHA-1 hash value, you end up seeing that this password exists in the list and has been encountered in the black market data twenty-seven times:

D5829888900D15D2BBE6270D9BC65B0702F:27

So there, that's one way you could check for your passwords in the list, without "entering your password into an unknown third-party web site."  It's still not 100% safe, since even using this approach, if the haveibeenpwned.com site itself -- or someone in a position to know the URLs you have entered -- was actually malicious, you've now narrowed down the list of passwords they should try for your accounts to a list of only 527.

The only way to prevent that is to download the 11GB list yourself and search 100% locally for your SHA-1 hashes.

Offline

    Positive reputation 3   Negative reputation 0

#4 2019-01-28 20:44:48

YoMama
Player
Serbia
Reputation: +64
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

That's one long ass message and I'm too lazy to read it

Offline

    Positive reputation 2   Negative reputation 0

#5 2019-01-28 21:00:53

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 71.0

Re: Pwned Passwords

YoMama wrote:

That's one long ass message and I'm too lazy to read it

Yeah, we know.  This is how we have been hiding information from you all along. wink

Trench wrote:

So you could download the entire 11GB list from them...

Edit: I was wrong; the list is 22.6GB.  11GB is the 7-Zip archive size.  Notepad++ won't touch anything that size, but Microsoft Windows' built-in findstr.exe utility was able to do it, as was HxD for what it's worth.

Last edited by Trench (2019-01-28 22:01:13)

Offline

    Positive reputation 1   Negative reputation 0

#6 2019-01-29 00:35:50

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 64.0

Re: Pwned Passwords

boobs - This password has been seen 24,626 times before sad

Offline

    Positive reputation 0   Negative reputation 0

#7 2019-01-29 00:36:39

Sunshine
Empress of Doom
United States
Reputation: +4706
Registered: 2012-08-14
Posts: 6,727
Website
Android Opera 49.2

Re: Pwned Passwords

Wow... even one of my passwords that I thought was strong was found 3 times -.-

Is that 1password something to look into?

Last edited by Sunshine (2019-01-29 00:41:04)

Offline

    Positive reputation 0   Negative reputation 0

#8 2019-01-29 02:29:48

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 71.0

Re: Pwned Passwords

Sunshine wrote:

Is that 1password something to look into?

In my opinion, that's simply a sponsor who is helping him pay for the site, and not some assertion that "clearly this is the best way to solve password security."  Presumably they would just like the opportunity to keep their hand in your wallet under the pretense of helping you pick better passwords & having a "secure" place to save passwords that are so strong you can't possibly remember them all.

1Password does claim to be providing other services, such as alerting you when Amazon has had a data breach and guiding you to change your saved Amazon password.  Kind of a "credit monitoring, but for passwords" service.

The end-game of searching this haveibeenpwned.com list is to determine "has someone who is using the same password that I am using had their information captured and compromised before."  It's not really any kind of assertion of whether the password itself was "poor" or "strong", because it could have been compromised by a poor system used for storing or verifying the password.  Which has nothing to do with how strong the password itself was, and means an exceedingly strong password can still be present in this list; not just "bad passwords".

You want to pick exceedingly strong passwords.  After picking an exceedingly strong password, the reason you would search this haveibeenpwned.com list is to make sure you didn't pick an exceedingly strong password which just happens to be a password that is known to have been compromised as part of someone else's data.  ...or maybe even as part of your own data!  smile

Offline

    Positive reputation 2   Negative reputation 0

#9 2019-01-29 03:22:26

seventy
Playor
North Korea
Reputation: +809
Location: Pyongyang
Registered: 2014-03-06
Posts: 1,842
Ubuntu Firefox 64.0

Re: Pwned Passwords

Should I change my password now that I have entered it on that website?

Offline

    Positive reputation 0   Negative reputation 0

#10 2019-01-29 06:11:12

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 71.0

Re: Pwned Passwords

seventy wrote:

Should I change my password now that I have entered it on that website?

Nah, "chances are" everything is fine, same as the normal gambles we take with our identity and financial data every day.

It was just a bit ironic to have a premise of "Hey, we know a bunch of passwords that folks have been tricked into entering into phishing sites or otherwise compromised....  So check whether your important passwords are on this list, by entering your current passwords into this unknown web site."

Even the guy who designed the site said in his v1 implementation,

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#queryingthedataonline wrote:

...being conscious of not wanting to send the wrong message to people, immediately before the search box I put a very clear, very bold message:

"Do not send any password you actively use to a third-party service - even this one!"

But people don't always read these things. The service got a heap of press and millions of people descended on the site to check their passwords.

All the steps for checking your password locally are for anyone who doesn't want to take the risk, and was not because "we know there is an issue with haveibeenpwned.com."  Everyone should just have a very health skepticism about being asked "please enter your passwords into this site you never heard of before two minutes ago."

Offline

    Positive reputation 3   Negative reputation 0

#11 2019-01-29 10:35:28

YoMama
Player
Serbia
Reputation: +64
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

I just checked that link out, my password wasn't found at all, nice

Offline

    Positive reputation 0   Negative reputation 0

#12 2019-01-29 12:15:33

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 64.0

Re: Pwned Passwords

If you are concerned of typing your passwords in an "unknown" website to check if they are leaked, your sensible choice would be to create the SHA1 hash of your password and send the first 5 digits of that hash to the Pwned Passwords website, like Trench explained.

You can create SHA1 hash of any text in Windows with QuickHash GUI program instead. Then, send just the first 5 digits of the hash to api.pwnedpasswords.com/range/ and check if the rest of the hash is present in the response. If it is not, your password is not leaked.

An example, suppose the password you want to check is "12345678". The SHA1 hash is 7C222FB2927D828AF22F592134E8932480637C0D, and then you type in your browser tab api.pwnedpasswords.com/range/7c222 and you will see in the text response that the rest of the hash is there:

FB2927D828AF22F592134E8932480637C0D:2889079

2889079 leaks of "12345678" password is not surprising, since most people use these weak, easy to remember, passwords.

I use 3 different passwords for all accounts, but the usual recommendation is to use a different strong password for every account and have a password manager, like KeePass for example, to save them. In case one password gets leaked the other accounts are not at risk.

Offline

    Positive reputation 0   Negative reputation 0

#13 2019-01-29 12:37:22

YoMama
Player
Serbia
Reputation: +64
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

Did you know if you type your password it will be censored like this ***************

Offline

    Positive reputation 0   Negative reputation 0

#14 2019-01-29 12:50:58

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 64.0

Re: Pwned Passwords

Yes, but that is just visually, the Pwned Passwords website can log and store your password, which I do not believe it does.

Offline

    Positive reputation 0   Negative reputation 0

#15 2019-01-29 14:35:53

Arkos
Sedmin
Switzerland
Reputation: +2778
Registered: 2014-06-06
Posts: 7,041
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

Testing your password online sounds a bit surreal smile

...

Offline

    Positive reputation 6   Negative reputation 0

#16 2019-01-30 16:58:58

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 10 Firefox 65.0

Re: Pwned Passwords

There should be a website where you can test your plastic card by entering its number, month, year, holder's name and CVC/CVV.

Offline

    Positive reputation 1   Negative reputation 0

#17 2019-01-30 18:57:06

YoMama
Player
Serbia
Reputation: +64
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

nämeless wrote:

There should be a website where you can test your plastic card by entering its number, month, year, holder's name and CVC/CVV.

You just gave me an idea to make that, with my basic knowledge of programing I might actually try to do it XD

Offline

    Positive reputation 0   Negative reputation 0

#18 2019-01-30 20:01:43

Arkos
Sedmin
Switzerland
Reputation: +2778
Registered: 2014-06-06
Posts: 7,041
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

"Test online if your Credit card is still secure!" Or "Test online if your PinCode has been stolen!"

I bet hundreds of people would test their cards smile

...

Offline

    Positive reputation 0   Negative reputation 0

#19 2019-01-30 23:54:03

YoMama
Player
Serbia
Reputation: +64
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

Arkos wrote:

...

"Test online if your Credit card is still secure!" Or "Test online if your PinCode has been stolen!"

I bet hundreds of people would test their cards smile

...

You're a fu cking genius, thanks for the idea homie

Offline

    Positive reputation 0   Negative reputation 0

#20 2019-01-31 11:09:33

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 65.0

Re: Pwned Passwords

You are spreading fear, uncertainty and doubt (FUD). Do not type your password in that website, if you are that worried, you just have to send the first 5 digits of the SHA1 hash of your password to check it, how hard is that?

Actually, I think it is a very good service by Troy Hunt and I may add this to the forum registration and login pages, with a very simple method:

<?php
/*
 * Simple method to use the API from https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
 * Written by Jim Westergren and released to public domain
 * @return int count
 */
function checkPwnedPasswords(string $password) : int
{
    $sha1 = strtoupper(sha1($password));
    $data = file_get_contents('https://api.pwnedpasswords.com/range/'.substr($sha1, 0, 5));
    if (FALSE !== strpos($data, substr($sha1, 5))) {
        $data = explode(substr($sha1, 5).':', $data);
        $count = (int) $data[1];
    }
    return $count ?? 0;
}

Offline

    Positive reputation 1   Negative reputation 0

#21 2019-01-31 12:22:51

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 10 Firefox 65.0

Re: Pwned Passwords

tuia wrote:

You are spreading fear, uncertainty and doubt (FUD). Do not type your password in that website, if you are that worried, you just have to send the first 5 digits of the SHA1 hash of your password to check it, how hard is that?

Actually, I think it is a very good service by Troy Hunt and I may add this to the forum registration and login pages, with a very simple method:

<?php
/*
 * Simple method to use the API from https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
 * Written by Jim Westergren and released to public domain
 * @return int count
 */
function checkPwnedPasswords(string $password) : int
{
    $sha1 = strtoupper(sha1($password));
    $data = file_get_contents('https://api.pwnedpasswords.com/range/'.substr($sha1, 0, 5));
    if (FALSE !== strpos($data, substr($sha1, 5))) {
        $data = explode(substr($sha1, 5).':', $data);
        $count = (int) $data[1];
    }
    return $count ?? 0;
}

Tuia, don't get me wrong but try to think a bit deeper.

You have a password, an insecure password like "monkey", for example. It's a typical thing for people to get passwords like this one to always remember them. As far as you know, it's possible to get hash from the string but it's not possible to get string from the hash. I believe you will never get something like "iwrestledapolarbeartwice" from any hash but it doesn't work for insecure passwords like "monkey" because it's a very common issue. There are bases of stolen passwords, no hashes, no salt. If you have a table of passwords, you can get another column in this table with hashes of these passwords.

For example.

http://foxtools.ru/Hash

md5(monkey) is d0763edaa9d9bd2a9516280e9044d885

https://md5.web-max.ca

WIYyUaZ.png

If there is a base of stolen passwords, there are also a table of stolen usernames, addresses, locations etc. In case of request for checking the passwords, the script can seek somewhere to get usernames and addresses associated with this password or hash. There could be a lot of records but only a few with the same IP or another address from the same range.

Offline

    Positive reputation 0   Negative reputation 0

#22 2019-01-31 12:27:50

ABAS
disciple of Jeff
Pahlavi Iran
Reputation: +1960
Registered: 2015-12-10
Posts: 2,322
Website
Android Chrome 57.0

Re: Pwned Passwords

What a good vodka that was

Offline

    Positive reputation 0   Negative reputation 0

#23 2019-01-31 12:30:01

Arkos
Sedmin
Switzerland
Reputation: +2778
Registered: 2014-06-06
Posts: 7,041
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

Just add some special symbols to your PW and the hack would take ~5 years or so.

...

Offline

    Positive reputation 0   Negative reputation 0

#24 2019-01-31 13:07:40

Black Mamba
Member
Canada
Reputation: +1449
Registered: 2012-12-01
Posts: 4,231
iOS Safari 12.0

Re: Pwned Passwords

Arkos wrote:

...

Just add some special symbols to your PW and the hack would take ~5 years or so.

...

That, and make it as long as possible.

Offline

    Positive reputation 0   Negative reputation 0

#25 2019-01-31 13:19:45

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 65.0

Re: Pwned Passwords

nämeless wrote:

Tuia, don't get me wrong but try to think a bit deeper.

You have a password, an insecure password like "monkey", for example. It's a typical thing for people to get passwords like this one to always remember them. As far as you know, it's possible to get hash from the string but it's not possible to get string from the hash. I believe you will never get something like "iwrestledapolarbeartwice" from any hash but it doesn't work for insecure passwords like "monkey" because it's a very common issue. There are bases of stolen passwords, no hashes, no salt. If you have a table of passwords, you can get another column in this table with hashes of these passwords.

For example.

http://foxtools.ru/Hash

md5(monkey) is d0763edaa9d9bd2a9516280e9044d885

https://md5.web-max.ca

https://i.imgur.com/WIYyUaZ.png

If there is a base of stolen passwords, there are also a table of stolen usernames, addresses, locations etc. In case of request for checking the passwords, the script can seek somewhere to get usernames and addresses associated with this password or hash. There could be a lot of records but only a few with the same IP or another address from the same range.

I know about brute-force, rainbow tables and that MD5 and SHA1 hashes are insecure, but what are you failing to realize is that the complete SHA1 hash of a password is not sent to that Pwned Passwords website, it is just the first 5 digits of that hash. So, that means there are 16^35 combinations remaining. In other words, your password is still safe, if you check by that method.

Offline

    Positive reputation 0   Negative reputation 0

#26 2019-01-31 13:35:19

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 10 Firefox 65.0

Re: Pwned Passwords

tuia wrote:
nämeless wrote:

Tuia, don't get me wrong but try to think a bit deeper.

You have a password, an insecure password like "monkey", for example. It's a typical thing for people to get passwords like this one to always remember them. As far as you know, it's possible to get hash from the string but it's not possible to get string from the hash. I believe you will never get something like "iwrestledapolarbeartwice" from any hash but it doesn't work for insecure passwords like "monkey" because it's a very common issue. There are bases of stolen passwords, no hashes, no salt. If you have a table of passwords, you can get another column in this table with hashes of these passwords.

For example.

http://foxtools.ru/Hash

md5(monkey) is d0763edaa9d9bd2a9516280e9044d885

https://md5.web-max.ca

https://i.imgur.com/WIYyUaZ.png

If there is a base of stolen passwords, there are also a table of stolen usernames, addresses, locations etc. In case of request for checking the passwords, the script can seek somewhere to get usernames and addresses associated with this password or hash. There could be a lot of records but only a few with the same IP or another address from the same range.

I know about brute-force, rainbow tables and that MD5 and SHA1 hashes are insecure, but what are you failing to realize is that the complete SHA1 hash of a password is not sent to that Pwned Passwords website, it is just the first 5 digits of that hash. So, that means there are 16^35 combinations remaining. In other words, your password is still safe, if you check by that method.

The first five digits are already enough to exclude a lot of coincidences but the website offers to enter your password "as is".

Offline

    Positive reputation 0   Negative reputation 0

#27 2019-01-31 13:38:46

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 65.0

Re: Pwned Passwords

Here is the first five digits of my super secret password hash:  4BC4A

Find the password, if you think it is possible. smile

Offline

    Positive reputation 0   Negative reputation 0

#28 2019-01-31 13:55:59

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 10 Firefox 65.0

Re: Pwned Passwords

There is no result which starts with 4BC4A.

Offline

    Positive reputation 0   Negative reputation 0

#29 2019-01-31 14:01:13

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 65.0

Re: Pwned Passwords

There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But, the rest of the hash is not in that list.

Offline

    Positive reputation 0   Negative reputation 0

#30 2019-01-31 14:20:45

Black Mamba
Member
Canada
Reputation: +1449
Registered: 2012-12-01
Posts: 4,231
iOS Safari 12.0

Re: Pwned Passwords

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

Last edited by Black Mamba (2019-01-31 14:21:07)

Offline

    Positive reputation 0   Negative reputation 0

Board footer