Pwned Passwords are real world passwords previously exposed in data breaches. You should check your passwords in this website: https://haveibeenpwned.com/Passwords
If you have a leaked password, you should change it right away. To change this forum password, go to Profile > Essentials > Change password.
I'd like to keep my phone number as pass
I feel like one of those 1960's movie robots with smoke coming out of their ears while repeating "does. not. compute." when trying to reconcile "check whether your current live password has been compromised or not" by asking people to "please enter your password into this web site you've never seen before."
Yes, I have read the process, and understand the math, the API, and how we've been promised that our clear text passwords are "not going to be submitted or logged." So I should trust what's written on this web site I've never seen before and give it my current passwords? Cue ear smoke and robotic arm spinning.
So you could download the entire 11GB list from them, generate an SHA1 hash of the password yourself (LOCALLY -- not using an online SHA1 hash generator, or else you might as well have gone ahead and entered your password into this site), and search that 11GB list entirely locally without anyone knowing what you did.
If downloading or searching an 11GB list of hashes doesn't sound like fun, the API haveibeenpwned.com provides isn't that bad to use manually, and the k-anonymity approach of sending only a prefix of your SHA1 hash gives "some" sense of not being totally compromised. You're still providing "an unknown external entity" some hints about what your passwords might be, though.
Regardless of which approach you want to use, the first step is to create an SHA-1 hash of your password, without sending your password to anyone. If you're on a current version of Windows 10, you can open up a PowerShell command prompt and enter the following two PowerShell commands to generate an SHA1 hash of your password:
[Reflection.Assembly]::LoadWithPartialName("System.Web")
[System.Web.Security.FormsAuthentication]::HashPasswordForStoringInConfigFile("ThisIsMyPassword", "SHA1")
This creates an SHA-1 hash of a UTF-8 representation of your password string. (troyhunt.com doesn't currently appear to confirm what exact form the passwords were in when he hashed them, but we're assuming UTF-8.)
For example in my case the entry and output of these commands was:
PS C:\Files> [Reflection.Assembly]::LoadWithPartialName("System.Web")
GAC Version Location
--- ------- --------
True v4.0.30319 C:\WINDOWS\Microsoft.Net\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
PS C:\Files> [System.Web.Security.FormsAuthentication]::HashPasswordForStoringInConfigFile("ThisIsMyPassword", "SHA1")
30B8BD5829888900D15D2BBE6270D9BC65B0702F
So now you have the SHA1 hash, "30B8BD5829888900D15D2BBE6270D9BC65B0702F", that represents the password, "ThisIsMyPassword".
If you downloaded the 11GB offline file, now you can go search the file for that entire hash.
To instead use the k-anonymity approach to invoking the online API, take the first five characters of that SHA1 hash, and add it to the URL https://api.pwnedpasswords.com/range/. Such as in the case of the "ThisIsMyPassword" example, this would be 30B8B, and the resulting URL is:
https://api.pwnedpasswords.com/range/30B8B
This returns you a list of 527 password hashes that exist in the list, and share these same first five characters in the SHA1 hash. By searching for the remaining 35 characters in your SHA-1 hash value, you end up seeing that this password exists in the list and has been encountered in the black market data twenty-seven times:
D5829888900D15D2BBE6270D9BC65B0702F:27
So there, that's one way you could check for your passwords in the list, without "entering your password into an unknown third-party web site." It's still not 100% safe, since even using this approach, if the haveibeenpwned.com site itself -- or someone in a position to know the URLs you have entered -- was actually malicious, you've now narrowed down the list of passwords they should try for your accounts to a list of only 527.
The only way to prevent that is to download the 11GB list yourself and search 100% locally for your SHA-1 hashes.
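As an added example (my own code, not Trench's commands or anything from haveibeenpwned.com), the same procedure in Python: hash locally, send only the 5-character prefix, match the 35-character suffix on your own machine, plus the fully offline variant over the downloaded list. The sample range body below is constructed (only the D5829...:27 line comes from this thread), and the downloaded list is assumed to use the same one-`SHA1:COUNT`-per-line layout as the range response.

```python
import hashlib
import urllib.request
from typing import Callable, Iterable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint used in the thread


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 of the UTF-8 password as upper-case hex, split into the
    5-char prefix (the only part ever sent) and the 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_for_hash(lines: Iterable[str], target: str) -> int:
    """Scan 'HEX:COUNT' lines (a /range/ response body or the downloaded list)
    and return the count whose HEX field equals target, else 0. Comparing the
    whole field avoids a substring hit inside some other entry."""
    target = target.upper()
    for line in lines:
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == target:
            return int(count)
    return 0


def fetch_range_from_api(prefix: str) -> str:
    """Live lookup: only the 5-char prefix goes over the wire (not used offline)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_from_api) -> int:
    """k-anonymity check: hash locally, send the prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_for_hash(fetch_range(prefix).splitlines(), suffix)


def pwned_count_offline(password: str, list_lines: Iterable[str]) -> int:
    """Fully local check against the downloaded list; nothing leaves the machine.
    Accepts an open file handle, so a 22 GB file is streamed, not loaded."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_for_hash(list_lines, prefix + suffix)


# Constructed stand-in for a /range/30B8B body: the entry quoted in the thread
# plus two made-up neighbours (not real data; real responses have ~500 lines).
SAMPLE_RANGE_RESPONSE = (
    "0000F1C2B3D4E5F60718293A4B5C6D7E8F9:3\r\n"
    "D5829888900D15D2BBE6270D9BC65B0702F:27\r\n"
    "FFFF0A1B2C3D4E5F60718293A4B5C6D7E8F:1\r\n"
)
```

Pass `open("pwned-passwords-sha1-ordered-by-hash-v4.txt")` (or whatever your download is named) as `list_lines` to `pwned_count_offline` for the no-network check.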
That's one long ass message and I'm too lazy to read it
Yeah, we know. This is how we have been hiding information from you all along.
So you could download the entire 11GB list from them...
Edit: I was wrong; the list is 22.6GB. 11GB is the 7-Zip archive size. Notepad++ won't touch anything that size, but Microsoft Windows' built-in findstr.exe utility was able to do it, as was HxD for what it's worth.
Last edited by Trench (2019-01-28 23:01:13)
Is that 1password something to look into?
In my opinion, that's simply a sponsor who is helping him pay for the site, and not some assertion that "clearly this is the best way to solve password security." Presumably they would just like the opportunity to keep their hand in your wallet under the pretense of helping you pick better passwords & having a "secure" place to save passwords that are so strong you can't possibly remember them all.
1Password does claim to be providing other services, such as alerting you when Amazon has had a data breach and guiding you to change your saved Amazon password. Kind of a "credit monitoring, but for passwords" service.
The end-game of searching this haveibeenpwned.com list is to determine "has someone who is using the same password that I am using had their information captured and compromised before." It's not really any kind of assertion of whether the password itself was "poor" or "strong", because it could have been compromised by a poor system used for storing or verifying the password. Which has nothing to do with how strong the password itself was, and means an exceedingly strong password can still be present in this list; not just "bad passwords".
You want to pick exceedingly strong passwords. After picking an exceedingly strong password, the reason you would search this haveibeenpwned.com list is to make sure you didn't pick an exceedingly strong password which just happens to be a password that is known to have been compromised as part of someone else's data. ...or maybe even as part of your own data!
Should I change my password now that I have entered it on that website?
Nah, "chances are" everything is fine, same as the normal gambles we take with our identity and financial data every day.
It was just a bit ironic to have a premise of "Hey, we know a bunch of passwords that folks have been tricked into entering into phishing sites or otherwise compromised.... So check whether your important passwords are on this list, by entering your current passwords into this unknown web site."
Even the guy who designed the site said in his v1 implementation,
...being conscious of not wanting to send the wrong message to people, immediately before the search box I put a very clear, very bold message:
"Do not send any password you actively use to a third-party service - even this one!"
But people don't always read these things. The service got a heap of press and millions of people descended on the site to check their passwords.
All the steps for checking your password locally are for anyone who doesn't want to take the risk, and were not because "we know there is an issue with haveibeenpwned.com." Everyone should just have a very healthy skepticism about being asked "please enter your passwords into this site you never heard of before two minutes ago."
I just checked that link out, my password wasn't found at all, nice
If you are concerned about typing your passwords in an "unknown" website to check if they are leaked, your sensible choice would be to create the SHA1 hash of your password and send the first 5 digits of that hash to the Pwned Passwords website, like Trench explained.
You can create an SHA1 hash of any text in Windows with the QuickHash GUI program instead. Then, send just the first 5 digits of the hash to api.pwnedpasswords.com/range/ and check if the rest of the hash is present in the response. If it is not, your password is not leaked.
An example, suppose the password you want to check is "12345678". The SHA1 hash is 7C222FB2927D828AF22F592134E8932480637C0D, and then you type in your browser tab api.pwnedpasswords.com/range/7c222 and you will see in the text response that the rest of the hash is there:
FB2927D828AF22F592134E8932480637C0D:2889079
2889079 leaks of the "12345678" password are not surprising, since most people use these weak, easy to remember passwords.
I use 3 different passwords for all accounts, but the usual recommendation is to use a different strong password for every account and have a password manager, like KeePass for example, to save them. In case one password gets leaked the other accounts are not at risk.
Did you know if you type your password it will be censored like this ***************
Testing your password online sounds a bit surreal
There should be a website where you can test your plastic card by entering its number, month, year, holder's name and CVC/CVV.
You just gave me an idea to make that, with my basic knowledge of programming I might actually try to do it XD
"Test online if your Credit card is still secure!" Or "Test online if your PinCode has been stolen!"
I bet hundreds of people would test their cards
You're a fu cking genius, thanks for the idea homie
You are spreading fear, uncertainty and doubt (FUD). Do not type your password in that website; if you are that worried, you just have to send the first 5 digits of the SHA1 hash of your password to check it. How hard is that?
Actually, I think it is a very good service by Troy Hunt and I may add this to the forum registration and login pages, with a very simple method:
<?php
/*
* Simple method to use the API from https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
* Written by Jim Westergren and released to public domain
* @return int count (0 when the hash suffix is not in the range, or when the API could not be fetched)
*/
function checkPwnedPasswords(string $password) : int
{
    // Only the first 5 hex characters of the SHA-1 leave this server (k-anonymity); the other 35 stay local
    $sha1 = strtoupper(sha1($password));
    $data = file_get_contents('https://api.pwnedpasswords.com/range/'.substr($sha1, 0, 5));
    if (FALSE === $data) {
        return 0; // fetch failed: avoid calling strpos() on FALSE, which would only emit a warning
    }
    if (FALSE !== strpos($data, substr($sha1, 5))) {
        // Response lines are SUFFIX:COUNT, so split on our suffix and read the count that follows it
        $data = explode(substr($sha1, 5).':', $data);
        $count = (int) $data[1];
    }
    return $count ?? 0;
}
Tuia, don't get me wrong but try to think a bit deeper.
You have a password, an insecure password like "monkey", for example. It's a typical thing for people to get passwords like this one to always remember them. As far as you know, it's possible to get hash from the string but it's not possible to get string from the hash. I believe you will never get something like "iwrestledapolarbeartwice" from any hash but it doesn't work for insecure passwords like "monkey" because it's a very common issue. There are bases of stolen passwords, no hashes, no salt. If you have a table of passwords, you can get another column in this table with hashes of these passwords.
For example.
md5(monkey) is d0763edaa9d9bd2a9516280e9044d885
If there is a base of stolen passwords, there is also a table of stolen usernames, addresses, locations etc. In case of a request for checking the passwords, the script can seek somewhere to get usernames and addresses associated with this password or hash. There could be a lot of records but only a few with the same IP or another address from the same range.
Just add some special symbols to your PW and the hack would take ~5 years or so.
That, and make it as long as possible.
I know about brute-force, rainbow tables and that MD5 and SHA1 hashes are insecure, but what you are failing to realize is that the complete SHA1 hash of a password is not sent to that Pwned Passwords website, it is just the first 5 digits of that hash. So, that means there are 16^35 combinations remaining. In other words, your password is still safe, if you check by that method.
The first five digits are already enough to exclude a lot of coincidences but the website offers to enter your password "as is".
There is no result which starts with 4BC4A.
There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But, the rest of the hash is not in that list.
Tuia, I know you are working hard to maintain this website but have you ever thought of implementing an SSL certificate on your domain? Wouldn't it make the forums safer?
Last edited by Black Mamba (2019-01-31 15:21:07)