Want to know if your password is secure? Then you should probably never ever enter it into a website that promises to let you know.
But if you suspect that someone may have accessed a password you’re using, the first thing you should probably do is change it. And the second thing you might want to do is check it against a newly published database to see if that password has been compromised.
Troy Hunt, the developer behind the Have I Been Pwned website has just added a new passwords section that lets you compare a password against a list of 306 million passwords that have been compromised. Again, do not enter your current passwords on this website. But it could be useful in a few different ways.
First, as mentioned above, it lets you check to see if you previous passwords have been compromised. That doesn’t necessarily mean that you have been hacked: the database doesn’t check the password against your usernames or email addresses. But it does tell you that there’s a list of passwords floating around the internet, and your old password is on it.
Second, Hunt is making the entire list of passwords available for download (in a form that doesn’t show the plain text of the passwords). It’s a 5.3GB archive that takes up 11.9GB when uncompressed, so you should probably only download the list if you know what you plan to do with it.
But Hunt has a few ideas. For example, websites or applications that require users to register for new accounts can check against the list when you’re entering a password and either prevent you from using one that’s on the list, or at least let you know that it’s been found in a previous data breach.
Likewise, developers could provide that kind of information to users when they change passwords for existing accounts, or even when the login.
It’s worth noting that this password list is huge, but it’s probably not comprehensive. It’s probably impossible to compile a list of every password that’s ever been compromised. But at least this is a start.
Meanwhile, if you want to know if your username has ever been involved in a data breach (where hackers illegally obtained data from a website or service and then released it), Have I Been Pwned is a good place to start.
Probably the best thing you can do to protect yourself from this kind of data breach is to use different, strong passwords for every site you access. That can be a pain in the behind, but a good password manager can ease the pain (although some may introduce their own issues — personally I love the convenience of online password managers like LastPass and Dashlane, but they’re not immune to security issues).
via Hacker News