Want to know if your password is secure? Then you should probably never ever enter it into a website that promises to let you know.
But if you suspect that someone may have accessed a password you’re using, the first thing you should probably do is change it. And the second thing you might want to do is check it against a newly published database to see if that password has been compromised.
Troy Hunt, the developer behind the Have I Been Pwned website has just added a new passwords section that lets you compare a password against a list of 306 million passwords that have been compromised. Again, do not enter your current passwords on this website. But it could be useful in a few different ways.
First, as mentioned above, it lets you check to see if you previous passwords have been compromised. That doesn’t necessarily mean that you have been hacked: the database doesn’t check the password against your usernames or email addresses. But it does tell you that there’s a list of passwords floating around the internet, and your old password is on it.
Second, Hunt is making the entire list of passwords available for download (in a form that doesn’t show the plain text of the passwords). It’s a 5.3GB archive that takes up 11.9GB when uncompressed, so you should probably only download the list if you know what you plan to do with it.
But Hunt has a few ideas. For example, websites or applications that require users to register for new accounts can check against the list when you’re entering a password and either prevent you from using one that’s on the list, or at least let you know that it’s been found in a previous data breach.
Likewise, developers could provide that kind of information to users when they change passwords for existing accounts, or even when the login.
It’s worth noting that this password list is huge, but it’s probably not comprehensive. It’s probably impossible to compile a list of every password that’s ever been compromised. But at least this is a start.
Meanwhile, if you want to know if your username has ever been involved in a data breach (where hackers illegally obtained data from a website or service and then released it), Have I Been Pwned is a good place to start.
Probably the best thing you can do to protect yourself from this kind of data breach is to use different, strong passwords for every site you access. That can be a pain in the behind, but a good password manager can ease the pain (although some may introduce their own issues — personally I love the convenience of online password managers like LastPass and Dashlane, but they’re not immune to security issues).
via Hacker News
I don’t see the value of this search without matching the password to the login. Without that you’d not know whether the compromised password was your password.
Matching it poses a much greater threat… and simply knowing that the password is not only not unique, but is also in a list of breached passwords is a pretty good reason to change your password.
If you’re only worried about whether someone literally has your username and password combination, this won’t tell you. But this list is out there, and while Hunt is making it available for folks to help secure their data, less altruistic folks might use the data (which, again, was already in the wild) to speed up the process of cracking passwords.
But passwords don’t have to be unique and probably very few are. Maybe if you have very long very complex passwords a match would mean something. The original site that looks for usernames seems much more useful. If your email appears on that site you have a problem.
I think not having a password on the compromised list is a good start for uniqueness; if your password is compromised and it wasn’t your account, that means your password is effectively guessable, in that some person came up with it, and it’s now going to be an entry in dictionary attacks from now on. And if you find that passwords you use are compromised *and* your usernames have been in published lists of pwned accounts, well that’s a stronger indication that you need to take some action. No point in using one tool in a vacuum if you don’t have to.
I would agree that would be a good test for uniqueness, but passwords do not need to be unique. I would also agree though that if both your user name and password show up on those two sites, it would probably be a good idea to act. My original comment was just about the password by itself being compromised.
I’d also add that a shorter less secure password that you might use on a less important site (e.g. a weather site) is more likely to show up on the second site than if your password is dtgKES#652%@?.3ixztw52bZ! If you used that as a password and it shows up, the chances are greater that it’s you’re password.
It doesn’t matter whether it’s “your” password or not – if it’s the same, it’ll still unlock your account no matter where the password was originally leaked from.
A technique hackers use is to run through lists of leaked passwords like this. 306 million may sound a lot, but it’s nothing compared to trillions of combinations that you’d get with a secure password not on this list (306 million combinations in roughly equivalent to a 6 character password with only lower case letters – i.e., weak).
Yes, this is nowhere near as bad as a list that has usernames and passwords matched, as then they only have 1 combination to try. But it would mean you’re losing a level of protection.