Check your password security with Have I Been Pwned?

There are several ways to authenticate users to information systems. One of them is to use a combination of an email address and a login password. Like any method, this one has some problems and weaknesses.

Password security covers a broad set of practices, and not all of them are appropriate or feasible for everyone. Users often do not see the dangers of a weak password.

What does it mean for a password to be secure? What should we protect ourselves from? Or are all these topics just conspiracy theories spread by people who earn money on security and need to promote their services?

In fact, we protect a lot. For example, a social media profile often allows you to log in to many other websites. Someone who has taken over your account can also send unsafe links to all your friends while posing as you. They may be more likely to follow such a link than one received from a complete stranger.

One way to discover a user’s password is the dictionary method. The attacker has a list of candidate passwords and tries them one by one until one works. Such collections are available for purchase in certain places, or the attacker can build them from public data leaks.

It is an important responsibility of the login system to limit how many passwords can be checked in a short time (rate limiting). Blocking the login after a specified number of incorrect attempts is also recommended. Unblocking then requires, for example, confirming the account by opening a message sent to the email address. Until that happens, even entering the correct password will not allow logging into the system.

Good protection against this kind of attack is to use mixed-case characters and special characters. It is also worth avoiding passwords that appear on known password lists (from various leaks). But how do you obtain such lists?

Over time, the industry realized that complex password composition rules (requiring a minimum number of special characters) brought only a slight improvement. Users often reuse the same passwords on different sites to make their daily life easier.

Have I Been Pwned? (I will use the abbreviation HIBP), created by Troy Hunt, is an excellent tool for checking whether a password is already known from leaks. The site does not publish this data in plain text; only password hashes are available. It does not need to publish the plain text, because the data is assumed to be public already (it comes from numerous data leaks). Attackers do not get access to the text form through HIBP, so they cannot use this information in attacks on unaware users.

You can also check your email address for leaks. The same is possible for usernames and phone numbers. Many well-known and highly recommended password managers use the options offered by HIBP to check the security of stored passwords.

The FBI and the British National Crime Agency have joined the project. They contribute massive datasets about leaks, often inaccessible to a regular company.

Additionally, it is possible to download the entire database. This enables completely local searches and eliminates network communication. It may be necessary for specific applications (for example, isolated banking systems).

The SHA-1 of my password is E0FCB1C9A40818E6155C1F09BBC1D0F211E07A88. Taking only the first few characters (5 by default) gives the prefix E0FCB. This hash prefix is used to query the remote database for all hashes starting with it, and the entire list of hash suffixes sharing that prefix is downloaded. Each downloaded suffix is then compared locally with the rest of the generated hash. If one matches, you know your password has been leaked. It turns out that no one has used such a password.

The hash algorithm is a one-way transformation, so it is challenging to determine from the result what data was used. HIBP returns one more piece of information with each entry: the number of times the password appears in the data breaches. You can use it, for example, to systematically review which of your customers’ passwords are particularly vulnerable to attacks.
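The prefix lookup and the per-entry count described above, as an added example (not code from the post or from HIBP). It assumes the public range endpoint `https://api.pwnedpasswords.com/range/<prefix>` returning `SUFFIX:COUNT` lines; the sample response body is constructed here so the check runs offline, and the network fetcher is only used if you pass no `fetch` argument.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP range endpoint
PREFIX_LEN = 5  # only these characters of the hash ever leave the machine


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as HIBP stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str, prefix_len: int = PREFIX_LEN) -> tuple[str, str]:
    return digest[:prefix_len], digest[prefix_len:]


def parse_range_response(body: str) -> dict[str, int]:
    """Map each returned suffix to its breach count; blank/CRLF lines tolerated."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network fetcher: download every suffix sharing the 5-char prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many breaches contain the password (0 = not found).
    The full hash is compared only locally; the server sees the prefix."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response (not real HIBP data): it lists the suffix of
# the very common password "password" plus two made-up neighbours.
_LEAKED_SUFFIX = split_hash(sha1_hex("password"))[1]
SAMPLE_BODY = ("0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
               f"{_LEAKED_SUFFIX}:3861493\r\n"
               "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n")


def sample_fetch(prefix: str) -> str:  # offline stand-in for fetch_range
    return SAMPLE_BODY
```

Calling `pwned_count("password", fetch=sample_fetch)` yields the constructed count, while an unlisted password yields 0; drop the `fetch` argument to query the live service.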

Security is one of the critical aspects of any project. Users are sometimes unaware of all the features offered by good-quality, trusted sites like Have I Been Pwned?. It is neither a challenge nor long work for a programmer to prepare a system that, instead of only checking the password length (number of characters) and the use of special characters, also asks the external HIBP service to make sure the password has not appeared in known data leaks.

Let’s take care of the safety of our users as best we can. It can also be a strong advantage for our system in the eyes of more advanced users who care about their safety.
