Krazychic

There's a Simple New Way to Find Out if Hackers Already Have Your Password

Passwords suck. They're hard to remember, we all have about a million of them, and they're not supposed to be anything easy or memorable like your cat's name (sorry Furball1).

Worst of all, when massive data breaches happen to the companies we actually trust with our online credentials, our usernames and passwords can become totally exposed – but luckily, there's now a simple way to find out if you've been compromised like this.

Troy Hunt is an Australian security researcher and the man behind Have I Been Pwned (HIBP), a website that lets people check if their email addresses and usernames have been involved in some of the biggest data breaches ever – involving companies like Myspace, LinkedIn, Adobe, Dropbox (and sadly hundreds more).

Now, Hunt has approached the same problem from the opposite perspective, building a new tool called Pwned Passwords that does the same kind of thing, but this time it lets you enter just your passwords to see if they've been leaked in any of the aforementioned hacks.

There are a staggering 320 million leaked passwords stored in this database, and if you're wondering whether it's maybe irresponsible to collect them all in one place like this, there are a couple of things to bear in mind.

One, none of the passwords here are stored alongside the email addresses or usernames that they pair with, so if any people are still using these long-exposed passwords, their anonymised listing here shouldn't make things any easier for hackers.

Two, Hunt's whole point with Pwned Passwords is to draw attention to the issue of just how many of our passwords have been outed by hackers up until now – by letting people check if one of their passwords is out there on the big bad internet.

Again, all of these passwords are already out in the wild – some have been for a long time – so hopefully most users have already changed them.

There are two ways of using Pwned Passwords: an online search tool on the website itself, and by downloading the whole list of 320 million leaked passwords, which are stored across three separate text files (note: you're looking at more than 5GB in total, as the list is very long).

Before we go any further, a word of warning. You really shouldn't type any active passwords you're currently using into the online search tool, because it goes against the whole principle of never sharing or distributing your passwords, even if it's with a website set up by a professional security researcher.

As Hunt explains on his blog:

"It goes without saying (although I say it anyway on that page), but don't enter a password you currently use into any third-party service like this! I don't explicitly log them and I'm a trustworthy guy but yeah, don't.

The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it's not one they should be using any more."

What this means is that if you want to see if any of your current passwords have been exposed, you really ought to download the whole list and search through it from the privacy and security of your own device.

It's an extra step of hassle, sure, but it's worth it, guys, and it's still a pretty simple thing to do.

For extra security – and to protect anybody still using these leaked passwords – the passwords in the list files have been encrypted with SHA-1 hashes, so you'll need to generate the hash of your password before you search for it in the list (instructions for generating SHA-1 hashes are easily found online).

Hopefully, whichever way you choose to use the service, you'll find that none of your passwords have been leaked, but if they are, now's as good a time as any to change them – and if you don't already, you should really consider using a password manager to store and generate your passwords.

For more on how to make the most of Pwned Passwords, check the instructions on the site, and have a read of Hunt's blog post introducing the service.

One last thing, if searching the service doesn't bring up any of your passwords, that's good news for sure, but it doesn't necessarily mean your password hasn't been leaked at some point – just that it's not included as part of this database.

"One quick caveat on the search feature: absence of evidence is not evidence of absence," as Hunt explains, "or in other words, just because a password doesn't return a hit doesn't mean it hasn't been previously exposed."

Source


Rumors are carried by haters
Spread by fools
and
Accepted by idiots
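An added worked example of the offline check the article describes, written for this thread and not taken from the article, from Have I Been Pwned or from Troy Hunt's own code. It assumes the downloaded list is a plain text file with one upper-case hex SHA-1 per line (that format is an assumption here); the two entries in the constructed sample below are the SHA-1 digests of "password" and "123456". The password is hashed on your own machine and only the digest is compared, so nothing is ever typed into a third-party site:

```python
import hashlib
import io
from typing import Iterable, Iterator

# Constructed stand-in for a downloaded Pwned Passwords file (assumed format:
# one upper-case hex SHA-1 per line). The entries are SHA-1("password") and
# SHA-1("123456"); a real file has hundreds of millions of such lines.
SAMPLE_LIST = (
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8\n"
    "7C4A8D09CA3762AF61E59520943DC26494F8941B\n"
)


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password bytes, upper-cased to match the list.

    Hash exactly the password and nothing else. At a shell prompt,
    `echo 'pw' | sha1sum` hashes "pw\n" and yields a different digest;
    `printf '%s' 'pw' | sha1sum` hashes the password alone.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def iter_hashes(lines: Iterable[str]) -> Iterator[str]:
    """Normalise each line: drop CR/LF and stray whitespace, upper-case hex."""
    for line in lines:
        digest = line.strip().upper()
        if digest:
            yield digest


def password_is_pwned(password: str, lines: Iterable[str]) -> bool:
    """True if the password's SHA-1 appears in the list.

    Streams the lines and stops at the first match, so a multi-GB file is
    never loaded into memory. False means "not in this list", nothing more:
    absence of evidence is not evidence of absence.
    """
    target = sha1_hex(password)
    return any(digest == target for digest in iter_hashes(lines))


def check_file(password: str, path: str) -> bool:
    """Check a password against a downloaded list on disk, line by line."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return password_is_pwned(password, fh)


def check_sample(password: str) -> bool:
    """The same check, run against the constructed in-memory sample."""
    return password_is_pwned(password, io.StringIO(SAMPLE_LIST))


if __name__ == "__main__":
    import getpass

    # getpass keeps the password out of the terminal scrollback and shell history.
    pw = getpass.getpass("Password to check (not echoed, not stored): ")
    print("found in list" if check_sample(pw) else "not in this list")
```

Point check_file at one of the downloaded text files to run it for real. The linear scan is correct for any line ordering; if the file you downloaded happens to be sorted by hash, a binary search or a sort/comm pass over a file of your own digests is faster, but the result is the same. Either way the only value that ever leaves the function is a yes/no, and the plaintext password is never written anywhere.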

I don't get what this is supposed to do in the long run. A user has little to no control of their password on the side of storing credentials, because you're pretty much putting all faith in the provider to hash their passwords and salt them properly. But it's also pointless to salt and hash a password that's so common that it can be broken easily by a brute force. It's really a matter of password complexity requirements, rotations and not allowing people to use stupid shit like p@$$w0rd! for a password.

Linux/Unix | InfoSec | Electronics | Radios

Everyone should be using a password manager.

Good passwords * lots of websites = too hard to remember.

Password managers can generate really strong passwords.

I recommend either KeePass or PasswordSafe.

12 hours ago, Solaris said:

I don't get what this is supposed to do in the long run. A user has little to no control of their password on the side of storing credentials, because you're pretty much putting all faith in the provider to hash their passwords and salt them properly. But it's also pointless to salt and hash a password that's so common that it can be broken easily by a brute force. It's really a matter of password complexity requirements, rotations and not allowing people to use stupid shit like p@$$w0rd! for a password.

So 1234 is out of the question?


I already heard my password was secure when this site said to enter my passwords to find out if anyone has found them out.
