New tool safely checks your passwords against a half-billion pwned passwords

Discussion in 'other security issues & news' started by hawki, Feb 23, 2018.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "New tool safely checks your passwords against a half-billion pwned passwords

    1Password uses first five characters of a hash to compare passwords to breaches...

    Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API..."

    [Link: https://haveibeenpwned.com/Passwords ]

    https://arstechnica.com/information...words-against-a-half-billion-pwned-passwords/
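The range lookup the quoted article describes (only the first five characters of the hash leave the machine), as an added example that is not part of the original thread and not 1Password's or Troy Hunt's code. It assumes SHA-1 hashing and the `SUFFIX:COUNT` response lines of the Pwned Passwords range API, and replaces the server with a small constructed corpus so that it runs offline; all function names are hypothetical.

```python
import hashlib

# Constructed stand-in for the breach corpus; the counts are made up.
BREACHED = {"Password123": 3, "letmein": 7, "qwerty": 12}

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(corpus):
    """Server side: bucket the 35-character hash suffixes by 5-character prefix."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index

def range_query(index, prefix, seen):
    """Server side: receives only the prefix and returns the whole bucket."""
    seen.append(prefix)  # the complete record of what the server learns
    return "\n".join(index.get(prefix, []))

def pwned_count(password, query):
    """Client side: hash locally, send 5 characters, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # suffix not in the bucket: not in the corpus

def demo():
    """Check one breached and one constructed unbreached password."""
    index = build_index(BREACHED)
    seen = []

    def query(prefix):
        return range_query(index, prefix, seen)

    hit = pwned_count("Password123", query)
    miss = pwned_count("k9#Vt2!mQz-constructed", query)
    return hit, miss, seen

if __name__ == "__main__":
    print(demo())
```

The `seen` list is everything the simulated server observes: two five-character prefixes, never the password or its full hash.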
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    https://www.forbes.com/sites/leemat...sswords-probably-contains-yours/#2ce8f72029cf
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I checked my old passwords that I was guilty of re-using a lot, it says I'm not owned.
     
  4. plat1098

    plat1098 Guest

    Bad news: One of my passwords is pwned
    Good news: It's only used for this website.

    :)
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Well I'm sure not punching my current PWs into any box. At best I'd punch in what would err on the obvious just to check how stupid people are. That is, if I didn't have anything else to do.

    Edit: - meaning the REALLY stupid passwords they use such as Password123
     
    Last edited: Feb 25, 2018
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Same here. Coincidence?
     
  7. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    I've been on the Net so long, I have many emails and passwords pwned. Much of it due to breaches - not my own doing.
    Part of the problem these days is that with Generator SW one can gen up millions of emails in short order.
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Hmmmm I didn't check the one I used for Wilders for the longest time, but I did now and...
    Oh no — pwned!
    This password has been seen before
    This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!

    More recently I've been generating and changing passwords regularly. I checked the last old I had for here, that site had not seen it before.
     
    Last edited: Feb 25, 2018
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    My password for this forum doesn't seem to be pwned.
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    The only “passwords” from my password manager export that I could find in the v2 file are actually pin codes...
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    I usually use a password of 10 alphanumeric characters.
    Also for this website:


    Immagine.jpg
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    +1 I'm definitely not going to enter my password there.
     
  13. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    Let me think...
    I wanna feel secure, thus not gonna put in any of my passwords.
    I wanna feel extra secure, hence I am onto replacing some of the weaker ones with stronger ones.

    Now I feel secure enough to go on wink
    Not sure it was the concept behind the aforementioned tool, though.
     
  14. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    My password from Wilders isn't pwned. I would have been worried if that had been the case, since I've had it since the day I registered.

    LastPass ftw.
     
  15. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  16. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Something on this order I'm sure is useful and not to take anyway it is trusted, but in all honesty what's to say you enter passwords to be checked and they are STORED or worse yet another entity has some tie-in to the website itself. Just Saying as a highly suspicious user when it comes to entering private data online anything. Again Just saying.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    If that site doesn't have other information (username or email) is entering password manually really that risky?
    As a precaution, the password can also be changed after being submitted for the check.
     
  20. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Exactly why I wouldn't do it. :cautious:
    9GB :eek: but much safer to do it locally of course with no internet connection.
     
  21. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    What about your IP address and other identifiers that your browser sends? Why give them any piece of the puzzle and why should I increase their database?
     
  22. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Bottom line - like SO many things on the Net is TRUST.

    If Trust = .T.
    submit
    else
    Don't Submit
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    My signal speed isn't the best these days but I am sure gonna try.

    I've always been in favor of LOCAL checks, even when it came to AV's when I used them, and especially since there are way too many loose feelers tied on and into the world internet in one form or another, it just seemed more practical for this user to do those things in the same room as the machine rather than relaying it throughout hops, jumps, skips or whatever.

    And especially where passwords are concerned. Too many breaches happen all the time where they think things are secured only to discover much too late that data was channeled into other destinations where they are scooped into a base etc.
     
  24. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Haha right. Tentacles like an octopus. Haven't used an AV for years, but I have recently used Clamwin offline.
    I'm sure my isp is throttling. I'm on a cap so wonder if isp would balk at 9GB.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, I agree less info is better. Of course I was using VPN when submitting (like for most browsing nowadays), and even if they knew who I was, they wouldn't know for which of my accounts I gave them my password. Enabling 2FA for important accounts helps also.
     