Mastodon

Pwned Passwords

A 19-post collection

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/] used by Mozilla, 1Password and a handful of other paying subscribers. It works beautifully; it's ridi...

Downloading Pwned Passwords Hashes with the HIBP Downloader

Just before Christmas, the promise to launch a fully open source Pwned Passwords fed with a firehose of fresh data from the FBI and NCA finally came true [https://www.troyhunt.com/open-source-pwned-passwords-with-fbi-feed-and-225m-new-nca-passwords-is-now-live/] . We pushed out the code, published the blog post, dusted ourselves off and that was that. Kind of - there was just one thing remaining... The k-anonymity API is lovely and that's not just me saying that, that's people voting with their...

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

I feel the need, the need for speed. Faster, Faster, until the thrill of speed overcomes the fear of death. If you're in control, you're not going fast enough. And so on and so forth. There's a time and a place for going fast, and there's no better place to do that than when querying Have I Been Pwned's Pwned Passwords service. (Ok, a lot less glamorous than the context of the previous statements, but also less likely to have a catastrophic outcome.) In December last year, Pwned Passwords sa...

Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API [https://haveibeenpwned.com/Passwords]. 99.7% of the time, that check went no further than one of hundreds of Cloudflare edge nodes [https://www.cloudflare.com/network/] spread around the world (95% of the world's population is within 50ms of one). It looks like this: There are all sorts of amazing Pwned Passwords use cases out there. For e...

Expanding the Have I Been Pwned Volunteer Community

Ever notice how there was a massive gap of almost 9 months between announcing the intention to start open sourcing Have I Been Pwned [https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/] (HIBP) in August last year and then finally a couple of weeks ago, actually taking the first step with Pwned Passwords [https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/] ? Many people certainly noticed the time because I kept getting...

Inside the Cit0Day Breach Collection

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data [https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/] . The hard bit for me is figuring out whether it's pwn-worthy enough to justify loading it into Have I Been Pwned (HIBP) or if it's just more noise that ultimately doesn'...

Pwned Passwords, Version 6

Today, almost one year after the release of version 5 [https://www.troyhunt.com/pwned-passwords-version-5/], I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964‬ (just over 3%). As with previous releases, I've made the call to push the data now simply because there were enough new records to justify the overhead in doing so. Also as with previous releases, version 6 not on...

Enhancing Pwned Passwords Privacy with Padding

Since launching version 2 of Pwned Passwords with the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep passwords from previous data breaches from being used again and subsequently, putting their customers at heightened risk. For example, this just a...

Pwned Passwords, Version 5

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era [https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/]. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: 1. Do...

The 773 Million Record "Collection #1" Data Breach

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a...