by zaroth 2709 days ago
Troy won’t store the passwords associated with the username, which is a choice I can absolutely respect.

But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.

So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.

I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.

I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.

12 comments

He has the "Pwned Password" search to allow you to narrow it down and he has a really good article that he links to explaining why despite its inconvenience.

If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.

At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice which is his primary occupation.

Too risky.

I am not sure you should put too much confidence in the "pwned password" search.

I know one of the weak passwords I stupidly reuse everywhere was compromised, since I had someone buy something with my paypal account. But it comes up as clean in the password search. So it was probably cracked from one of the leaked hashes but the plain text was never entered into the public dumps.

Well one can't prove a negative, that is that your password _hasn't_ been leaked.

Knowing that - for sure - a password has appeared in a breach is very useful.

It would be impossible for the site to have every password ever compromised.

It can only check against a database of known password leaks.

There wouldn't be any inconvenience if your password manager did its job of helping you manage your passwords. 1Password has implemented a feature that helps you easily check all your passwords, I'm honestly surprised it's taking so long for the others to do too. The data is there, there's a super easy API, it doesn't take that much effort...
Enpass has such a feature too. I just had it check all my passwords in the light of this new breach.
You can search by password here: https://haveibeenpwned.com/Passwords

If you're as paranoid as you should be, then you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you can replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1s that start with the given 5 character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.

For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".

---------

Edit : I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he's added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.

I wrote a Ruby script to check passwords back when the Pwned Passwords V2 API was introduced. I've added a second script to check a bulk list of passwords in a plain-text file.

https://gist.github.com/schmich/aeaffac922271a11b70e9a79a5fe...

Troy Hunt explained how to find out if your password is pwned using the API in a comment [0]:

You need to look at the request being generated. Here's how to do it:

1) The SHA-1 of P@ssw0rd is 21BD12DC183F740EE76F27B78EB39C8AD972A757: https://passwordsgenerator.net/sha1-hash-generator/

2) Pass the first 5 chars to the API here: https://api.pwnedpasswords.com/range/21BD1

3) Find the suffix in the response and it has the count next to it: 2DC183F740EE76F27B78EB39C8AD972A757:51259

[0]: https://www.troyhunt.com/the-773-million-record-collection-1...
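Putting the two comments above together (the k-anonymity range API and the three steps quoted from Troy Hunt), here is an added Python example that is not from either commenter or from the HIBP project: it hashes the password locally, sends only the 5-character SHA-1 prefix, and matches the 35-character suffix on the client. The range response is a constructed sample so the example runs offline; `fetch_range_live` is an assumed helper name for the real request.

```python
import hashlib
import urllib.request

# Constructed sample of a range API body for prefix 21BD1. Real responses
# carry hundreds of lines in the same SUFFIX:COUNT format; the middle line
# is the one Troy Hunt's comment quotes for P@ssw0rd.
SAMPLE_RANGE_RESPONSE = """\
2D6980B9098804E7A83DC5831BFBAF3927F:1
2DC183F740EE76F27B78EB39C8AD972A757:51259
2E4C3B4F8B8AD0A1E4E7D8C1C3A5F9E2B44:3
"""

def sha1_prefix_suffix(password: str) -> tuple:
    """Step 1: hash locally; split into the 5 chars sent and the 35 kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Step 3 helper: turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range) -> int:
    """Steps 1-3: only the prefix leaves the machine; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API so the example runs without network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "21BD1" else ""

def fetch_range_live(prefix: str) -> str:
    """Step 2: GET https://api.pwnedpasswords.com/range/<prefix> (assumed helper)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    # Prints only the count, never the password or its full hash.
    print(pwned_count("P@ssw0rd", fetch_range_offline))  # 51259
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the plaintext and the full hash still never leave the process.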

Weird, I don't see any entries for password or password1 in there.
I get this when I try 'password':

Oh no — pwned! This password has been seen 3,645,804 times before

I assume he was sending in the SHA-1s. And yeah, it looks like he (Troy Hunt / site operator) disabled the direct search by SHA-1 now that he's enabled the k-anonymity API. Was able to edit and update my original post to reflect this.
The slightly annoying thing here is that I already use a password manager, so while the impact to me is minimal, I wish I knew which password specifically I have to rotate, instead of assuming that I need to rotate, like, all of them...
I'm not sure if you're a 1Password user (or whether your alternative supports similar functionality) but the former has a feature called Watchtower which then groups your compromised logins.
What we may need is the next step: a standardized way of changing passwords that would allow us to rotate them in bulk directly from the password manager.
You might be interested in this, from just over a month ago:

https://news.ycombinator.com/item?id=18618193

(Not affiliated with, just a happy user of) 1Password does a pretty good job at this, you can find all HIBP-passwords in a single location: https://support.1password.com/watchtower/
Why not use Pwned Passwords to check your passwords to see if any of them need to be rotated due to this breach or any other?
Seems really weird to advocate people reveal their passwords to a random untrusted 3rd party.

They do have an API that allows you to search for your password based on a truncated checksum, so you can find out if your password was leaked, without revealing the password.

The password itself is not sent. You can read about it here:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Which does upload your password, which I think is an unacceptable risk.

Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.

You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.

If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?

Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.

Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..

> He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Please don't make false assertions about what I was suggesting without any evidence.

Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.

I would certainly not put any live passwords into the webform.

Your replies in general have been combative and have sought to push people into positions that you could argue against for internet points.

You could have made your points in a much more constructive and concise manner:

Pwned Passwords is a great data set, I would recommend against using the webform to check your password, instead download the hash file or utilize the extremely simple api. The webform is insecure because...

I just use a different email for each service, so I could identify leaks.
>So I guess just assume all your passwords are cracked and use a password manager.

I mean I do, and that's why I have 100+ passwords that MIGHT be compromised. I don't even know where to start? Seems like the password should be shareable if you control the email or something like that. Fuck, I'd take a cc style last four type redaction or something.

For me, it was leaked through boltcd, elance, and reseller ratings. All those emails had been regularly leaked.

I know because every time I register for a site I use site@mydomain.com as my email.

Troy's site does indicate which site breach it came from generally. I ran my emails and found it funny when myspace came up (and others I was aware of). I guess I did have an account there after all but I've used password safe for over a decade and always have unique passwords including that one from 2007.
But most of these breaches are just aggregation of passwords he found like in this particular example. It doesn't tell you which website got hacked originally.
I took the habit of giving a unique random alias to every website or service that requires my email. The additional benefit is that I can single out where the breach (or spam) came from if I see that unique alias. I only started doing that about 3-4 years ago and so far only the dailymotion breach popped up.

You can also do that with gmail by using the login+alias@gmail.com syntax but it's well known and trivial for a hacker to defeat.

I've found that a lot of sites will not accept an email with a + in it nowadays.
He has a service that lets you enter a password to check if it’s been pwned though. I guess these are disassociated from user emails?
Still seems insane to upload your password.
> So I guess just assume all your passwords are cracked and use a password manager.

Even if it's not in the HIBP base, you should always assume that. That's why you should always enable MFA everywhere it's possible and consider all services where it's not already compromised.

I know which passwords were breached by all the emails I get telling me "we know your password is XXXXXXXXX. Pay up or else". There's 4 or 5 in the first 30 messages in my email spam folder. >:(
Hmmm? He tells you which breach it came from, so in my case I know LinkedIn, Adobe, Dropbox, Binweevils (thanks kids!)
In my case I have an email that was found in Collection #1, but without knowing which site(s). It's information I'd like to know.
You can check the sites involved in the pastebin directory list though.