[shkkmo]

Why not use Pwned Passwords to check your passwords to see if any of them need to be rotated due to this breach or any other?

[sliken]

Seems really weird to advocate people reveal their passwords to a random untrusted 3rd party.

They do have an API that allows you to search for your password based on a truncated checksum, so you can find out if your password was leaked, without revealing the password.

[bbernoulli]

The password itself is not sent. You can read about it here:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

[sliken]

He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Which does upload your password, which I think is an unacceptable risk.

[sliken]

Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.

[brennebeck]

Not trying to be a pedant, but wouldn’t “[...]it’s far from clear[...]” be (more?) correct?

If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.

[npongratz]

I completely agree. Maybe this was the mental model:

    far from unclear           unclear      clear   far from unclear
          ^                                               ^
          |                                               |
          -------------------------------------------------

[sliken]

Heh, sure, "far from clear" is what I meant to say.

It would take substantial time, expertise, and effort to audit that single web page. Even then any of the numerous pieces could change at any time.

So the risk is high, especially for something you are putting trusted passwords into.

[rincebrain]

You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.

If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

[sliken]

So you are trusting the HTML/CSS and javscript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.

There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

Note the lack of https.

You are going to trust a page with that code with your important passwords?

Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.

Much like trusting curl https://whatever.com | sudo /bin/bash

Crazy.

[romellem]

If you are that distrusting, then do the SHA1 conversion yourself. It isn't that complicated:

  sha1=$(echo -n 'happy123' | tr -d '\n' | openssl sha1)
  result=$(curl https://api.pwnedpasswords.com/range/${sha1:0:5} 
    2>/dev/null | grep $(echo ${sha1:5:35} | tr '[:lower:]' '[:upper:]'))
  echo "Count: ${result#*:}"

With that, I can see that the password 'happy123' has been "pwn'd" 70,617 times.

[rincebrain]

So your claim has gone from "it uploads the password to the server" to "you trust unverified Javascript".

No, I don't have any particular reason to trust it.

I was just pointing out that the claim you made was inaccurate.

[clort]

How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?

Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.

Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..

[shkkmo]

> He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Please don't make false assertions about what I was suggesting without any evidence.

Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.

I would certainly not put any live passwords into the webform.

[shkkmo]

You replies in general have be combative and seeked to push people into positions that you could argue against for internet points.

You could have made your points in a much more constructive and concise manner:

Pwned Passwords is a great data set, I would recommend against using the webform to check your password, instead download the hash file or utilize the extremely simple api. The webform is insecure because...