Check your email address(es) and passwords for cyber security breaches

RoGeorge:
The same recommended website can also check for compromised passwords:
https://haveibeenpwned.com/Passwords

I know that the databases of leaked emails and/or passwords are supposed to be in hashed form and not in clear. I know that the checking webpage is supposed to hash locally (in your computer) the email or password you typed, then only send the hashed value (not the clear text) to be checked against the online databases.

That is how the check is supposed to be working, assuming there are no bugs and no bad actors involved. Yet we all know software tends to have bugs, and the world tends to have bad actors. So don't spill info.

The whole idea of checking against a known list is kind of useless. If you are not in the databases, that doesn't mean you haven't been pwned. It only means you are not in that database. Your pass or email might still have been compromised. And if you find yourself in such databases, then you probably already noticed you have been hacked.

Such databases usually get exploited before going public. And most often they never go public. Hackers do not just steal passwords only to upload them the next day to a public pwned checker.

SiliconWizard:
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD

alexanderbrevig:
How do you use a password that you never spill? You enter it on this site, don't you?

I get the criticism here, and to never spill is good advice. Though, if you care to research the linked site you will come to trust it _more_ than you trust whatever site you use that password for. I trust haveibeenpwned to keep my entry safe during transit much more than I trust this forum install to keep it safe at rest.

BTW: They actually buy leaks early from the same marketplaces that threat actors would, so it's not getting information any later. This means routinely checking with this particular respected service (or signing up for an alert on email leaks) is _good_ advice. Much better than never spilling, hoping for the best and not knowing before it's too late.

I think your advice is good in general, but the outcry here is misplaced in my opinion.

SiliconWizard:
I looked at the source code of the above site.

The password is part of a very simple HTML form which directly submits the password through a POST method. The site is on an https connection, so your password is relatively safe until it reaches the server, which then gets it in full clear. What could go wrong? Seriously. Through this site, you are submitting passwords in CLEAR to them. They are not hashed before being sent. You may argue that this is how most sites handle passwords, but one that is *dedicated* to collecting passwords is something else. You'll have to fully trust the owner's code, the server, and everyone involved.

But please submit your passwords!

alexanderbrevig:
Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

TLDR: It does not send your password in the clear.
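The k-anonymity scheme the linked article describes, as an added worked example (not code from the thread or from the haveibeenpwned project): the client hashes the password locally with SHA-1, sends only the first 5 hex characters of the digest, receives every leaked hash suffix sharing that prefix, and does the final match itself. The range response below is constructed for the demo; the live endpoint URL in `fetch_range` is from the service's public documentation as I know it, not from this thread, and it is not called offline.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample of a range response, NOT captured from the real service.
# The service answers a 5-hex-char prefix query with "SUFFIX:COUNT" lines for
# every leaked hash sharing that prefix; the client matches the suffix locally.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password")
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
])

def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password locally and split the hex digest into the 5-char
    prefix that is sent and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map, skipping blank
    or malformed lines so a truncated body cannot raise."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appeared in leaks (0 if absent),
    given the range response for its prefix. The comparison happens here,
    so the server only ever learns the 5-char prefix, never the password."""
    _prefix, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup. Assumption: endpoint as publicly documented by the
    service, not taken from the thread. Not used in the offline demo."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("sent to server:", prefix)  # 5BAA6
    print("seen:", breach_count("password", SAMPLE_RANGE_RESPONSE))  # 3730471
    print("seen:", breach_count("correct horse battery staple", SAMPLE_RANGE_RESPONSE))  # 0
```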
