Check your email address(es) and passwords for cyber security breaches
SiliconWizard:
--- Quote from: alexanderbrevig on January 12, 2023, 09:49:32 pm ---Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
TLDR: It does not send your password in the clear.
--- End quote ---
I'm not an HTML5 specialist, but from what I've read, such a form will post the password in the clear. It will just not show it in the browser. But an HTML5 specialist may correct me and then tell me what the standard says about this.
--- Code: ---<form action="/Passwords" method="post" novalidate="novalidate">
  <div class="input-group">
    <input autocapitalize="off" autocorrect="off" class="form-control" data-val="true" data-val-maxlength="The field Password must be a string or array type with a maximum length of '450'." data-val-maxlength-max="450" data-val-minlength="The field Password must be a string or array type with a minimum length of '1'." data-val-minlength-min="1" id="Password" maxlength="450" name="Password" placeholder="password" spellcheck="false" type="password" />
    <span class="input-group-btn">
      <button class="btn btn-primary btn-lg" type="submit" id="searchPwnedPasswords">pwned?</button>
    </span>
  </div>
  <div class="progress progress-striped active" id="loading">
    <div class="progress-bar" role="progressbar" aria-valuenow="100" aria-valuemin="0" aria-valuemax="100" style="width: 100%">
    </div>
  </div>
</form>
--- End code ---
alexanderbrevig:
--- Quote from: SiliconWizard on January 12, 2023, 09:45:01 pm ---The password is part of a very simple HTML form which directly submits the password through a post method.
--- End quote ---
Did you lie on purpose or just misread the code?
See the script here: https://haveibeenpwned.com/scripts/passwordsearch
Relevant snippet:
--- Code: ---function getPwnage(n,t){var i=sha1(n).toUpperCase(),r=i.substring(0,5);$.get("https://api.pwnedpasswords.com/range/"+r)
--- End code ---
Without javascript you are right that it would send it in the clear. Though because of this it won't:
--- Code: ---$("#searchPwnedPasswords").click(function(n){n.preventDefault(); ...
--- End code ---
That preventDefault stops the form from sending, so javascript takes over and sends the hash. :-+
jpanhalt:
Call me gullible? I checked my email address shortly after reading Halcyon's post. I assumed he had thoroughly vetted it. Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com
The text in the email was: NOTE: Only send YES! via email; recruitilluminatii@gmail.com
The actual url shown was: (see attachment)
Safe? Rarely, very rarely do I get such emails because I am very stingy about giving out my address. Coincidence or ploy? Maybe Halcyon will address what he did to vet the site.
madires:
Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.
And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
thm_w:
--- Quote from: jpanhalt on January 12, 2023, 10:26:06 pm ---Call me gullible? I checked my email address shortly after reading Halcyon's post. I assumed he had thoroughly vetted it. Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com
--- End quote ---
It's just a coincidence.
--- Quote from: madires on January 12, 2023, 10:28:30 pm ---Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.
And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
--- End quote ---
Yeah I probably wouldn't enter my main password there.
But it's a sort of useful tool to tell someone: hey, think of a secure password, now test it on this site.
Oh, qwertyuiop12345 was used 11,000 times? Clearly it's not secure, even though it is a long, seemingly complex password.