
Check your email address(s) and passwords for cyber security breaches


SiliconWizard:

--- Quote from: alexanderbrevig on January 12, 2023, 09:49:32 pm ---Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

TLDR: It does not send your password in the clear.

--- End quote ---

I'm not an HTML5 specialist, but from what I've read, such a form will post the password in the clear. It will just not show it in the browser. But an HTML5 specialist may correct me and then tell me what the standard says about this.


--- Code: ---<form action="/Passwords" method="post" novalidate="novalidate">
<div class="input-group">
<input autocapitalize="off" autocorrect="off" class="form-control" data-val="true" data-val-maxlength="The field Password must be a string or array type with a maximum length of &#39;450&#39;." data-val-maxlength-max="450" data-val-minlength="The field Password must be a string or array type with a minimum length of &#39;1&#39;." data-val-minlength-min="1" id="Password" maxlength="450" name="Password" placeholder="password" spellcheck="false" type="password" />
<span class="input-group-btn">
<button class="btn btn-primary btn-lg" type="submit" id="searchPwnedPasswords">pwned?</button>
</span>
</div>
<div class="progress progress-striped active" id="loading">
<div class="progress-bar" role="progressbar" aria-valuenow="100" aria-valuemin="0" aria-valuemax="100" style="width: 100%">
</div>
</div>
</form>
--- End code ---

alexanderbrevig:

--- Quote from: SiliconWizard on January 12, 2023, 09:45:01 pm ---The password is part of a very simple HTML form which directly submits the password through a post method.

--- End quote ---

Did you lie on purpose or just misread the code?

See the script here: https://haveibeenpwned.com/scripts/passwordsearch
Relevant snippet:

--- Code: ---function getPwnage(n,t){var i=sha1(n).toUpperCase(),r=i.substring(0,5);$.get("https://api.pwnedpasswords.com/range/"+r)
--- End code ---

Without javascript you are right that it would send it in the clear. Though because of this it won't:

--- Code: ---$("#searchPwnedPasswords").click(function(n){n.preventDefault(); ...
--- End code ---
That preventDefault stops the form from sending, so javascript takes over and sends the hash.  :-+

jpanhalt:
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

The text in the email was: NOTE: Only send YES! via email; recruitilluminatii@gmail.com

The actual url shown was: (see attachment)

Safe?  Rarely, very rarely do I get such emails because I am very stingy about giving out my address.  Coincidence or ploy?  Maybe Halcyon will address what he did to vet the site.

madires:
Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or, if supported, hardware tokens.

thm_w:

--- Quote from: jpanhalt on January 12, 2023, 10:26:06 pm ---Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

--- End quote ---

It's just a coincidence.


--- Quote from: madires on January 12, 2023, 10:28:30 pm ---Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or, if supported, hardware tokens.

--- End quote ---

Yeah I probably wouldn't enter my main password there.
But it's a sort of useful tool to tell someone: hey think of a secure password, now test it on this site.
Oh qwertyuiop12345 was used 11,000 times? clearly it's not secure, even though it is a long seemingly complex password.
