I think this is a timely reminder to review your cyber security practices and check your email address(es) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this. Troy Hunt (who created/runs HIBP) is a well-known and reputable Australian cyber security professional. This site is totally legitimate and is a valuable resource for checking your email addresses and passwords against a list of known leaked data.
In the past there was the possibility to check if a given password is in the known databases of leaked passwords. I didn't say whether the linked page can still do that or not. I said it's dumb to put your password into a web page to get it checked for you, and I still think it is, from a security practices standpoint. "Don't tell your password to others." No exceptions.
I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this.
Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
TLDR: It does not send your password in the clear.
<form action="/Passwords" method="post" novalidate="novalidate">
<div class="input-group">
<input autocapitalize="off" autocorrect="off" class="form-control" data-val="true" data-val-maxlength="The field Password must be a string or array type with a maximum length of '450'." data-val-maxlength-max="450" data-val-minlength="The field Password must be a string or array type with a minimum length of '1'." data-val-minlength-min="1" id="Password" maxlength="450" name="Password" placeholder="password" spellcheck="false" type="password" />
<span class="input-group-btn">
<button class="btn btn-primary btn-lg" type="submit" id="searchPwnedPasswords">pwned?</button>
</span>
</div>
<div class="progress progress-striped active" id="loading">
<div class="progress-bar" role="progressbar" aria-valuenow="100" aria-valuemin="0" aria-valuemax="100" style="width: 100%">
</div>
</div>
</form>
The password is part of a very simple HTML form which directly submits the password through a POST method.
function getPwnage(n,t){var i=sha1(n).toUpperCase(),r=i.substring(0,5);$.get("https://api.pwnedpasswords.com/range/"+r)
$("#searchPwnedPasswords").click(function(n){n.preventDefault(); ...
That preventDefault stops the form from sending, so JavaScript takes over and sends the hash.
Call me gullible? I checked my email address shortly after reading Halcyon's post. I assumed he had thoroughly vetted it. Then a little bit ago I got this spam email from: recruitilluminatii@gmail.com
Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as a search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.
And just because it happens all the time, I strongly recommend using different passwords for each service/website, or, if supported, hardware tokens.
I don't know what to say, but RoGeorge got practically everything wrong in his post here... (at least if nothing was edited away in Halcyon's post, because the answer doesn't make sense).
Safe? Rarely, very rarely do I get such emails because I am very stingy about giving out my address. Coincidence or ploy? Maybe Halcyon will address what he did to vet the site.
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea!