35 comments

[ 4.0 ms ] story [ 73.1 ms ] thread
has anyone used the bloom filter that uses this? https://github.com/62726164/bp
I don't get what Troy Hunt has done to his tool. You used to be able to type in an email address and learn all the times your credentials have been in a leak/breach. Now he wants you to enter your password. What security minded person would reveal their password to a site like this? It would be trivial to associate your password to your IP address.
This is a separate tool, HIBP is still up and running.
I don't see this. I go to https://haveibeenpwned.com and it works just as before (email address only). I am slightly bothered that I can enter anyone's email address and learn something about them tho.
You can learn even more about them by looking up their address in one of these (widely available) data dumps.
Some breaches are marked as "sensitive". HIBP won't tell you if an email is in one of the sensitive breaches unless you prove ownership of the email address by clicking on a verification link.
Is this not the tool (in some form) that's integrated with 1password? That one is indeed designed to check password hashes for matches in leaks.
umm, that feature is still there. This is for checking if the password you are using has been in any breach or not.

Also, the password doesn't go to the server but its hash goes.

Lastsly, he had to make the free API paid because people were DDOSing it

You're confusing pwned passwords wtih https://haveibeenpwned.com/

As for pwned passwords, it doesn't send the password. The way it works is that you submit the first 5 characters of a hash, and get back a list of all hashes.

You then locally compare the complete hash to see if it is there.

You're getting two different tools mixed up -- "Have I Been Pwned?" and "Pwned Passwords."

Have I Been Pwned is the tool where you search your email, and it displays breaches.

Pwned Passwords is an API (there is a front-end but that's not the usecase) where you send a partial hash of a password to the API, and it returns a list of partial hashes that match, and the implementation from there sees if any of them match the full hash. It's used by quite a few online services to ensure users don't use weak passwords, as if it's shown up in multiple data breaches, they might not let you set it as your password.

I've always found HIBP in this funny conflicting situation - on hand you should never provide your email or password to a 3rd party service because it's probably malicious, but on the other hand in HIBP's case it's very evidently not malicious, so it's totally fine. But it's evident only if you follow Troy for a while to see what he's doing.

I think it's a good study in game theory at the least.

You don’t have to send the password to determine if it’s pwned... they have a hashing scheme to determine if a password was in any leaks.

See https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...

Exactly - but the reactions I saw when he first released Pwned Passwords was "this is a malicious tool, don't give your password to anyone". Even if you're hitting the API from your own service, you need the entire password first to submit the partial hash to the API.

We who understand what's going on know it's perfectly fine, but it's hard to get that message across. Just like the first time you try to explain what a hash is to a non-technical person.

How can a regular user validate this? A malicious or compromised site could have same explanations and API page but would actually collect passwords.
(comment deleted)
It lets you search based on the first 5 characters of a SHA-1 password hash. So you use a trusted tool on your own computer to hash the password you want to search, and pass in just part of it. You get multiple results, and you can then compare against the hashes yourself to see if yours is in there. There's no way for them to collect your password that way.
You could use the API directly instead of using the webpage.

> GET https://api.pwnedpasswords.com/range/{first 5 hash chars}

The service is only receiving the first 5 hash chars and thus could not collect your password.

Or you could read the javascript code of the page when you visit it.

> var i = sha1(n).toUpperCase(),

> r = i.substring(0, 5);

> $.get('https://api.pwnedpasswords.com/range/' + r).done(function (n) ...

Or you could download the file and check it locally.

I suppose someone could build a bare basic UI in something like JsFiddle that is transparently auditable and has crystal clear comments for non-technical people to see what the code does
(comment deleted)
This works, it doesn't send the password or hash to the server:

   #!/bin/bash
   
   baseurl="https://api.pwnedpasswords.com/range/"
   read -s pass
   hash=$(echo -n "$pass"|sha1sum)
   hashhead=${hash:0:5}
   hashtail=${hash:5:35}
   
   curl -s ${baseurl}/${hashhead}|grep ${hashtail^^}
It'll dump the hash and the number of times the given password was found. If the password is not found it won't return anything.
I've always felt nervous entering my info, to do a look up. It's yet another data trail to elevate certain set of stolen data above the noise of unused/throw away/dead accounts.
Pwned Passwords uses a k-anonymity scheme so that your password is never actually sent to the server [0]. You can just call the API directly [1] so that you don’t have to trust haveibeenpwned.com’s JavaScript with your password.

[0]: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

[1]: https://haveibeenpwned.com/API/v3#PwnedPasswords

And if you are really paranoid, you can just download the whole set of hashes and do the lookup yourself.
Is there a way I can hash my password myself then check if the hash is in the database via the web?
Yes: do a SHA1 of your password (no trailing newline), then fetch https://api.pwnedpasswords.com/range/{first 5 hash chars}. If the full hash appears in the results, the password has been seen in a breach.
Small correction: It's not the full hash that appears in the results, it's the suffix (so the part after the 5 chars you put into the URL).

If you don't want the password to end up in your shell history, this works on in the shell with common tools:

tr -d '\n' | sha1sum

Then type the password you want to look for, hit enter and control-d. You can test with "common" passwords like https://www.reddit.com/r/XFiles/comments/6ge7h4/mulders_home... if you're doing it right.

if you have bash, awk and sha1sum then you can try this: export PASS=mypassword

then

PT=$(echo -n $PASS | gsha1sum | awk '{print toupper($1)}'); curl -s https://api.pwnedpasswords.com/range/$(awk '{print substr($0,1,5)}' <<< $PT) | grep $(awk '{print substr($0,6)}' <<< $PT)

Quote: "Further, a whole bunch of passwords that, um, well, I can't really print here also make an appearance, but use your imagination and you'll probably be able to work out a few of those."

Hihi, this cracked me up, best joke for today. Keep up the good work Troy

What is the recourse if a supposed "friend of Troy" exploited a friend's website, stole all the content for himself, took the customer usernames & passwords, and released the passwords as part of one of Troy's releases. He admitted to stealing the content (that the website sells) for personal use in emails. Tried to extort for his "security expertise" too. This isn't some huge company - it is a tiny, honest business.

They tried to contact Troy but he never reply. I think law enforcement will have to get involved because all of the videos were downloaded from behind the paywall.

I am seeing multiple discussions confusing the 'have I been pwned' and 'pwned passwords' services. This is a release of pwned passwords. I wrote a small commandline tool where I generate my own passwords and I validate them against the pwnd passwords database. The code can be seen here https://github.com/vivekhub/password-generator/blob/9a3ca8aa.... The two lines of python code summarizes the approach. Create an SHA1 and send the first five characters.