🆕 Software Suggestion | Have I Been Pwned (now opensource) #2309

Open
opened 2021-05-29 22:35:02 +00:00 by lrq3000 · 0 comments
lrq3000 commented 2021-05-29 22:35:02 +00:00 (Migrated from github.com)

Basic Information

Name: Have I Been Pwned
Category: Password Managers (Worth Mentioning)
URL: https://github.com/HaveIBeenPwned

Description

Have I Been Pwned is a well-established service to check if a username or password was leaked in a dump. It has [recently been open-sourced and will be now fed with data coming from the FBI](https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/) in addition to the other data sources they have. It is already used in several password managers to check for compromised passwords, such as in BitWarden Pro.

Although some people believe it is risky to send passwords to this website (as with any) as data can be intercepted or logged, [others claim the system is made to ensure this is not possible](https://www.reddit.com/r/privacy/comments/nmw6fw/have_i_been_pwned_goes_open_source_gets_fbi_data/gzrcptt?utm_source=share&utm_medium=web2x&context=3):

> The query system is designed in such a way that this is impossible.
>
> IIRC, the client-side hashes the entered password and only passes the first few characters of the hash to the server. The server then sends back every pwned hash that matches those first few characters. The client can then check its hash against the small list to see if it was returned.
>
> The best an eavesdropper can do is to know that if the client's password was pwned then it was one of those returned hashes (which could then be cracked or looked up in prior leak databases). But if the password was not pwned the eavesdropper has no information other than the first few characters of the hash, which would be impossible to crack.
>
> This of course only works if the site itself is not compromised and is returning the legitimate client-side script to perform that process. But to mitigate this risk, you can use the API directly from your own code to ensure that the process is being followed.

This should be verifiable and auditable independently since the code is now open-sourced.

Why I am making the suggestion

This is the reference in password leak detection, which is a crucial part of risk assessment.

My connection with the software

None.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
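The prefix-query scheme the quoted comment describes, as an added example written for this issue and not code from HIBP or the password managers mentioned: only the first five hex characters of the password's SHA-1 are sent, the returned `SUFFIX:COUNT` range is matched locally, and an observer of the request learns nothing beyond that prefix. It assumes the public `api.pwnedpasswords.com/range/` endpoint; the sample run below never contacts it and uses a constructed response with made-up counts.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real range endpoint
PREFIX_LEN = 5  # only these hex characters of the hash leave the client


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the prefix that is transmitted
    and the suffix that is compared locally and never sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def fetch_range(prefix: str) -> str:
    """Fetch every known suffix for this prefix (network; not used in the demo)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how often the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password");
# the neighbouring suffixes and all counts are made up for the demo.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "1:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "0" * 34 + "2:17",
    ])
}


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")  # empty range for unknown prefixes
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; the password itself never appears in the request either way.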
Reference: privacyguides/privacytools.io#2309