The FBI Will Feed Hacked Passwords Directly Into Have I Been Pwned (therecord.media)
Australian security researcher Troy Hunt announced today that he granted the US Federal Bureau of Investigation a direct line to upload new content into Have I Been Pwned, a website that indexes data from security breaches. From a report: The HIBP creator said that when the FBI discovers password collections during their investigations, they will upload the data into a section of the site called Pwned Passwords. The FBI will provide passwords as SHA-1 and NTLM hashes and not in plain text. No user personal details will be provided, only the password hashes. The passwords will be added to Pwned Passwords, a collection of more than 613 million leaked passwords. While the main HIBP website allows users to search if their emails, names, or usernames have been leaked online in past security breaches, Pwned Passwords is a smaller and more specialized component of the HIBP site that tells users if a password string has ever been leaked online, without attaching the password to any user details.
Have I been Pwned (Score:5, Funny)
At this point in time this has got to be one of the world's most simplest websites.
You enter any email address you like, and it simply returns "yes"
Re: (Score:3)
It's starting to feel that way.
And it's probably worse than we think. I started getting emails a while back impersonating a tiny credit provider that only does loans for a specific company's purchases, for which I did in store and as best I can tell has never been anywhere near an online thing.
I'm pretty sure the provider is retailer down tighter than Fort Knox (it's well known in the industry for it), so the only other place that knew I had an account with the credit provider, was the credit provider.
Ergo the
Re: (Score:2)
I've now entered into that site almost every email address I've ever used.
One of my old throwaway addresses was exposed in the XKCD Forums leak. That's all.
Re: (Score:1)
The funny part is that's true. Because it's not your email address you're handing over. It's your password.
"Hey you, c'meeer. If you tell me your password, I'll tell you if someone else knows it."
Yes, my friend, as soon as you hit enter, yes, you've been pwned.
Re: (Score:1)
Re: (Score:1, Insightful)
My god, a password manager? Are you completely NUTS?
All your passwords, protected by a *single* password, in one place. Yes, that's a fucking great thing to use.
No ta.
Re: (Score:2)
>Not using the checksum of a porn image of questionable legality as your password
Amateur.
Re: (Score:2)
Re:Oh No (Score:5, Funny)
Re: (Score:2)
>This password has been seen 17,491 times before
Re: (Score:2)
Shouldn't the BACKup password be 'YTREWQ' or '54321' to be so much more secure?
Re: (Score:2)
SHA-1 - Really? In 2021? (Score:2)
Re:SHA-1 - Really? In 2021? (Score:4, Informative)
Hashes aren't ciphers.
Re: (Score:2)
Bullshit. SHA-1 is perfectly secure for password hashing. That is as secure as crypto-hash based password hashing can be. Better use Argon2. SHA-1 is insecure for signatures. Some understanding of the matter required. Also, SHA-1 is not a "cipher".
Re: (Score:1)
Like amplifiers that go to 11.
Re: (Score:2)
Maybe. But too many people actually believe SHA-1 is broken for all uses, when that is really not the case.
So taxpayers are paying (Score:2)
Re: (Score:2)
This move benefits everybody, if we assume the HIBP service and its collected data are genuine. Identity theft, phishing and social security fraud are HUGE problems. It also shows that HIBP is neither an FBI honeypot nor an opportunity for hackers to gather data to improve their odds. So thank you Troy Hunt.
The work by the public service would be something like 1 hr of junior staff time. They'll get bored and automate it, then it's just a daemon running in the cloud someone checks on once a year.
Re: (Score:1)
Re:So taxpayers are paying (Score:4, Insightful)
If you were told by a reliable source that an unknown person made a perfect copy of your house key and posted a high-res image of it on the internet, would you change the locks?
Re: (Score:1)
For the same reason we pay public servants to write Security Configuration Guidance documents, post YARA rulesets for malware campaigns, etc. It's a public service. I'd call it progress: in years past, data like this was frequently only circulated to select enterprise partners. This product will be directly accessible to the public.
Is there a way to download the password list? (Score:2)
Currently, the only meaningful way to check passwords is when users select theirs. But of course you do _not_ want to send the new ones to a website on the Internet. So far I have been using the list from Kali Linux, but that list here would be a lot better.
Re: (Score:3, Informative)
There is! Take a look at the bottom of the page
https://haveibeenpwned.com/Pas... [haveibeenpwned.com]
Re: (Score:2)
Excellent, thanks! I have no idea how I missed that. I think I will use that in a demo to my Software Security students.
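An offline check of the kind discussed in this thread, as an added example (not code from HIBP, Troy Hunt or any commenter): it hashes a candidate password in both formats the summary says the FBI will supply (SHA-1, and NTLM, which is unsalted MD4 over the UTF-16LE password) and looks the digest up in a locally downloaded Pwned Passwords list, so nothing leaves the machine. The list format assumed is the download's `HASH:COUNT` line format; the sample lines and counts are constructed, not real HIBP data. MD4 is implemented in pure Python because hashlib's MD4 is often disabled on OpenSSL 3 builds.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:  # RFC 1320; hashlib's md4 is often disabled on OpenSSL 3
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    # pad: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, message-word order, shift amounts, additive constant)
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for func, ks, ss, const in rounds:
            for i, k in enumerate(ks):
                a, b, c, d = [(j - i) % 4 for j in range(4)]  # ABCD, DABC, CDAB, BCDA
                r[a] = rotl((r[a] + func(r[b], r[c], r[d]) + x[k] + const) & MASK, ss[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)

def sha1_hex(password: str) -> str:  # the list stores uppercase hex digests
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def ntlm_hex(password: str) -> str:  # NTLM is unsalted MD4 over the UTF-16LE password
    return md4(password.encode("utf-16le")).hex().upper()

# Constructed sample in the download's "HASH:COUNT" line format (not real HIBP data):
# SHA-1 of "password" and of "123456", with made-up counts.
SAMPLE_SHA1_LIST = """5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:17491
7C4A8D09CA3762AF61E59520943DC26494F8941B:23"""

def load_pwned_list(text: str) -> dict:  # HASH:COUNT lines -> {hash: count}
    index = {}
    for line in text.splitlines():
        if ":" in line:
            digest, count = line.strip().split(":", 1)
            index[digest.upper()] = int(count)
    return index

def pwned_count(password: str, index: dict, fmt: str = "sha1") -> int:  # 0 = not found
    digest = sha1_hex(password) if fmt == "sha1" else ntlm_hex(password)
    return index.get(digest, 0)
```

For the real download, read the whole file into `load_pwned_list` (or binary-search the sorted-by-hash variant) and reject any candidate whose count is non-zero.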
Longevity of Utility? (Score:2)
>specialized component of the HIBP site that tells users if a password string has ever been leaked online, without attaching the password to any user details.
It seems that as the list gets larger the utility declines. Soon enough, any string will match something out there. I'm not seeing the value unless the random string match is connected to my account.
All passwords except... (Score:1)
This is fucking priceless .. (Score:1)