back to article UK National Crime Agency finds 225 million previously unexposed passwords

The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords. We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to …

  1. Skiron
    Stop

    Trust

    I dunno if I trust typing one of my many passwords on that site to check it...

    1. nagyeger

      Re: Trust

      It's fairly low risk. from your favourite shell:

      From the API docs: (https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange)

      Searching by range

      In order to protect the value of the source password being searched for, Pwned Passwords also implements a k-Anonymity model that allows a password to be searched for by partial hash. This allows the first 5 characters of a SHA-1 password hash (not case-sensitive) to be passed to the API:

      GET https://api.pwnedpasswords.com/range/{first 5 hash chars}

      It will also add a random 800-1000 hashes if you request padding (next item in docs)

      1. Flocke Kroes Silver badge

        Re: Trust

        Thanks. I looked at the source code for the web page, saw Google Analytics and left in disappointment. The API has an attack surface small enough for me to have confidence in it (watch out for .bash_history). Now I know my most important passwords have not reached haveibeenpwned.

        1. Woodnag

          My El Reg pw was there :(

          Changed now :)

    2. Anonymous Coward Silver badge
      Coat

      Re: Trust

      It's alright, I'll type it in for you...

      No, you're OK, your password hasn't leaked.

      .

      Oh thanks, mine's the one with 'Skiron' written on the label.

    3. Phones Sheridan Bronze badge
      Black Helicopters

      Re: Trust

      Indeed, I've often wondered if this site could be being used as a resource by either hackers or states. Remember Lavabit, Truecrypt, Tor and Proton Mail were considered safe by their fans, quite fanatically, until it turned out they actually were not. Lavabit was in the process of being forced to install traffic sniffers into their network, Truecrypt were being co-erced, Tor had so many government controlled nodes there was no anonymity and Proton Mail removed one of it's privacy promises off it's website following a court order. If Haveibeenpwned was being compelled by it's government, it probably couldn't tell us overtly.

      A database of known passwords and usernames, is highly valuable because it probably indicates just how un-unique most peoples passwords are. Geeks will probably point out that mathematically there are trillions of user / password combinations possible for a particular application and it would take millions of years to crack them. This trove probably narrows that down to hundreds of millions making the timescales more reasonable, if it doesn't already have your exact login names and password to start with. Combine this with a google like ability to match data to actual people and the ability to predict your actions and the way you think better than you can yourself there is no actual privacy out there.

      The 50 or so active commentards on this site will proclaim that their passwords are indeed truly random or for some technical reason the event of them being cracked or discovered is highly improbable. My response is you are not and never will be the target, and if you were, I would point to exhibit a... The pipe wrench, and exhibit b.. you're probably not that interesting.

      1. boblongii

        Re: Trust

        You need to bear in mind that these passwords (and many others) are already being passed around by the bad guys, so it's a resource only in the sense that it might be a sort of external backup for them.

      2. Korev Silver badge
        Gimp

        Re: Trust

        For a while I got spam from addresses given to (later) compromised websites claiming my computer had been hacked and here's your password to prove it and they needed me to pay them money...

        I don't know if the spammers bought the details somewhere or if they got them from sites like these. Either way, using a unique email address for everywhere (and a password manager) means I can easily block the compromised addresses.

        What they claimed I'd been up to -->

        1. Zippy´s Sausage Factory

          Re: Trust

          HIBP are only working from publicly available password dumps. If they can find them, so can the spammers, sadly.

          1. Snake Silver badge

            Re: working from password dumps

            That' is not the source of my mistrust. What if HIBP ITSELF is compromised? You are handing out your passwords across the internet to be checked, to a system that itself can be hacked (because they all can be).

            HIBP is therefore a high profit honetpot to attackers, with users voluntarily entering their plaintext passwords to be verified. Crack open HIBP and you can gain access to passwords , during their owner's check procedure, previously *not* compromised.

            1. ThatOne Silver badge

              Re: working from password dumps

              To prevent this, simply search only by email address.

              Every account consists of a username + a password, to search HIBP you only need one of those two, and the username is a much less strong secret than the password, one could even consider it semi-public, especially if you only use a single email address. Searching HIBP for "thatone@thatsite.com" won't reveal hackers much usable information unless it's already in the stolen passwords database, in which case it's too late anyway, isn't it.

            2. Flocke Kroes Silver badge

              Re: What if HIBP ITSELF is compromised?

              There is a work around for that. What is supposed to happen is you type your password into your browser, the browser hashes the password with sha1 and HIBP only sees the hash. It is not possible to convert the hash back into the password. What is thoroughly possible is you selected HlBP instead of HIBP (small L instead of capital i). The javascript on HLBC could miss out the sha1 has step and send your password directly to criminals. Criminals hacking and modifying HiBP would have the same effect. The work-around is to type:

              read password

              w0rdpass

              hash=$(echo -n $password | sha1sum | cut -d ' ' -f 1)

              unset password

              wget -O hashes https://api.pwnedpasswords.com/range/${hash:0:5}

              hash=${hash^^[a-f]}

              grep ^${hash:5} hashes

              The result should be:

              B250D0FB468BA8BCC5A7A0F5EB4217AA1F7:3076

              This means that 3076 accounts that pwnedpasswords knows about use 'w0rdpass' as their password. The only information sent to pwnedpasswords was '417db' which is only 1/8 of the sha1sum. If criminals got hold of '417db' they could get a huge list of passwords, send them all through sha1sum and discover the 799 popular passwords that match. They would not know which of the 799 is correct or if the actual password is something else with a hash that shares the same first 5 letters. Unless they have made some effort to investigate me they will not know which site or user name the possible passwords unlock although they can be certain that with that password the account must be one I consider to be of no value.

              1. Anonymous Coward
                Anonymous Coward

                Re: What if HIBP ITSELF is compromised?

                Couple of things here. Firstly sha1 has been known broken since at-least 2005. Deriving the input is non-trivial but can be done without a full brute-force stack, so suggesting you can't determine the password from a sha1 is questionable.

                If you really want to check securely you can download the entire HIBP set of hashes and search it locally without your hash leaving your machine. This is significantly safer.

                1. Ben Tasker Silver badge

                  Re: What if HIBP ITSELF is compromised?

                  Being pedantic, what he said was that you can't convert the hash back into the password, which is true - it's a one way hash.

                  You *can* reconstruct it, either via brute force, or more advanced methods, but that's not the same thing.

                  Honestly though, if you're entering in the browser, it's far more likely someone would find a way to inject JS to collect your password before it's been hashed.

                  Sending the first 5 chars of the sha1 via the API should be as safe as it's possible to be (local machine compromise not withstanding etc etc), you don't really gain a lot by downloading the full hashset.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: What if HIBP ITSELF is compromised?

                    Being pedantic, not convinced that a semantic distinction between "convert" and "reconstruct" is meaningful here. For most purposes they refer to the same process of deriving an input from an output, which once automated is functionally equivalent (time factor not withstanding - because you rotate all your passwords on a weekly basis like everyone else, right? Sure).

                    As for sha1 being one way, what that really means is the forward operation is relatively cheap while the inverse (what we're talking about) is prohibitively expensive for an unauthorized user. With sha1 having publicly known deficiencies (and there are likely more known privately) that argument is becoming increasingly harder to swallow and depends largely on your threat profile.

                    The trimmed-sha looks safer but you're then stuck with a smaller subspace for your hash so you're going to get more collisions, which means more false positives. So maybe just rotate all your passwords hourly just to be sure? /S

                    1. Ben Tasker Silver badge

                      Re: What if HIBP ITSELF is compromised?

                      > For most purposes they refer to the same process of deriving an input from an output, which once automated is functionally equivalent

                      > ...

                      > With sha1 having publicly known deficiencies (and there are likely more known privately)

                      Not really, you're ignoring the resources required for each, yes hashcracking is much easier nowadays, but it's still far more resource intensive than converting something. There's also the strong possibility that your input (your password) won't be derived, depending on it's strength, some luck, and the dedication of your adversary (who may be going for low hanging fruit).

                      Remember that collisions don't mean anything here either, in this case SHA1 isn't involved in validating passwords (it'd only matter if an adversary could find a system you'd used your password on, who were using unsalted SHA1 for storage + validation).

                      SHA1s known deficiencies generally relate to the ability to generate collisions (making it useless as an authentication mechanism), so aren't actually relevant here, especially as the full SHA1 doesn't hit the wire.

                      > The trimmed-sha looks safer but you're then stuck with a smaller subspace for your hash so you're going to get more collisions, which means more false positives.

                      I'm not sure you've understood how the API works...

                      Locally, you do

                      $ sha1("supersecret")

                      Which gives you a761ce3a45d97e41840a788495e85a70d1bb3815

                      You then take the first 5 chars - a761c - and send those to the API:

                      $ get("https://api.pwnedpasswords.com/range/a761c")

                      That returns a list of hash suffixes, along with the count of how often that password exists in the dataset. So, in this case, it returns 813 hashes.

                      0018D9D5CA61E84FA3F6CFA10F6B3418C1F:1

                      0166C434339B9BD3BA2A65B33612052EB36:1

                      01784489E12730DA0FA7F41335C7AD13D9F:60

                      019DA5844E6E6CA0647FA152E572B5B14E8:4

                      02B87026E6046E669158366E51035C63336:8

                      02F2E3D8176FCF4C4811AA353C513C43E67:6

                      02FD6B23643C3B45E07413DC31B1D1D5BAC:1

                      0343E72B26DCA436ECA34393CB678BACA16:3

                      ... etc ...

                      You then take your prefix, bolt it back on and see if your original hash exists

                      In this case, "supersecret" has (unsurprisingly) been pwned quite a lot

                      > e3a45d97e41840a788495e85a70d1bb3815:1759

                      Basically, the whole point is that you *should* get a bunch of false positives back - you then filter those out as only you have the knowledge to do so.

                      Even if someone is able to MITM your connect (or gets hold of the API access logs):

                      - You've not narrowed the keyspace by very much, so they've still got to put some effort into brute-forcing

                      - The number of results that come back is irrelevant, as they have no way to know whether your password was included or not

                      Ultimately, there's an entire world of breached passwords out there - for your average adversary there's plenty of much lower hanging fruit. If you're being specifically targetted, then they're more likely to stick a RAT on your box than mess about with this.

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: What if HIBP ITSELF is compromised?

                        I stand corrected thank you for clarifying in detail!

            3. Anonymous Coward
              Anonymous Coward

              Re: working from password dumps

              I suggest you read what HIBP is actually holding and also don't confuse it with their Pwned Password service.

              The latter is a service used by some very well known names to check whether a particular password has been seen before in a public breach. It doesn't receive the actual password (again read how it works) and it consequently doesn't store "your" password that you've typed in. Neither does it involve you entering your username/account id as part of that. It's simply a case of checking whether "password123" is a "known" password.

              The Have I Been Pwned service allows you - with suitable verification - to receive breach notification when your credentials have been leaked. Again though, it's not holding any password data - simply whether your email address is in the breach.

        2. MrDamage Silver badge

          Re: Trust

          Masking up and encouraging social distancing? Who would be ashamed of that?

        3. Plest Silver badge
          Happy

          Re: Trust

          Those superb emails "We've caught you wanking to bicycle porn you dirty fecker and we have vids you from your webcam! So pay up now or we tell all your mates what you get off on!".

          Always some old password I've not used in about 8 years on some site I signed up to years ago just to get some info a problem I needed to fix on Windows2000 DLL or something!

        4. JimboSmith Silver badge

          Re: Trust

          I know an OAP in their 70s who received an email from some scammer. The email mentioned a password she had used and demanded bitcoin. She'd not read anymore of it and called me at this point. I asked if she'd used the password on Facebork at any point. She said no but visiting the site on Safari automatically offered a login and password proving otherwise. Then she remembered she had signed up and visited once to view some photographs from a friend. She'd only used that password on that site so the damage was limited. She asked me how I knew instantly that it was Facebork that the password had come from. I said I had used a unique email address and password for Facebork and I'd had the same email as she'd received. I said I thought the fact that the email mentioned her visiting adult websites would have tipped her off it was a scam. She burst out laughing read the rest of the email and apologized for calling me over.

        5. Roland6 Silver badge

          Re: Trust

          >For a while I got spam from addresses given to (later) compromised websites claiming my computer had been hacked and here's your password to prove it and they needed me to pay them money...

          Had one of these a few years back.

          Was able to pinpoint it to an instance of Chrome on a specific Windows PC.

          Basically, it looked like the browser-based password store had been read. Not sure when, as I had changed the password some years previously, but not updated the Chrome password store.

          Obviously, the security of browser-based password stores has improved over the years, so suspect they aren't so easy to exploit. However, I generally try and populate the browser store with a few obvious( to me) duff credentials, so I can monitor such emails.

      3. Blazde

        Re: Trust

        "A database of known passwords and usernames, is highly valuable because it probably indicates just how un-unique most peoples passwords are"

        Because of just how nonunique many passwords such a database doesn't need to be very big and good ones have been in existence for 2 or 3 decades (of course there's been some evolution in common passwords over that time). Troy's database is a different beast and really just levels the playing field for the good guys by giving access to information the bad guys already have.

      4. tiggity Silver badge

        Re: Trust

        I don't know most of my passwords, that's what a password manager with ability to generate strong passwords is for

        Downside - single point of failure.

        Caveat - I know the passwords for sites that are used often, but they are not sites that involve purchasing / finances*, so pipe wrench would not achieve much (unless a miscreant wanted to pose as me on el Reg or do other pointless low level actions on other sites)

        *partner won't believe my refusal to do online banking etc is for any other reason than to inconvenience them despite knowing I don't trust online security as I have seen too many exploits over the years.

        1. ThatOne Silver badge

          Re: Trust

          > Downside - single point of failure.

          Using the same password everywhere is also a single point of failure, isn't it... The most significant advantage of a password manager is to allow you having unique, strong passwords for all the 30-60 online accounts a modern person nowadays has.

          As for online banking, it gets harder and harder to prevent. I had to have a long talk with one of my banks' managers for my account to be put in a special "no online or telephone orders allowed" state, very exceptionally (and I need to check every now and then that nobody "fixes" this). Convenience for the customer and lower cost for the banks have almost made online banking mandatory. After all, as anybody knows, bad things only happen to others.

      5. Cav Bronze badge

        Re: Trust

        I'd consider Proton mail reasonably secure and private. Far better a company subject to privacy favouring Swiss law, and founded by scientists with an interest in privacy, than Google et al who would sell their own grandmothers for profit, or subject to the corrupt, money driven law of the US and UK, or the oppressive regimes of Russia and China etc.

        Any legit provider will be subject to the law of the country in which they operate. The only alternatives are shady providers or open source who really have nothing to lose if you use their "as is" product, and can't be held to legal constraints because there are no warranties or guarantees.

        1. Rich 11 Silver badge

          Re: Trust

          than Google et al who would sell have sold their own grandmothers for profit

          FTFY.

      6. phuzz Silver badge

        Re: Trust

        If Haveibeenpwned was being compelled by it's government, it probably couldn't tell us overtly

        Except in this case where they were given the password dump by a government agency which put out a press release.

      7. steviebuk Silver badge

        Re: Trust

        Truecrypt was proven to be just fine when independent audits were done by the community after it was shutdown. They assume the developers didn't want to make backdoors etc.

        I'm sure I've read on haveIbeenpwd to not enter any current password you're using when you do your search.

    4. Anonymous Coward
      Anonymous Coward

      Re: Trust

      On the website, click on 'Home' then search by your email to see if it pops up with any passwords - if it does then the website tells you.

      That way, no passwords are revealed by you.

  2. Don Dumb
    Flame

    Not suprised

    How many of these are stolen from UK ISPs? - several appear to not store passwords in salted and hashed form at rest, even using them for verifction when you phone up.

    Going against both ICO & NCSC guidance but somehow claiming in public "that's fine".

    1. Anonymous Coward
      Anonymous Coward

      Re: Not suprised

      I would anticipate that the UK ISP's have been hacked, and are NOT divulging it.

      A friend very recently had his e-mail hacked. He uses a major ISP in the UK, and only uses webmail, and does not use an e-mail client. His webmail account was taken over and spam sent out.

      Unless there is a keylogger on his PC (Windows 11), then it is highly probable that the ISP was hacked. The ISP stated that it happens a lot. Yet, no announcement or other to inform people.

      1. ThatOne Silver badge

        Re: Not suprised

        In my experience ISP emails are notoriously insecure. Many years ago I had just signed up with an ISP, and the next day the attached, brand new email address started getting several hundred spams per day! I hadn't given it to anybody (since I wasn't planning on using it), my other email accounts didn't get spam bombed so it wasn't my computer, so clearly it's the ISP who leaked it (extremely efficiently! If only the rest of their service had been as exceptional...).

        Never trust an ISP with anything you wouldn't post on a public wall.

      2. Hawkeye Pierce

        Re: Not suprised

        With respect, it's more probable (in terms of how the majority of accounts are taken over) that your friend had a weak password... where "weak" means a password that *someone* else has used before on *some* service and is now being used to brute force attack other services. Given that almost by definition your <my_name>@<my_isp>.com email address will be your logon name to <my_isp>'s webmail interface, a list of valid account names for <my_isp> is easily obtained and so you've got all you need, paired with a list of common/known passwords, to start a brute force attack.

    2. katrinab Silver badge

      Re: Not suprised

      Talktalk has certainly had its passwords stolen. I don't know about other ISPs.

  3. Anonymous Coward
    Anonymous Coward

    hackers*2

    Frequently when a list of "hacked" accounts is released, our mail-server starts seeing login attempts for non-existent accounts that have just appeared in the new list. So I think that a significant number of the hacked account details in these lists sold on the dark web have been invented to scam the scammers buying the original hacked lists.

  4. Alpine_Hermit

    Phew!

    Phew! My password flamingo229 is still safe to use!

    1. lglethal Silver badge
      Trollface

      Re: Phew!

      Hey! How did you know my password for next month????

    2. Flocke Kroes Silver badge

      Re: Phew!

      pwnedpasswords says it knows of one account that uses/used password 'flamingo299'. You are going to have to change to 'correct horse battery staple' like everyone else.

      1. lglethal Silver badge
        Go

        Re: Phew!

        but how many accounts use "correct horse battery staple"????

        (says the man behind a company firewall who cant look it up himself at the moment)...

        1. Flocke Kroes Silver badge

          Re: Phew!

          Five.

          1. Arthur the cat Silver badge

            Re: Phew!

            Without spaces, 216.

  5. heyrick Silver badge

    Sadly, HIBP is only a partial resource

    Let's face it, unless your password is sixteen characters of line noise, there's a chance that somebody else on earth has also thought of "P1nkFl@m!ngo", so it turning up on a list doesn't necessarily mean anything. It'll just be another data point amongst all the other weird permutations.

    Likewise, one of my email addresses turns up as having been compromised, thanks to lame-ass webmail "security" (in scare quotes).

    What HIBP ought to do is have a method, somehow, of checking a password alongside an email address. Is my current password toast, or is it the one from back in 2014?

    Clearly it needs a bit of additional protection here. Perhaps email a key to that address, and that key must be submitted with a password in order to get a yea or nea response.

    1. ThatOne Silver badge

      Re: Sadly, HIBP is only a partial resource

      > Is my current password toast, or is it the one from back in 2014?

      The date of the breach does kind of give you this information: If the breach happened 2020, chances are they got your current password, not the 2014 one. You might want to change it ASAP.

      Of course compilations of older leaks lack this date information, but then again if your login appears there, changing password(s) anyway might be a good idea.

      Just my 2 cents' worth.

    2. katrinab Silver badge

      Re: Sadly, HIBP is only a partial resource

      Apple and Google provide the ability to do this, if you use their password managers.

      Depends whether you trust them or not.

      1. DJV Silver badge

        "Depends whether you trust them or not"

        Ha ha ha! Trust Google? NEVER!

        And my trust in Apple is not that far behind...

      2. hayzoos

        Re: Sadly, HIBP is only a partial resource

        To quote Nancy Reagan "Just say no."

    3. parlei

      Re: Sadly, HIBP is only a partial resource

      Quick math

      95 possible characters in a "line-noise" password of say 10 characters: 95^10 = 6E19 possible passwords

      171476 words in English, say five words: 171476^5 = 1.5E26

      Assuming a more limited vocabulary: 20000^5 = 3E21

      So even assuming that all the word salad passwords are based on English we have quite a bit more of them. Now when I use "Korrekt hevonen akkumulator staple" it becomes a rather large pool of possible passwords.

      But yes, 95^15 = 5E29, but then we are in password manager+copy pasta territory and can go wild with 10 words in <mumble> languages.

  6. hayzoos

    No need to worry about entering your password on HIBP

    If you think you have to check your password at HIBP, then just change it.

  7. Anonymous Coward
    Anonymous Coward

    Your average HIBP victim is sadly not checking

    If they’ve been pwned.

  8. Avatar of They
    Pint

    Hats off to Troy

    Never knew who made the site, but a virtual pint to him for trying to make people aware.

  9. Anonymous Coward
    Anonymous Coward

    This is a useful site for demonstrations of what is a good password.

    Interesting to see that both BadPassword and GoodPassword are on the list, by OKPassword isn't! ;)

  10. Pirate Dave Silver badge
    Pirate

    Fun times

    Checking the unusual but relatively permanent admin passwords from my former employer shows about half of them have been compromised. Funny enough, the compromised ones were the ones from the Windows servers we put in in 2013. None of the Novell or Linux passwords are in that list..

    Also fun to check former boss and CEO accounts, all of which show as compromised.

    1. Paul Crawford Silver badge
      Gimp

      Re: Fun times

      Also to try rude words to see what is more popular as a "secret"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like