UK National Crime Agency finds 225 million previously unexposed passwords The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords. We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to …
It's fairly low risk. from your favourite shell:
From the API docs: (https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange)
Searching by range
In order to protect the value of the source password being searched for, Pwned Passwords also implements a k-Anonymity model that allows a password to be searched for by partial hash. This allows the first 5 characters of a SHA-1 password hash (not case-sensitive) to be passed to the API:
GET https://api.pwnedpasswords.com/range/{first 5 hash chars}
It will also add a random 800-1000 hashes if you request padding (next item in docs)
Thanks. I looked at the source code for the web page, saw Google Analytics and left in disappointment. The API has an attack surface small enough for me to have confidence in it (watch out for .bash_history). Now I know my most important passwords have not reached haveibeenpwned.
Indeed, I've often wondered if this site could be being used as a resource by either hackers or states. Remember Lavabit, Truecrypt, Tor and Proton Mail were considered safe by their fans, quite fanatically, until it turned out they actually were not. Lavabit was in the process of being forced to install traffic sniffers into their network, Truecrypt were being co-erced, Tor had so many government controlled nodes there was no anonymity and Proton Mail removed one of it's privacy promises off it's website following a court order. If Haveibeenpwned was being compelled by it's government, it probably couldn't tell us overtly.
A database of known passwords and usernames, is highly valuable because it probably indicates just how un-unique most peoples passwords are. Geeks will probably point out that mathematically there are trillions of user / password combinations possible for a particular application and it would take millions of years to crack them. This trove probably narrows that down to hundreds of millions making the timescales more reasonable, if it doesn't already have your exact login names and password to start with. Combine this with a google like ability to match data to actual people and the ability to predict your actions and the way you think better than you can yourself there is no actual privacy out there.
The 50 or so active commentards on this site will proclaim that their passwords are indeed truly random or for some technical reason the event of them being cracked or discovered is highly improbable. My response is you are not and never will be the target, and if you were, I would point to exhibit a... The pipe wrench, and exhibit b.. you're probably not that interesting.
For a while I got spam from addresses given to (later) compromised websites claiming my computer had been hacked and here's your password to prove it and they needed me to pay them money...
I don't know if the spammers bought the details somewhere or if they got them from sites like these. Either way, using a unique email address for everywhere (and a password manager) means I can easily block the compromised addresses.
What they claimed I'd been up to -->
That' is not the source of my mistrust. What if HIBP ITSELF is compromised? You are handing out your passwords across the internet to be checked, to a system that itself can be hacked (because they all can be).
HIBP is therefore a high profit honetpot to attackers, with users voluntarily entering their plaintext passwords to be verified. Crack open HIBP and you can gain access to passwords , during their owner's check procedure, previously *not* compromised.
To prevent this, simply search only by email address.
Every account consists of a username + a password, to search HIBP you only need one of those two, and the username is a much less strong secret than the password, one could even consider it semi-public, especially if you only use a single email address. Searching HIBP for "thatone@thatsite.com" won't reveal hackers much usable information unless it's already in the stolen passwords database, in which case it's too late anyway, isn't it.
There is a work around for that. What is supposed to happen is you type your password into your browser, the browser hashes the password with sha1 and HIBP only sees the hash. It is not possible to convert the hash back into the password. What is thoroughly possible is you selected HlBP instead of HIBP (small L instead of capital i). The javascript on HLBC could miss out the sha1 has step and send your password directly to criminals. Criminals hacking and modifying HiBP would have the same effect. The work-around is to type:
read password
w0rdpass
hash=$(echo -n $password | sha1sum | cut -d ' ' -f 1)
unset password
wget -O hashes https://api.pwnedpasswords.com/range/${hash:0:5}
hash=${hash^^[a-f]}
grep ^${hash:5} hashes
The result should be:
B250D0FB468BA8BCC5A7A0F5EB4217AA1F7:3076
This means that 3076 accounts that pwnedpasswords knows about use 'w0rdpass' as their password. The only information sent to pwnedpasswords was '417db' which is only 1/8 of the sha1sum. If criminals got hold of '417db' they could get a huge list of passwords, send them all through sha1sum and discover the 799 popular passwords that match. They would not know which of the 799 is correct or if the actual password is something else with a hash that shares the same first 5 letters. Unless they have made some effort to investigate me they will not know which site or user name the possible passwords unlock although they can be certain that with that password the account must be one I consider to be of no value.
Couple of things here. Firstly sha1 has been known broken since at-least 2005. Deriving the input is non-trivial but can be done without a full brute-force stack, so suggesting you can't determine the password from a sha1 is questionable.
If you really want to check securely you can download the entire HIBP set of hashes and search it locally without your hash leaving your machine. This is significantly safer.
Being pedantic, what he said was that you can't convert the hash back into the password, which is true - it's a one way hash.
You *can* reconstruct it, either via brute force, or more advanced methods, but that's not the same thing.
Honestly though, if you're entering in the browser, it's far more likely someone would find a way to inject JS to collect your password before it's been hashed.
Sending the first 5 chars of the sha1 via the API should be as safe as it's possible to be (local machine compromise not withstanding etc etc), you don't really gain a lot by downloading the full hashset.
Being pedantic, not convinced that a semantic distinction between "convert" and "reconstruct" is meaningful here. For most purposes they refer to the same process of deriving an input from an output, which once automated is functionally equivalent (time factor not withstanding - because you rotate all your passwords on a weekly basis like everyone else, right? Sure).
As for sha1 being one way, what that really means is the forward operation is relatively cheap while the inverse (what we're talking about) is prohibitively expensive for an unauthorized user. With sha1 having publicly known deficiencies (and there are likely more known privately) that argument is becoming increasingly harder to swallow and depends largely on your threat profile.
The trimmed-sha looks safer but you're then stuck with a smaller subspace for your hash so you're going to get more collisions, which means more false positives. So maybe just rotate all your passwords hourly just to be sure? /S
> For most purposes they refer to the same process of deriving an input from an output, which once automated is functionally equivalent
> ...
> With sha1 having publicly known deficiencies (and there are likely more known privately)
Not really, you're ignoring the resources required for each, yes hashcracking is much easier nowadays, but it's still far more resource intensive than converting something. There's also the strong possibility that your input (your password) won't be derived, depending on it's strength, some luck, and the dedication of your adversary (who may be going for low hanging fruit).
Remember that collisions don't mean anything here either, in this case SHA1 isn't involved in validating passwords (it'd only matter if an adversary could find a system you'd used your password on, who were using unsalted SHA1 for storage + validation).
SHA1s known deficiencies generally relate to the ability to generate collisions (making it useless as an authentication mechanism), so aren't actually relevant here, especially as the full SHA1 doesn't hit the wire.
> The trimmed-sha looks safer but you're then stuck with a smaller subspace for your hash so you're going to get more collisions, which means more false positives.
I'm not sure you've understood how the API works...
Locally, you do
$ sha1("supersecret")
Which gives you a761ce3a45d97e41840a788495e85a70d1bb3815
You then take the first 5 chars - a761c - and send those to the API:
$ get("https://api.pwnedpasswords.com/range/a761c")
That returns a list of hash suffixes, along with the count of how often that password exists in the dataset. So, in this case, it returns 813 hashes.
0018D9D5CA61E84FA3F6CFA10F6B3418C1F:1
0166C434339B9BD3BA2A65B33612052EB36:1
01784489E12730DA0FA7F41335C7AD13D9F:60
019DA5844E6E6CA0647FA152E572B5B14E8:4
02B87026E6046E669158366E51035C63336:8
02F2E3D8176FCF4C4811AA353C513C43E67:6
02FD6B23643C3B45E07413DC31B1D1D5BAC:1
0343E72B26DCA436ECA34393CB678BACA16:3
... etc ...
You then take your prefix, bolt it back on and see if your original hash exists
In this case, "supersecret" has (unsurprisingly) been pwned quite a lot
> e3a45d97e41840a788495e85a70d1bb3815:1759
Basically, the whole point is that you *should* get a bunch of false positives back - you then filter those out as only you have the knowledge to do so.
Even if someone is able to MITM your connect (or gets hold of the API access logs):
- You've not narrowed the keyspace by very much, so they've still got to put some effort into brute-forcing
- The number of results that come back is irrelevant, as they have no way to know whether your password was included or not
Ultimately, there's an entire world of breached passwords out there - for your average adversary there's plenty of much lower hanging fruit. If you're being specifically targetted, then they're more likely to stick a RAT on your box than mess about with this.
I suggest you read what HIBP is actually holding and also don't confuse it with their Pwned Password service.
The latter is a service used by some very well known names to check whether a particular password has been seen before in a public breach. It doesn't receive the actual password (again read how it works) and it consequently doesn't store "your" password that you've typed in. Neither does it involve you entering your username/account id as part of that. It's simply a case of checking whether "password123" is a "known" password.
The Have I Been Pwned service allows you - with suitable verification - to receive breach notification when your credentials have been leaked. Again though, it's not holding any password data - simply whether your email address is in the breach.
Those superb emails "We've caught you wanking to bicycle porn you dirty fecker and we have vids you from your webcam! So pay up now or we tell all your mates what you get off on!".
Always some old password I've not used in about 8 years on some site I signed up to years ago just to get some info a problem I needed to fix on Windows2000 DLL or something!
I know an OAP in their 70s who received an email from some scammer. The email mentioned a password she had used and demanded bitcoin. She'd not read anymore of it and called me at this point. I asked if she'd used the password on Facebork at any point. She said no but visiting the site on Safari automatically offered a login and password proving otherwise. Then she remembered she had signed up and visited once to view some photographs from a friend. She'd only used that password on that site so the damage was limited. She asked me how I knew instantly that it was Facebork that the password had come from. I said I had used a unique email address and password for Facebork and I'd had the same email as she'd received. I said I thought the fact that the email mentioned her visiting adult websites would have tipped her off it was a scam. She burst out laughing read the rest of the email and apologized for calling me over.
>For a while I got spam from addresses given to (later) compromised websites claiming my computer had been hacked and here's your password to prove it and they needed me to pay them money...
Had one of these a few years back.
Was able to pinpoint it to an instance of Chrome on a specific Windows PC.
Basically, it looked like the browser-based password store had been read. Not sure when, as I had changed the password some years previously, but not updated the Chrome password store.
Obviously, the security of browser-based password stores has improved over the years, so suspect they aren't so easy to exploit. However, I generally try and populate the browser store with a few obvious( to me) duff credentials, so I can monitor such emails.
"A database of known passwords and usernames, is highly valuable because it probably indicates just how un-unique most peoples passwords are"
Because of just how nonunique many passwords such a database doesn't need to be very big and good ones have been in existence for 2 or 3 decades (of course there's been some evolution in common passwords over that time). Troy's database is a different beast and really just levels the playing field for the good guys by giving access to information the bad guys already have.
I don't know most of my passwords, that's what a password manager with ability to generate strong passwords is for
Downside - single point of failure.
Caveat - I know the passwords for sites that are used often, but they are not sites that involve purchasing / finances*, so pipe wrench would not achieve much (unless a miscreant wanted to pose as me on el Reg or do other pointless low level actions on other sites)
*partner won't believe my refusal to do online banking etc is for any other reason than to inconvenience them despite knowing I don't trust online security as I have seen too many exploits over the years.
> Downside - single point of failure.
Using the same password everywhere is also a single point of failure, isn't it... The most significant advantage of a password manager is to allow you having unique, strong passwords for all the 30-60 online accounts a modern person nowadays has.
As for online banking, it gets harder and harder to prevent. I had to have a long talk with one of my banks' managers for my account to be put in a special "no online or telephone orders allowed" state, very exceptionally (and I need to check every now and then that nobody "fixes" this). Convenience for the customer and lower cost for the banks have almost made online banking mandatory. After all, as anybody knows, bad things only happen to others.
I'd consider Proton mail reasonably secure and private. Far better a company subject to privacy favouring Swiss law, and founded by scientists with an interest in privacy, than Google et al who would sell their own grandmothers for profit, or subject to the corrupt, money driven law of the US and UK, or the oppressive regimes of Russia and China etc.
Any legit provider will be subject to the law of the country in which they operate. The only alternatives are shady providers or open source who really have nothing to lose if you use their "as is" product, and can't be held to legal constraints because there are no warranties or guarantees.
I would anticipate that the UK ISP's have been hacked, and are NOT divulging it.
A friend very recently had his e-mail hacked. He uses a major ISP in the UK, and only uses webmail, and does not use an e-mail client. His webmail account was taken over and spam sent out.
Unless there is a keylogger on his PC (Windows 11), then it is highly probable that the ISP was hacked. The ISP stated that it happens a lot. Yet, no announcement or other to inform people.
In my experience ISP emails are notoriously insecure. Many years ago I had just signed up with an ISP, and the next day the attached, brand new email address started getting several hundred spams per day! I hadn't given it to anybody (since I wasn't planning on using it), my other email accounts didn't get spam bombed so it wasn't my computer, so clearly it's the ISP who leaked it (extremely efficiently! If only the rest of their service had been as exceptional...).
Never trust an ISP with anything you wouldn't post on a public wall.
With respect, it's more probable (in terms of how the majority of accounts are taken over) that your friend had a weak password... where "weak" means a password that *someone* else has used before on *some* service and is now being used to brute force attack other services. Given that almost by definition your <my_name>@<my_isp>.com email address will be your logon name to <my_isp>'s webmail interface, a list of valid account names for <my_isp> is easily obtained and so you've got all you need, paired with a list of common/known passwords, to start a brute force attack.
Frequently when a list of "hacked" accounts is released, our mail-server starts seeing login attempts for non-existent accounts that have just appeared in the new list. So I think that a significant number of the hacked account details in these lists sold on the dark web have been invented to scam the scammers buying the original hacked lists.
Let's face it, unless your password is sixteen characters of line noise, there's a chance that somebody else on earth has also thought of "P1nkFl@m!ngo", so it turning up on a list doesn't necessarily mean anything. It'll just be another data point amongst all the other weird permutations.
Likewise, one of my email addresses turns up as having been compromised, thanks to lame-ass webmail "security" (in scare quotes).
What HIBP ought to do is have a method, somehow, of checking a password alongside an email address. Is my current password toast, or is it the one from back in 2014?
Clearly it needs a bit of additional protection here. Perhaps email a key to that address, and that key must be submitted with a password in order to get a yea or nea response.
> Is my current password toast, or is it the one from back in 2014?
The date of the breach does kind of give you this information: If the breach happened 2020, chances are they got your current password, not the 2014 one. You might want to change it ASAP.
Of course compilations of older leaks lack this date information, but then again if your login appears there, changing password(s) anyway might be a good idea.
Just my 2 cents' worth.
Quick math
95 possible characters in a "line-noise" password of say 10 characters: 95^10 = 6E19 possible passwords
171476 words in English, say five words: 171476^5 = 1.5E26
Assuming a more limited vocabulary: 20000^5 = 3E21
So even assuming that all the word salad passwords are based on English we have quite a bit more of them. Now when I use "Korrekt hevonen akkumulator staple" it becomes a rather large pool of possible passwords.
But yes, 95^15 = 5E29, but then we are in password manager+copy pasta territory and can go wild with 10 words in <mumble> languages.
Checking the unusual but relatively permanent admin passwords from my former employer shows about half of them have been compromised. Funny enough, the compromised ones were the ones from the Windows servers we put in in 2013. None of the Novell or Linux passwords are in that list..
Also fun to check former boss and CEO accounts, all of which show as compromised.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
