Password check against HaveIBeenPwned API

Xon

Well-known member
#21
There's absolutely no way Troy stores passwords or potentially sensitive data of that kind. It would make him an even greater target than some of the other places that have been breached.
These are already leaked passwords. They stopped being sensitive and started being a security time bomb a long time ago.
 

ManagerJosh

Well-known member
#22
These are already leaked passwords. They stopped being sensitive and started being a security time bomb a long time ago.
It's one thing that the passwords are leaked. It's another when it becomes a common commodity and so accessible like it's passing candy out on Halloween.
 

Sim

Well-known member
#23
It's one thing that the passwords are leaked. It's another when it becomes a common commodity and so accessible like it's passing candy out on Halloween.
You should assume that anyone trying to access someone's account for malicious purposes already has access to these password lists - they are already a commodity and easily accessible and thus make it trivial for anyone wishing to try a dictionary attack on your password.

Again, it's not as if Troy is making the account username and/or email available with these passwords too.
 
#24
You could check the sha1 hash against the API
My paranoia is with the 3rd party web site. You could send the password hashed but does he have the original password in the database along with the hash? He could determine what the hashed password is if that's the case. He's probably completely trustworthy and it would never be an issue, but you never know. I would assume that the majority of hacks had hashed passwords, but I know some didn't. In fact one of the lists has 805,499,391 email addresses with plain text password combinations according to his blog. That's a big number.

But...

Email actually also is a problem given that a 3rd party could have a database containing plain text passwords that have been used in combination with the email address. That would give the 3rd party some passwords to try to access the account. A risk that's already being taken by using Gravatar, StopForumSpam, etc. So I guess checking passwords through HIBP is only slightly riskier because you may give them a new password they didn't already have (if Troy were to log it). Edit: Actually wouldn't get a new password from that, since it's hashed. A new email and password combination though if the hash is already in the database with the plain text. Otherwise I think they'd have to use brute force to figure out the text of the password since they'd have the salt. It's pretty early, I might be missing something.

I think for me I'm gonna use the welcome conversation to mention password security (maybe even with an anonymized link to HIBP) and a link to updating their password and two-step verification (although two-step won't be forced). Possibly mention password managers.

Edit again: If you don't use HIBP for an email check but just the password check it's still problematic because if Troy wanted to he could keep checking the newest member to join to match the password (if he had it in plain text in the db) to the username. Most forums have a big time gap between people joining so it would be easy -- fr those with a forum on a dedicated IP any way. Unless the requests went through another IP to anonymize it, to hide the actual forum IP that's making the request. Damn paranoia 😄
 
Last edited:
Top