Password check against HaveIBeenPwned API
- Thread starter Fred.
- Start date
These are already leaked passwords. They stopped being sensitive and started being a security time bomb a long time ago.
You should assume that anyone trying to access someone's account for malicious purposes already has access to these password lists - they are already a commodity and easily accessible and thus make it trivial for anyone wishing to try a dictionary attack on your password.
Again, it's not as if Troy is making the account username and/or email available with these passwords too.
My paranoia is with the 3rd party web site. You could send the password hashed but does he have the original password in the database along with the hash? He could determine what the hashed password is if that's the case. He's probably completely trustworthy and it would never be an issue, but you never know. I would assume that the majority of hacks had hashed passwords, but I know some didn't. In fact one of the lists has 805,499,391 email addresses with plain text password combinations according to his blog. That's a big number.
But...
Email actually also is a problem given that a 3rd party could have a database containing plain text passwords that have been used in combination with the email address. That would give the 3rd party some passwords to try to access the account. A risk that's already being taken by using Gravatar, StopForumSpam, etc.
I think for me I'm gonna use the welcome conversation to mention password security (maybe even with an anonymized link to HIBP) and a link to updating their password and two-step verification (although two-step won't be forced). Possibly mention password managers.
Edit again: If you don't use HIBP for an email check but just the password check it's still problematic because if Troy wanted to he could keep checking the newest member to join to match the password (if he had it in plain text in the db) to the username. Most forums have a big time gap between people joining so it would be easy -- fr those with a forum on a dedicated IP any way. Unless the requests went through another IP to anonymize it, to hide the actual forum IP that's making the request. Damn paranoia
Last edited:
@Fred. we now have an addon that does check new user password and existing user password changes against the HIBP v2 API thanks to @Xon here - https://xenforo.com/community/resources/password-tools.4495/
Thanks WoodiE I will try it. I just have been really busy lately.
This would fit in very well with the new password functions of XF2.1
HIBP is now used widely across the net and has been expanded with a lot of databases. Likewise hackers are exploiting the databases en masse. Not only for accessing sites, but also for social engineering and extortion scams.
fortune.com
haveibeenpwned.com
haveibeenpwned.com
HIBP is now used widely across the net and has been expanded with a lot of databases. Likewise hackers are exploiting the databases en masse. Not only for accessing sites, but also for social engineering and extortion scams.
Blackmail Scam Uses Passwords to Scare People into Paying Bitcoin. Don't Fall for It. | Fortune
The perpetrators threaten to release embarrassing videos from supposedly hacked screencams.
Have I Been Pwned: API consumers
Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
Have I Been Pwned: Pwned Passwords
Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
