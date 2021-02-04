Geekzone: technology news, blogs, forums
freitasm

BDFL - Memuneh
74193 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#281202 4-Feb-2021 22:05
Sometime soon I will deploy a new feature to our login page - we will automatically check for compromised passwords against the Have I Been Pwned database.

Users trying to login with passwords that are found to be compromised will not be allowed to login and will be redirected to a page explaining why, with the option to initiate the reset password process. If your password has been compromised you will need access to your email to successfully reset it.

Important things to note:

- compromised passwords mean the password is the same as a password used in some other service that has been leaked. This affects people who re-use passwords and people who use common passwords

- this doesn't mean our system was compromised - it only means the password was compromised somewhere else (and it might even be that it's not your password that was compromised but only that you used a common enough password)

- this doesn't mean we know your password - it only means the password entered in the form will be checked during the login process, as received

- all sessions will be killed before this change goes live

- the API does not require your whole password to be sent. The short explanation is that we hash the password as entered in the form and send only the first five digits of the hash, with the API responding with a list of other digits that we can then compare to our entire hash. The API is described here.

If you want to be proactive and check your password now, I suggest you visit Have I Been Pwned: Pwned Passwords any time.
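As an added illustration of the range lookup described in the post above (this is example code written for this page, not Geekzone's own login code, which is not shown): the password is SHA-1 hashed, only the first five hex digits go to the API, and the returned suffix list is compared locally against the rest of the hash. The range response used here is a constructed stand-in so the example runs offline; its counts and the second suffix are made up, the `fetch_range_live` function shows the real endpoint but is never called, and the fail-open behaviour when the API is unreachable is an assumption of this example rather than anything the post states.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real range endpoint; only used by fetch_range_live(), which this example never calls.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_password(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-char prefix leaves the server; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}.
    Entries with count 0 are padding (sent when Add-Padding is requested); skip them."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the range response body for that prefix."""
    prefix, suffix = hash_password(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def login_allowed(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Decision a login page could make. Assumption for this example: if the
    lookup itself fails (timeout, outage) the login is allowed and the reason
    is recorded, so a third-party outage cannot lock every user out."""
    try:
        n = pwned_count(password, fetch_range)
    except Exception as exc:
        return True, f"hibp_unavailable:{type(exc).__name__}"
    if n > 0:
        return False, f"compromised_password:seen_{n}_times"
    return True, "ok"


# --- constructed stand-in for the range API so this runs offline ---
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so a real
# /range/5BAA6 response would contain the first suffix below. The counts,
# the second suffix and the zero-count padding line are made up.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "00000000000000000000000000000000000:0\r\n"  # padding-style entry
    ),
}


def fake_range_api(prefix: str) -> str:
    """Stand-in lookup: unknown prefixes return an empty range (no matches)."""
    return FAKE_RANGES.get(prefix.upper(), "")


def failing_range_api(prefix: str) -> str:
    """Stand-in for an outage, to exercise the fail-open path."""
    raise RuntimeError("timeout")


def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised here). Add-Padding asks the API to pad the
    response so its size does not reveal which bucket was queried."""
    import urllib.request
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", login_allowed(pw, fake_range_api))
```

The comparison happens entirely on the server doing the login, which is why neither the password nor its full hash is ever sent to the API: the API only learns that someone asked about a bucket of roughly a few hundred hashes sharing one five-digit prefix.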




gbwelly

  #2648043 5-Feb-2021 09:59
compromised passwords mean the password is the same as a password used in some other service that has been leaked

email address/username and password combo? Or if I have a collision with anyone else who has used the same password in the database I have to change mine?

freitasm

  #2648046 5-Feb-2021 10:06
gbwelly:

compromised passwords mean the password is the same as a password used in some other service that has been leaked

email address/username and password combo? Or if I have a collision with anyone else who has used the same password in the database I have to change mine?

Password only. If you use a password that has been compromised - with anyone else's email, then it will require a reset.

The assumption is that if your password is common enough to match any leaked password then we will assume it's part of a dictionary now. Even though we rate limit login and ask people to use 2FA, I feel we need to get people using unique passwords.

This doesn't mean you can't reuse passwords - providing a password is random enough and has not been leaked, reusing passwords will not be stopped by this method as we wouldn't know it's being used somewhere else. But it is still an unsafe practice to reuse passwords because a single, unreported leak could have huge consequences.




xpd

  #2648047 5-Feb-2021 10:10
Hmm maybe time for me to update passwords.... I've been lazy and I know the one I use here has appeared in the HIBP database previously.

<will go do now>

 

 




sidefx

  #2648052 5-Feb-2021 10:20
[image: Spaceballs luggage combination]




eracode

  #2648053 5-Feb-2021 10:27
xpd:

Hmm maybe time for me to update passwords.... I've been lazy and I know the one I use here has appeared in the HIBP database previously.

<will go do now>

Same. Done too.




Quinny

  #2648054 5-Feb-2021 10:29
Will this check against Two Factor use? And the list at pwned is off as I lost one in the Sony Playstation breach that is not showing

dt

  #2648056 5-Feb-2021 10:31
what a fantastic idea, nice work



freitasm

  #2648060 5-Feb-2021 10:44
Quinny:

Will this check against Two Factor use? And the list at pwned is off as I lost one in the Sony Playstation breach that is not showing

2FA is still optional.

The list only contains password dumps that the author can get his hands on. It's practically impossible to cover all the breached passwords, ever, but with their current list of 505 breaches covering 10,594,333,080 accounts there's a good chance most will be covered.




freitasm

  #2648061 5-Feb-2021 10:44
I will deploy the code and terminate all current sessions at 11am




JaseNZ

  #2648083 5-Feb-2021 11:55
Yeah I am the same so lazy lol. Have updated mine as well as added 2FA.

Thanks for giving me the needed push.




freitasm

  #2648086 5-Feb-2021 12:02
One hour since I released this change. We had about 100 login attempts using compromised passwords so far - these were blocked and redirected to the information page (including links to online random password generators).




PeterReader

  #2648087 5-Feb-2021 12:06
I am very happy that my computer brain created my own password and I can always remember it.




PolicyGuy

  #2648088 5-Feb-2021 12:06
freitasm:

One hour since I released this change. We had about 100 login attempts using compromised passwords so far - these were blocked and redirected to the information page (including links to online random password generators).

😮

Handsomedan

  #2648095 5-Feb-2021 12:20
freitasm:

One hour since I released this change. We had about 100 login attempts using compromised passwords so far - these were blocked and redirected to the information page (including links to online random password generators).

I think about 70 of those would've been me.

The remnants of a migraine are still playing havoc with my ability to function properly as a human being.

 

 




MurrayM

  #2648100 5-Feb-2021 12:27
I switched to using the KeePass password safe several years ago and I let it generate long random passwords for each site that I need an account on. Since I was able to log in just fine here a few minutes ago, I assume it's doing its job!

