Geekzone: technology news, blogs, forums

freitasm
#237519 5-Jun-2018 21:54

I am thinking of adding a small piece of logic that will test your password at login, using the http://haveibeenpwned.com/ API to determine if the password you use to login on Geekzone has been compromised on another site - reusing passwords is quite normal and people don't think much about it.

My question is: what do you think of a message like "The password you use on Geekzone has been previously used by yourself or someone else on another site. This password has been leaked as per http://haveibeenpwned.com/. We suggest you change your password on Geekzone and other sites. Make sure to create unique passwords for each service you use."?

Do you think this is clear enough so that most people understand a compromised password wasn't leaked by Geekzone, but by some other service? Suggestions?

To be clear, testing via their API never sends a password but only a hash of it. We'd do this check at login time because that's the time our scripts have your password - we salt and hash the password before it's stored in our database so we wouldn't know it.





mdav056
#2030371 5-Jun-2018 21:57

Good idea, suggest you do this









PhantomNVD
#2030373 5-Jun-2018 22:05

So the test page says I’ve been compromised... is this a legit test of my password, or a test of the ‘compromised’ message 🤔

mdf
#2030378 5-Jun-2018 22:09

+1 great idea. You're speaking to a relatively tech savvy audience (I hope?). The short message is good (perhaps with some bolding or caps "The password you use on Geekzone has been previously used by you or someone else on another site that has been compromised"), but I'd put a link to a longer explanation as to how we test (i.e. we didn't send your password in the clear to anyone) and how to pick a good password (cough, link to a password manager).




freitasm
#2030380 5-Jun-2018 22:12

PhantomNVD: So the test page says I’ve been compromised... is this a legit test of my password, or a test of the ‘compromised’ message 🤔


Did you put your own password there? If so, then yes. That page is not testing your actual password as we don't know it.






freitasm
#2030384 5-Jun-2018 22:20

@PhantomNVD: So the test page says I’ve been compromised... is this a legit test of my password, or a test of the ‘compromised’ message 🤔

Let me clarify... The test page linked here is just a demo and uses the password you pass as a parameter in the URL. We don't know your password because it's hashed in our database. The idea is to put this same code in the login script and automatically let you know of something "strange" with your password. The demo is just for me to know the code works (and for you to play with).

How does it work?

https://haveibeenpwned.com/ has a list of emails that leaked over the years from different services. Visit the site and enter your email address. It will tell you where it leaked and I strongly suggest you change your password on any of those services listed.

They also offer a password lookup service. You can enter a password and it will tell you if it's been compromised.

Now, it may be YOUR password. Or maybe other people used the same password as you. For example "password" and "god" are very common passwords so of course they will show as compromised. "IhaveaRedHorsethatannoy$inWellington" is not a common password - it's not compromised but that's not to say someone hasn't used it.

A lot of people reuse their passwords on different services. This is bad because if one service leaks the password some Bad Guy (TM) can just use your email/password and go around trying to log in - let's say they find your email and password on a Dial-a-Pizza service and then try on your Bank of My Country. And you used the same password in both. You're done.

So this service won't say YOUR password leaked. It will tell you that YOUR password, or someone else's password that is exactly the same as yours, leaked. You then should go to https://haveibeenpwned.com/ and check if your email is part of a leak.

In either case, if your password is shown as compromised you should change it for something safer and unique.

Makes sense?






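The login-time check proposed in the original post and explained in the post above, as an added example that is not Geekzone's code. It uses the Pwned Passwords range API, which takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix for that prefix with its breach count; the login script then matches the remaining 35 characters locally, so neither the password nor its full hash leaves the server. The sample response, its count, and the padding line are constructed for offline use; `live_fetch` shows the real call but is not exercised here, and the `User-Agent` value is an assumed placeholder.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Added example (not Geekzone's code). Implements the k-anonymity lookup the
# Pwned Passwords range API supports: only the first 5 hex characters of the
# password's SHA-1 hash are sent; the remaining 35 are matched locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into {suffix: count}.

    Tolerates CRLF line endings and blank lines, and skips malformed lines
    instead of trusting them. When the client asks for padding
    (Add-Padding: true) the service also returns dummy suffixes with count 0;
    they are kept here and the caller treats count 0 as 'not breached'.
    """
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    `fetch` receives the 5-char prefix and returns the raw response body, so
    the network layer can be swapped for the offline sample below.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "geekzone-login-check-example",  # assumed placeholder
                 "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# --- Offline sample, constructed for this example -------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6. The count (12345) and the second, padding line are made up.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "ABCDEF0123456789ABCDEF0123456789ABC:0\r\n"
    ),
}
SENT_PREFIXES: List[str] = []  # records exactly what leaves the client


def offline_fetch(prefix: str) -> str:
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RANGES.get(prefix, "")


def check_at_login(password: str, fetch: Callable[[str], str] = offline_fetch) -> bool:
    """True if the password presented at login should trigger the 'compromised elsewhere' warning."""
    return pwned_count(password, fetch) > 0


if __name__ == "__main__":
    for pw in ("password", "IhaveaRedHorsethatannoy$inWellington"):
        print(pw, "->", "compromised" if check_at_login(pw) else "ok")
    print("sent to the API:", SENT_PREFIXES)
```

Because `fetch` is injected, the same `check_at_login` can be wired to `live_fetch` in the login script and to the constructed sample in tests; `SENT_PREFIXES` makes it easy to assert that only five-character prefixes ever go over the wire.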

freitasm
#2030386 5-Jun-2018 22:26

Funny thing is someone used "Trump" as a password...







Linux
#2030389 5-Jun-2018 22:34

This is great, tested mine and all good

Password ok 200

John


 
 
 

wazzageek
#2030404 5-Jun-2018 23:17

freitasm: Funny thing is someone used "Trump" as a password...

I believe you've just leaked the President of the US of A's password ... oops!

 

 


gbwelly
#2030448 6-Jun-2018 07:26

freitasm: or someone else's password that is exactly the same as yours, leaked.

I'm more concerned about my email address and password pair being compromised; can you query for a match on both?

 

 








freitasm
#2030449 6-Jun-2018 07:28

Can query individually but that's only good if you reuse the password.






kryptonjohn
#2030488 6-Jun-2018 08:55

The "haveibeenpwned" website says that I have been!

But when I look it gives a set of websites that have been exploited and the dates... and my passwords are all much newer than that and are machine-generated gobbledygook - does that mean I'm ok?

 

 

 

 


kryptonjohn
#2030491 6-Jun-2018 08:59

freitasm: Funny thing is someone used "Trump" as a password...

It says "compromised" if you put any actual words or names in there such as "alphabet" or "mauricio" ... does dictionary existence automatically give a "compromised"?

 

 


mentalinc
#2030495 6-Jun-2018 09:12

Suggest you kill all sessions (we've had it happen a few times in recent weeks, what is once more) once this is implemented to clean the database.

Better yet, do not let people use these passwords at all; they have to keep trying until it's not in the database.

Maybe also include a link to password safes (KeePass etc.) to help people do better.







RunningMan
#2030501 6-Jun-2018 09:24

mentalinc: [snip]

Better yet do not let people use these passwords at all, they have to keep trying until it's not in the database.

If I understand correctly though, this is a database of basically any password that any person has used, so people are being asked to have a password that is globally unique to any account from any person - that's a pretty tall order.

 

 


kryptonjohn
#2030510 6-Jun-2018 09:37

RunningMan:

mentalinc: [snip]

Better yet do not let people use these passwords at all, they have to keep trying until it's not in the database.

If I understand correctly though, this is a database of basically any password that any person has used, so people are being asked to have a password that is globally unique to any account from any person - that's a pretty tall order.

Easy to do if you use a machine-generated random password. However, as these are basically impossible to remember it means you'll need to either write them down (insecure) or use a password manager such as LastPass, which is potentially a catastrophic vulnerability if it is broken into.

I use LastPass... I am on so many systems it's impossible not to without sharing passwords between them.

 

 

 

 

