The work that Australian security researcher Troy Hunt has done with the Have I Been Pwned project is yielding useful tools that developers and webmasters can now use to make sure users stop choosing silly, easy-to-guess passwords.
Hunt has been collecting data exposed in data breaches for some time now. His Have I Been Pwned (HIBP) portal has been allowing users to safely check if their name, emails, or other details were included in a public data breach.
The Pwned Passwords feature sounds incredibly creepy — entering a soon-to-be-used password in a website's search form — but Hunt has earned everyone's trust over the past few years. For the worried, the Pwned Passwords service also lets users search the HIBP database using the SHA1 hash of the desired password, which makes the process a little more secure.
The service is incredibly useful because even if your own account was never hacked or compromised, that doesn't mean you're not using a weak password, or a password that someone else used on an account that was compromised.
Besides Hunt, these public breaches are also hoarded by cybercriminals who extract all the leaked passwords and use them to assemble password-guessing dictionaries for brute-force attacks. Even if your account isn't in the HIBP database, that doesn't protect you against password-guessing attacks if you use a simple or previously-leaked password.
Hunt has recently revamped the Pwned Passwords service — announcing v2 a week ago — which now includes 501,636,842 compromised passwords. Just like in v1, this data is available via the Pwned Passwords online site, via an API, and as a downloadable archive, in case developers want to build locally-stored apps and services.
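The v2 API mentioned above is a range search: the client hashes the password with SHA1, sends only the first five hex characters of the hash, and matches the remaining 35 characters locally against the list of suffixes and breach counts the service returns, so the full hash never leaves the machine. The client below is an added illustration of that flow, not code from HIBP or from any of the projects named in this article; the range response it parses is constructed (the suffixes and the breach count are made up), and the live fetcher is included only to show the documented endpoint.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for a Pwned Passwords v2 range response (not a real
# capture). For a 5-hex-char SHA-1 prefix the real endpoint returns every
# known 35-char suffix under that prefix with its breach count, one per line.
# The last line is the suffix of SHA-1("password"); its count is made up.
SAMPLE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex of the password.
    Only the 5-char prefix ever leaves the client; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, rejecting malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix: str) -> str:
    """Fetch a real range from the API (network required; not used offline)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher that only knows the constructed 5BAA6 range."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""

def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_sample) -> int:
    """Number of breaches the password appears in (0 = not found in the range)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```

A signup or password-change handler would reject any password for which `breach_count` is non-zero; pass `fetch_range_live` as the fetcher to query the real service.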
Yesterday, Hunt announced that his project got an official seal of approval from government entities. Hunt said he's in the process of assisting IT staffers from the UK and Australian governments with implementing the Pwned Passwords service for official government domains, so government employees can't use simple or leaked passwords to secure their accounts.
But the new Pwned Passwords API has also made it into commercial products. Password manager app 1Password has added a new feature that allows the user to check and see if the password that was just auto-filled inside a form field has been compromised before.
Similarly, Wordfence, a company that provides a powerful security system for WordPress sites, has now also integrated the Pwned Passwords service. Starting with a version released last night, the Wordfence plugin will alert WordPress site admins after they have logged into their dashboards if they use a password that is found in the Pwned Passwords database.
But the open source community is also in love with Hunt's new service. A quick search of open source projects unearths tens of utilities that use the new Pwned Passwords API in one capacity or another.
Below is a (probably incomplete) list of projects that have implemented the Pwned Passwords service. These tools can be used both by end users and by other developers who want to add checks for compromised passwords to their apps or services. We hope that slowly but surely, apps and websites that check for weak or leaked passwords will become the norm, just as the recent NIST password guidelines require.