HIBP Pwned Passwords

The work that Australian security researcher Troy Hunt has done with the Have I Been Pwned project is yielding useful tools that developers and webmasters can now use to stop users from choosing weak, easy-to-guess, or previously leaked passwords.

Hunt has been collecting data exposed in data breaches for some time now. His Have I Been Pwned (HIBP) portal lets users safely check whether their email address or username was included in a public data breach.

HIBP's Pwned Passwords service

Over the summer of 2017, Hunt rolled out a new HIBP feature, a website section named Pwned Passwords where users could check if a password they wanted to use was included in leaked data sets.

This feature sounds incredibly creepy (entering a soon-to-be-used password in a website's search form), but Hunt has earned a great deal of trust in the past few years. For the worried ones, the Pwned Passwords service also allows users to search the HIBP database using the SHA1 hash of the desired password instead of the plaintext. That is only a little more secure: an unsalted SHA1 hash of a weak password is trivially reversible, so a full-hash lookup still tells the server what was searched. The v2 API addresses this with a range query in which the client sends only the first five hex characters of the hash and compares the returned candidates locally (a k-anonymity model), so neither the password nor its full hash ever leaves the client.

The service is incredibly useful because even if your own account was never compromised, you may still be using a weak password, or one that someone else used on an account that was compromised.

Besides Hunt, these public breaches are also hoarded by cybercriminals who extract all the leaked passwords and use them to assemble password-guessing dictionaries for brute-force attacks. Even if your account isn't in the HIBP database, that doesn't protect you against password-guessing attacks if you use a simple or previously-leaked password.

Pwned Passwords v2 launches

Hunt has recently revamped the Pwned Passwords service —announcing v2 a week ago— and it now includes 501,636,842 compromised passwords. Just like in v1, this data is available via the Pwned Passwords online site, via an API, and as a downloadable archive, in case developers want to build locally-stored apps and services that never need to call out to HIBP.
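As an added example, and not code from HIBP or from any of the projects listed on this page, the following Python client shows how a v2 range lookup works end to end: hash the password with SHA1, send only the five-character prefix, and match the 35-character suffix against the returned bucket locally. It assumes the v2 range endpoint at https://api.pwnedpasswords.com/range/{prefix}, which answers with one SUFFIX:COUNT line per known hash in that bucket. The embedded sample response is constructed so that the block runs offline: the suffix for "password" is the real remainder of its SHA1 hash, while the neighbouring suffixes and all of the counts are made up.

```python
import hashlib
import urllib.request

# Pwned Passwords v2 range endpoint. The client sends only the first five hex
# characters of the SHA-1 hash and receives every suffix in that bucket as
# "SUFFIX:COUNT" lines. Matching happens locally, so neither the password nor
# its full hash is transmitted.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6 (assumption: real
# responses have the same SUFFIX:COUNT shape). The third suffix is the genuine
# remainder of SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\r\n"
        "1E62FE6FBB1B81B4A6A8E7C4DEF6F0B1B19:1\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str):
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent to
    the API and the 35-char suffix that is compared locally."""
    if len(digest_hex) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest_hex[:5].upper(), digest_hex[5:].upper()


def count_in_range(suffix: str, range_body: str) -> int:
    """Return the breach count for `suffix` within one range response, or 0 if
    the suffix is absent. Tolerates CRLF/LF endings and blank or malformed lines."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the v2 API; only the 5-char `prefix` is transmitted."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times `password` appears in Pwned Passwords (0 means not found).
    `fetch` is injectable so the lookup can be tested without network access."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample bucket.
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=sample_fetch)
        verdict = f"seen {n} times in breaches, reject it" if n else "not in the sample set"
        print(f"{pw!r}: {verdict}")
```

To use it live, call pwned_count(password) with the default fetch; a non-zero result means the password should be rejected at signup or on password change. A rejection message should not echo the count or the password back into logs.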

Yesterday, Hunt announced that his project has been picked up by government bodies. Hunt said he is assisting IT staff from the UK and Australian governments with implementing the Pwned Passwords service on official government domains, so that government employees cannot secure their accounts with simple or previously leaked passwords.

The new Pwned Passwords API has also made it into commercial products. Password manager 1Password has added a feature that lets the user check whether a password that was just auto-filled into a form field appears in the Pwned Passwords data set.

Similarly, Wordfence, which makes a widely used security plugin for WordPress sites, has also integrated the Pwned Passwords service. Starting with a version released last night, the Wordfence plugin will alert WordPress site admins after they log into their dashboards if their password is found in the Pwned Passwords database.

The open source community has also embraced Hunt's new service. A quick search of open source projects unearths dozens of utilities that use the new Pwned Passwords API in one capacity or another.

Below is a (probably incomplete) list of projects that have implemented the Pwned Passwords service. These tools can be used by end users, and also by developers who want to add checks for compromised passwords to their own apps or services. We hope that, slowly but surely, apps and websites that check for weak or leaked passwords will become the norm, as the recent NIST password guidelines already require of verifiers.

✭  christophetd/firepwned - Checks Firefox saved passwords against known data leaks using the HIBP PP API
✭  moviuro/pass-hibp - A Linux pass(1) extension that queries the HIBP PP API
✭  kevlar1818/is_my_password_pwned - Bash script for HIBP PP API
✭  sea-erkin/goPasswordCheck - Go library for the HIBP PP API
✭  JoshHarmon/kAnonymity-Password-Checking-MyBB - MyBB plugin integrating the HIBP PP API
✭  alzeih/pass-pwned - Linux Password-Store extension for the HIBP PP API
✭  RawInfoSec/hibp-chk - A PHP function for implementing password checks using the HIBP PP API
✭  RandomAdversary/PwnedPasswords - Java library for the HIBP PP API
✭  nistykcab/unpwnedpsswd-gen - Python script to generate unique passwords that have not yet been recorded in Pwned Passwords