
The Legitimisation of Have I Been Pwned - weinzierl
https://www.troyhunt.com/the-legitimisation-of-have-i-been-pwned/
======
MayeulC
Seeing it being recommended by government officials in multiple countries made
me realize that the website isn't localized.

I think the website should be translated, together with the domain name.
Actually, "pwned" already sounds like something only those who "live and
breathe tech", to quote the article, would be expected to be familiar with.

This unfortunately raises a serious question of trustworthiness, with regards
to phishing issues. When password.com, mypassword.net and passphrase.org are
valid domains, how would you know whether to trust mypassword.com?

The bandwidth costs could also be prohibitive. To alleviate this issue, I
would like to see the code being opened up (for perf. improvements), and
distributed hosting encouraged, databases entrusted to a few trustworthy
entities, with everything sponsored by a nonprofit entity. This doesn't solve
the trustworthiness of the various entities, though [unless this is done on
governments' websites?].

Of course, there is always the possibility of a rogue government/ISP/hosting
service MITMing the connection, even issuing false certs... But a rogue actor
might as well MITM the target web site directly.

~~~
stordoff
> I think the website should be translated, together with the domain name.
> Actually, "pwned" already sounds like something only those who "live and
> breathe tech", to quote the article, would be expected to be familiar with.

Not sure about that. I feel like translating the domain would make the
phishing/trustworthiness issues more difficult - as is, there is a single
canonical domain name which, at this point, has been well-publicised.
Verifying that any particular translated domain for the myriad possibilities
is real, especially when they may be less widely publicised/used due to having
smaller userbases/fragmenting the userbase, seems tricky.

I'm also not sure how much of an issue "pwned" is - a lot of successful services
use words that _no one_ would be familiar with or that are entirely made up.

~~~
lione
Yeah, Pwned is fine. I mean what's a Google? That isn't a word!

~~~
delecti
Well strictly speaking it's a typo of a word.

[https://en.wikipedia.org/wiki/Googol](https://en.wikipedia.org/wiki/Googol)

~~~
jessaustin
It's entertaining that Google are and always have been typo-squatters, but
"pwn" has been a typo since the very first time it was typed.

Now since there is no red squiggly line I am wondering whether I added "pwn"
as a custom addition to my local dictionary...

~~~
mistercow
Seems to be standard in the macOS spellcheck dictionary. Some traditional
dictionaries now contain it as well.

------
kozak
If the use case is only checking YOUR OWN email address, then why not require
a verification of the email before providing the results? E.g. you enter your
email and get a results link sent to this same email address. Because now HIBP
appears to be an interesting OSINT tool for gathering information about
people, specifically for finding out what "shady" services they ever
registered at.

~~~
Siecje
You need to register to see the leaks from "shady" services.

~~~
kozak
Shadiness is relative. I felt quite ashamed of having an account on some of
those sites that HIBP considers "non-shady".

~~~
Ajedi32
If someone has your email address, it's often not very hard for them to
determine whether or not you have an account on a particular site. (Try to
register with that email, and if the sign-up form complains, then you probably
do have an account there.)

That said, if you're still concerned there's always
[https://haveibeenpwned.com/OptOut](https://haveibeenpwned.com/OptOut)

~~~
drdaeman
Would be neat if one could opt out a domain. I.e. I have a domain that's
essentially a catch-all for signing up with per-site unique emails.

~~~
mi100hael
Can't hurt to send Troy an email. Probably would be a useful feature for
companies, too. Could be achieved relatively easily w/ DNS validation.

------
nextgens
If you are looking for an "offline" way of checking your (windows) passwords
against the HIBPv2 dataset, I encourage you to check my current pet project
out: [https://safepass.me](https://safepass.me)

It's an Active Directory password filter that is free for home use and
dirt-cheap otherwise.

~~~
Already__Taken
Also [https://jacksonvd.com/checking-for-breached-passwords-ad-usi...](https://jacksonvd.com/checking-for-breached-passwords-ad-using-k-anonymity/)
found in
[https://haveibeenpwned.com/API/Consumers](https://haveibeenpwned.com/API/Consumers)
offers Active Directory integration both offline and on.

~~~
nextgens
You're not comparing the same thing. One is a commercially supported
product... that ships HIBPv2 in a ~400MB bundle, the other one a PoC... that
suggests that doing a binary search over a 30GB+ dataset each time there is a
password change is a sane thing to do.

[https://github.com/JacksonVD/PwnedPasswordsDLL/blob/master/P...](https://github.com/JacksonVD/PwnedPasswordsDLL/blob/master/PwnedPasswordsDLL/dllmain.cpp#L97)

I wouldn't recommend to anyone to seriously consider deploying that code in
production!

~~~
cdubzzz
I don’t think GP was offering a comparison so much as a related item to check
out.

Why would you not recommend code that checks the hashed password against a
local DB?

See also the “pwned-passwords-django” process here:
[https://www.b-list.org/weblog/2018/mar/06/two-new-projects](https://www.b-list.org/weblog/2018/mar/06/two-new-projects)

~~~
nextgens
> Why would you not recommend code that checks the hashed password against a
> local DB?

I would. In fact that's why I have created a product to do exactly that in an
_efficient_ way...

Doing the checks online has too many drawbacks:

- availability: what do you do when the service/API is down or you can't
reach it?

- determinism: what works today might not tomorrow

- security/privacy/anonymity: ...

I am just uncomfortable with naive code that makes it barely practical:

- if the dataset isn't pre-processed properly, binary searching through it
won't lead to the expected results (and that's not always obvious)

- distributing a 30GB+ file on all the DCs

- binary searching through the dataset at runtime means seeking through
30GB... with an O(log n) complexity... in practice that means a very slow
response time that gets exponentially worse with load.

If you pre-process the dataset you might as well do it "properly" and make it
usable :p
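
An added example (not code from the comment, from safepass.me or from the PwnedPasswordsDLL project) of the offline approach this thread is arguing about: pre-process the "SHA1:COUNT" text dump once into a sorted, fixed-width binary index, then binary search it at password-change time. The dump below is a constructed three-line miniature; the two real hashes in it are SHA-1s of "123456" and "password", the third is filler.

```python
import hashlib

RECORD = 20  # raw SHA-1 bytes per record; fixed width makes offset = idx * RECORD

# Constructed miniature of the HIBP "SHA1:COUNT" text dump (real ones are 30GB+).
# Deliberately NOT in hash order: an unsorted file is exactly the pre-processing
# trap that makes a naive binary search return wrong answers.
SAMPLE_DUMP = "\n".join([
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662",  # sha1("123456")
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # sha1("password")
    "FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF:1",          # made-up filler record
])


def build_index(dump_text: str) -> bytes:
    """Pre-process once: parse, convert hex to raw bytes, sort, concatenate.
    Sorting is what makes the later binary search valid; the counts are dropped
    because a password filter only needs a yes/no answer."""
    hashes = sorted(bytes.fromhex(line.split(":", 1)[0])
                    for line in dump_text.splitlines() if line.strip())
    return b"".join(hashes)


def contains(index: bytes, digest: bytes) -> bool:
    """Binary search over the fixed-width sorted index: O(log n) record reads.
    In a real deployment 'index' would be an mmap'd file rather than a bytes
    object, so each probe is one seek instead of one slice."""
    lo, hi = 0, len(index) // RECORD
    while lo < hi:
        mid = (lo + hi) // 2
        rec = index[mid * RECORD:(mid + 1) * RECORD]
        if rec == digest:
            return True
        if rec < digest:      # bytes compare lexicographically, same order as sorted()
            lo = mid + 1
        else:
            hi = mid
    return False


def password_is_pwned(index: bytes, password: str) -> bool:
    """Hash the candidate locally and look it up; nothing leaves the host."""
    return contains(index, hashlib.sha1(password.encode("utf-8")).digest())


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    for pw in ("123456", "password", "correct horse battery staple"):
        print(pw, password_is_pwned(idx, pw))
```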

------
taf2
I see the API and I get why charging for access would be bad but what about
donations?

~~~
andimm
You can donate on HIBP:
[https://haveibeenpwned.com/Donate](https://haveibeenpwned.com/Donate)

------
kozhevnikov
I wish there was a way to prove ownership of a domain and be able to search on
*@example.com for those who use unique emails for every service to track
accounts that got hacked or companies that sold my personal info.

~~~
modernerd
Like this?
[https://haveibeenpwned.com/DomainSearch](https://haveibeenpwned.com/DomainSearch)

~~~
tialaramex
So I just tried this, it's a very different proposition than normal HIBP, and
much more useful to people like me who don't just have a single address and
give that out everywhere.

HIBP reports that zero of my addresses have been pwned. Which is weird because
those addresses include several that have been pwned in well known cases, and
several more where there's no public "We had a data breach" type report but
it's clear that somebody did in fact lose all my data.

That's pretty disappointing, it suggests HIBP doesn't have very much of the
breach data that really matters, and so many unsophisticated users who get to
the site are probably misled.

~~~
celticninja
Did you try some of those emails in the standard HIBP? There is a difference
between a site being hacked and your details posted publicly and a company you
signed up with selling your information. The former is on HIBP the latter is
not.

------
inovica
I have found this site really useful for my addresses and had set them to be
alerted. Just a couple of days ago my Skype account was 'hacked' (probably
because I'd stupidly used an old password and not changed it). What concerns
me is just how little companies care - Microsoft have been awful at responding
to it and keep pushing me to an automated system, which isn't working for me
to get recovered.

------
isolli
I have always been worried about entrusting Have I Been Pwned with my email
address, fearing some nefarious use.

Am I being overly cautious?

~~~
robin_reala
I’d say for your email that yes, you’re being overly cautious. For Troy’s
recently launched
[https://haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords) I
probably wouldn’t use that myself, but he makes a reasonable case for why it’s
secure.

~~~
kaoD
There's a 100% safe API for password search where you SHA1 your password and
query the first 5 characters only.

Even if you don't trust _that_ form to behave as promised, you can do the
query yourself.

[https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR...](https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange)
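
An added example (not code from the comment or from HIBP) of the range lookup kaoD describes: hash locally, send only the first 5 hex characters, and match the suffix on the client. The fetcher below is a constructed offline stand-in for the range endpoint documented at the link above, and its response body is made up apart from the first entry, which is the real SHA-1 suffix of the string "password".

```python
import hashlib

PREFIX_LEN = 5  # hex characters sent to the API; 5 * 4 = 20 bits of the hash

# Constructed stand-in for a range-API response body (not a real HIBP reply).
# Each line is "<35 hex chars of suffix>:<count>"; real replies have hundreds.
SAMPLE_RANGE_BODY = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of sha1("password")
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",        # made-up filler
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",        # made-up filler
])


def split_hash(password: str):
    """Hash locally; only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_body(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate blank/CRLF lines."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def pwned_count(password: str, fetch_range) -> int:
    """Breach count for password (0 if absent). fetch_range(prefix) must return
    the response body text for that 5-character prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def bits_disclosed() -> int:
    """What the service learns: 20 bits of the SHA-1, never the password."""
    return PREFIX_LEN * 4


def fake_fetch(prefix: str) -> str:
    """Constructed offline stand-in for GET .../range/<prefix>."""
    assert len(prefix) == PREFIX_LEN and all(c in "0123456789ABCDEF" for c in prefix)
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(pwned_count("password", fake_fetch))  # 3730471 in this constructed sample
```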

~~~
CodesInChaos
I consider the security of the 5 char API acceptable, but it still leaks 20
bits of information about the password to HIBP, so it's certainly not 100%
safe.

~~~
kaoD
20 bits _of the password hash_. I can't think of a way to use that information
maliciously, can you?

~~~
comex
It depends on whether the hash is actually in the database or not. If it is,
then one of the hashes returned corresponds to your password. But the hashing
is done by HIBP itself, so a hypothetical evil Troy could determine the actual
values of those passwords. If he determined who you are, perhaps by
correlating requests with email submissions on the main HIBP site, he could
then try to access your account on another site with each of those passwords,
in the hope that you reused the same password on multiple sites. The docs say:

> On average, a range search returns 478 hash suffixes

which is low enough that one could potentially try them all in a reasonable
amount of time, even taking rate limiting into account.

...However, the leaks that go into the database typically contain
username/password pairs, not just passwords. So if your password is in the
database because your account was pwned (as opposed to the account of someone
who happened to pick the same password as you), and the username is reasonably
identifiable, anyone who downloaded the original leak could do the same thing,
except knowing exactly which password to try rather than having to go through
478 of them!

And of course, the whole point of the password lookup is to inform you that
your password is compromised and you need to stop using it. If you’re
diligent, evil-Troy would only have a rather limited window to attack you
before you changed your password on the relevant sites following a positive
result. That is, assuming the API is honest and returns all the hashes it
knows… In theory it could hold some back.

------
piracykills
Is leakedsource actually gone?

[https://leakedsource.ru](https://leakedsource.ru) seems to be up and running - or is it different people?

I mean, I sort of hate both these and prefer to just download raw data dumps
straight from their source. But maybe that is legally questionable?

------
kevin_thibedeau
For the sites monitoring for outside breaches of their user accounts, doesn't
that indicate that they are likely keeping cleartext passwords so they can
rehash them to match the hacked databases?

~~~
stordoff
I'd presume they are checking passwords that leaked in plain text or with weak
hashes, or potentially just matching user names and erring on the side of
caution. I can't imagine most companies proactive enough to check leaked data
would choose to store in plain text.

------
dest
The page makes my Firefox miserably crash… (v59.0.1 stable, linux)

------
pmarreck
One of the examples he showed was a breach of a site that used "vBulletin" as
the password encryption. I looked up what the hell this was and found this:
[https://www.vbulletin.com/forum/forum/vbulletin-sales-and-fe...](https://www.vbulletin.com/forum/forum/vbulletin-sales-and-feedback/vbulletin-pre-sales-questions/134353-password-encryption)

It's basically MD5(MD5(password)+salt). It was unclear if the salt was global
to the entire DB or different for every record.

Surprise, yet another case of the blind leading the blind in PHP-land.

~~~
thrownaway954
that thread was from 2005... 13 years ago... would you like to quote something
a little more recent???

~~~
pmarreck
Sure. MtGox, a PHP site, got hacked just a handful of years ago because its
creator decided to write his own encryption software.

~~~
thrownaway954
got a source on that?

~~~
pmarreck
[https://pirates-forum.org/Thread-Security-At-MtGox-Much-Wors...](https://pirates-forum.org/Thread-Security-At-MtGox-Much-Worse-Than-Originally-Imagined)

which quotes the original source, which is now down but is still available at
web.archive.org:
[https://web.archive.org/web/20140226001727/http://blog.magic...](https://web.archive.org/web/20140226001727/http://blog.magicaltux.net/2010/06/27/php-can-do-anything-what-about-some-ssh/)

Additional possible info:
[https://www.computerworld.com/article/2476003/cybercrime-hac...](https://www.computerworld.com/article/2476003/cybercrime-hacking/the-php-that-shagged-mtgox-bitcoin-mystery-deepens.html)

------
bogomipz
I think the author's exuberance and self-congratulatory sentiments seem
misplaced. From the article:

>"HIBP is Becoming the "Go-To" Resource for Protecting Accounts"

No, "protecting accounts" is something that is done internally at the source
by companies storing user data. HIBP is offering a service that lets companies
do CYA (cover your ass). Companies can subsequently claim that they "notified"
customers by telling them to check an external website. Responsibility is
transferred to the customer and a third party.

>"What that means for the industry is "a rising tide lifting all boats"; it's
becoming more legitimate for all those doing the right thing with the data."

No, doing the right thing with data is either protecting it or not storing it
in the first place. HIBP is reactionary at best. The danger is that these
companies with poor to no security practices continue to make no structural
changes themselves. They simply use HIBP as a crutch to do the least amount of
actual work to protect data. This is supported by the following statement:

>"Oftentimes, the first a company knows of a data breach is when I send them
their data."

It's hard to read that sentence and believe the author's assertion that "the
industry has cleaned a lot".

------
dandare
This kind of service should be ultimately provided by the government as part
of consumer protection or police services.

~~~
richmarr
Which government?

------
equationsgalore
It is a great service but I really wish there was a good way of keeping it
honest so we don't have to rely on trust so much. I wouldn't trust it with my
passwords.

