500M of “Have I been Pwned” hashes broken (hashes.org)
164 points by pjf 10 months ago | 56 comments

Just a reminder: HIBP password list only includes passwords from already cracked / plaintext sources.


I was puzzled about why someone would spend power cracking this, but apparently Troy was as well:

> One of the things that did surprise me a little in V1 was the effort some folks went to in order to crack the passwords. I was surprised primarily because the vast majority of those passwords were already available in the clear via the 2 combo lists I mentioned earlier anyway, so why bother? Just download the (easily discoverable) lists! The penny that later dropped was that it presented a challenge - and people like challenges!

But maybe not in one place.

If you think, even for a moment, that nobody has ever compiled and distributed a compilation of leaked credentials then I have a bridge to sell you.

So what? Now you have one more unnecessary compilation than before.

There is always this 1.4 billion plaintext email:password compilation magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

Totally unrelated, but something I've been wondering for a while. Isn't the whole point of magnet links that they use a distributed hash table (DHT)? Why do they need trackers appended to the URL? Is it strictly necessary, or does it just help in bootstrapping the DHT?

I always remove those when downloading torrents because I'm paranoid they're obvious markings of torrent traffic, more so than DHT connections.

DHT isn't magic. Every peer builds a cache of other DHT peers over time, but a new client has no such cache, so falling back to trackers is still important. (IIRC older DHT clients also fell back to a hardcoded "bootstrap.bittorrent.org" or some such DNS name.)

You might observe when trimming the tracker list off the URL that sometimes you can't find a peer, that's because you've never used the same client to contact what effectively amounts to a subnetwork that has no overlap with any previous subnetwork you leeched from in the past.

Especially if you're always fetching the same content (e.g. Game of Thrones episodes) it'll probably just work, but you may find it breaks when you suddenly decide to grab e.g. an old copy of OS/2 or similar, representing a set of BitTorrent users with entirely different interests.

Nope, it isn't necessary. It just helps with peering, and the actual download will start faster.

Are you sure? I always thought that the peers have to be seeded by the trackers.

How would you as a peer connect to any other peers without some kind of seed?

What IPs do you connect to?

Clients usually have some public, hardcoded nodes to bootstrap the search: https://stackoverflow.com/questions/1181301

The trackers are necessary for bootstrapping.

How do I read this file on Windows?

For large CSVs I've personally used EmEditor in the past with success.

Troy Hunt said this doesn't really matter - https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...

The hashes are about not storing or giving out the passwords freely, more as a way to verify if your password is in there.

Someone should add a "Has my hashed password been broken?" and an opt-in notification when one's password is eventually revealed.

Last person standing gets a prize.

Everyone who uses a password manager would win

Using a password manager doesn't make you immune to having your credentials leaked if a site's database is breached...

Uh... he never said it did? Just that yours would be the last hash to be cracked.

Then why would that password tresor user win, after his credentials were leaked by a database breach, before other select people that weren't compromised but abstained from said software?

It's generally incomprehensible to me why some people don't want to use password tresors (it's so much easier, after all), but his argument was flawed.

Because parent said there would be a competition for whose password is cracked last.

My 16 char fully randomized passwords will not be cracked, so I win, along with everyone else using a password manager?

What's a password tresor? Did you mean password manager? Wiktionary tells me it means "treasure" in Catalan and Old French.

Tresor means safe in German, so maybe he is a German who substituted the z in trezor.

It also means "storehouse", so he probably means password manager.

I think he meant this: https://trezor.io/

And more specifically: https://trezor.io/passwords/

I meant password manager/safe.

Sorry for that mix up.

It actually does, provided the passwords aren't stored in plaintext.

Even something ridiculously weak like a SHA-1 hash isn't going to be cracked if the password is 16 characters long and completely random.
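The claim above (a 16-character fully random password is out of reach even under a fast hash like SHA-1) comes down to keyspace size versus guessing rate. Here is a small calculator, added as an illustration and not part of the thread, that carries the arithmetic through. The 62-symbol alphabet (a-z, A-Z, 0-9) and the guessing rate of 10^10 hashes per second are assumptions chosen for the example; substitute your own figures.

```python
import math

# Assumed illustrative guessing rate (hashes per second). This is a
# constructed round figure for the example, not a measured benchmark.
ASSUMED_RATE = 1e10


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols: log2(N^L) = L*log2(N)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     hashes_per_second: float = ASSUMED_RATE) -> float:
    """Worst-case years to try every candidate at the given rate.
    The expected time to hit a specific password is half of this."""
    keyspace = alphabet_size ** length
    seconds = keyspace / hashes_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(rate: float = ASSUMED_RATE) -> dict:
    """Put a short human-chosen lowercase password next to a 16-char random
    alphanumeric one so the gap in orders of magnitude is visible."""
    cases = {
        "8 lowercase letters": (8, 26),
        "16 random alphanumerics": (16, 62),
    }
    return {
        name: {
            "bits": round(entropy_bits(n, a), 1),
            "years_to_exhaust": years_to_exhaust(n, a, rate),
        }
        for name, (n, a) in cases.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['bits']} bits, {r['years_to_exhaust']:.3g} years to exhaust")
```

Note the asymmetry the thread is pointing at: the 8-letter case is exhausted in seconds at this rate, while the 16-character random case needs on the order of 10^11 years, so the weakness of the hash function stops mattering once the password itself is random and long enough.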


- the passwords aren't stored in plaintext or any other compromised hashing mechanism

- you autogenerated your password

- your password manager does not get compromised

saying "it actually does" is a bit of an absolutist stretch...

Furthermore, none of this is a side-effect of using a password manager. It just makes doing so more convenient.

Within a margin of error, zero people can remember 20 16-character random alphanumeric passwords. Therefore it is only possible using some sort of password manager, whether it be something like 1password or an old-fashioned notebook.

You need to specify your margin of error. ± the full population of humans on Earth is "a margin of error".

I may be an outlier, but I certainly remember 10+ 20-25 character random full-printable-ASCII passwords, some of which don't let a password manager handle them, others which I don't want to have in a manager. And then there's my password manager master password, which is close to 70 characters long.

And I have shitty memory—I wouldn't be able to remember what happened more than a few days ago if my life depended on it.

> Within a margin of error, [the value of a measure is] zero.

Nitpick: Zero does not have a magnitude, so "a margin of error" is not remotely well-defined here.

Nitpick nitpick: margin of error can be either absolute or relative.

Nitpick nitpick nitpick: "margin of error" without any value effectively means "the following value has no meaning at all", as the margin of error is unspecified.

Also, 1Password has already integrated this into version 7 (in beta). It will let you know if any of your passwords are on HIBP.

I'm still on 4, the non-cloud version, so I probably don't get the fancy feature. :(

What happens to your passwords if you stop paying for the cloud version?

The apps become read-only, with export functions.

Source: https://support.1password.com/membership-billing-policy/

I still think algorithmic passwords are safer. I could get access to all of your passwords via a simple keylogger to scrape your manager's master password. There's no way you can get at mine because the master password is the algorithm in my brain. You could try to get 2-3 of my existing passwords and reverse engineer my algorithm, but in the words of Liam Neeson: "Good luck"

Well there's this https://spycloud.com/

Having faith in the security of the hash that has been leaked was always a ticking clock. Better to just rotate any password you know to have been compromised.

Those hashes come from leaked plaintext password lists originally. They were already released in plaintext. The hashing by Have I Been Pwned is just a way to avoid spreading those passwords even further (to newcomers, hobbyists and the general public), but the hacking community was already using them in dictionary attacks.

Seems like HIBP should be using a fixed salt on its hashes.

Because of the way HIBP works, the salt would need to be both constant and known by the client, which makes it rather useless as a salt. It would only stop rainbow tables, but that's not the issue here.


Oh, HIBP does not include the data from the MyFitnessPal breach. 150m users are affected!

> https://content.myfitnesspal.com/security-information/FAQ.ht...

Breaches can only be added to HIBP if Troy gets his hands on a copy of the data that was stolen.

Most of the passwords probably won't get added to the HIBP password list either, since only plaintext passwords ever end up on that list, and MyFitnessPal claims that most of the passwords in their database were hashed with Bcrypt. (So probably difficult to crack.)

How would an attacker use this information? Brute force attack on an account with known email address?

> Brute force attack on an account with known email address

Yup. These days I get a ton of break-in attempts for random accounts. My Epic Games account is disabled weekly due to failed login attempts from random actors.

Use a password manager and 2FA, folks!

> My Epic Games account is disabled weekly due to failed login attempts from random actors.

Everyone has this (source: some thread on Reddit with a bunch of "me too" answers). It's a bug with their system and I don't think they know about it/care/(?)

> It's a bug with their system

Confident about that? It's certainly not the only service I get break-in attempts on, fwiw.

Well first of all, someone else knowing your username should not be able to lock you out of your account. So even if it isn't a bug it's bad design.

It looks like you can still sign in even if your account is "locked" which further adds to the theory that it is a bug.

Here are a few threads with a bunch of "me too"s. [0][1]

[0] https://www.epicgames.com/fortnite/forums/battle-royale/roya... [1] https://www.epicgames.com/fortnite/forums/battle-royale/roya...

Also: smaller rainbow tables if you have some hashed passwords you want to reverse yourself

Better dictionary attacks

Don't put your email into this unless there is a way to download the database for offline use. The reason is, if HIBP is compromised, the hackers will know that even if your email is not pwned, it is likely important and will try to brute force it or use it to build a larger profile of you, such as for other services.
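Two points in the thread (the "Has my hashed password been broken?" check, and the offline-use preference above) can be demonstrated with one small script, and it also makes concrete why a fixed, client-known salt adds nothing. This is an added example, not code from the thread or from HIBP. It assumes the downloadable list is laid out as `UPPERCASE-SHA1:COUNT`, one entry per line (the layout as I understand the real download to be); the sample lines are constructed here from made-up plaintexts, so the counts are not real prevalence figures.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed weak plaintexts used only to build the sample list below.
WEAK_PLAINTEXTS = ["password", "123456", "qwerty", "letmein"]


def sha1_hex(text: str, salt: str = "") -> str:
    """Uppercase hex SHA-1 of salt + text. An empty salt reproduces the
    plain, unsalted scheme the list is assumed to use."""
    return hashlib.sha1((salt + text).encode("utf-8")).hexdigest().upper()


def build_sample_list(salt: str = "") -> List[str]:
    """Constructed 'HASH:COUNT' lines standing in for a downloaded file.
    Passing a salt simulates a list published under a fixed, public salt."""
    return [f"{sha1_hex(p, salt)}:{n}"
            for n, p in enumerate(WEAK_PLAINTEXTS, start=1)]


def load_list(lines: Iterable[str]) -> Dict[str, int]:
    """Parse HASH:COUNT lines into a lookup dict, skipping blank or
    malformed lines rather than failing on a slightly damaged file."""
    table: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        digest, _, count = line.partition(":")
        digest = digest.strip().upper()
        if len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
            continue
        try:
            table[digest] = int(count.strip())
        except ValueError:
            continue
    return table


def offline_check(password: str, table: Dict[str, int], salt: str = "") -> int:
    """Return how many times the password appears in the list (0 = absent).
    The hash is computed locally, so neither the password nor the email
    address is sent anywhere; this is the offline-use case from the thread."""
    return table.get(sha1_hex(password, salt), 0)


def fixed_salt_changes_nothing(password: str, salt: str) -> bool:
    """Show the thread's point about a constant salt: because every client
    must know the salt to query the list, anyone holding the list and the
    salt gets exactly the same answer as with the unsalted list."""
    plain = offline_check(password, load_list(build_sample_list()))
    salted = offline_check(password, load_list(build_sample_list(salt)), salt)
    return plain == salted


if __name__ == "__main__":
    table = load_list(build_sample_list())
    for candidate in ["password", "Tr0ub4dor&3-constructed-16"]:
        print(candidate, "->", offline_check(candidate, table))
    print("fixed salt changes result:",
          not fixed_salt_changes_nothing("password", "assumed-public-salt"))
```

Usage: point `load_list` at the real downloaded file instead of `build_sample_list()` and call `offline_check` for each password you want to vet; a non-zero count means the password is already in circulation and should be rotated. The `fixed_salt_changes_nothing` helper is there to make the salt discussion tangible: a salt only helps when the attacker does not know it, and a lookup service cannot keep it from its own clients.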

First torrent for just the plains from the list is available:

