
My understanding of Have I Been Pwned is that it checks your password to see if someone else in the world has used it.

This really doesn't seem that useful to me. It seems equivalent to asking if anyone in the world has the same front door key as me. Statistically, I would assume yes, but without knowing where I live... who cares?

So have I misunderstood what HIBP does or am I underestimating its value because I'm misunderstanding some principle of security?

EDIT

Turns out there was more to the site than I understood. I was referring specifically to the password feature.

Dancrumb

  • Where did you come to this understanding? The FAQ clearly explains the site. – schroeder Feb 26 '18 at 19:30
  • On the fundamental difference of internet security and physical security and why analogies between the two tend to break down: https://www.youtube.com/watch?v=VPBH1eW28mo – David Foerster Feb 26 '18 at 22:37

8 Answers

Disclaimer: I am the author, creator, owner and maintainer of Have I Been Pwned and the linked Pwned Passwords service.

Let me clarify all the points raised here:

The original purpose of HIBP was to enable people to discover where their email address had been exposed in data breaches. That remains the primary use case for the service today and there's almost 5B records in there to help people do that.

I added Pwned Passwords in August last year after NIST released a bunch of advice about how to strengthen authentication models. Part of that advice included the following:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses.

That's what Pwned Passwords addresses: NIST advised "what" you should do but didn't provide the passwords themselves. My service addresses the "how" part of it.

Now, practically, how much difference does it make? Is it really as you say in that it's just like a one in a million front door key situation? Well firstly, even if it was, the IRL example breaks down because there's no way some anonymous person on the other side of the world can try your front door key on millions of doors in a rapid-fire, anonymous fashion. Secondly, the distribution of passwords is in no way linear; people choose the same crap ones over and over again and that puts those passwords at much higher risks than the ones we rarely see. And finally, credential stuffing is rampant and it's a really serious problem for organisations with online services. I continually hear from companies about the challenges they're having with attackers trying to log in to people's accounts with legitimate credentials. Not only is that hard to stop, it may well make the company liable - this popped up just last week: "The FTC's message is loud and clear: If customer data was put at risk by credential stuffing, then being the innocent corporate victim is no defence to an enforcement case" https://biglawbusiness.com/cybersecurity-enforcers-wake-up-to-unauthorized-computer-access-via-credential-stuffing/

Having seen a password in a data breach before is only one indicator of risk and it's one that each organisation using the data can decide how to handle. They might ask users to choose another one if it's been seen many times before (there's a count next to each one), flag the risk to them or even just silently mark the account. That's one defence along with MFA, anti-automation and other behavioural based heuristics. It's merely one part of the solution.

And incidentally, people can either use the (freely available) k-Anonymity model via API which goes a long way to protecting the identity of the source password or just download the entire set of hashes (also freely available) and process them locally. No licence terms, no requirement for attribution, just go and do good things with it :)

Troy Hunt

  • Straight from the horse's mouth! Thanks Troy. For the avoidance of doubt, I certainly didn't intend to impugn your work... I was pretty sure that *I* was missing something. – Dancrumb Feb 27 '18 at 03:34
  • @Troy - many thanks for giving us this. I know you have it all on the site itself, but it's valuable to have this post here! – Rory Alsop Feb 27 '18 at 09:42
  • To clarify for people who are not familiar with Troy, he [is the creator of HIBP](https://haveibeenpwned.com/About). – Tom K. Feb 27 '18 at 15:39
  • RE: Credential stuffing / password reuse, the [obligatory XKCD](https://www.xkcd.com/792/). Also, thank you Troy, for putting together the Pwned Passwords service; I've been recommending that approach since long before the updated NIST guidelines but was hampered by lack of a good public corpus to point people at. – CBHacking Feb 28 '18 at 08:37
  • And [the explanation for xkcd 792](https://www.explainxkcd.com/wiki/index.php/792:_Password_Reuse). – Peter Mortensen Mar 04 '18 at 13:43
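The answer above describes two ways a verifier can consume Pwned Passwords: the k-Anonymity range API, where only the first five hex characters of the password's SHA-1 are sent and the rest is matched locally, and a downloaded copy of the hash set processed entirely offline, with the per-password count feeding a policy of reject, warn, or silently flag. The following is an added example illustrating both, written for this page; it is not code from Troy Hunt's answer or from the HIBP project. It assumes the "SUFFIX:COUNT" response line shape and "HASH:COUNT" corpus line shape, replaces the network fetch with an offline stand-in fed constructed sample data, and uses REJECT_THRESHOLD as an example policy value that the service itself does not prescribe.

```python
"""Added example, not code from Troy Hunt's answer or from the HIBP project.

Demonstrates the two ways the answer says Pwned Passwords can be consumed:
  (1) the k-anonymity range API: hash the candidate locally, send only the first
      5 hex characters of the SHA-1, and match the remaining 35 locally, so the
      full hash never leaves the client;
  (2) the downloaded corpus, processed locally as "SHA1HASH:COUNT" lines.

Assumptions (not taken from the page): the line shapes "SUFFIX:COUNT" and
"HASH:COUNT", the constructed sample data below, the offline stand-in for the
network fetch, and REJECT_THRESHOLD, an example policy value, not HIBP's.
"""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password; this is how the corpus is keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(digest: str) -> Tuple[str, str]:
    """5-character prefix sent to the server, 35-character suffix kept locally."""
    return digest[:5], digest[5:]


def parse_count_lines(body: str) -> Dict[str, int]:
    """Parse 'KEY:COUNT' lines (range response or corpus); tolerates CRLF and blanks."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, count = line.partition(":")
        if not sep:
            continue  # skip a malformed line rather than failing the whole check
        table[key.upper()] = int(count)
    return table


def range_lookup(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity query. Returns the breach count, or 0 if the password is not in the corpus."""
    prefix, suffix = split_for_range(sha1_hex(password))
    assert len(prefix) == 5  # only the prefix is ever sent
    return parse_count_lines(fetch_range(prefix)).get(suffix, 0)


def local_lookup(password: str, corpus: Dict[str, int]) -> int:
    """Same check against a locally held copy of the corpus; nothing is sent anywhere."""
    return corpus.get(sha1_hex(password), 0)


REJECT_THRESHOLD = 1  # example policy: any prior sighting in a breach rejects the password


def password_decision(count: int, threshold: int = REJECT_THRESHOLD) -> str:
    """Map a breach count to the responses the answer describes: accept, warn, or reject."""
    if count == 0:
        return "accept"
    if count >= threshold:
        return "reject"
    return "warn"


# Constructed sample data. The real range endpoint is
# https://api.pwnedpasswords.com/range/<prefix>; the stand-in below makes no network call.
# "1E4C9B93F3F0682250B6CF8331B7EE68FD8" is the genuine suffix of SHA-1("password");
# the counts and the other suffixes are made up for this example.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    ]),
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for an HTTPS GET of /range/<prefix>; unknown prefixes get an empty body."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


CONSTRUCTED_CORPUS = parse_count_lines(
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"  # SHA-1("password"), constructed count
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:7654321\n"  # SHA-1("123456"), constructed count
)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n_api = range_lookup(candidate, constructed_fetch_range)
        n_local = local_lookup(candidate, CONSTRUCTED_CORPUS)
        print(f"{candidate!r}: api={n_api} local={n_local} -> {password_decision(n_api)}")
```

Swapping `constructed_fetch_range` for a function that performs the real HTTPS GET is the only change needed to use the live service; the prefix/suffix split is what keeps the check k-anonymous, since the server only ever learns which of roughly a million buckets the hash falls into. Because the range API returns every hash in the bucket, a client that logs the full response leaks nothing about the specific password either.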

This answer refers solely to the original HIBP part of Troy's site, before the question was updated. Please read Troy's post for specifics on the Pwned Passwords section of it.

That is not at all what it is for. It isn't actually even an indication if it has been used - just an indication that it has been leaked.

Its use comes in knowing that attackers are likely to have your email address and password...

Which they can then use anywhere you have used that set of credentials. And it is an amazingly successful attack technique.

Obviously, if you only ever use a password on one particular site, and it bears no relationship to passwords used on other sites, then once you change that password you are as safe as you can be. In fact, the general guidance is that the key trigger for password change should be suspicion of a breach.

You do that, right?

Rory Alsop

Yes, someone in the world will have the same front door key as you because (for a common type of lock) there are only 5^6 = 16 000 possible combinations. But for a door key, you need to physically try each house before you get in anywhere. In the digital world, you can try a million 'houses' in a few minutes.

A password of 8 alphanumeric characters (a-z, A-Z, and 0-9) already has (26+26+10)^8 = 218 340 000 000 000 combinations, so with only 8 billion people on the planet, it's unlikely many people have the same one. If you share a password with someone else, that means your pick wasn't random enough, and therefore it is probably guessable by an attacker as well.

When doing pentests, one of the things we do is look for @<company>.com addresses in public data breaches. We often find at least a hash (which we can often crack), and sometimes we even find plaintext passwords. Those passwords, used on random websites, are sometimes also working credentials on company servers.

Password reuse is a big problem if you use the wrong password in a place which later gets hacked. HaveIBeenPwned tells you whether this applies to you, and if so, where. You know where else you used that password so you can change it.

But looking for a password is only part of the site. I think the "where did breaches occur" part (identified by your username or email address) is equally or more useful, as you will know which passwords it involved and which need changing.

Luc

Password space is potentially huge, so attacks often aim at what are hoped to be popular subsets of it, namely anything known to already have been used. Have I Been Pwned aims to make that kind of attack less useful by letting everyone know what is known to be in that list, so they can be avoided.

The chance of someone else having used the same (good) password as you is vanishingly small. The much much more likely case of finding you use a password in the list is that it is proof that your password has been leaked.

But even that isn't actually the important takeaway: a password in the list is not secure. Even if it hasn't been used to violate your account yet, it will be. If you have a password in the list, change it now, and think seriously about what problems could come up if whatever was protected by that password was released.

Also comparing computer security to physical security has some pretty big limitations: Going to places with a physical key is billions of times harder than making a digital connection with a digital key.

It would be silliness to bring thousands of physical keys to try and unlock my front door to break in. Trying thousands of digital keys on servers happens every second.

It would be silliness having found my key to drive around town trying it on every door. Trying known passwords on guessed names is apparently actually viable judging by how commonly it is tried.

Even if I publish my house key and address you still need to get to it to do anything bad, and chances are there is nothing in my house worth traveling 1000 miles to get. If digital credentials are published it takes almost no effort to exploit them from anywhere in the world.


Telling you if your password has been used elsewhere is really only a small part of it, and it's not just that the password has been used; it's that it's been used and breached, meaning it's probably in several brute-force and dictionary lists by now, and your account may be more likely to be compromised if it has a password that has been compromised and dumped.

Another key part of it is subscribing to the breach service with your email address: in the case that a password dump is provided to HIBP and your username or email address is in there, you are notified so that you can change the password for that service and anywhere else where you may use that password.

iainpb

I was going to make this a comment, but it just kept getting longer.

The website as described to be understood sounds more like the "passwords" section of HIBP rather than the main page, which has other goals. See the passwords section blog post.

The "passwords" section helps little more than to tell you if you have a very bad password that is easily guessable. These passwords are easily guessable because commonly-used passwords make for a good dictionary attack. A dictionary attack, poorly described, basically is that were anyone to try to target you or your account, they would definitely try these passwords first.

You make mention of 1Password using this feature of HIBP. I haven't heard this news, but it would make sense: 1Password wants to encourage use of good passwords, so making sure their customers' passwords aren't ones that are in this very-probable-password dictionary is a great step.

The main page of HIBP is a little different: one enters their email address into the main page to answer the different question, "have my credentials been leaked in any of the major publicly-known hacks?"

For example, when I put my email address in, I am informed that in at least one specific hack, "Email addresses, IP addresses, Passwords, Usernames" were leaked. In addition to now needing to make efforts to regain control over that account, it tells me some other things: if I have ever used that same password anywhere else, this is a reminder that that is a terrible idea and I need to change it. It also gives me a clue if I start receiving new spam at my email, etc.

Tyrannosaur

HIBP's purpose/use is twofold.

The first use is to figure out if you are using a common password known by attackers. If this is the case, it makes attackers' jobs a lot easier since they try all the common passwords first.

The second reason is a little more complex.

In a perfect world, everyone uses a long, randomly generated password (as they should). Under this assumption, "having the same front door key" is extremely unlikely, to the point that you might as well assume the leaked credential is yours. If you know that a given password was compromised, you would look in your password manager to figure out which site was hacked and needs your attention (so you can change your login credentials). It is not uncommon for companies to not know that they were hacked until after your passwords are out in the wild.

The third use is to show that your nephew's clever "life-hack" of using qwerty as a password for everything isn't as "clever" as he thought, at least considering that it's one of the most popular passwords, therefore one of the first to be cracked by attackers.

user196499

I've used HIBP to teach the importance of unique passwords to non-technical staff. This follows my talk about a password manager and rolling new passwords occasionally or when one has been compromised on an account.

schroeder