2

I have just started to explore HIBP to check whether we can use HIBP in our public facing interfaces.

As per my reading, I have 3 options to check out.

  1. Download the password dictionary and implement my own breached password checker

  2. call HIBP api to check whether the given password is already breached

  3. Use one of the password managers to perform the task (as you mentioned in Troy Hunt's blogs: 1Password manager)

As a developer I prefer to choose either the 1st or 2nd option as I don't have to pay for it.

I wanted to check with you how reliable it is to use the 1st or 2nd option: How often does the password dictionary get updated?

What about the availability of the password dictionary/API? Are there any policies covering this? If so, do I need to pay for anything?

maya16
  • 121
  • 2
  • 4
    For everyone except Troy Hunt, this is going to be opinion-based. But in my experience (as someone who uses the API for password checking), it is reliable. And it is free (as in beer), and no plans to change that have been announced :) – Geir Emblemsvag Apr 12 '19 at 04:20
  • Thanks a lot for your comments. I am in a state to choose HIBP as my dictionary to check the breached passwords. Seems I can assume it is reliable as many people are already using it and HIBP is partnered with 1Password. – maya16 Apr 12 '19 at 05:11

2 Answers

2

The HaveIBeenPwned API is safe to use for checking leaked passwords, as neither the password nor its full hash is ever transmitted via the API. Here is how the API works:

  1. You hash the password to be checked.
  2. Send the first 5 characters of the hash to the HIBP API.
  3. The API returns the hashes of breached passwords that match the hash's starting characters.
  4. You check locally on your server whether the password hash is among the returned list.

To address your other points:

  1. The service is free.
  2. Yes, there is a policy about accepted usage.
  3. On the homepage of HIBP there is a section called Recently Added Breaches. At the time of writing, the most recent breach added is from Dec 2018; the data was leaked on the internet in Feb 2019 and added to the site in Apr 2019. You can also find the details on the Twitter account. On average it would seem that 10 data breaches are added per month.

Other options

Option 3 is more or less the same as it uses the same service in the background.

Among your options, I would choose either option 2 or 3, as they will be updated more regularly.

Kolappan N
  • 2,662
  • 14
  • 26
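The four steps above, carried out end to end, as an added example that is not from this answer or from HIBP's own client code. It runs offline against a constructed range response; the User-Agent app name and the hit count in the sample response are assumptions.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"
USER_AGENT = "ExampleBreachCheck/1.0"  # assumed app name; the API docs ask you to identify your app


def sha1_hex(password: str) -> str:
    """Step 1: hash the candidate password (HIBP uses uppercase hex SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Step 2: send only the 5-character prefix; the full hash never leaves the server."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Step 3: the response is one 'SUFFIX:COUNT' line per hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetcher=fetch_range) -> int:
    """Step 4: compare the remaining 35 characters locally; 0 means not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetcher(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
# The counts are made up; a real response lists several hundred suffixes.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
)


def sample_fetcher(prefix: str) -> str:
    """Offline stand-in for fetch_range, serving only the constructed 5BAA6 range."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(breach_count("password", sample_fetcher))          # 12345 (constructed count)
    print(breach_count("correct horse battery staple", sample_fetcher))  # 0
```

Passing the real `fetch_range` instead of `sample_fetcher` performs the live lookup; only the prefix is sent, so the check works the same way.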
1

I wanted to check with you how reliable it is to use the 1st or 2nd option: How often does the password dictionary get updated?

I have been using HIBP for over a year. Till now I haven't faced any downtime from their server. However, my requests to the API were blocked at some point, which I had to contact support to get sorted.

Below are the tips on how not to get blocked:

  1. Stick well within the published rate limit
  2. Don't distribute requests over multiple IP addresses in an attempt to circumvent the rate limit
  3. Only query the email addresses of people who have a reasonable expectation that you should do so
  4. Avoid prolonged querying of the API over an extended period of time
  5. Clearly identify your app in the user agent string per the API docs

However, the API docs are very clear on the do's and don'ts.

What about the availability of the password dictionary/API? Are there any policies covering this? If so, do I need to pay for anything?

Again, the answer to this is the same as above. HIBP uses a k-anonymity model to check weak passwords.

Altogether, there is no need to pay for anything! Just stick to the limits.

Gowtham
  • 983
  • 6
  • 13