Password Recycling and the Pwned Password API

As peoples online lives increase, so does the recycling of their passwords. This refers to the act of using the same password over and over again, or common, easy to remember words in an attempt to make their lives easier It has been a problem for many years yet one that has never really been given any direction on what companies should do. 

NIST recently updated their guidelines on “Digital Identities” which now tells organisations what to do. 

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.

NIST Digital Identity Guidelines

Troy Hunt (@troyhunt) announced last week (22nd February) the release of his Have I been Pwned (HIBP) Password Pwned v2 list.

The v2 list has an increase from 320m unique passwords to over 500m unique passwords and has introduced API functionality to allow individuals and companies an opportunity to easily (and securely) test whether a password they use is on the Pwned list.

As stated in his blog post (link at the end) this is the how to NIST’s what.

This is done in the following way:

  • A user or application takes the password input and encrypts it using SHA1. This will give you a hash, similar to B2E98AD6F6EB8508DD6A14CFA704BAD7F05F6FB1
  • The first 5 characters of the hash value are recorded, so in the above instance B2E98
  • You send ONLY the five characters to the API URI - (make a web call to https://api.pwnedpasswords.com/range/B2E98)

At this point it is important to highlight that your password has not been sent to pwnedpasswords.com, only the first 5 characters of the hashed password. This makes it impossibly for Troy and his team, or anyone eavesdropping on your connection, to know what the actual password was.

Once the API call has been made, the following will happen:

  • The calling application will receive a list of corresponding stored hashes from the database (minus the first 5 characters), and the number of times that particular hash password has been used. Such as
    AA76715E97A5F0632BFA8F09661D1FF6520:2 ACB09FFEF1993313DFA034598AB5D6B31E9:2 ACED17D849FFA981939D10B2B3CBF12D916:12 ACF679BCF5A776B47348AA66EB653F284A9:1 AD6F6EB8508DD6A14CFA704BAD7F05F6FB1:20127
  • If your password is in the Pwned Password list, you will see a matching entry followed by the number of times the password appears in the list. You'll notice mine is:AD6F6EB8508DD6A14CFA704BAD7F05F6FB1:20127​
  • You then know, without transmitting any sensitive data, the password I used has appeared 20127 times (Password123 is fairly popular)

Real World Applications

The ability to lookup passwords is a great gimmick to show everyone how secure (or insecure) their passwords are but it also has some fantastic real-world applications.

Some of these are:

  • Check Passwords at user sign-up. Thanks to the Cloudflare backend the response of the database is very fast, averaging 15ms returns for cached lookups. This response means you can quickly:
    • SHA1 the user’s input (through Javascript locally on their machine)
    • Query the API to discover if the password is one on the Pwned List
    • Alert the user to the problem and quickly ask them to enter something different
  • Check user passwords at login time. This would again be simple and quick, however, if a password is identified as being on the list, redirect the user to update their password with advice and guidance on picking a better password.

Now, these could easily be handled locally through scripting ensuring that sensitive data is not transmitted over the network. 

Although these examples would work well within a web-based environment, nothing is stopping the API being used within an application that is installed locally ensuring that password recycling is kept to a minimum.

Another thing to note is that the entire database is available for download meaning it is possible to perform these lookups offline and in bulk should you want to. 

The best usage I can see for this would be for organisations trying to justify purchasing a password management system. We all know the companies that still have Excel documents lying around containing the keys to the system. Running it through this process would help IT Managers to justify the additional expense of purchasing a password system!

Testing it for yourself

If you would like to test this for yourself there are several community driven resources to help you out.

  1. HIBP PL PowerShell 
  2. Troy’s Original Blog with a LOT more information
  3. Have I been Pwned

It’s great to see resources like this made freely available on the internet.

If you would like to know any more information on this, or anything else on this blog, don’t hesitate to get in touch.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.