As people's online lives grow, so does the recycling of their passwords: using the same password over and over again, or common, easy-to-remember words, in an attempt to make life easier. It has been a problem for many years, yet one on which companies have never really been given any direction on what to do.
NIST recently updated its guidelines on “Digital Identities”, which now tell organisations what to do.
Troy Hunt (@troyhunt) announced last week (22nd February) the release of his Have I been Pwned (HIBP) Password Pwned v2 list.
The v2 list has an increase from 320m unique passwords to over 500m unique passwords and has introduced API functionality to allow individuals and companies an opportunity to easily (and securely) test whether a password they use is on the Pwned list.
As stated in his blog post (link at the end), this is the “how” to NIST’s “what”.
This is done in the following way:
At this point it is important to highlight that your password has not been sent to pwnedpasswords.com, only the first 5 characters of the hashed password. This makes it impossible for Troy and his team, or anyone eavesdropping on your connection, to know what the actual password was.
Once the API call has been made, the following will happen:
Real World Applications
The ability to look up passwords is a great gimmick to show everyone how secure (or insecure) their passwords are, but it also has some fantastic real-world applications.
Some of these are:
- Check passwords at user sign-up. Thanks to the Cloudflare backend, the response from the database is very fast, averaging 15ms for cached lookups. This response time means you can quickly:
  - Query the API to discover if the password is on the Pwned list
  - Alert the user to the problem and ask them to enter something different
- Check user passwords at login time. This would again be simple and quick; if a password is identified as being on the list, redirect the user to update their password, with advice and guidance on picking a better one.
Now, these checks could easily be handled locally through scripting, ensuring that sensitive data is not transmitted over the network.
Although these examples would work well within a web-based environment, nothing stops the API being used within an application that is installed locally, ensuring that password recycling is kept to a minimum.
Another thing to note is that the entire database is available for download, meaning it is possible to perform these lookups offline and in bulk should you want to.
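To make the mechanism described above concrete (only a 5-character hash prefix leaves the client, and the match is decided locally) and to show how the sign-up and login checks above would hang off it, here is an added example. It is not code from Troy Hunt's post or from HIBP. It assumes the password is hashed with SHA-1 and that the range endpoint is `https://api.pwnedpasswords.com/range/<prefix>` returning `SUFFIX:COUNT` lines; both are facts about the real v2 service rather than statements on this page. The sample response is constructed, and the function names (`breach_count`, `signup_decision`, `fetch_range`) are mine.

```python
"""k-anonymity password check against a Pwned Passwords v2 range response."""
import hashlib
from typing import Dict, Tuple
from urllib.request import Request, urlopen

# v2 range endpoint (fact about the real service, not from the page): the
# client sends only the first 5 hex characters of the SHA-1 digest.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. The service
# returns one "SUFFIX:COUNT" line per hash sharing the prefix. The second
# suffix is the genuine SHA-1 tail of "password"; all counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E72D8C0A9D44A0C6D1A6E1E2F0D2A1B3C4:1\r\n"
)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the digest the API is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix that is sent and the 35-char suffix kept local."""
    if len(hex_digest) != 40:
        raise ValueError("expected a 40 hex character SHA-1 digest")
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map, skipping blank or malformed lines."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password: str, response_body: str) -> int:
    """How many times the password appears in the list (0 = not found). Decided entirely locally."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(response_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live query: only the prefix is sent. The service expects a User-Agent header."""
    req = Request(RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def signup_decision(password: str, response_body: str) -> str:
    """Policy hook for the sign-up / login checks: reject anything that appears in the list."""
    n = breach_count(password, response_body)
    if n:
        return f"reject: this password has appeared {n} times in known breaches, choose another"
    return "accept"


if __name__ == "__main__":
    prefix, _ = split_hash(sha1_hex("password"))
    print("prefix sent to the API:", prefix)          # 5BAA6
    print(signup_decision("password", SAMPLE_RANGE_RESPONSE))
    # For a real lookup (network access required) swap in the live response:
    # print(signup_decision("password", fetch_range(prefix)))
```

The same `breach_count` works unchanged against the downloadable full list: load the file's `HASH:COUNT` lines for the prefix you care about into the parser instead of the HTTP response body, and no network traffic is needed at all.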
The best use I can see for this would be for organisations trying to justify purchasing a password management system. We all know the companies that still have Excel documents lying around containing the keys to the system. Running those through this process would help IT managers justify the additional expense of purchasing a password management system!
Testing it for yourself
If you would like to test this for yourself, there are several community-driven resources to help you out.
It’s great to see resources like this made freely available on the internet.
If you would like to know any more information on this, or anything else on this blog, don’t hesitate to get in touch.