Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Wednesday February 28 2018, @03:03PM   Printer-friendly
from the now-I-have-to-change-the-code-on-my-luggage dept.

A new system that securely checks whether your passwords have been made public in known data breaches has been integrated into the widely used password manager, 1Password. This new tool lets customers find out if their passwords have been leaked without ever transmitting full credentials to a server.

Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API.

Within a day, the company AgileBits had integrated Hunt's new tool into the 1Password password manager. AgileBits' announcement describes how it works:

Troy's new service allows us to check your passwords while keeping them safe and secure. They're never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy's new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Source: https://arstechnica.com/information-technology/2018/02/new-tool-safely-checks-your-passwords-against-a-half-billion-pwned-passwords/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @03:08PM (7 children)

    by Anonymous Coward on Wednesday February 28 2018, @03:08PM (#645169)

    Just think, if the list of leaked passwords was *much* longer, it would approach all the possible combinations (up to some character length)...at which point the scan would take as long as if there were no leaked passwords.

  • (Score: 4, Funny) by Runaway1956 on Wednesday February 28 2018, @03:19PM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday February 28 2018, @03:19PM (#645175) Journal

    This is for sissies anyway. I just type my passwords into Google, to see which ones have been leaked.

    • (Score: 2, Funny) by Anonymous Coward on Wednesday February 28 2018, @04:10PM (2 children)

      by Anonymous Coward on Wednesday February 28 2018, @04:10PM (#645209)

      I did the same thing:

      hunter2
      About 3,450,000 results (0.23 seconds)

      • (Score: 2) by DeathMonkey on Wednesday February 28 2018, @07:12PM (1 child)

        by DeathMonkey (1380) on Wednesday February 28 2018, @07:12PM (#645317) Journal

        Security through obscurity?

        • (Score: 1, Funny) by Anonymous Coward on Wednesday February 28 2018, @08:56PM

          by Anonymous Coward on Wednesday February 28 2018, @08:56PM (#645392)

          Uh, have you SEEN runaway's password?

          It's security through obscenity.

    • (Score: -1, Spam) by Anonymous Coward on Wednesday February 28 2018, @04:14PM

      by Anonymous Coward on Wednesday February 28 2018, @04:14PM (#645212)

      The woman spasmed and gurgled. The man, who had firmly believed she was dead, became furious. Why was this woman - this monster - clinging to life in utter defiance of a man!? The man became frightened of the monster, but then realized that the only way to end oppression was to fight back against it. He gathered his courage and then pummeled her with his fists until every last scrap of motion was taken from her.

      However, even after emerging victorious, the psychological scars the woman inflicted upon the man remained yet still. Some might wonder: Will men's rights ever be respected?

  • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @04:33PM

    by Anonymous Coward on Wednesday February 28 2018, @04:33PM (#645234)

    Not if the list is sorted. Hint: Binary search.

  • (Score: 2) by Immerman on Wednesday February 28 2018, @04:48PM

    by Immerman (3985) on Wednesday February 28 2018, @04:48PM (#645244)

    Considering that there are well over 56 billion possible 6-character passwords (using just numbers and upper- and lower-case English letters), somehow I suspect that even a leak of every password ever used by anyone for any purpose would *still* drastically reduce the search-space.