Stories
Slash Boxes
Comments

SoylentNews is people

Find Out If Your Password Has Been Pwned—Without Sending It to a Server

posted by cmn32480 on Wednesday February 28 2018, @03:03PM   Printer-friendly
from the now-I-have-to-change-the-code-on-my-luggage dept.

Fnord666 writes:

A new system that securely checks whether your passwords have been made public in known data breaches has been integrated into the widely used password manager, 1Password. This new tool lets customers find out if their passwords have been leaked without ever transmitting full credentials to a server.

Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API.

Within a day, the company AgileBits had integrated Hunt's new tool into the 1Password password manager. AgileBits' announcement describes how it works:

Troy's new service allows us to check your passwords while keeping them safe and secure. They're never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy's new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Source: https://arstechnica.com/information-technology/2018/02/new-tool-safely-checks-your-passwords-against-a-half-billion-pwned-passwords/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Find Out If Your Password Has Been Pwned—Without Sending It to a Server | Log In/Create an Account | Top | 25 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday February 28 2018, @04:34PM (4 children)

    by Anonymous Coward on Wednesday February 28 2018, @04:34PM (#645235)

    ********************************* that's right, just a bunch of stars. Put that in your cracker and watch your box smoke while it tries endless combinations of letters, numbers, symbols, and words. Fuck your dictionary!

    Starting Score:    0  points
    Moderation   +1  
       Funny=1, Total=1
    Extra 'Funny' Modifier   0  
    Total Score:   1  

  • (Score: 5, Funny) by realDonaldTrump on Wednesday February 28 2018, @05:01PM (2 children)

    by realDonaldTrump (6614) on Wednesday February 28 2018, @05:01PM (#645255) Homepage Journal

    People don't read the stories, nobody reads the stories here. Especially not the ones about cyber. Because cyber is hard. And to be perfectly honest with you, I didn't read this story. I read the story, I read it somewhere else. And the list comes from websites -- and other kinds of cyber -- that have been hacked. So even people that picked a VERY SMART password, their cyber can get onto that list. If they use that password on a website and THE WEBSITE gets hacked. Nobody hacked the password, it was a great password. But the WEBSITE had VERY DUMB administrators. And after the website is hacked, very easy to get the passwords. Even the best ones. Meaning, they hacked the password. No matter what it was. Somebody goes to the hacked website, maybe they go to another website too. And use the same password. Everybody does it, right? But the hacker KNOWS that password. Because he hacked the first site, he hacked that password. So, use that password on the 2nd website, it's a hacked password. And the hacker can get in without hacking the 2nd website. Modern cyber is a minefield, folks. You're like a great and very brave soldier.

    • (Score: 3, Insightful) by DeathMonkey on Wednesday February 28 2018, @07:15PM (1 child)

      by DeathMonkey (1380) on Wednesday February 28 2018, @07:15PM (#645318) Journal

      Maybe you should have your nephew look into it. I heard he's real good at cyber.

      • (Score: 2) by realDonaldTrump on Wednesday February 28 2018, @10:52PM

        by realDonaldTrump (6614) on Wednesday February 28 2018, @10:52PM (#645462) Homepage Journal

        Not my nephew Fred III, he went into real estate. And always had big problems with his health. The cerebral palsy, very expensive. Very sad, it was going to bankrupt the whole family, big lawsuit. But we settled that one very amicably. That's why I promised the American people, we’re going to have insurance for everybody. There was a philosophy in some circles that if you can’t pay for it, you don’t get it. That’s not going to happen with us.

        My little brother Robert went into cyber, into the cyber games. You've heard of the Id games, right? He bought that one, it's ZeniMax now.

        But my son, my youngest son, Bannon, he's the master of it. So good with computer! And he explains it so well. Much better than our Fake News MSM!

  • (Score: 2) by inertnet on Wednesday February 28 2018, @06:34PM

    by inertnet (4071) on Wednesday February 28 2018, @06:34PM (#645294) Journal

    Ah, but my box wouldn't have to smoke if I just use tried those 500 million passwords instead of endless combinations of stuff. I'd be hitting a substantial percentage of every password used worldwide, just with that half a billion of them.