
SoylentNews is people

posted by cmn32480 on Wednesday February 28 2018, @03:03PM
from the now-I-have-to-change-the-code-on-my-luggage dept.

A new system that securely checks whether your passwords have been made public in known data breaches has been integrated into the widely used password manager, 1Password. This new tool lets customers find out if their passwords have been leaked without ever transmitting full credentials to a server.

Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API.

Within a day, the company AgileBits had integrated Hunt's new tool into the 1Password password manager. AgileBits' announcement describes how it works:

Troy's new service allows us to check your passwords while keeping them safe and secure. They're never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy's new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
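The following Python script is an added illustration of the range-query ("k-anonymity") flow described above; it is not code from 1Password, AgileBits or Troy Hunt's service. The server side is a constructed in-process mock holding a handful of SHA-1 hashes with made-up occurrence counts, and it is assumed to answer a 5-character prefix with `SUFFIX:COUNT` lines, which is the shape the published Pwned Passwords range API uses. The point to watch is that the only thing that ever crosses the client/server boundary is the prefix, and the full-hash comparison happens on the client.

```python
import hashlib
from typing import Dict, List, Tuple

PREFIX_LEN = 5  # hex characters sent to the server (20 bits of the 160-bit hash)

# Constructed stand-in for the breach corpus: SHA-1 of a few notoriously
# weak passwords, each with a made-up occurrence count.
# "password" -> 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
# "123456"   -> 7C4A8D09CA3762AF61E59520943DC26494F8941B
_BREACHED_PLAINTEXTS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 3_500_000,
}
BREACH_CORPUS: Dict[str, int] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _BREACHED_PLAINTEXTS.items()
}

# Everything the mock server gets to see, so the test can prove that only
# prefixes ever reach it.
SERVER_LOG: List[str] = []


def sha1_hex(password: str) -> str:
    """Step 1: hash the password locally. Upper-case hex, as the service lists them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex string into the 5-char prefix that is
    transmitted and the 35-char suffix that stays on the client."""
    if len(full_hash) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


# ---------------- mock server side ----------------
def server_range_query(prefix: str) -> List[str]:
    """Mock of the range endpoint: given a 5-hex-char prefix, return one
    'SUFFIX:COUNT' line for every corpus hash that starts with it.
    The server learns nothing beyond the prefix it was asked about."""
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    SERVER_LOG.append(prefix)
    return [
        f"{h[PREFIX_LEN:]}:{count}"
        for h, count in sorted(BREACH_CORPUS.items())
        if h.startswith(prefix)
    ]


# ---------------- client side ----------------
def check_password(password: str, query=server_range_query) -> int:
    """Return the breach count for `password`, or 0 if it is not in the corpus.
    Only the hash prefix is sent; the suffix comparison is done here."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in query(prefix):
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw)
        verdict = f"seen {n} times, change it" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
    print("prefixes the server saw:", SERVER_LOG)
```

Because a 5-character prefix covers on the order of 2^20 buckets, each real query maps to several hundred candidate hashes in a half-billion-entry corpus, so the server cannot tell which of them (if any) the client was interested in; the client, on the other hand, needs nothing more than a string comparison against the returned list.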

Source: https://arstechnica.com/information-technology/2018/02/new-tool-safely-checks-your-passwords-against-a-half-billion-pwned-passwords/


  • (Score: 3, Informative) by pipedwho (2032) on Wednesday February 28 2018, @09:49PM (#645422)

    There's no need to use anything but lower case letters if your password is long enough.

    Sites that require certain characters (e.g. at least 1 number, 1 upper case, etc.) are less secure IMO, because they encourage people to use shorter passwords, most of which simply do the 'leet speak' replacement, which doesn't add much entropy to your password, while at the same time making it harder to remember.

    Even worse are places that make you change your password periodically (e.g. every 3 or 6 months). Dictionary attacks on password databases in those organisations find numerous passwords easily if they already have a previously compromised password. Simply because the vast majority of people use simple permutations of extra digits on their 'base' password (which is already of low entropy as they are now recommitting a newish password to memory each time, rather than spending the effort to memorise something longer and more secure). Far better is a company that only requires a password change if an 'exposure' occurs. Then people know to abandon the old password and create something new - hopefully that they can keep 'indefinitely' unless another hack occurs.

    Even NIST's current password policy recommendations explicitly say to avoid: password expiry, upper end length limits (within reason), and requiring obscure characters. They do recommend increasing the minimum length beyond the usual 6-8 characters.
