
posted by cmn32480 on Wednesday February 28 2018, @03:03PM
from the now-I-have-to-change-the-code-on-my-luggage dept.

A new system that securely checks whether your passwords have been made public in known data breaches has been integrated into the widely used password manager, 1Password. This new tool lets customers find out if their passwords have been leaked without ever transmitting full credentials to a server.

Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API.

Within a day, the company AgileBits had integrated Hunt's new tool into the 1Password password manager. AgileBits' announcement describes how it works:

Troy's new service allows us to check your passwords while keeping them safe and secure. They're never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy's new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
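The prefix-and-suffix flow quoted above is easy to get wrong at the edges (hex case, line parsing, what actually leaves the device), so here is an added worked example in Python. It is not code from 1Password, AgileBits or Troy Hunt's service; the network call is replaced by a constructed in-memory table so it runs offline. The "5BAA6" entry contains the real 35-character suffix of SHA-1("password"); every other suffix, the malformed line and all the counts are constructed filler, and the function names are this example's own.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the range endpoint (no network): maps a 5-hex-char
# prefix to the response body the server would return. The second line of the
# "5BAA6" body is the real suffix of SHA-1("password"); the other suffixes,
# the deliberately malformed line and all counts are constructed for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661",
        "0119CFA6F8FD97C4B5FED6AE9BB1A3F7AD7:1",
        "not-a-valid-line",
    ]),
}

PREFIX_LEN = 5
SUFFIX_LEN = 40 - PREFIX_LEN  # SHA-1 hex digest is 40 characters


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the uppercase hex digest into the
    5-character prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS range query. Only the 5-character prefix is sent;
    refuse anything else so a bug cannot leak more of the hash."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range queries take exactly 5 hex characters")
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != SUFFIX_LEN or not count.isdigit():
            continue
        matches[suffix.upper()] = int(count)
    return matches


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how often the password appears in the breach corpus (0 if absent).
    The server only ever sees the prefix; the suffix comparison is local."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        verdict = f"seen {n} times, change it" if n else "not in the list"
        print(f"{pw!r}: {verdict}")
```

The lookup for the second password returns 0 even if its prefix happened to collide with "5BAA6", because only a full-digest match counts; the prefix just selects which bucket of candidates to compare against locally. In a real client the `fetch` parameter would wrap the HTTPS call, which keeps the hashing and comparison logic testable without touching the network.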

Source: https://arstechnica.com/information-technology/2018/02/new-tool-safely-checks-your-passwords-against-a-half-billion-pwned-passwords/



  • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @03:08PM (7 children)

    by Anonymous Coward on Wednesday February 28 2018, @03:08PM (#645169)

    Just think, if the list of leaked passwords was *much* longer, it would approach all the possible combinations (up to some character length)...at which point the scan would take as long as if there were no leaked passwords.

    • (Score: 4, Funny) by Runaway1956 on Wednesday February 28 2018, @03:19PM (4 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday February 28 2018, @03:19PM (#645175) Journal

      This is for sissies anyway. I just type my passwords into Google, to see which ones have been leaked.

      • (Score: 2, Funny) by Anonymous Coward on Wednesday February 28 2018, @04:10PM (2 children)

        by Anonymous Coward on Wednesday February 28 2018, @04:10PM (#645209)

        I did the same thing:

        hunter2
        About 3,450,000 results (0.23 seconds)

        • (Score: 2) by DeathMonkey on Wednesday February 28 2018, @07:12PM (1 child)

          by DeathMonkey (1380) on Wednesday February 28 2018, @07:12PM (#645317) Journal

          Security through obscurity?

          • (Score: 1, Funny) by Anonymous Coward on Wednesday February 28 2018, @08:56PM

            by Anonymous Coward on Wednesday February 28 2018, @08:56PM (#645392)

            Uh, have you SEEN runaway's password?

            It's security through obscenity.

      • (Score: -1, Spam) by Anonymous Coward on Wednesday February 28 2018, @04:14PM

        by Anonymous Coward on Wednesday February 28 2018, @04:14PM (#645212)

        The woman spasmed and gurgled. The man, who had firmly believed she was dead, became furious. Why was this woman - this monster - clinging to life in utter defiance of a man!? The man became frightened of the monster, but then realized that the only way to end oppression was to fight back against it. He gathered his courage and then pummeled her with his fists until every last scrap of motion was taken from her.

        However, even after emerging victorious, the psychological scars the woman inflicted upon the man remained yet still. Some might wonder: Will men's rights ever be respected?

    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @04:33PM

      by Anonymous Coward on Wednesday February 28 2018, @04:33PM (#645234)

      Not if the list is sorted. Hint: Binary search.

    • (Score: 2) by Immerman on Wednesday February 28 2018, @04:48PM

      by Immerman (3985) on Wednesday February 28 2018, @04:48PM (#645244)

      Considering that there are well over 56 billion possible 6-character passwords (using just numbers and upper- and lower-case English letters), somehow I suspect that even a leak of every password ever used by anyone for any purpose would *still* drastically reduce the search-space.

  • (Score: 2) by Bot on Wednesday February 28 2018, @03:33PM (3 children)

    by Bot (3902) on Wednesday February 28 2018, @03:33PM (#645185) Journal

    > Security researcher Troy Hunt
    looks totally legit

    --
    Account abandoned.
    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @03:54PM (1 child)

      by Anonymous Coward on Wednesday February 28 2018, @03:54PM (#645197)

      Sounds better than Mike Hunt anyway.

      • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @05:29PM

        by Anonymous Coward on Wednesday February 28 2018, @05:29PM (#645268)

        Or Dick Hertz, or Ray Gunn, or Erasmus B. Draggin..

    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @04:23PM

      by Anonymous Coward on Wednesday February 28 2018, @04:23PM (#645226)

      I thought Troy Hunt was Heinrich Schliemann's pseudonym!

  • (Score: 3, Insightful) by requerdanos on Wednesday February 28 2018, @04:19PM (2 children)

    by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @04:19PM (#645222) Journal

    Find Out If Your Password Has Been Pwned—Without Sending It to a Server

    Yeah, you just type it here, and it shows up as *'s. Example: *******

    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @06:59PM (1 child)

      by Anonymous Coward on Wednesday February 28 2018, @06:59PM (#645307)

      So, this should show up as *s then, right?

            hunter2

      Did that work?

      • (Score: 2) by requerdanos on Wednesday February 28 2018, @07:29PM

        by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @07:29PM (#645329) Journal

        So, this should show up as *s then, right?

                    hunter2

        Did that work?

        I don't understand. Are you just putting *'s, or is that the password? It says "*******" here.

  • (Score: 2) by Nerdfest on Wednesday February 28 2018, @04:31PM (3 children)

    by Nerdfest (80) on Wednesday February 28 2018, @04:31PM (#645231)

    I'm sure this would work just fine, but I'd have to start using passwords longer than five characters. Next thing you know they'll want us to start using uppercase letters and numbers.

    • (Score: 1) by Sulla on Wednesday February 28 2018, @04:43PM (1 child)

      by Sulla (5173) on Wednesday February 28 2018, @04:43PM (#645242) Journal

      I have heard rumor that some services are considering requiring special characters and numbers.

      Verily, this has gone too far.

      --
      Ceterum censeo Sinae esse delendam
      • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @05:26PM

        by Anonymous Coward on Wednesday February 28 2018, @05:26PM (#645264)

        Just wait. Soon they will require one character from U+0100-U+0FFF, one from U+1000-U+FFFF, and one from U+10000 and above.

    • (Score: 3, Informative) by pipedwho on Wednesday February 28 2018, @09:49PM

      by pipedwho (2032) on Wednesday February 28 2018, @09:49PM (#645422)

      There's no need to use anything but lower case letters if your password is long enough.

      Sites that require certain characters (eg. at least 1 number, 1 upper case, etc) are less secure IMO, because they encourage people to use shorter passwords, most of which simply do the 'leet speak' replacement, which doesn't add much entropy to your password, while at the same time making it harder to remember.

      Even worse are places that make you change your password periodically (eg. every 3 or 6 months). Dictionary attacks on password databases in those organisations find numerous passwords easily if they already have a previously compromised password. Simply because the vast majority of people use simple permutations of extra digits on their 'base' password (which is already of low entropy as they are now recommitting a newish password to memory each time, rather than spending the effort to memorise something longer and more secure). Far better is a company that only requires a password change if an 'exposure' occurs. Then people know to abandon the old password and create something new - hopefully that they can keep 'indefinitely' unless another hack occurs.

      Even NIST's current password policy recommendations explicitly say to avoid: password expiry, upper end length limits (within reason), and requiring obscure characters. They do recommend increasing the minimum length beyond the usual 6-8 characters.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday February 28 2018, @04:34PM (4 children)

    by Anonymous Coward on Wednesday February 28 2018, @04:34PM (#645235)

    ********************************* that's right, just a bunch of stars. Put that in your cracker and watch your box smoke while it tries endless combinations of letters, numbers, symbols, and words. Fuck your dictionary!

    • (Score: 5, Funny) by realDonaldTrump on Wednesday February 28 2018, @05:01PM (2 children)

      by realDonaldTrump (6614) on Wednesday February 28 2018, @05:01PM (#645255) Homepage Journal

      People don't read the stories, nobody reads the stories here. Especially not the ones about cyber. Because cyber is hard. And to be perfectly honest with you, I didn't read this story. I read the story, I read it somewhere else. And the list comes from websites -- and other kinds of cyber -- that have been hacked. So even people that picked a VERY SMART password, their cyber can get onto that list. If they use that password on a website and THE WEBSITE gets hacked. Nobody hacked the password, it was a great password. But the WEBSITE had VERY DUMB administrators. And after the website is hacked, very easy to get the passwords. Even the best ones. Meaning, they hacked the password. No matter what it was. Somebody goes to the hacked website, maybe they go to another website too. And use the same password. Everybody does it, right? But the hacker KNOWS that password. Because he hacked the first site, he hacked that password. So, use that password on the 2nd website, it's a hacked password. And the hacker can get in without hacking the 2nd website. Modern cyber is a minefield, folks. You're like a great and very brave soldier.

      • (Score: 3, Insightful) by DeathMonkey on Wednesday February 28 2018, @07:15PM (1 child)

        by DeathMonkey (1380) on Wednesday February 28 2018, @07:15PM (#645318) Journal

        Maybe you should have your nephew look into it. I heard he's real good at cyber.

        • (Score: 2) by realDonaldTrump on Wednesday February 28 2018, @10:52PM

          by realDonaldTrump (6614) on Wednesday February 28 2018, @10:52PM (#645462) Homepage Journal

          Not my nephew Fred III, he went into real estate. And always had big problems with his health. The cerebral palsy, very expensive. Very sad, it was going to bankrupt the whole family, big lawsuit. But we settled that one very amicably. That's why I promised the American people, we’re going to have insurance for everybody. There was a philosophy in some circles that if you can’t pay for it, you don’t get it. That’s not going to happen with us.

          My little brother Robert went into cyber, into the cyber games. You've heard of the Id games, right? He bought that one, it's ZeniMax now.

          But my son, my youngest son, Bannon, he's the master of it. So good with computer! And he explains it so well. Much better than our Fake News MSM!

    • (Score: 2) by inertnet on Wednesday February 28 2018, @06:34PM

      by inertnet (4071) on Wednesday February 28 2018, @06:34PM (#645294) Journal

      Ah, but my box wouldn't have to smoke if I just tried those 500 million passwords instead of endless combinations of stuff. I'd be hitting a substantial percentage of every password used worldwide, just with that half a billion of them.

  • (Score: 2) by pkrasimirov on Wednesday February 28 2018, @07:31PM

    by pkrasimirov (3358) Subscriber Badge on Wednesday February 28 2018, @07:31PM (#645331)

    Fnord666 Awesome, thank you!
