Password Alerts


horseUSA

Administrator
Staff
Admin
Mod
3,185
580
Mar 10, 2003
Florida, USA
ww2aircraft.net
The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time, the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords

If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.

FYI, your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Password reuse and credential stuffing

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.


NIST's guidance: check passwords against those obtained from previous data breaches

The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords, version 4 came in January 2019 along with the "Collection #1" data breach to bring the total to over 551M. Version 5 landed in July 2019 with a total count of 555M records, version 6 arrived June 2020 with almost 573M and finally, version 7 arrived November 2020 bringing the total passwords to over 613M.
 
Hey horseUSA,

What does "Your password is known to be compromised on at least 1,636 other accounts." and/or "your password was found to be exposed" indicate?

Does it mean that up to 1,636 other people use the same password on one or more of their accounts?

Does it mean that someone has hacked this website and can log in under my name? (The password I use to log in on this forum is the only time I have used that particular password.)

Or does it mean something else?
 
A password Pro-Tip:
Just about every electronic device in your household has a serial number, most often alphanumeric, which makes the best passwords.

They are extremely hard to "crack", easy to remember and change (October is DVD player month, November is coffee maker month, December is guest bedroom TV month, etc.), and manufacturers' serial number archives are rarely hacked and almost never connected to a consumer purchase.
 
But on a serious note. Longer passwords are more difficult to break. So it's good practice to use a password sentence instead of a word, for instance: "ThisPasswordIsDifficultToBreak"

Having said that, no secure password is really secure if it gets stolen. So rule number one is: never reuse a password. Using the same password on different sites is asking to be hacked. David's tool is helping you to recognise that your password has leaked somewhere. If you get the alert you probably used your password multiple times. Make sure you won't make that mistake again.
 
What does "Your password is known to be compromised on at least 1,636 other accounts." and/or "your password was found to be exposed" indicate?
The password you are using has been found in password dumps from various data breaches a total of 1,636 times. These breaches and password dumps are compiled at https://haveibeenpwned.com and this site checks that database for possible hits on users' passwords.

Does it mean that upto 1,636 other people use the same password on one or more of their accounts?
It means the password, which you may think is unique, has been seen in these data breaches 1,636 times. It does not mean that an account you set up was part of a data breach, but the password you are using has been exposed and thus is not as secure as you would think.

Does it mean that someone has hacked this website and can log in under my name? (The password I use to log in on this forum is the only time I have used that particular password.)

Or does it mean something else?
No, this site has not been compromised. It is a big internet with a lot of people, and something you thought was unique might, with large numbers, be not so unique.

Like was stated above, some of the best passwords are a sentence-like setup with words that are known to you but in combination would be hard to discern.

[Image: password_strength.png]
 
Have I Been Pwned: Pwned Passwords - So by using this you test your password by giving them it. Anybody see the irony of this?????
No. From first post.

FYI, your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
Your password gets hashed into a hexadecimal string. Then the first 5 characters are queried against the database. Which returns a set of complete hashes for those with matching starting characters. So a typical query against the database will return 300+ hashes. However since we only sent first few characters, the exchange doesn't compromise your password. We then see if the hashes returned to us have your password hash included. If so the password you are using has at some point been compromised.
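The range query described above, written out as an added example (not the forum's code or Have I Been Pwned's). The breached-password corpus and its counts are constructed for the example, except the 3,861,493 figure for "password" quoted later in this thread; a mock stands in for the remote service so it runs offline, and the only thing that crosses the "wire" is the five-character hash prefix.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords corpus (password -> times seen).
# Only the "password" count is taken from the thread; the rest are made up.
MOCK_BREACH_CORPUS: Dict[str, int] = {
    "password": 3861493,
    "letmein": 17,
    "Spitfire1940": 1,
}

def sha1_hex(password: str) -> str:
    """Hash the password the way the service expects: uppercase hex SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: group full hashes by their first 5 hex characters,
    storing each as 'SUFFIX:COUNT' (the remaining 35 characters plus count)."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index

def mock_range_api(index: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Return a lookup function that behaves like the range endpoint:
    it receives only a 5-character prefix and returns every suffix under it."""
    def lookup(prefix: str) -> List[str]:
        if len(prefix) != 5:
            raise ValueError("range lookups take exactly 5 hex characters")
        return index.get(prefix.upper(), [])
    return lookup

def pwned_count(password: str, range_lookup: Callable[[str], List[str]]) -> int:
    """Client side: send only the prefix, then match the suffix locally.
    Returns how many times the password was seen in breaches (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0

# Wire the constructed corpus to the mock service.
LOOKUP = mock_range_api(build_range_index(MOCK_BREACH_CORPUS))

if __name__ == "__main__":
    for pw in ("password", "Spitfire1940", "a-constructed-unique-passphrase"):
        print(f"{pw!r}: seen {pwned_count(pw, LOOKUP)} time(s)")
```

A non-zero count means only that the password string itself appears in breach data, not that this forum or your account was breached.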
 
Will this alert come up in the future if the site finds your password "Pwned" (never heard that word 'til now), or is this alert a one-time thing?
 
The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time, the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords

If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.

FYI, your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
I stated this earlier on a different thread, but I will repeat here. I did change my password. But most disturbing is the reported 1956 password compromises! Where does this data come from?
 

This list shows most recent breaches.

The collection of accounts and passwords comes from data breaches, which happen more often than you'd think. The number of password compromises is high for weaker passwords that many users are using.

As an example, years ago LinkedIn was breached and the password I used showed up on this list, but it was only a count of 1.

However if you check the password: "password" on the site you get a count of 3,861,493

The difference was that the password I used was unique, thus one hit, but "password" was used by many more accounts, thus more hits. So the higher the count, the more the password has shown up in breaches, which typically means it's weaker and simultaneously used by more people.
 
