Password reuse and credential stuffing
Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.
NIST's guidance: check passwords against those obtained from previous data breaches
The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data are described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords, version 4 came in January 2019 along with the "Collection #1" data breach to bring the total to over 551M. Version 5 landed in July 2019 with a total count of 555M records, version 6 arrived June 2020 with almost 573M and finally, version 7 arrived November 2020 bringing the total passwords to over 613M.
I've heard that using the word "password" is easy to remember, too!

> My password is "safe" so it's always safe
The password you are using has been found in password dumps from various data breaches a total of 1,636 times. These breaches and password dumps are compiled at https://haveibeenpwned.com and this site checks that database for possible hits on a user's password.

> What does "Your password is known to be compromised on at least 1,636 other accounts." and/or "your password was found to be exposed" indicate?
It means the password, which you may think is unique, has been seen in these data breaches 1,636 times. It does not mean that an account you set up was part of a data breach, but the password you are using has been exposed and thus is not as secure as you would think.

> Does it mean that up to 1,636 other people use the same password on one or more of their accounts?
No, this site has not been compromised. It is a big internet with a lot of people, and something you thought was unique might, with large numbers, be not so unique.

> Does it mean that someone has hacked this website and can log in under my name? (The password I use to log in on this forum is the only time I have used that particular password.)
> Or does it mean something else?
No. From first post.

> Have I Been Pwned: Pwned Passwords - So by using this you test your password by giving them it. Anybody see the irony of this?????
Your password gets hashed into a hexadecimal string. Then the first 5 characters are queried against the database, which returns a set of complete hashes for those with matching starting characters. So a typical query against the database will return 300+ hashes. However, since we only sent the first few characters, the exchange doesn't compromise your password. We then see if the hashes returned to us include your password hash. If so, the password you are using has at some point been compromised.

> FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
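The lookup described above, as an added example that is not part of this thread or the forum's own code: the password is SHA-1 hashed, only the first five hex characters are handed to the service, and the returned suffixes are compared locally. The range response used here is constructed sample data (the counts are made up; only the suffix for "password" is a real SHA-1 tail), and the live fetch against https://api.pwnedpasswords.com/range/ is included for reference but never called by default.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for prefix 5BAA6:
# one "<35-hex suffix>:<count>" pair per line. Counts are made up; the
# 1E4C...8FD8 suffix is the real SHA-1 tail of the password "password".
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1636",
        "FC4C3C0B0E5B3D8B6A1F2E7C9D0A1B2C3D4:1",
    ]),
}

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Turn the SUFFIX:COUNT response lines into a lookup table."""
    table = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            table[suffix.upper()] = int(count)
    return table

def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, served from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

def live_fetch(prefix: str) -> str:
    """Real range query; only the 5-char prefix appears in the URL."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in the dataset (0 = not found).
    The full hash never leaves this function; fetch() only sees the prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

if __name__ == "__main__":
    print(breach_count("password"))  # 1636 against the constructed sample
```

Pass `live_fetch` as the second argument to query the real service; the request still carries nothing but the five-character prefix.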
"Pwned" is an old gamer's term for "Owned".

> Will this alert come up in the future if the site finds your password "Pwned" (never heard that word till now) or is this alert a one time thing?
Yes, it will pop up again if your password is still insecure.

> Will this alert come up in the future if the site finds your password "Pwned" (never heard that word till now) or is this alert a one time thing?
I stated this earlier on a different thread, but I will repeat here. I did change my password. But most disturbing is the reported 1956 password compromises! Where does this data come from?

> The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords
> If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.
> FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download