Checking if my passwords are among the stolen ones
There is a new big case of stolen login/password data in the news:
https://www.forbes.com/sites/daveywinder/2019/01/17/collection-1-more-than-770m-people-pwned-in-biggest-stolen-data-dump-yet/?ss=cybersecurity#1cc1b07e509f
At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. this one:
https://haveibeenpwned.com
Is it safe to enter my email address there to find out whether I need to change my passwords?
passwords breach
asked 3 hours ago
godwanagodwana
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
There is a new big case of stolen login/password data in the news:
https://www.forbes.com/sites/daveywinder/2019/01/17/collection-1-more-than-770m-people-pwned-in-biggest-stolen-data-dump-yet/?ss=cybersecurity#1cc1b07e509f
At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. this one:
https://haveibeenpwned.com
Is it safe to enter my email address there to find out whether I need to change my passwords?
passwords breach
asked 3 hours ago
godwanagodwana
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
4
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
3 hours ago
3
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
2 hours ago
To be honest - can it be - has it been - independantly verified thathaveibeenpwned.comis safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)
– Martin
1 hour ago
1
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
1 hour ago
A screenshot that all data in thehaveibeenpwned.comdatabase is encrypted at rest is a good start. But yes, trust only goes so far as the here and now, we can't trusthaveibeenpwned.comtomorrow, based on this morning's assessment. Oh dear, the paranoia is back.....
– Martin
1 hour ago
add a comment |
There is a new big case of stolen login/password data in the news:
https://www.forbes.com/sites/daveywinder/2019/01/17/collection-1-more-than-770m-people-pwned-in-biggest-stolen-data-dump-yet/?ss=cybersecurity#1cc1b07e509f
At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. this one:
https://haveibeenpwned.com
Is it safe to enter my email address there to find out whether I need to change my passwords?
passwords breach
asked 3 hours ago
godwanagodwana
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
There is a new big case of stolen login/password data in the news:
https://www.forbes.com/sites/daveywinder/2019/01/17/collection-1-more-than-770m-people-pwned-in-biggest-stolen-data-dump-yet/?ss=cybersecurity#1cc1b07e509f
At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. this one:
https://haveibeenpwned.com
Is it safe to enter my email address there to find out whether I need to change my passwords?
passwords breach
passwords breach
asked 3 hours ago
godwanagodwana
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
godwanagodwana
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
godwanagodwana
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
godwanagodwana
211
asked 3 hours ago
godwanagodwana
211
211
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
4
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
3 hours ago
3
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
2 hours ago
To be honest - can it be - has it been - independantly verified thathaveibeenpwned.comis safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)
– Martin
1 hour ago
1
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
1 hour ago
A screenshot that all data in thehaveibeenpwned.comdatabase is encrypted at rest is a good start. But yes, trust only goes so far as the here and now, we can't trusthaveibeenpwned.comtomorrow, based on this morning's assessment. Oh dear, the paranoia is back.....
– Martin
1 hour ago
add a comment |
4
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
3 hours ago
3
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
2 hours ago
To be honest - can it be - has it been - independantly verified thathaveibeenpwned.comis safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)
– Martin
1 hour ago
1
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
1 hour ago
A screenshot that all data in thehaveibeenpwned.comdatabase is encrypted at rest is a good start. But yes, trust only goes so far as the here and now, we can't trusthaveibeenpwned.comtomorrow, based on this morning's assessment. Oh dear, the paranoia is back.....
– Martin
1 hour ago
4
4
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
3 hours ago
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
3 hours ago
3
3
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
2 hours ago
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
2 hours ago
To be honest - can it be - has it been - independantly verified that
haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)– Martin
1 hour ago
To be honest - can it be - has it been - independantly verified that
haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)– Martin
1 hour ago
1
1
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
1 hour ago
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
1 hour ago
A screenshot that all data in the
haveibeenpwned.com database is encrypted at rest is a good start. But yes, trust only goes so far as the here and now, we can't trust haveibeenpwned.com tomorrow, based on this morning's assessment. Oh dear, the paranoia is back.....– Martin
1 hour ago
A screenshot that all data in the
haveibeenpwned.com database is encrypted at rest is a good start. But yes, trust only goes so far as the here and now, we can't trust haveibeenpwned.com tomorrow, based on this morning's assessment. Oh dear, the paranoia is back.....– Martin
1 hour ago
add a comment |
2 Answers
2
active
oldest
votes
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to loose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databses of the world yourself, if you don't want to take the risk, that maybe a lot of people are wrong about Troy Hunt - because then you would disclose your email address.
answered 2 hours ago
Tom K.Tom K.
5,56032149
3
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
HIBP is a free service for you(!) that costs Troy Hunt moneyI find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
4 mins ago
add a comment |
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.
The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
answered 1 hour ago
VishalVishal
114
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
godwana is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201654%2fchecking-if-my-passwords-are-among-the-stolen-ones%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to loose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databses of the world yourself, if you don't want to take the risk, that maybe a lot of people are wrong about Troy Hunt - because then you would disclose your email address.
answered 2 hours ago
Tom K.Tom K.
5,56032149
3
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
HIBP is a free service for you(!) that costs Troy Hunt moneyI find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
4 mins ago
add a comment |
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to loose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databses of the world yourself, if you don't want to take the risk, that maybe a lot of people are wrong about Troy Hunt - because then you would disclose your email address.
answered 2 hours ago
Tom K.Tom K.
5,56032149
3
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
HIBP is a free service for you(!) that costs Troy Hunt moneyI find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
4 mins ago
add a comment |
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to loose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databses of the world yourself, if you don't want to take the risk, that maybe a lot of people are wrong about Troy Hunt - because then you would disclose your email address.
answered 2 hours ago
Tom K.Tom K.
5,56032149
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to loose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databses of the world yourself, if you don't want to take the risk, that maybe a lot of people are wrong about Troy Hunt - because then you would disclose your email address.
answered 2 hours ago
Tom K.Tom K.
5,56032149
edited 1 hour ago
answered 2 hours ago
Tom K.Tom K.
5,56032149
answered 2 hours ago
Tom K.Tom K.
5,56032149
answered 2 hours ago
Tom K.Tom K.
5,56032149
5,56032149
3
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
HIBP is a free service for you(!) that costs Troy Hunt moneyI find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
4 mins ago
add a comment |
3
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
HIBP is a free service for you(!) that costs Troy Hunt moneyI find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
4 mins ago
3
3
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
2 hours ago
HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.– Aaron
4 mins ago
HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.– Aaron
4 mins ago
add a comment |
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.
The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
answered 1 hour ago
VishalVishal
114
add a comment |
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.
The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
answered 1 hour ago
VishalVishal
114
add a comment |
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.
The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
answered 1 hour ago
VishalVishal
114
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.
The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
answered 1 hour ago
VishalVishal
114
edited 31 mins ago
answered 1 hour ago
VishalVishal
114
answered 1 hour ago
VishalVishal
114
answered 1 hour ago
VishalVishal
114
114
add a comment |
add a comment |
godwana is a new contributor. Be nice, and check out our Code of Conduct.
godwana is a new contributor. Be nice, and check out our Code of Conduct.
godwana is a new contributor. Be nice, and check out our Code of Conduct.
godwana is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201654%2fchecking-if-my-passwords-are-among-the-stolen-ones%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e) {
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom)) {
StackExchange.using('gps', function() { StackExchange.gps.track('embedded_signup_form.view', { location: 'question_page' }); });
$window.unbind('scroll', onScroll);
}
};
$window.on('scroll', onScroll);
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
3 hours ago
3
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
2 hours ago
To be honest - can it be - has it been - independantly verified that
haveibeenpwned.comis safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)– Martin
1 hour ago
1
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
1 hour ago
A screenshot that all data in the
haveibeenpwned.comdatabase is encrypted at rest is a good start. But yes, trust only goes so far as the here and now, we can't trusthaveibeenpwned.comtomorrow, based on this morning's assessment. Oh dear, the paranoia is back.....– Martin
1 hour ago