Have I been pwned?

Today I’m going to address a less technical audience and explain the concept of a breached-password database and how to securely check whether a password is running wild in the open, in the hands of bad actors.

The wildlife of passwords

Historically there have been a lot of data breaches as a result of malicious activity. We hear about them in the news all the time and they affect all industries and businesses; the hackers don’t really discriminate: from social media platforms like LinkedIn and software vendors like Adobe, through airlines like EasyJet, to financial services like Money Bookers. Those databases are then used by another breed of bad actors. One of the common scenarios is an email from a ‘hacker’ quoting your password in the subject line (it really draws the eye…), blackmailing the poor victim into a Bitcoin payment, a textbook example of digital extortion. The threat is the disclosure of private data like browser history or videos taken without the victim knowing they were being recorded.

Account Take Over (ATO)

You will probably hear about ATO more and more. The majority of breaches of the data perimeter these days are the result of compromised credentials. Nature likes the path of least resistance and we humans are a perfect example: we re-use our passwords across different platforms. I will risk the statement that there are only two types of password users – those who reuse their passwords and those who don’t admit to it.

Have I been pwned?

It’s a service that lets you check whether your password or email address has leaked in a breach. Just go to https://haveibeenpwned.com/Passwords and type in your password to see if it has leaked… Oh, I know… you’re scared to do so, aren’t you? I mean, why would you knowingly send your password over the wire? Is there a possibility it could leak during the process? Perhaps the service is untrustworthy and collects the passwords? And how do browsers like Chrome alert you that you have used a breached password without compromising the trust between the user and the device?

Search a database for an item, without providing the item…

Makes no sense? Actually, it does, and it is technically possible. In fact, that’s how the pwned password services work. In other words: yes, they are safe to use. A lot of businesses check against the pwned passwords database every time you log in. If the password has leaked, you’ll be asked to change it or you may be challenged with MFA. How? To understand the mechanism we need to look at one piece of cryptography.

Hashing

In the crypto world, hashing is transforming a string into another string. The most important properties of hashing are that (if you use the same algorithm):

    • the derived string will always be the same for the same input
    • it’s a one-way function, meaning you cannot mathematically de-hash back to the original string

Let’s look at an example. If I take the word Password123 and run it through the SHA-1 hashing algorithm, I get b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1. Every single time. And all SHA-1 hashes are 40 characters long. You can check this yourself with any SHA-1 calculator.

The mechanism

Knowing how hashing works, let’s look at the pwned passwords database. The dataset comprises both passwords and their respective hashes. So, for a start, we can ask for the hash instead of the password and that way we directly know whether it’s there or not. But the mechanism is even more secure, because, believe it or not, we don’t even send the whole hash over the wire. What we actually send is the first 5 characters of the hash. The service then responds with a list of all hashes present in the database that start with our 5 characters. To be precise, the strings returned are only the remaining 35 characters of each hash (remember, a SHA-1 hash is 40 characters long). This means that if the list is empty, we’re good: the password is not in the database. If the list isn’t empty we have one more job to do: we need to compare all the returned strings against the one we have on our side. Today, if you ask for b2e98 (the first 5 characters of the SHA-1 hash of the string Password123) you will get 783 strings that you need to compare. Obviously this is done by code in the application itself, so it takes no time or hassle.
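Here is the hashing step and the prefix-range check described above, written as an added Python example (not code from the article or from the service): only the 5-character prefix leaves the machine, and the 35-character suffix comparison happens locally. The range URL is the service’s documented endpoint; the response body used for the offline run is constructed, with only the Password123 suffix taken from the hash quoted above.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"  # HIBP's range endpoint

def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> tuple[str, str]:
    """Only the 5-char prefix goes over the wire; the 35-char suffix
    stays on the client and is compared locally."""
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    Count-0 entries are padding the API can add to hide the true response
    size; they never mean 'found', so they are dropped."""
    found = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit() and int(count) > 0:
            found[suffix.upper()] = int(count)
    return found

def fetch_range(prefix: str) -> str:
    """Live lookup: the request URL carries nothing but the 5-char prefix."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)

# Constructed stand-in for the B2E98 range response so the check runs offline.
# The middle suffix is the rest of the article's SHA-1 for "Password123";
# the counts and the other two suffixes are made up.
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "AD6F6EB8508DD6A14CFA704BAD7F05F6FB1:123456",
    "F" * 35 + ":0",
])

def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGE_BODY if prefix == "B2E98" else ""

if __name__ == "__main__":
    print(pwned_count("Password123", offline_fetch))  # 123456 (constructed count)
```

Calling `pwned_count("Password123")` without the second argument performs the live lookup; the server still sees only `B2E98`, never the password or the full hash.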

The conclusion

I always find technology amazing and knowing how we can make things secure is, no doubt, exciting (I am a geek, sorry!). But there’s more to it. Trust in technology should be based on understanding, not just pure belief. Hopefully this has helped you understand a small aspect of password security a little better, and you won’t be scared to do the check in the future. Make sure you use a trusted service, like the one I posted earlier (https://haveibeenpwned.com).