August 3, 2017

Need a new password? Don’t choose one of these 306 million

by John_A

Troy Hunt, the security expert behind Have I Been Pwned (HIBP), has released 306 million previously-pwned passwords in a bid to help individuals and companies ramp up their online security. The passwords have been mined from dozens of data breaches, and can be downloaded for free.

HIBP lets someone see if their email address has appeared in a breach, but doesn’t reveal the associated password for that particular compromised service. Now, Hunt — who has written extensively on password protection — has flipped the model on its head, making passwords searchable without the associated email address or username.

Companies can use the data in their back-end systems to improve password security. When someone registers a new account the provider can compare their chosen password with the list, and warn them if it’s been compromised before. They can then be encouraged or forced to choose a more secure alternative.
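The back-end check described above, as an added example that is not from the article or from HIBP itself. It assumes the downloaded list is stored one SHA-1 hex digest per line (the form Hunt published it in); the sample list here is constructed inline from a few well-known weak passwords, and the registration handler only ever handles the digest, never writing the plaintext anywhere.

```python
import hashlib
import io

def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password, upper-case hex (the list's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def load_pwned_hashes(stream) -> set:
    """Stream a one-hash-per-line file into a set; tolerate blank lines,
    Windows line endings and mixed case so a real download loads cleanly."""
    hashes = set()
    for line in stream:
        digest = line.strip().upper()
        if len(digest) == 40:          # ignore junk / header lines
            hashes.add(digest)
    return hashes

def is_pwned(password: str, pwned: set) -> bool:
    """True if the candidate password appears in the breached list."""
    return sha1_hex(password) in pwned

def check_registration(password: str, pwned: set, min_len: int = 8) -> dict:
    """Registration-time policy: reject breached passwords first, then
    apply a length floor. Returns a verdict plus a reason for the user;
    the plaintext is deliberately not included in the result."""
    if is_pwned(password, pwned):
        return {"ok": False, "reason": "password has appeared in a data breach"}
    if len(password) < min_len:
        return {"ok": False, "reason": f"password must be at least {min_len} characters"}
    return {"ok": True, "reason": ""}

# Constructed stand-in for the downloaded file (assumption: same layout).
SAMPLE_LIST = io.StringIO("\n".join(
    sha1_hex(p) for p in ["password", "123456", "qwerty", "letmein"]
) + "\r\n\r\n")
PWNED = load_pwned_hashes(SAMPLE_LIST)

if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(sha1_hex(candidate)[:8], check_registration(candidate, PWNED))
```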

Individuals can also play with the data online, although Hunt advises you don’t check any passwords you currently use, for obvious security reasons. “The intention is to use that in a retrospective fashion,” he writes in a recent blog post announcing the service.

“As well as people checking passwords they themselves may have used, I’m envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: ‘you see, this password has been breached before, don’t use it!’” he says. “If there’s one thing I’ve learned over the years of running this service, it’s that nothing hits home like seeing your own data pwned.”

The service has largely been prompted by revised password guidance from the National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre, both of which state very clearly that providers shouldn’t allow people to use a password that has been breached before. But with 306 million passwords now blacklisted, coming up with a suitable new one could take a while.

Source: troyhunt.com
