Cyber Security Informer

Pwned Passwords, Version 5

Troy Hunt

JULY 8, 2019

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. 3,768,890 passwords. 3,768,890 passwords.

Passwords

Passwords Accountability Authentication Data breaches

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

Troy Hunt

FEBRUARY 24, 2022

There's a time and a place for going fast, and there's no better place to do that than when querying Have I Been Pwned's Pwned Passwords service. (Ok, What happens if you want to check millions of passwords? For example, a CSV file of plain text password and prevalence pairs.

Passwords

Passwords Malware

Enhancing Pwned Passwords Privacy with Padding

Troy Hunt

MARCH 4, 2020

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). They could be searching for any password whose SHA-1 hash begins with those characters. Very slick!

Passwords

Passwords Data breaches Risk Encryption

Webinars

Human-Centered Cyber Security Training: Driving Real Impact on Security Culture

MORE WEBINARS

CafePress Data Breach exposes technical details of 23 Million users

Security Affairs

AUGUST 6, 2019

The news was publicly reported by the data breach notification service Have I Been Pwned. . I just updated the CafePress breach description on @haveibeenpwned to include passwords. link] — Troy Hunt (@troyhunt) August 5, 2019. link] — Kevin Beaumont (@GossiTheDog) August 5, 2019.

Data breaches

Data breaches Passwords Advertising Accountability

How to Set Up a SpiderFoot Server for OSINT Research

Lenny Zeltser

APRIL 16, 2020

SpiderFoot is a tool for gathering Open Source Intelligence (OSINT) and threat intelligence about IPs, domains, e-mail addresses, and other research targets from many data sources, including services such as Shodan and Have I Been Pwned. Steve Micallef, the tool’s author, offers a free, open source version of SpiderFoot.

DNS

DNS Internet Internet Software

To Infinity and Beyond, with Cloudflare Cache Reserve

Troy Hunt

MARCH 9, 2023

that was out of a total of more than 166M requests in the same period: Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. I mean, what if it just stayed in their cache unless we actually changed the source file and told them to update their version? No biggy, unless. that's it.

Passwords

Passwords Accountability

Pwned Passwords, Version 6

Troy Hunt

JUNE 19, 2020

Today, almost one year after the release of version 5 , I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964? just over 3%).

Passwords

EnemyBot malware adds new exploits to target CMS servers and Android devices

Security Affairs

MAY 30, 2022

pwned , containing a message that attributes itself to Keksec. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. RCE CVE-2020-5902 F5 BigIP RCE No CVE (vulnerability published on 2019) ThinkPHP 5.X LFI CVE-2018-16763 Fuel CMS 1.4.1

Malware

Malware DDOS IoT Cybercrime

Cyber Security Roundup for May 2021

Security Boulevard

MAY 3, 2021

You can check if your phone number or email address is part of this Facebook data leak and other data breaches on the Have I Been Pwned website. How Strong is Your Password? A favourite sports team accounted for 6% of passwords, while a favourite TV show accounted for 5%. The Ransomware Scourge. Stay safe and secure.

Ransomware

Ransomware Passwords Scams Government

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Troy Hunt

JUNE 30, 2022

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Actually, the multiple problems, the first of which is that it's just way too fast for storing user passwords in an online system.

Passwords

Passwords Identity Theft Consumer Services Password Management

Downloading Pwned Passwords Hashes with the HIBP Downloader

Troy Hunt

MAY 19, 2022

Just before Christmas, the promise to launch a fully open source Pwned Passwords fed with a firehose of fresh data from the FBI and NCA finally came true. The idea of taking 16^5 hash ranges, bundling them all up into a single monolithic archive then making it all downloadable seemed a non-trivial task.

Passwords

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Troy Hunt

FEBRUARY 21, 2018

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

Passwords

Passwords Data breaches Mobile Risk

We're Baking Have I Been Pwned into Firefox and 1Password

Troy Hunt

JUNE 25, 2018

Often, it's after someone has searched Have I Been Pwned (HIBP) and found themselves pwned somewhere or other. My relationship with 1Password stretches all the way back to 2011 when I came to the realisation that the only secure password is the one you can't remember.

Passwords

Passwords Data breaches Password Management Accountability

2018 Retrospective

Troy Hunt

JANUARY 3, 2019

I guess it's maintained its traction due it being referenced in the HIBP description and there being a huge number of people finding themselves pwned. Loco Moco Sec in Hawaii: @troyhunt had a great talk, he even used [link] like a boss @LocoMocoSec pic.twitter.com/coOYwMY1ga — Troy (@troyoholous) April 5, 2018.

Passwords

Passwords Technology Government InfoSec

IoT Unravelled Part 3: Security

Troy Hunt

NOVEMBER 25, 2020

I can't blame this on the teddy bears themselves, rather the fact that the MongoDB holding all the collected data was left publicly facing without a password. I started with the Philips Hue app which was both auto-updating and at the latest firmware version: Ok, that's good, not something I need to think about then.

IoT

IoT Firmware Risk Manufacturing

Fixing Data Breaches Part 1: Education

Troy Hunt

DECEMBER 17, 2017

This isn't to try and fit things into a nicely boxed calendar week of drip-fed content, but rather that there are genuinely 5 logical areas I want to focus on and they're each discrete solutions I want to be able to link to specifically for years to come. The second one will lead to your database being pwned to the worst possible extent.

Data breaches

Data breaches Education Passwords Penetration Testing

Authentication and the Have I Been Pwned API

Troy Hunt

JULY 18, 2019

The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API. I hope the explanation above helps people understand that, and also the fact the API has run the last 5 and a half years without any auth whatsoever clearly demonstrates that financial gain has never been the intention.

Authentication

Authentication Firewall Data breaches Mobile

Seamless A/B Testing, Deployment Slots and DNS Rollover with Azure Functions and Cloudflare Workers

Troy Hunt

JULY 19, 2018

If you have an efficient function that executes quickly it can be extremely cost effective as I recently demonstrated with the Pwned Passwords figures : So here's the hard facts - I'm dipping into my pocket every week to the tune of. for you guys to do 54M searches against a repository of half a billion passwords ??

DNS

DNS Passwords Firewall Authentication

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Troy Hunt

JANUARY 10, 2018

agarwal_mohit) January 5, 2018. For example, here's what happens if you attempt to load my own service Have I Been Pwned (HIBP) insecurely: I'm going to call out 4 things this time: An attempt is made to request the site insecurely. They don't know how to use version control, which leads to other assumptions about their ability.

Hacking

Hacking Government Risk Encryption

Cyber Security Informer

Pwned Passwords, Version 5

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

Webinars

Trending Sources

Enhancing Pwned Passwords Privacy with Padding

Webinars

CafePress Data Breach exposes technical details of 23 Million users

How to Set Up a SpiderFoot Server for OSINT Research

To Infinity and Beyond, with Cloudflare Cache Reserve

Pwned Passwords, Version 6

EnemyBot malware adds new exploits to target CMS servers and Android devices

Cyber Security Roundup for May 2021

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Downloading Pwned Passwords Hashes with the HIBP Downloader

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

We're Baking Have I Been Pwned into Firefox and 1Password

2018 Retrospective

IoT Unravelled Part 3: Security

Fixing Data Breaches Part 1: Education

Authentication and the Have I Been Pwned API

Seamless A/B Testing, Deployment Slots and DNS Rollover with Azure Functions and Cloudflare Workers

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Stay Connected