Has your password been pwned?


Don’t wait for a breach to find out.

Passwords are the cornerstone of good security, and should be supported with two- or multi-factor authentication. However, as you can read about in our recent newsletter about the Uber breach, MFA isn’t a magic wand that fixes all password issues. Good password hygiene and habits are still a basic requirement for everyone. In light of this, Windows now even allows you to set up automatic policies that force users to improve poor habits. Unfortunately, not everything can be configured that way.

Of course, you can’t talk about password security without bringing up one of the most basic business requirements, which is an official password policy. That policy should not only reiterate technologically-enforced requisites like minimum length, letter cases, and special characters, but also cover less-obvious unenforceables like reusing the same password across multiple accounts, or reusing personal passwords for work-related applications. It’s bad enough to be compromised; it’s much worse to be compromised on multiple fronts because someone decided to use their Wordle password for logging into MS Exchange as well.

The truth of the situation is that other people’s poor habits can be used against you, especially when it comes to passwords. In fact, I’ve talked about a website in the past, haveibeenpwned.com, that collects breach information so you can look up things like:

  • what information was contained in the breach,
  • where the breach took place, and
  • what encryption (if any) was found on the passwords.

Unfortunately, while this is all useful information and haveibeenpwned is a valuable service, many organizations still think the best way to handle an information breach is to hide it, which serves to protect absolutely nobody, makes the company look shady when the breach is inevitably revealed anyway, and ultimately damages your company, its bottom line, and its shareholders.

Haveibeenpwned.com was built around checking your email to see if it’s been involved in a breach, but there’s another lesser-known and relatively new feature that allows you to test passwords as well. The main difference between these two checks is that if haveibeenpwned does identify your passwords as pwned, then the service found your password in plain text, not encoded. This doesn’t necessarily mean the password was stolen in plain text, as it could have been decoded after the fact.

So how does this affect your organization? Haveibeenpwned.com also offers a password detection service, with both on- and offline versions available. You just feed a password into the service and it spits out a number that corresponds to how often that password has been involved in a breach. Zero is best, with results worsening as the count grows, since any count above zero means the password has been detected in plain text before. As an example, the password “Password!234” satisfies most password requirements for length, letter case, and special characters, but if you actually check the website for ‘Password!234’ (please, never ever use this password), you’ll discover it’s been found (in plain text) in 47 separate breaches.

I’ve rambled on about this service for a bit, but I wanted to end with one final thought. The offline version of the password checker includes a downloadable file that contains all the password hashes along with the number of times they’ve been detected (in plain text). A motivated attacker could easily download this file, pull out the common passwords, and put in the work to forcibly crack them. They could then just start their brute force attacks by using that list of common passwords. So how do you know if you’re using a password that’s been breached through your account or someone else’s? The answer is that if you don’t check, you won’t know.
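As an added example (my own code, not the post’s or haveibeenpwned.com’s), here is how a defender can run the check described above locally, so the password itself is never sent anywhere: only its SHA-1 hash is compared against the downloadable hash list, or only the first five hex characters of the hash are sent to the online k-anonymity range lookup and the response is matched at home. The two “hash:count” line formats are assumptions based on how the service publishes its data, and every sample line, including the counts, is constructed for this example.

```python
import hashlib
from typing import Dict, Iterable

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords publishes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_prefix(password: str) -> str:
    """First five hex chars of the hash: all a k-anonymity client sends to /range/<prefix>."""
    return sha1_hex(password)[:5]

def parse_hash_counts(lines: Iterable[str], prefix: str = "") -> Dict[str, int]:
    """Parse '<hex>:<count>' lines into {full_sha1: count}. The offline file has
    40-hex hashes (leave prefix empty); a /range/ response has 35-hex suffixes,
    so pass the 5-char prefix to rebuild full hashes. Malformed lines are skipped."""
    table: Dict[str, int] = {}
    for raw in lines:
        line = raw.strip()
        hex_part, sep, count_part = line.partition(":")
        if not sep or not count_part.isdigit():
            continue
        full = (prefix + hex_part).upper()
        if len(full) != 40 or any(c not in "0123456789ABCDEF" for c in full):
            continue
        table[full] = table.get(full, 0) + int(count_part)
    return table

def breach_count(password: str, table: Dict[str, int]) -> int:
    """Number of breach appearances; 0 means the hash was not in the list."""
    return table.get(sha1_hex(password), 0)

# Constructed stand-in for the offline download (the real file has hundreds of
# millions of lines). Counts are made up; 47 mirrors the figure quoted in the post.
SAMPLE_OFFLINE = [
    f"{sha1_hex('Password!234')}:47",
    f"{sha1_hex('qwerty123')}:1000",
    "garbage line that a real parser must tolerate",
]

# Constructed stand-in for a /range/<prefix> response for "Password!234":
# 35-char suffixes only, plus an unrelated suffix that happens to share the prefix.
SAMPLE_RANGE = [
    f"{sha1_hex('Password!234')[5:]}:47",
    f"{'0' * 35}:3",
]

if __name__ == "__main__":
    table = parse_hash_counts(SAMPLE_OFFLINE)
    print({pw: breach_count(pw, table) for pw in ("Password!234", "not-in-sample")})
```

Against the real offline file, read the lines from the download instead of SAMPLE_OFFLINE; against the real API, fetch `/range/<range_prefix(pw)>` and pass the response body split into lines as the range input.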

This week’s Shakespeare quote comes from one of the bard’s lesser-known works, Troilus and Cressida, in which a character wonders: “Who shall be true to us, when we are so unsecret to ourselves?”


Be Kind, courtesy your friendly neighbourhood cyber-man.
