Is it safe to give my email address to a service like haveibeenpwned in light of the publication of “Collection #1”?
There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g.
Have I Been Pwned.
Is it safe to enter my email address there to find out whether I need to change my passwords?
passwords breach have-i-been-pwned
51
Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)
– Xander
Jan 17 at 13:25
60
Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)
– Matthew
Jan 17 at 13:30
23
To be honest - can it be - has it been - independently verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)
– Martin
Jan 17 at 14:32
1
@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.
– Tom K.
Jan 17 at 14:37
20
Well to be honest, the worst that could happen @Martin is that Troy Hunt (who is a well-known, respected security author) has your email address. I actually have an email address to give to people so they can contact me; if that is the only PII I am giving out I'm not so worried ;)
– Kevin Voorn
Jan 17 at 17:14
asked Jan 17 at 13:12 by godwana
edited Jan 18 at 6:30 by Tom K.
6 Answers
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else when handling your specific request.
But I think it is more than fair to say that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.
68
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
Jan 17 at 14:14
28
HIBP is a free service for you(!) that costs Troy Hunt money
I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
Jan 17 at 16:24
6
@Aaron The way Troy Hunt makes his money is by sponsorships on his blog, and he is actually a keynote speaker at a lot of notable events. Besides that, he also creates Pluralsight courses, which he obviously also makes money off.
– Kevin Voorn
Jan 17 at 17:16
38
Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.
– Future Security
Jan 17 at 20:23
3
@Aaron FYI Troy Hunt is doing targeted advertising... the site is clearly sponsored by 1Password, and considering whoever goes to that site is or might be interested in password security, those ads are a form of targeted advertising.
– Giacomo Alzetta
Jan 18 at 8:27
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is especially important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites, a technique called credential stuffing.
The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
2
The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.
– Tom K.
Jan 17 at 20:32
@TomK. yes that is correct and I have provided the link above as a reference and an extension to this question, to put things in context further.
– Vishal
Jan 21 at 18:12
You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.
The argument
haveibeenpwned also has a service that lets you look up whether a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password into a random website? You could even imagine a conversation with a skeptic:
Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!
Skeptic: Yeah, but you have to give them your password
Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for my email address
Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!
Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!
Skeptic: Just because they say it doesn't mean it's true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.
Independent Verification
Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.
What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.
You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (Chrome, Firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for "password" you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of "password"). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8, which (at the moment) lists 3645804 matches - aka the password "password" has shown up about 3.5 million times in separate password leaks. (The SHA1 hash of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.)
With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.
Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.
In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?
4
The site might send you different JS if you use an old vs. modern browser. It could detect whether the developer console is open. It could sample passwords 1:1000 to reduce chance of detection. It could submit the cleartext password on unload. Etc. And if you send a weak password it can be mostly identified from the first five characters (that's the entire point of the service). If you want to be paranoid about it, be thorough :)
– Tgr
Jan 19 at 7:59
1
@Tgr :) I thought about adding some comments like that, but the point wasn't actually to make people paranoid, but rather to point out that the internet doesn't have to be a black box. There are helpful tools in almost every browser these days.
– Conor Mancone
Jan 19 at 21:31
@Tgr Actually identifying a password from the first 5 characters of your hash is tricky. The only way to actually do that would be to take your password and your email and spam against a service where you are known to have an account. There are 300-500 passwords per hash "bin", so it would be plausible to brute force that few passwords against a weakly secured online service. If your password was in the list it could potentially be cracked that way. However, it could be tricky in practice. If you weren't using a leaked password, sending around your first 5 hash characters has no risk.
– Conor Mancone
Jan 20 at 3:23
It's plausible to try that many passwords against pretty much any online service. Other than maybe banks, very few websites lock you out after a fixed number of failed login attempts (the harassment angle would be more problematic than the security one). Reasonable websites throttle logins so it might take 1-2 days to get through the list but that's all. Of course if your password cannot be leaked this is not a risk, but then if your password cannot be leaked why bother checking it?
– Tgr
Jan 20 at 5:50
@Tgr Indeed. The "trickiness" is because you might not know what service to check. If you know for sure that someone has an account on a given service and they don't do throttling, you can pretty quickly brute force the passwords (as you say). If you get in then great (but not for them!). However, a lack of a match is trickier to diagnose. Do they not use that service? Did they use a different password than the one they checked? Did they use a different email on that service? It's definitely a plausible attack, but it won't have a 100% success rate.
– Conor Mancone
Jan 21 at 13:45
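To make the client-side matching described in the answer above concrete, here is an added example (my own code, not part of the original answer and not HIBP's own client). It hashes a password with SHA-1, splits the digest into the 5-character prefix that is sent and the 35-character suffix that stays on the client, and matches the suffix against a range response locally. The response text below is constructed to mimic the SUFFIX:COUNT format the answer describes: the only real entry is the one for "password", with the count quoted above; the other two suffixes are invented. fetch_range() performs the live request to the endpoint named in the answer and is not called by the offline demo.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix 5BAA6, one
# "SUFFIX:COUNT" pair per line (CRLF-separated, like the real API).
# Only the 1E4C... line is real (SHA-1 of "password", count as quoted in
# the answer above); the other two suffixes are invented for this demo.
SAMPLE_PREFIX = "5BAA6"
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804\r\n"
    "2C5E5CB17EF42A9C8B1EE0B9E6DB5A7A4D1:12\r\n"
)


def split_sha1(password):
    """Return (prefix, suffix): the first 5 hex chars of the upper-case
    SHA-1 digest, which is all that leaves the client, and the other 35."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn SUFFIX:COUNT text into a dict; blank lines are ignored."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def match_locally(password, range_prefix, range_body):
    """Client side of the k-anonymity lookup: confirm the response is for
    our prefix, then look the full suffix up locally. Returns the breach
    count, or 0 when the password is not in that range."""
    prefix, suffix = split_sha1(password)
    if prefix != range_prefix.upper():
        raise ValueError("range %s does not cover prefix %s" % (range_prefix, prefix))
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10.0):
    """Live request to the endpoint named in the answer. What goes on the
    wire is the 5-char prefix only: no cookies, no password, no email.
    Not called by the offline demo below."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be 5 hex characters")
    url = "https://api.pwnedpasswords.com/range/" + prefix.upper()
    req = urllib.request.Request(url, headers={"User-Agent": "range-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full round trip: hash, send the prefix, match the suffix locally."""
    prefix, _ = split_sha1(password)
    return match_locally(password, prefix, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print("sent to server: ", prefix)
    print("kept locally:   ", suffix)
    print("count in sample:", match_locally("password", SAMPLE_PREFIX, SAMPLE_RANGE_RESPONSE))
```

The prefix check in match_locally() is the part a browser's network tab cannot show you: a client that silently accepts a response for a different range, or that sends more than five characters, would defeat the scheme, so it is worth asserting on in your own code rather than trusting the server.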
Many answers here talk about the particular service "Have I Been Pwned". I agree with them that this service is trustworthy. I would like to make some points that apply in general to all these services.
- Don't use a service that asks for both email and password for checking.
- Use a service that allows you to check anonymously without requiring a sign in.
These services check data breaches that already happened. If your email address is in a breach these services and many others already know about it. Searching your email is not going to trigger anything new.
The maximum you get to lose in this case is that your email address is disclosed. But that is true for any website or newsletter.
1
Straight to the point and actually gives a rational explanation of why there is no actual risk involved in sharing your email. Voted up.
– Kevin Voorn
Jan 22 at 3:47
If you don't trust HIBP enough to give it your email but trust Mozilla (e.g. because you already gave them your email address for some other reason), you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query the HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)
6
This does not answer the question since Firefox Monitor qualifies as “a service like haveibeenpwned”, I think. You're just saying “don't trust service A, trust service B instead” while not explaining why anyone should trust a service like that in the first place.
– Norrius
Jan 19 at 18:56
@Norrius Many people have already given Mozilla their email and it doesn't take any more trust to use their service. I'll add that to my answer.
– user31389
Jan 21 at 11:42
Depends on what you mean by "secure," and how paranoid you are.
Just because the creator of the website is a security expert doesn't mean that the website has no security vulnerabilities.
The Website supports TLSv1.2 and TLSv1.3 which is great of course.
https://haveibeenpwned.com
is using Cloudflare. As we all know Cloudflare is a Man in the middle. The encryption from the website is broken on the way to the actual server by Cloudflare.
Now, for example, the NSA could knock on Cloudflares door and let the data move over. But you don't have to be afraid of other attackers, because only Cloudflare and the actual target server can decrypt the data.
If you don't care if the NSA or other intelligence agencies get your data, which you sent to https://haveibeenpwned.com
, then there should be no problem. Unless you don't trust the security expert.
Personally, I'd rather have my account credentials exposed than the Cloudflare (NSA) getting my data.
Note: This is only an answer for paranoid people. For those who aren't paranoid, other answers should work better.
6
I'm having a hard time even understanding your answer, in my opinion it is full of nonsense which is why I downvoted this answer.
– Kevin Voorn
Jan 21 at 4:45
@KevinVoorn, Ok, I've revised my answer so that even those who don't understand so much about encryption can benefit.
– Skiddie Hunter
Jan 21 at 22:53
Thank you for your clarification, although I am having trouble with "Personally, I'd rather have my account credentials exposed than the Cloudflare (NSA) getting my data." I myself would not want to connect Cloudflare to the NSA (which is a personal view), but I don't see why there is a choice between either sharing your data with the NSA and having account credentials exposed. Maybe you could elaborate on that.
– Kevin Voorn
Jan 22 at 3:45
Right, of course it is best if the credentials do not even reach the public in the first place. But in the worst case, if it does happen: what I mean by that is that if my credentials become public, I have a small time advantage to change my password before they find my email. This small time advantage does not exist with direct connections to the spy server. In the worst case, your email will be tapped directly and stored in a database. Now they have your e-mail address. Maybe this is really only for paranoid people. Assuming the owner doesn't work for any intelligence agency.
– Skiddie Hunter
Jan 22 at 17:17
1
I don't think you know how the website works. When data (your email, password, etc.) is exposed in a data leak, that is when the website stores the data and notifies owners, if they want, that they are part of a data leak. The database only keeps data from data leaks, so there is no reason to fear your credentials becoming public because haveibeenpwned.com leaks it; the data already is public.
– Kevin Voorn
Jan 22 at 17:29
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201654%2fis-it-safe-to-give-my-email-address-to-a-service-like-haveibeenpwned-in-light-of%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
6 Answers
6
active
oldest
votes
6 Answers
6
active
oldest
votes
active
oldest
votes
active
oldest
votes
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.
68
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
Jan 17 at 14:14
28
HIBP is a free service for you(!) that costs Troy Hunt money
I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
Jan 17 at 16:24
6
@Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.
– Kevin Voorn
Jan 17 at 17:16
38
Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.
– Future Security
Jan 17 at 20:23
3
@Aaron FYI Troy Hunt is doing targeted advertising... the site is clerly sponsored by 1password and considering whoever goes to that site is or might be interested in password security those ads are a form of targeted advertising
– Giacomo Alzetta
Jan 18 at 8:27
|
show 12 more comments
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.
answered Jan 17 at 14:04 by Tom K., edited Jan 18 at 20:20 by jdv
68
As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.
– Tom K.
Jan 17 at 14:14
28
HIBP is a free service for you(!) that costs Troy Hunt money
I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.
– Aaron
Jan 17 at 16:24
6
@Aaron The way Troy Hunt makes his money is by sponsorships on his blog, and he is actually a keynote speaker at a lot of notable events. Besides that, he also creates Pluralsight courses, which he obviously also makes money off.
– Kevin Voorn
Jan 17 at 17:16
38
Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.
– Future Security
Jan 17 at 20:23
3
@Aaron FYI Troy Hunt is doing targeted advertising... the site is clearly sponsored by 1Password, and considering whoever goes to that site is or might be interested in password security, those ads are a form of targeted advertising.
– Giacomo Alzetta
Jan 18 at 8:27
Troy Hunt is a very respected Information Security professional, and this service is being used by millions of people worldwide, even by some password managers to verify whether the passwords selected by their users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is especially important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique called a credential stuffing attack.
The following StackExchange post has a response from Troy himself with further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
answered Jan 17 at 14:42 by Vishal, edited Jan 17 at 15:57
2
The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.
– Tom K.
Jan 17 at 20:32
@TomK. yes that is correct and I have provided the link above as a reference and an extension to this question, to put things in context further.
– Vishal
Jan 21 at 18:12
You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.
The argument
haveibeenpwned also has a service that lets you look up whether a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password into a random website? You could even imagine a conversation with a skeptic:
Self: If I type my password in here it will tell me if it has shown up in a hack before! This will help me know if it is safe!
Skeptic: Yeah, but you have to give them your password.
Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for my email address.
Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!
Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!
Skeptic: Just because they say it doesn't mean it's true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.
Independent Verification
Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.
What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password is ever sent.
You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (Chrome, Firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for "password" you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of "password"). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8, which (at the moment) lists 3645804 matches - aka the password "password" has shown up about 3.5 million times in separate password leaks. (The SHA1 hash of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.)
With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.
Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.
In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?
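The range lookup this answer describes, written out as an added example that is neither HIBP's code nor the answer author's: the password is hashed locally, only the five-character prefix is handed to an injectable transport, and the suffix is matched against the returned bucket on the client. The response body for prefix 5BAA6 is constructed for offline use (its one real line is the "password" entry quoted above); the http_fetch_range transport and its User-Agent string are assumptions of this example, not something the page specifies.

```python
"""
Client side of the Pwned Passwords range lookup (k-anonymity), as an added
example. Not HIBP's code: the only protocol facts used are the ones stated in
the answer above (SHA-1, 5-character prefix sent, "SUFFIX:COUNT" bucket
returned, match made locally). The transport is injected so it runs offline.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5                  # hex characters that leave the machine
SUFFIX_LEN = 40 - PREFIX_LEN    # SHA-1 is 40 hex characters in total
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """(prefix that is sent to the server, suffix that stays local)."""
    return hash_hex[:PREFIX_LEN], hash_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Lines that are not a 35-hex-char suffix plus an integer count are skipped,
    so a truncated or garbled body can never produce a false match.
    """
    entries: Dict[str, int] = {}
    for raw in body.splitlines():
        suffix, sep, count = raw.strip().partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != SUFFIX_LEN or not count.strip().isdigit():
            continue
        if not set(suffix) <= HEX_DIGITS:
            continue
        entries[suffix] = int(count)
    return entries


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 means not found.

    fetch_range(prefix) performs the GET for /range/<prefix> and returns the
    body. Only the 5-character prefix is ever handed to it.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Real transport against the endpoint named in the answer. Needs network
    access; the User-Agent value is an assumption of this example."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-lookup-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class RecordingFetcher:
    """Offline stand-in for http_fetch_range that records every prefix it was
    asked for, so a test can check exactly what would have crossed the wire."""

    def __init__(self, responses: Dict[str, str]):
        self.responses = responses
        self.requested: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.requested.append(prefix)
        return self.responses.get(prefix, "")


# Constructed response for prefix 5BAA6. The 'password' line is the real entry
# quoted in the answer above; the other two are made-up suffixes standing in
# for the hundreds of unrelated hashes a real bucket contains.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "0" * 34 + "A:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804",
    "F" * 35 + ":2",
])


def demo() -> dict:
    """Run the lookup offline and report what the server would have seen."""
    fetcher = RecordingFetcher({"5BAA6": CONSTRUCTED_RANGE_5BAA6})
    count = pwned_count("password", fetcher)
    sent = fetcher.requested[0]
    return {
        "count": count,                                   # 3645804
        "sent_to_server": sent,                           # '5BAA6'
        "password_in_request": "password" in sent,        # False
        "full_hash_in_request": sha1_hex("password") in sent,  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Swap RecordingFetcher for http_fetch_range to run the same check against the live endpoint; the prefix is still the only thing that leaves the machine.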
4
The site might send you different JS if you use an old vs. modern browser. It could detect whether the developer console is open. It could sample passwords 1:1000 to reduce chance of detection. It could submit the cleartext password on unload. Etc. And if you send a weak password it can be mostly identified from the first five characters (that's the entire point of the service). If you want to be paranoid about it, be thorough :)
– Tgr
Jan 19 at 7:59
1
@Tgr :) I thought about adding some comments like that, but the point wasn't actually to make people paranoid, but rather to point out that the internet doesn't have to be a black box. There are helpful tools in almost every browser these days.
– Conor Mancone
Jan 19 at 21:31
@Tgr Actually identifying a password from the first 5 characters of your hash is tricky. The only way to actually do that would be to take your password and your email and spam against a service where you are known to have an account. There are 300-500 passwords per hash "bin", so it would be plausible to brute force that few passwords against a weakly secured online service. If your password was in the list it could potentially be cracked that way. However, it could be tricky in practice. If you weren't using a leaked password, sending around your first 5 hash characters has no risk.
– Conor Mancone
Jan 20 at 3:23
It's plausible to try that many passwords against pretty much any online service. Other than maybe banks, very few websites lock you out after a fixed number of failed login attempts (the harassment angle would be more problematic than the security one). Reasonable websites throttle logins so it might take 1-2 days to get through the list but that's all. Of course if your password cannot be leaked this is not a risk, but then if your password cannot be leaked why bother checking it?
– Tgr
Jan 20 at 5:50
@Tgr Indeed. The "trickiness" is because you might not know what service to check. If you know for sure that someone has an account on a given service and they don't do throttling, you can pretty quickly brute force the passwords (as you say). If you get in then great (but not for them!). However, a lack of a match is trickier to diagnose. Do they not use that service? Did they use a different password than the one they checked? Did they use a different email on that service? It's definitely a plausible attack, but it won't have a 100% success rate.
– Conor Mancone
Jan 21 at 13:45
|
show 2 more comments
You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.
The argument
haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:
Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!
Skeptic: Yeah, but you have to give them your password
Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address
Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!
Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!
Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.
Independent Verification
Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.
What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.
You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (chrome, firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for password
you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6
(5BAA6
being the first 5 characters of the hash of password
). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8
which (at the moment) lists 3645804
matches - aka the password password
has showed up about 3.5 million times in separate password leaks. (the SHA1 hash of password
is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
).
With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.
Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.
In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?
4
The site might send you different JS if you use an old vs. modern browser. It could detect whether the developer console is open. It could sample passwords 1:1000 to reduce chance of detection. It could submit the cleartext password on unload. Etc. And if you send a weak password it can be mostly identified from the first five characters (that's the entire point of the service). If you want to be paranoid about it, be thorough :)
– Tgr
Jan 19 at 7:59
1
@Tgr :) I thought about adding some comments like that, but the point wasn't actually to make people paranoid, but rather to point out that the internet doesn't have to be a black box. There are helpful tools in almost every browser these days.
– Conor Mancone
Jan 19 at 21:31
@Tgr Actually identifying a password from the first 5 characters of your hash is tricky. The only way to actually do that would be to take your password and your email and spam against a service where you are known to have an account. There are 300-500 passwords per hash "bin", so it would be plausible to brute force that few passwords against a weakly secured online service. If your password was in the list it could potentially be cracked that way. However, it could be tricky in practice. If you weren't using a leaked password, sending around your first 5 hash characters has no risk.
– Conor Mancone
Jan 20 at 3:23
It's plausible to try that many passwords against pretty much any online service. Other than maybe banks, very few websites lock you out after a fixed number of failed login attempts (the harassment angle would be more problematic than the security one). Reasonable websites throttle logins so it might take 1-2 days to get through the list but that's all. Of course if your password cannot be leaked this is not a risk, but then if your password cannot be leaked why bother checking it?
– Tgr
Jan 20 at 5:50
@Tgr Indeed. The "trickiness" is because you might not know what service to check. If you know for sure that someone has an account on a given service and they don't do throttling, you can pretty quickly brute force the passwords (as you say). If you get in then great (but not for them!). However, a lack of a match is trickier to diagnose. Do they not use that service? Did they use a different password than the one they checked? Did they use a different email on that service? It's definitely a plausible attack, but it won't have a 100% success rate.
– Conor Mancone
Jan 21 at 13:45
|
show 2 more comments
You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.
The argument
haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:
Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!
Skeptic: Yeah, but you have to give them your password
Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address
Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!
Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!
Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.
Independent Verification
Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.
What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password is ever sent.
You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (Chrome, Firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for "password" you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of "password"). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8, which (at the moment) lists 3645804 matches - aka the password "password" has shown up about 3.5 million times in separate password leaks. (The SHA1 hash of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.)
With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.
Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.
In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?
answered Jan 18 at 21:59
Conor ManconeConor Mancone
10.4k32149
4
The site might send you different JS if you use an old vs. modern browser. It could detect whether the developer console is open. It could sample passwords 1:1000 to reduce chance of detection. It could submit the cleartext password on unload. Etc. And if you send a weak password it can be mostly identified from the first five characters (that's the entire point of the service). If you want to be paranoid about it, be thorough :)
– Tgr
Jan 19 at 7:59
1
@Tgr :) I thought about adding some comments like that, but the point wasn't actually to make people paranoid, but rather to point out that the internet doesn't have to be a black box. There are helpful tools in almost every browser these days.
– Conor Mancone
Jan 19 at 21:31
@Tgr Actually identifying a password from the first 5 characters of your hash is tricky. The only way to actually do that would be to take your password and your email and spam against a service where you are known to have an account. There are 300-500 passwords per hash "bin", so it would be plausible to brute force that few passwords against a weakly secured online service. If your password was in the list it could potentially be cracked that way. However, it could be tricky in practice. If you weren't using a leaked password, sending around your first 5 hash characters has no risk.
– Conor Mancone
Jan 20 at 3:23
It's plausible to try that many passwords against pretty much any online service. Other than maybe banks, very few websites lock you out after a fixed number of failed login attempts (the harassment angle would be more problematic than the security one). Reasonable websites throttle logins so it might take 1-2 days to get through the list but that's all. Of course if your password cannot be leaked this is not a risk, but then if your password cannot be leaked why bother checking it?
– Tgr
Jan 20 at 5:50
@Tgr Indeed. The "trickiness" is because you might not know what service to check. If you know for sure that someone has an account on a given service and they don't do throttling, you can pretty quickly brute force the passwords (as you say). If you get in then great (but not for them!). However, a lack of a match is trickier to diagnose. Do they not use that service? Did they use a different password than the one they checked? Did they use a different email on that service? It's definitely a plausible attack, but it won't have a 100% success rate.
– Conor Mancone
Jan 21 at 13:45
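The range-query check the answer above describes, as an added example in Python. This is not code from the original answer or from HIBP: it computes the SHA-1 of a candidate password, "sends" only the 5-character prefix, and compares the 35-character suffix locally. The HTTP GET is replaced by a lookup in a constructed three-line table that mimics the real SUFFIX:COUNT response body, so it runs offline; the 3645804 count for "password" is the figure quoted in the answer, and the other two entries are made-up filler. The `server_observation` helper is also an assumption of this example, added to show what the operator can learn from a single query.

```python
"""Client-side k-anonymity password check, modelled on the Pwned Passwords
range API.  Added example; not HIBP's code.  The network call is replaced by a
lookup in a constructed table so the script runs offline."""
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The real body is one "SUFFIX:COUNT" line per known hash sharing the prefix
# (about 500 lines for 5BAA6).  The 'password' entry carries the count quoted
# in the answer; the two other lines are made-up filler with no real meaning.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D2D6F6C7E62F8B5D7A7E4C1C0A6A5C4D3E:2",         # filler (constructed)
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804",   # SHA-1('password') suffix
        "20F8B2B6F43F0E4C4F5D0D5E0A0E4E2E0A1:17",        # filler (constructed)
    ]),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """(prefix, suffix): only the 5-character prefix ever leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {SUFFIX: count}; tolerates CRLF and blanks."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET.  Unknown prefix -> empty body (no candidates)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def pwned_count(password: str) -> int:
    """How many times the password appears in the corpus, or 0.

    The comparison of the 35-character suffix happens here, locally; the
    server only ever saw the prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def server_observation(password: str) -> Tuple[str, int]:
    """What the API operator can learn from one query: the prefix it received
    and how many candidate hashes share it.  Every one of those candidates
    (and every hash NOT in the corpus with the same prefix) is equally
    consistent with the query, which is the k-anonymity argument."""
    prefix, _ = split_hash(password)
    return prefix, len(parse_range_response(fetch_range(prefix)))


if __name__ == "__main__":
    for candidate in ("password", "a long passphrase nobody has leaked"):
        prefix, seen = server_observation(candidate)
        print(f"{candidate!r}: server saw prefix {prefix} ({seen} candidates), "
              f"local match count = {pwned_count(candidate)}")
```

To turn this into a real check, replace `fetch_range` with an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the prefix and keep everything else as it is; the point to preserve is that `split_hash` is the only place the password is touched and only its first return value is ever put on the wire.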
Many answers here talk about the particular service "Have I Been Pwned". I agree with them that this service is trustworthy. I would like to make some points that apply in general to all these services.
- Don't use a service that asks for both email and password for checking.
- Use a service that allows you to check anonymously without requiring a sign in.
These services check data breaches that already happened. If your email address is in a breach these services and many others already know about it. Searching your email is not going to trigger anything new.
The maximum you get to lose in this case is that your email address is disclosed. But that is true for any website or newsletter.
1
Straight to the point and actually gives a rational explanation of why there is no actual risk involved in sharing your email. Voted up.
– Kevin Voorn
Jan 22 at 3:47
answered Jan 21 at 5:09
Kolappan NathanKolappan Nathan
1,473516
If you don't trust HIBP enough to give it your email but trust Mozilla (e.g. because you already gave them your email address for some other reason), you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query the HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)
6
This does not answer the question since Firefox Monitor qualifies as “a service like haveibeenpwned”, I think. You're just saying “don't trust service A, trust service B instead” while not explaining why anyone should trust a service like that in the first place.
– Norrius
Jan 19 at 18:56
@Norrius Many people have already given Mozilla their email and it doesn't take any more trust to use their service. I'll add that to my answer.
– user31389
Jan 21 at 11:42
edited Jan 21 at 11:43
answered Jan 18 at 14:50
user31389user31389
1032
Depends on what you mean by "secure," and how paranoid you are.
Just because the creator of the website is a security expert doesn't mean that the website has no security vulnerabilities.
The website supports TLSv1.2 and TLSv1.3, which is great of course.
https://haveibeenpwned.com is using Cloudflare. As we all know, Cloudflare is a man in the middle. The encryption from the website is broken on the way to the actual server by Cloudflare.
Now, for example, the NSA could knock on Cloudflare's door and let the data move over. But you don't have to be afraid of other attackers, because only Cloudflare and the actual target server can decrypt the data.
If you don't care if the NSA or other intelligence agencies get your data, which you sent to https://haveibeenpwned.com, then there should be no problem. Unless you don't trust the security expert.
Personally, I'd rather have my account credentials exposed than the Cloudflare (NSA) getting my data.
Note: This is only an answer for paranoid people. For those who aren't paranoid, other answers should work better.
6
I'm having a hard time even understanding your answer, in my opinion it is full of nonsense which is why I downvoted this answer.
– Kevin Voorn
Jan 21 at 4:45
@KevinVoorn, Ok, I've revised my answer so that even those who don't understand so much about encryption can benefit.
– Skiddie Hunter
Jan 21 at 22:53
Thank you for your clarification, although I am having trouble with "Personally, I'd rather have my account credentials exposed than the Cloudflare (NSA) getting my data." I myself would not want to connect Cloudflare to the NSA (which is a personal view), but I don't see why there is a choice between either sharing your data with the NSA and having account credentials exposed. Maybe you could elaborate on that.
– Kevin Voorn
Jan 22 at 3:45
Right, of course it is best if the credentials do not even reach the public in the first place. But in the worst case, if it does happen. What I mean by that is that if my credentials becomes public, I have a small time advantage to change my password before they find my email. This small time advantage does not exist with direct connections to the spy server. In the worst case, your email will be tapped directly and stored in a database. Now they have your e-mail address. Maybe this is really only for paranoid people. Assuming the owner doesn't work for any intelligence agency.
– Skiddie Hunter
Jan 22 at 17:17
1
I don't think you know how the website works. When data (your email, password, etc.) is exposed in a data leak, that is when the website stores the data and notifies owners, if they want, when they are part of a data leak. The database only keeps data from data leaks, so there is no reason to fear your credentials becoming public because haveibeenpwned.com leaks it; the data already is public.
– Kevin Voorn
Jan 22 at 17:29
edited Jan 26 at 23:22
answered Jan 19 at 18:15
Skiddie Hunter
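The answer above rests on the claim that the TLS connection to the site ends at Cloudflare rather than at the origin server. One check a practitioner can run is to look at the leaf certificate the host presents: who issued it, and which names it covers. A certificate whose subject alternative names span several unrelated registered domains is the usual fingerprint of a shared reverse-proxy or CDN certificate, which means the proxy holds the private key and decrypts the traffic. The script below is an added example and is not code from the original post or from haveibeenpwned.com; the host names, issuer names and certificate contents in the sample data are constructed placeholders, and `fetch_peer_cert`, `describe_cert` and the helper names are this example's own.

```python
"""Inspect which party terminates TLS for a host by reading its leaf certificate.

Added example, not part of the original answer. It summarises the certificate
a host presents (issuer, subject, subject alternative names) and flags when
the names on it belong to more than one registered domain, the typical sign
of a shared CDN/reverse-proxy certificate.
"""
import socket
import ssl
import sys


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a validated TLS connection and return the peer certificate in the
    dict format produced by ssl.SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_value(rdns, key: str) -> str:
    """Pull one attribute (e.g. 'organizationName') out of the nested tuples
    that getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def registered_domain(name: str) -> str:
    """Crude registered-domain approximation: the last two labels.
    Enough to tell 'a.example' from 'b.example' on one certificate."""
    labels = name.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def _matches(pattern: str, host: str) -> bool:
    """Minimal wildcard match of a DNS SAN entry against a hostname."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return pattern == host


def describe_cert(cert: dict, expected_host: str) -> dict:
    """Summarise a certificate dict and flag signs of shared TLS termination."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    domains = sorted({registered_domain(n) for n in sans})
    return {
        "issuer_org": _rdn_value(cert.get("issuer", ()), "organizationName"),
        "subject_cn": _rdn_value(cert.get("subject", ()), "commonName"),
        "san_count": len(sans),
        "registered_domains": domains,
        "covers_expected_host": any(_matches(n, expected_host) for n in sans),
        "shared_with_other_domains": len(domains) > 1,
    }


# Constructed samples in getpeercert() format; these are NOT real certificates.
# One proxy-style certificate covering several customers' domains:
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "sni.cdn-proxy.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CDN CA"),),
        (("commonName", "Example CDN CA 1"),),
    ),
    "subjectAltName": (
        ("DNS", "sni.cdn-proxy.example"),
        ("DNS", "*.cdn-proxy.example"),
        ("DNS", "site-under-review.example"),
        ("DNS", "*.site-under-review.example"),
        ("DNS", "unrelated-shop.example"),
        ("DNS", "*.unrelated-shop.example"),
    ),
}
# One certificate dedicated to a single site:
SAMPLE_DEDICATED_CERT = {
    "subject": ((("commonName", "site-under-review.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (
        ("DNS", "site-under-review.example"),
        ("DNS", "www.site-under-review.example"),
    ),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python tls_terminator.py <hostname>
        host = sys.argv[1]
        print(describe_cert(fetch_peer_cert(host), host))
    else:
        # Offline demonstration on the constructed samples.
        for label, cert in (("shared", SAMPLE_SHARED_CERT), ("dedicated", SAMPLE_DEDICATED_CERT)):
            print(label, describe_cert(cert, "site-under-review.example"))
```

Run it with a hostname to inspect a live site, or with no arguments to see the two constructed cases side by side. Read the result as evidence, not proof: many unrelated domains on one certificate do show that a proxy holds the key, but a single-domain certificate does not show the opposite, since proxies can present per-customer certificates as well.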
6
I'm having a hard time even understanding your answer, in my opinion it is full of nonsense which is why I downvoted this answer.
– Kevin Voorn
Jan 21 at 4:45
@KevinVoorn, OK, I've revised my answer so that even those who don't understand so much about encryption can benefit.
– Skiddie Hunter
Jan 21 at 22:53
Thank you for your clarification, although I am having trouble with "Personally, I'd rather have my account credentials exposed than the Cloudflare (NSA) getting my data." I myself would not want to connect Cloudflare to the NSA (which is a personal view), but I don't see why there is a choice between either sharing your data with the NSA or having account credentials exposed. Maybe you could elaborate on that.
– Kevin Voorn
Jan 22 at 3:45
Right, of course it is best if the credentials do not even reach the public in the first place. But in the worst case, if it does happen: what I mean by that is that if my credentials become public, I have a small time advantage to change my password before they find my email. This small time advantage does not exist with direct connections to the spy server. In the worst case, your email will be tapped directly and stored in a database. Now they have your e-mail address. Maybe this is really only for paranoid people. Assuming the owner doesn't work for any intelligence agency.
– Skiddie Hunter
Jan 22 at 17:17
1
I don't think you know how the website works. When data (your email, password, etc.) is exposed in a data leak, that is when the website stores the data and notifies owners, if they want, when they are part of a data leak. The database only keeps data from data leaks, so there is no reason to fear your credentials becoming public because haveibeenpwnd.com leaks it; the data already is public.
– Kevin Voorn
Jan 22 at 17:29
|
show 3 more comments