As a reminder, Troy Hunt is behind the “Have I Been Pwned” service, which collects information from data breaches and maintains a list of e-mail addresses that have been compromised. This allows anyone to discover whether his/her account was part of a breach and if yes, which one.
You can for instance head to this link and you will see that our infamous colleague Ector Dulac got his account and password stolen on 3 occasions, including Dropbox in 2012 and LinkedIn in 2016.
As an organisation, you can subscribe to a notification service and get an alert each time an account within your domain is added to the database.
In many cases, the stolen databases contain passwords (sometimes weakly hashed, sometimes even in clear text), and Troy Hunt started building a secondary list of “Pwned Passwords”. If your password is in this list, then it can be considered “burnt” and it shouldn’t be used anywhere on the Internet.
Let’s take “abc123” for instance. You can head to this page and enter the string “abc123”. The service tells you this password has been seen more than 2 million times in known breaches.
The challenge at this point is to check whether your password was stolen somewhere, without actually revealing it to the service. This is where the k-Anonymity model comes into play. It means you can safely enter your password in the above URL. Your browser hashes the password locally and sends only the first 5 characters of that hash; in return it receives the list of all known hash suffixes starting with this sequence. A local search (in the browser) then tells you whether the password is known to the service, while the password itself, and even its full hash, never leaves your machine.
DiagnoPhish: fully secure password checking
Until now, whenever users were challenged to enter their credentials in the course of a DiagnoPhish phishing awareness campaign, the strength of the provided passwords was measured against:
- a list of the most frequent passwords
- the NIST password security guidelines.
Depending on the result of this combined evaluation, a password would receive a score from 1 (very weak) to 10 (very strong).
Integrating the "PwnedPassword" API into DiagnoPhish has made it possible to additionally discover whether an existing user password has been involved in a data breach in the past. Whenever a password is captured in the course of an awareness campaign, it is compared with Troy's list of breached passwords and the result "Pwned!" is displayed in the DiagnoPhish dashboard if a match is identified.
Using the k-Anonymity model described above, this valuable information can be obtained without any password ever being stored, disclosed or transmitted in clear.
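The range query described above, and the way a platform such as DiagnoPhish can apply it to a captured password, as an added example (not DiagnoPhish's own code). It assumes the public `https://api.pwnedpasswords.com/range/` endpoint and its `SUFFIX:COUNT` response format; the sample response and its counts are constructed for the offline demonstration, not real API data.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public Pwned Passwords range endpoint


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Search the range response ('SUFFIX:COUNT' per line) locally for our suffix.
    Returns the breach count, or 0 when the suffix is absent. With the optional
    Add-Padding header the service mixes in dummy entries with count 0, so a
    match with count 0 is treated exactly like no match."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network step: only the 5-character prefix leaves the host."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-demo"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Full k-Anonymity check; `fetch` is injectable so the flow can run offline.
    A non-zero result is what a dashboard would render as 'Pwned!'."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for the prefix of "abc123" (counts are made up).
_ABC123_SUFFIX = split_hash("abc123")[1]
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_ABC123_SUFFIX}:2345678",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",  # padding-style entry, must be ignored
])

if __name__ == "__main__":
    print("abc123 seen", check_password("abc123", lambda p: SAMPLE_RANGE), "times (constructed data)")
```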
As a reminder, all information (including passwords) gathered during a DiagnoPhish phishing awareness campaign is securely sent to your own DiagnoPhish platform. The password value is then used to compute a complexity level and to call the API, and is finally discarded by default. As an organisation administrator, you can also decide to retain this data for later use, in which case it gets encrypted with a dedicated key, specific to your organisation.
The easy end of exposed passwords
Organisations benefit greatly from knowing if their users' active passwords belong to a collection of breached data. Such passwords, being especially likely to be part of brute-force lists, pose a serious security threat to the whole IT infrastructure.
As part of its DiagnoPhish awareness campaign, an organisation will know which users it should instruct to replace their existing passwords with more secure ones. At the same time, it might also want to provide those users with some targeted password security training.
A win-win operation requiring very little effort for users and organisations alike.