Check for Password Reuse
Have your passwords been exposed in a data breach? Are you sure? Here’s a resource to check: https://haveibeenpwned.com/Passwords. HaveIBeenPwned, a website created and maintained by security researcher Troy Hunt, has a list of cracked passwords from data breaches.
HaveIBeenPwned is best known for checking whether your email address has been involved in data breaches. Now, Hunt is providing a similar search capability for passwords that have also been cracked (as SHA1 hashes). The intent is to give service providers the ability to check a password against the database and then either prevent users from using that password or require that they reset it as soon as possible. Some companies are already doing this as an additional measure to help their users be more secure and reduce risk.
Using This Tool in Security Awareness
Avoid putting an active password into a password strength checker tool or, in this case, a password exposure tool. Why? It’s an unnecessary risk to send sensitive information across the internet! However, during a security awareness presentation, input some common passwords into the tool to show people that yes, it’s been used before, and yes, it’s known to hackers already.
Here are some passwords to try:
- @ppl3
- Password123
- dragon1
- 1qaz2wsx
- changeme
Next, walk users through a strong password creation strategy and then check the resulting password through the tool. Seeing that many common or simple passwords have been hacked should drive home the point that users should avoid them.
Prevent Exposed Password Use
If you are an IT department or service provider, prevent users from using hacked passwords. During sign-up or password resets, check the password provided against your own implementation of the service and let the user know it’s not a good password because it’s been found in a public data breach. Some companies are already doing this. As Troy Hunt mentions in this article, be clear about what that means to the user so they understand an exposed password puts them at risk, and that you’re referring to past breaches from other websites (not the one they’re using–unless it’s true).
Audit Exposed Password Use
It’s even possible to compare user passwords against your own version of the exposed password database on a periodic basis and then ask affected users to reset their passwords. This is especially useful for services without a mandated password change interval.
Your Own Password Exposure DB
Running your own implementation of an exposed password database is strongly encouraged, so that active passwords are not sent across the internet unnecessarily. Whether you are checking passwords as users create them or comparing encrypted/hashed passwords from your own service, protect that traffic from unnecessary exposure, even when it travels over HTTPS.
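The local check described under Prevent Exposed Password Use and Your Own Password Exposure DB, as an added example that is not code from the original page or from HaveIBeenPwned: a sign-up or reset gate that looks up the password's SHA1 hash in a hash list kept on your own host, so the password never leaves it. It assumes the list is a text file of uppercase HASH:COUNT lines sorted by hash; the function names, file name, counts and rejection wording are illustrative.

```python
import hashlib
import os
import tempfile

# Assumed list format: uppercase SHA1 "HASH:COUNT" lines, sorted by hash.
def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def write_sample_db(path, counts):
    """Write a constructed stand-in for the local hash list."""
    lines = sorted(f"{sha1_hex(pw)}:{n}\n" for pw, n in counts.items())
    with open(path, "w", newline="\n") as fh:
        fh.writelines(lines)

def exposure_count(password, db_path):
    """Binary-search the sorted file by byte offset; return the count, 0 if absent."""
    target = sha1_hex(password).encode("ascii")
    with open(db_path, "rb") as db:
        lo, hi = 0, os.path.getsize(db_path)
        while lo < hi:
            mid = (lo + hi) // 2
            db.seek(max(mid - 1, 0))
            if mid:
                db.readline()           # advance to the first line starting at >= mid
            start = db.tell()
            line = db.readline()
            if start >= hi or not line:
                hi = mid                # no line begins inside [mid, hi)
                continue
            digest, _, count = line.strip().partition(b":")
            if digest == target:
                return int(count)
            if digest < target:
                lo = start + len(line)  # target can only begin after this line
            else:
                hi = mid                # target can only begin before mid
    return 0

def check_new_password(password, db_path):
    """Hypothetical sign-up/reset gate: reject passwords found in the list."""
    if exposure_count(password, db_path):
        return False, ("This password appeared in past data breaches of other "
                       "websites. Please choose a different one.")
    return True, "ok"

# Constructed sample data: the passwords listed above, with made-up counts.
SAMPLE = {"@ppl3": 12, "Password123": 3456, "dragon1": 789, "1qaz2wsx": 2345, "changeme": 678}
DB_PATH = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
write_sample_db(DB_PATH, SAMPLE)
```

Because the lookup seeks by byte offset instead of loading the file, the same function works unchanged on a full-size list stored on local disk.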