Saturday, 5 August 2017

Pwned Password Protection

Back in September of last year, I wrote a little about Special Publication 800-63 that NIST had drafted (which was later finalized and released in early 2017).

One of aspect of the recommendations that I think a lot of services/companies struggled with related to preventing the usage of credentials that had previously been in a breach, leak, or other sort of compromise.

It seems like that would be very difficult to do well, without having someone at your company spending a bunch of time on the darknet markets, downloading the latest leaks. And then what do you do with the data once you have it? Even if it’s only stored internally and accessed behind-the-scenes, having that sort of information lying around just seems a bit risky (and that’s coming from someone with a VERY high risk tolerance!)

Thankfully, Troy Hunt saves the day. He already has done the hard work of collecting the data, anyhow. Not only does he already have an insanely-large stockpile of leaked credentials, but he now SAFELY exposes those password hashes so the rest of us can benefit from his work.

There are no usernames, email addresses, or other identifiable information. It’s just a list of SHA1-hashed passwords. The thinking goes that even if a specific email address and password combination wasn’t part of the credentials that were leaked, if anyone else used that same password and had their credentials compromised, that password should be considered ‘no good’ and shouldn’t be used.

That may be a bit overkill for some sites, but especially for sensitive information (such as medical or financial data), it’s probably worth being a little overly-paranoid…

Anyhow, he has RESTful API that lets you send over individual passwords (SHA1-hashed or, if you are feeling way too trusting, in plaintext) and you’ll know whether or not the password is in his list. Personally, though, take the storage hit and download the whole database, so you can do offline processing.

I’m still not sure how I’d utilize this… since it could easily generate a visceral knee-jerk reaction from some users… who might not understand the password may have been from a compromise unrelated to them and that it wasn’t a compromise of the current system they are using… It might be worth waiting to see what sort of traction it gets in the private sector and what sorts of UX conventions get used by the more mainstream sites. Either way, though, it definitely is helping things head in the right direction.