Has my password been Pwned?

Helping your users to choose secure passwords with Foldr

Web security expert Troy Hunt has recently launched version 2 of Pwned Passwords, an online service which allows you to check whether any of your passwords have ever been exposed in a security breach. The service contains over 500 million exposed passwords and provides a super-convenient way to check whether you need to change any of the passwords which you currently use.

Here at Foldr HQ we think that Pwned Passwords is a terrific service and we were keen to see whether we could integrate it into the Foldr server. And, with the release of Foldr server 4.6.3 we’ve done just that. Here’s how it works…

First of all, as with almost everything in Foldr, use of the Pwned Passwords service is entirely optional. If you don’t want to use it, don’t enable it. Moreover, it’s also completely granular so you can enable it only for specific users or groups.

Once enabled for a particular user, any time that user changes their password through Foldr their chosen password will be checked against Pwned Passwords and, if it is found to have been exposed, they will be prompted to choose a different password. Whilst the existence of a password in the Pwned database does not mean that any of the user’s accounts have been breached it is a good idea to ensure that they use a different password.

But I don’t want to share my password with the world!

OK, so if you’re thinking that the very idea of sending a password to another service seems completely at odds with good password practices then you’re not alone! But that’s not how Pwned Passwords works. Troy and the bods at Cloudflare have cooked up a service which allows us to check a password without ever sending enough information to allow them to decipher the original password. The secret sauce here is something called k-Anonymity and it works like this…

When you change your password through Foldr your server will create a SHA-1 hash of your new password. What’s a SHA-1 hash? It’s a representation of your password as an elongated seemingly-random string of letters and numbers which would be very difficult to use to reconstruct the original value. You can read more about hashing here. But sending this whole hash to a remote service could expose more information than necessary and could be used to recreate the original password. So instead Pwned Passwords requires only the first five characters of the password hash. The Foldr server sends these five characters and only these five characters – no personally identifiable information is shared with Troy’s service. Due to the nature of hashing these hashes will have been formed from completely different passwords. You can read about this in much greater detail in Troy’s post announcing Pwned Passwords (scroll down to the section entitled “Cloudflare, Privacy and k-Anonymity”).

The Pwned Passwords servers respond to your Foldr server with a list of hashes which begin with the same five characters as the hash of the user’s chosen password. Now all Foldr needs to do is to compare these hashes to see if they contain the full hash of the new password. If they do then the user is prompted that they should choose another password.

A final note of thanks

None of this would have been possible without the work of Troy Hunt. If you’d like to learn more about his work then check out his amazing Have I been pwned? service or follow him Twitter @troyhunt

Want to know more about security in Foldr? Check out our recent blog post on how Foldr can help with your GDPR compliance