PassProtect tells you if your password has been pwned

May 25, 2018 TH Author

By this point, it’s more likely than not that at least one of the accounts you use online has been compromised by a data breach. Maybe you’ve heard of Have I Been Pwned? and you’ve gone and looked to see which of your accounts have shown up in a data breach, or signed up to get notified when they do. Maybe you got an official notification from one of those breached services that an account of your has been affected; maybe you didn’t – or maybe you got a notification so vague that you can’t tell if your account was affected to not.

SEE: Password managers: How and why to use them (free PDF)

Even if your account hasn’t been leaked by poor security at a website, lots of people use the same bad passwords (like 123456, password1 and qwerty) so if you pick one of those, your password could be compromised without your account having been leaked.

There’s a 30GB database of half a billion leaked passwords that web sites can use to see if a user is creating an account using a weak password that’s already shown up in a breach.

Okta’s new PassProtect library makes it easier for web sites to use Have I Been Pwned to check whether user passwords are unsafe right when you type them in to log in to your account – which is the most useful time to get a warning, because you’re not going to forget to change it. And making it easier for developers to use the service makes it less likely that they make a dumb mistake and end up making things more secure.

As not all web sites are going to use either of those, PassProtect is also available as a browser extension (initially for Chrome with Firefox support also planned).

Of course, passing your password around the internet to check whether it’s safe needs to be done securely. PassProtect uses Cloudflare’s k-anonymity to check if the password is in the Pwned Passwords database without sending the password, or even the full hash of it.

The extension computes the SHA1 hash of the password, takes just the first five bytes of that and sends an (encrypted) request to the service to get a list of the longer hashes that have those first five bytes. That’s an anonymised bucket of passwords that stops a malicious actor using the extension to find out if their guess at your password is correct, and the Pwned Passwords service never gets enough information about a password that isn’t in the database to be able to crack it.

In the long term, moving away from passwords to contextual security and biometrics will protect us better. That means that when you’re trying to access a really important document you’ll need to use multiple factors like clicking ‘ok’ on a push message on your phone or a face or fingerprint scan on a device you’ve already used, that’s up to date on patches and anti-malware protection on a known network.

But when you’re logging into the same site you log into at the same time every day, from the same physical location using the same network connection and the same IP address, and what you’re looking at isn’t unusually confidential, you won’t have to type in a password at all.

Identity services like Azure AD and now Okta support that kind of contextual security, because making security more usable makes it more secure; annoyingly difficult security is what people try to get around. IT policies shouldn’t force users to change their password every 90 days if it hasn’t been phished or stolen from the password database. As Okta vice president Rich Dandliker put it at the company’s recent Oktane conference, the number of forced password changes directly correlates with the number of passwords that get written down on Post-it notes.

Biometrics and hardware options have their own issues; you can lose a hardware key and almost every biometric system from fingerprints to iris recognition to hand vein prints to voice biometrics fails for around 20 percent of the population (not to mention storing a hash that matches the biometric features rather than an image of your fingerprint, since you can’t reset your fingers if that database gets breached).

But as these options becomes a standard (through FIDO and the W3C), it’s another step away from the ongoing dumpster fire that is internet passwords. A combination like Windows Hello which falls back to a PIN if the recognition fails is a good compromise – even if that’s a short PIN, because it’s stored only on the PC where you register the biometric, and it’s stored in silicon. To break that, you’d have to steal the PC and type in guess after guess until you got it right. As Okta’s Alex Bovee said at Oktane, “If as an industry we’ve reduced the attack surface on our users to having to physically steal a device, that’s a pretty good achievement.”

Once browsers and web sites support the FIDO and WebAuthN standards, they can exchange tokens based on biometrics and hardware to log you in and you won’t have to worry nearly as much about whether a site has leaked your password. Until then, an extension like PassProtect is well worth installing.

More on passwords