

Have you been pwned?



Troy Hunt
- Gold Coast, Australia
- Microsoft Regional Director
- Course maintainer at Pluralsight
- Founder of Have I Been Pwned (HIBP)



Have I Been Pwned (HIBP)
- Assess if your data was ever compromised
- Founded in 2013, after one of the biggest data breaches ever: Adobe, 38 million customers' sensitive information
- Hashed/encrypted passwords
- Credit card details
- E-mail addresses
- ...
- Has since been integrated with many services

Integrations - Mobile Vikings

Integrations - Mozilla


Integrations - 1Password


Have I Been Pwned
- What's on the website?
- Chronological list of breach details
- Lookup on e-mail address
- Lookup on password
- Notification service
- API documentation
- ...

Lookup on password
Lookup on password, is that secure? 🤔
→ Feel free to download the database
- Billions of hashed passwords (SHA-1)
- Do whatever you want with it

Lookup on password
Never mind, I'll use the API or website
... but is it really secure? 🤔
- k-anonymity
- No link between usernames and password hashes

Recap: hashing


Recap: characteristics of cryptographic hashing
- Input of any length
→ fixed size output
- Given the output:
infeasible to find the input
- Given an input and output:
infeasible to find another input with the same output

Hashing in JavaScript
Side note:
hashing in Node.js is super easy
// Hashing a super bad password in Node.js with SHA-1
const { hash } = require('node:crypto');
const hashedPassword = hash("SHA1", "password");
console.log(hashedPassword);
Hashing in JavaScript
// Hashing the same password in the browser with the Web Crypto API (SHA-1)
const text = "password";
async function digestMessage(message) {
  const msgUint8 = new TextEncoder().encode(message);
  const hashBuffer = await window.crypto.subtle.digest("SHA-1", msgUint8);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  const hashHex = hashArray
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
  return hashHex;
}
digestMessage(text).then((digestHex) => console.log(digestHex));
Side note:
hashing in a browser env is less easy (but doable)

k-anonymity
- All passwords in the DB are hashed (SHA-1)
- API request:
- Send the first 5 chars of the hashed password
- API response:
- Return the last 35 chars of all hashed passwords
that match the first 5 chars
- Praise the demo Gods! 🙏


Padding
What if someone intercepts the encrypted API responses and probes the API based on response size? 🤔
- Padding to the rescue
- Request header: Add-Padding
- Ensures a response of variable size,
making it harder to infer the prefix from the response length

Have I Been Pwned API
- Password search API: completely free
- No rate limit
- Meaning: informing clients when they log in
with a breached password → a piece of cake!
- One last time: praise the demo Gods! 🙏

Key takeaways
- Hobby projects can turn into globally renowned organizations!
- You should check out haveibeenpwned.com!
- Integrating HIBP into your sign-up & sign-in flow is super easy, free and beneficial for everyone.
Thanks for listening and keep your passwords safe!
Have you been pwned?
By kareldesmet
