Have you been pwned? Troy Hunt, a security researcher at Microsoft has set up a great project called “haveibeenpwned” so you can find out. You can use the website to search for an e-mail address and see if they have been included in past data breaches. You can also sign up to be notified of future breaches too. If your e-mail has been found, it will tells you what data has been leaked, such as poorly hashed passwords. My results (for my generic sign-up email) are below. The Adobe and LastFM password leaks are a serious concern since MD5 is no longer considered a secure hashing algorithm. Oops.
Check Your Passwords
Troy has recently added a new feature allowing you to search a collection of over 320 million leaked passwords. As he states at the top of the page, you shouldn’t be trusting passwords you still use to some 3rd party website. SHA1 hashes of all 320 million are available to download , and Cloudflare kindly cashed them so you should be able to download them fairly quickly. I wrote a program to search them, available under the MIT Licence on GitHub. If you don’t want to download 5.6GB of data, you can use the web API to search hashes. This is less safe than searching passwords through the website directly, as SHA1 hashes can be cracked fairly easily, but this happening seems unlikely. The safest way is to search the text files directly. Any issues with the software can be reported through the GitHub issues page.
The program is fairly simple to use, you can select the hash files, or to use the web search API. Then add passwords with a hint, and they will be displayed on the right hand side. Finally hit ‘Check Hash’ and if any are found, it will say found next to them. As you can see below, ‘password’ and ‘correcthorsebatterystaple’ were both found, but some random mashing of my keyboard wasn’t. The web search API has a 1.5s rate limit, so searching for lots of passwords may take a while.
Change Your Pwned Passwords
If you password is found, you need to change it everywhere it is used, ASAP! I would highly recommend getting a password manager so you can use a different password for every site. That way you only need to remember one secure password. I use LastPass, but others are available. A password manager has the added benefit of keeping track of what sights you have signed up to. If you see news about a data breach, you can quickly check you password list for an account and change you password straight away.