E-mail breaches : collection #1

udg

Expert
Licensed User
Hi all,
you may have read about this before. They collected more than 773 million emails (and a good number of passwords too) through a few data breaches against some providers.
AFAIK, Troy Hunt was the first to announce it and on his site he offers a nice API to conduct some checking.
Below you can find a quick and dirty B4J implementation of password checking. Try with your own pwd and see whether it was pwned before (in that case, change it immediately).

udg
 

Attachments

  • pwnedpwd.zip
    1.2 KB · Views: 95

AnandGupta

Well-Known Member
Licensed User
I may be wrong, but if you type your 'password' to check, that 'password' can be taken by the site, no matter what it is.
So they have a legitimate password, and more in similarly manner, to try on different sites, for whatever purpose they want.

Please correct me.

Regards,

Anand
 

udg

Expert
Licensed User
Please read the code. In no way we send out our password to that external service. We just send the first five bytes of the SHA-1 hash of our password.
The service returns a list filled by items sharing those same 5 bytes. It's up to us to scan the list to find the exact match for our password.
I chose that service mainly because I see no risk in sending 5 bytes out of 40.
 

AnandGupta

Well-Known Member
Licensed User
I agree with you, but wanted to covey my concern how some sites are using this fear for their advantage.

Better use strong password with combination of local language and special characters. Change it periodically. Follow it for important sites like financial. For the rest of the sites use simple password which you can remember along with the site name combination.

Regards,

Anand
 
  • Like
Reactions: udg
Top