Not trying to rehash things, but while catching up on reading;

On 3/24/20 11:52 AM, Michael Peddemors via mailop wrote:
> On 2020-03-24 9:35 a.m., micah anderson via mailop wrote:
>> Steve Freegard via mailop <mailop@mailop.org> writes:
>>
>>> I included the partial SHA-1 to be compatible with automation and
>>> tooling around the HaveIBeenPwned API - see
>>> https://haveibeenpwned.com/API/v3#PwnedPasswords
>>
>> I understand that desire, but I wish the HaveIBeenPwned things were
>> better. As a provider, even with their API, it's basically useless for us
>> to actually consume in a way that makes sense.
>>
>
> While 'haveIbeenpwned' is an interesting piece of data for researchers,
> having an email address password combination in there does NOT
> necessarily mean the account has been compromised either, or more to the
> point, still compromised.
>
I still haven't decided if I want to classify HaveIBeenPwned as shameless FUD, an all-out shill for 1password.com, or security performance art.

Some time ago I downloaded their data, at the time over 555M hashes, and while there is good reason to avoid passwords that have been used over and over again, e.g.:

7C4A8D09CA3762AF61E59520943DC26494F8941B:23547453
F7C3BC1D808E04732ADF679965CCC34CA7AE3441:7799814
B1B3773A05C0ED0176787A4F1574FF0075F7521E:3912816
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D:3120735
7C222FB2927D828AF22F592134E8932480637C0D:2938594
6367C48DD193D56EA7B0BAAD25B19455E529F5EE:2855057
20EABE5D64B0E216796E834F52D61FD0B70332FC:2512537
E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D:2413945
8CB2237D0679CA88DB6464EAC60DA96345513964:2380800
..

I see _no_ value in the millions of hashes (over 196M) that appear to have only ever been exposed once. No one is going to load up and attempt a dictionary attack of those used-only-once hashes. It sure as heck doesn't mean a thing about whether a specific user has been compromised without any context to go with the password.

-- 
SgtChains
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
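A worked lookup in the Pwned Passwords range format this thread discusses, added here as an example; it is not part of the original post and not HIBP's own client code. It hashes a password, keeps only the 5-character SHA-1 prefix (the partial SHA-1 Steve mentions) for the lookup, matches the 35-character suffix locally against a range response in the hash:count format quoted above, and applies a minimum-count threshold so that the single-exposure entries the post considers noise do not block anyone. `offline_lookup`, the `SAMPLE_RANGE_5BAA6` data and the `min_count` default are assumptions made for this demo; the real client would fetch the range from the API documented at the URL in the thread.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for one range response (not real API data). Each line is
# the 35-char SHA-1 suffix, ':', and the number of times that hash was seen.
# 5BAA6 is the prefix of SHA-1("password"); its count matches the post's list.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password")
    "0000" + "A" * 31 + ":1",                         # seen once: noise per the post
    "FFFF" + "B" * 31 + ":12",
]) + "\n"


def offline_lookup(prefix: str) -> str:
    """Assumed stand-in for the HTTP range query: only the 5-char prefix is
    ever sent to the service (k-anonymity); the suffix stays on the client."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def should_reject(password: str, lookup: Callable[[str], str],
                  min_count: int = 2) -> bool:
    """Reject only passwords seen at least min_count times. The default of 2
    is an assumed local policy, not a value the API or the post prescribes."""
    return pwned_count(password, lookup) >= min_count


def single_exposure_fraction(counts: Dict[str, int]) -> float:
    """Share of entries in a parsed range that were only ever exposed once."""
    if not counts:
        return 0.0
    return sum(1 for c in counts.values() if c == 1) / len(counts)
```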