A security researcher has released an updated list of 500 million breached passwords so that organizations can use it to protect their systems.
On 22 February, Australian web security expert Troy Hunt published the second version of “Pwned Passwords.” The feature lets anyone check a new or existing password against a list of 501,636,842 passwords that have previously appeared in data breaches. Organizations can use it to make sure their users are not choosing secrets that a known security incident has already exposed.
People can either download the entire list or use an online search tool to verify a password. If they choose the latter, the utility reports whether the password appears in the list, along with a count of how many times it was seen across the breach data sources from which the list is built.
Such a feature has many potential applications in the security world. 1Password recognized one when it integrated the feature’s k-Anonymity model into its password manager: the client sends only the first five hex characters of the password’s SHA-1 hash, receives every known hash suffix in that range, and does the final comparison locally, so the full hash never leaves the device. This lets users gauge their exposure should they choose to opt into 1Password’s new option.
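The range query just described, as an added example in Python (this is illustration code written for this article, not 1Password’s integration or Hunt’s own code). It assumes the v2 range endpoint `https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>` and its `SUFFIX:COUNT` response lines, which are how the API is documented. The response body for prefix `5BAA6` is a constructed stand-in so the block runs offline: the suffix for the password `password` is its genuine SHA-1 suffix, while the other suffixes and all counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the range API response for prefix 5BAA6.
# Real responses hold several hundred lines. Only the suffix for "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) is genuine; the other
# suffixes and every count here are invented for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003",
        "2F7BBB9C0E2A8E5B1D7F0B9E3C6A1D4E5F0:12",
        "A1C2D3E4F5061728394A1B2C3D4E5F60718:1",
        "FFEE00112233445566778899AABBCCDDEEF:57",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is only ever compared locally."""
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API) into a map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a 5-char prefix over HTTPS (not used offline)."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-range-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only the 5-char prefix reaches the server, which narrows the candidate
    hash to one bucket of 16**5 = 1,048,576 possible prefixes; the suffix
    comparison happens here, on the client.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "not-in-the-sample-corpus"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not found in sample"
        print(f"{candidate!r}: {verdict}")
```

To run the same check against the live service, pass `fetch=fetch_range` to `pwned_count`; the password hash itself is still never sent, only the five-character prefix. A signup or password-change handler would typically reject any candidate with a non-zero count rather than applying a threshold.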
I’m *so* impressed with what they’ve done here; I launched this service only 27 hours ago and they’ve already pushed this out. They had no prior knowledge I was doing this, they just got hands on tools right away and made it happen. That’s awesome.
— Troy Hunt (@troyhunt) February 22, 2018
As with the first version of the feature, Hunt SHA-1 hashed the entries in Pwned Passwords. He did so not because he thinks SHA-1 is a sufficiently robust algorithm for protecting sensitive data like passwords, but because he believes it is important “to ensure that any personal info in the source data is obfuscated such (Read more...)
This is a Security Bloggers Network syndicated blog post authored by David Bisson. Read the original post at: The State of Security