Does the haveibeenpwned website check passwords or steal them?

  • Dec 24, 2019

Yesterday I wrote about the world's largest database of stolen passwords and about the website where you can check whether your e-mail has been compromised (ammo1.livejournal.com/1011988.html). More than fifty commenters suggested that the site itself steals passwords, collects e-mail addresses for spam, and so on. One commenter even wrote: "Alexey needs to delete the post or apologise for spreading such nonsense, or his reputation will be tarnished a bit" (spelling preserved; the "Ms-shek" rule from the second year of secondary school has been forgotten).

Let's investigate.


Troy Hunt, who created the site https://haveibeenpwned.com, is an expert on Internet security. Here is the article about him in the English Wikipedia: en.wikipedia.org/wiki/Troy_Hunt. Troy also keeps a blog devoted to Internet security at troyhunt.com.

I was not the only one who wrote yesterday about the news of the leaked database with a billion passwords. Here is the Habr publication: habr.com/ru/post/436420. Here is the post by Kaspersky Lab:

facebook.com/KasperskyLabRussia/photos/a.133379716735218/2440782895994877. TASS, RBC, Echo of Moscow and many other media outlets wrote about it as well.

Mozilla, the company behind the popular Firefox browser, launched a leak-checking service, monitor.firefox.com, that uses the haveibeenpwned.com API but does not send it the e-mail address being checked (only hashes are transmitted).


This service is convenient because it simply shows the sites where the e-mail/password pairs leaked and the date it happened. For my main address it shows five leaks from 2011-2013.


In addition, a database of password hashes can be downloaded from Troy's site (not the passwords in clear text, but checksums, which are enough to check definitively whether a password is in the database).
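As an added illustration of that hash-based check (not code from the post or from haveibeenpwned.com): the script below hashes a password with SHA-1, keeps the full hash local, and looks up only its first five characters in a prefix "range" list, which is the k-anonymity scheme the Pwned Passwords service is known to use. The range data, the leak counts and the `sample_lookup` stand-in are constructed for the example; a real check would fetch the range for the prefix, or read it from the downloaded database.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample range data: for a 5-character SHA-1 prefix, the
# 35-character hash suffixes and leak counts a range lookup would return.
# Counts are made up for the example; a real range holds hundreds of lines.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA-1 of "password"
        "1D8F5D6B2C8A0E7E9D1C4B5A6F7E8D9C0B1:2\r\n"        # constructed filler
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used by the hash list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent out and the
    35-char suffix that never leaves the client."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def sample_lookup(prefix: str) -> str:
    """Stand-in for the network call: serves the constructed ranges only."""
    assert len(prefix) == 5, "only the 5-char prefix may leave the client"
    return SAMPLE_RANGES.get(prefix, "")


def leak_count(password: str, lookup: Callable[[str], str] = sample_lookup) -> int:
    """How many times the password appears in the database (0 if absent).
    The full hash, and therefore the password, is never sent anywhere."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {leak_count(pw)} times")
```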


Based on all of the above, it appears that haveibeenpwned.com can be trusted: it does not collect any e-mails or passwords, and its creator is not an attacker.

I think the most correct approach would be the very simple thing I said yesterday. If, when you enter an e-mail, the site sent a letter to that address saying that the following password leaks were found for it and listed, in explicit form, all the login/password pairs together with the site that leaked and the date of the leak, there would be far fewer doubts and far more benefit. Once again: the e-mail/password pair would appear only in a letter sent to the compromised address itself, which I think is quite safe.

Now, about the strange reports. Several people have written that they entered non-existent e-mail addresses and the site reported a leak for them. Let's try to verify this. Please check such non-existent or newly registered addresses on https://haveibeenpwned.com and monitor.firefox.com and report the results, citing the e-mail, so that I and others can check them too.

© 2019 Alex Nadozhin