
@sebeard
Last active June 26, 2019 06:44
Rough outline for an FAQ page about checking passwords against HIBP

Credential Safety - Learn More

What is Credential Stuffing?

Credential Stuffing is a form of cyber attack. The attacker obtains a collection of previously breached credentials (i.e. username and password pairs) and uses this collection to target an organisation. The attack involves trying the credentials in the collection against the organisation's login systems in an attempt to gain access to user accounts. The idea is that if a credential has been reused in multiple places, a credential leaked from one organisation can grant access to a user account at another. Attackers commonly use collections like these when attempting to breach accounts to gain access to sensitive data, including Personally Identifiable Information and Payment Card Information.

What is Have I Been Pwned?

Have I Been Pwned (HIBP) is a free online service that documents known data breaches. The service is able to identify if the email address you commonly use has been seen in a publicly released data breach. You can also subscribe to this service for free to be notified if your email ever appears in a data breach.

If your email appears in a data breach, your credentials for the service that has been breached may also have been compromised (HIBP should be able to tell you if this is the case), and you should immediately change your password to something secure that you have not used before, or preferably use a password manager to securely generate a new random password.

It is important to note that not all breaches are made public and not all breaches are even detected. If your email does not appear in HIBP, you should still remain vigilant.

HIBP is operated by Troy Hunt and you can read more on his blog here.

What is Pwned Passwords?

Pwned Passwords is a free service that is part of HIBP. It allows you to check whether a password has previously been compromised in a data breach. Before using the service it is worth reading about it, and about why you shouldn't enter a password you currently use: while the service makes it clear that passwords are not explicitly logged, if the website did store them in plain text and that data were leaked, the password would be compromised. The blog post announcing this service can be found here.

Why is Password reuse a problem?

The reuse of passwords is what enables a Credential Stuffing attack. Even the UK's National Cyber Security Centre (NCSC, which is part of GCHQ) describes password reuse as a major risk for individuals and companies. The password '123456' has been found over 23 million times in the breaches collected by HIBP's Pwned Passwords service. You might think that choosing a more complex password such as 'oreocookie' is better, but even that has been seen over 3,000 times.

Together we can reduce this risk by taking advantage of breached data and known poor password choices to make more informed decisions when selecting a good, strong password. Don't reuse passwords.

My password is safe, therefore it hasn't been compromised. Why should I take notice?

Whilst the service we use is kept up to date with as much data as possible, it contains only a small subset of all the passwords that have ever been compromised. As noted by HIBP, many breaches where credentials are compromised never result in the public release of data. Many breaches even go entirely undetected.

Borrowing from HIBP's FAQ - "Absence of evidence is not evidence of absence" - or in other words, just because your password wasn't found in the data set doesn't mean that it has not been compromised in another breach.

What does it mean if my password has been seen before?

If a password is found by the service we use, it means it has previously appeared in a known data breach. We do not, and HIBP does not, store any information about who the password belonged to. The only information available is:

  • The password has previously been exposed publicly.
  • How many times the password has been exposed by known data breaches.

If your password has been seen before it should no longer be used: its exposure puts any account protected by it at higher risk, because the now-exposed secret can be tried against login systems. If you reuse this password elsewhere you should immediately change it to something secure that you have not used before. Alternatively, use a password manager to securely generate a new random password.

My password is considered as unsafe, but I'm still allowed to use it. Why?

We previously noted that password reuse is a problem. However, we agree with government agencies and other technology organisations that there is a usability concern with a blanket ban on every compromised password. We strongly believe there is a need to strike a balance between protecting users from making poor password choices and making it too difficult for them to choose one. We think that allowing a password that has been compromised fewer than 1,000 times achieves a fair balance. Our aim is that you won't be too frustrated, while the quality of passwords is kept high enough. We also use other technology-based mitigations to reduce the risk posed by these exposed passwords.

Why won't you let me use my password?

We previously noted that password reuse is a problem, and the password you entered poses such a significant risk that the other technology-based mitigations we use do not reduce it to a level we are comfortable with.

We feel we have a fairly flexible password policy. You can create a password containing any character you like, including emoji if you wish, and it can be up to 256 characters long. The only two restrictions we impose are:

  • It must be at least 8 characters long.
  • It must not have been shown to have been compromised more than 1,000 times.

With this policy we feel that you should be able to easily create a secure, unique password. If you are struggling, we recommend using a password manager to generate (and store) a secure, unique password that you do not need to remember.

Do you store my password or any password that I check?

We do not, and HIBP does not, store any information about your password when checking it for previous compromise. Your password undergoes a cryptographic transformation within your browser called hashing. Hashing is a one-way operation: a password cannot be recovered by reversing the resulting hash value. This hash is sent to our servers, where it is used to query HIBP's Pwned Passwords service to check whether, and how many times, it has appeared in known data breaches.
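The check described above and the two policy rules from the previous answer (minimum length of 8, rejection above 1,000 sightings), as an added example that is not the gist author's code or HIBP's. It assumes the public Pwned Passwords range API format (SHA-1 digest, only the first five hex characters sent, response lines of `SUFFIX:COUNT`); the range server here is a constructed offline stand-in built from made-up counts, and the password list and verdict names ("reject", "warn", "ok") are this example's own.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Policy values taken from the FAQ above.
MIN_LENGTH = 8
BREACH_COUNT_LIMIT = 1000  # reject if seen more than this many times


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the format Pwned Passwords indexes.

    In the FAQ this step runs in the browser; only the digest leaves the client.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-character prefix is sent to the /range/{prefix}
    endpoint; the remaining 35 characters stay local and are matched against
    the response, so the server never learns the full hash."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range response contains into a dict.

    Malformed lines are skipped rather than failing the whole check."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def constructed_range_server(seen: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for the range API, built from constructed
    password -> count pairs. Returns a fetch(prefix) -> body function."""
    ranges: Dict[str, List[str]] = {}
    for password, count in seen.items():
        prefix, suffix = split_for_range_query(sha1_hex(password))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        return "\n".join(ranges.get(prefix, []))

    return fetch


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password has been seen, sending only the hash prefix."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> Tuple[str, int]:
    """Apply the FAQ's two rules. Returns (verdict, count):
    'reject' if shorter than 8 characters or seen more than 1,000 times,
    'warn' if seen at all (allowed, but the user should be told), else 'ok'."""
    if len(password) < MIN_LENGTH:
        return "reject", 0
    count = breach_count(password, fetch_range)
    if count > BREACH_COUNT_LIMIT:
        return "reject", count
    if count > 0:
        return "warn", count
    return "ok", 0


# Constructed sample data: counts are illustrative, not real HIBP figures.
CONSTRUCTED_SEEN = {
    "123456": 23_000_000,
    "oreocookie": 3_000,
    "correct horse": 12,
}

if __name__ == "__main__":
    fetch = constructed_range_server(CONSTRUCTED_SEEN)
    for pw in ["123456", "oreocookie", "correct horse", "unseen-example-passphrase"]:
        verdict, count = evaluate_password(pw, fetch)
        print(f"{pw!r}: {verdict} (seen {count} times)")
```

Against the real service, `fetch` would be an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`; the rest of the logic is unchanged, and the full password or full hash is never transmitted.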

If you register with us, your password is stored securely using industry-standard algorithms to hash it along with a salt. A salt is random data used as an additional input to the hash, and it safeguards passwords in storage. Your password is stored in an encrypted database segregated from other data.
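Salted password hashing for storage, as an added example that is not the gist author's implementation and does not describe the actual algorithm or parameters the site uses. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and 600,000 iterations (this example's choices), stores the parameters alongside the hash so they can be raised later, and verifies in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters are this example's assumptions, not the FAQ's actual settings.
HASH_NAME = "sha256"
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per password means two users with the same password get
    different records, so a stolen database reveals neither reuse nor lets an
    attacker precompute one table for every account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def _parse_record(record: str) -> Optional[Tuple[str, int, bytes, str]]:
    """Split a stored record into (hash_name, iterations, salt, hash_hex); None if malformed."""
    try:
        scheme, iterations, salt_hex, stored_hex = record.split("$")
        prefix, hash_name = scheme.split("_", 1)
        if prefix != "pbkdf2":
            return None
        return hash_name, int(iterations), bytes.fromhex(salt_hex), stored_hex
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    parsed = _parse_record(record)
    if parsed is None:
        return False
    hash_name, iterations, salt, stored_hex = parsed
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate.hex(), stored_hex)


def needs_rehash(record: str) -> bool:
    """True if the record uses weaker parameters than the current policy, so it
    should be re-hashed at the next successful login."""
    parsed = _parse_record(record)
    if parsed is None:
        return True
    hash_name, iterations, _, _ = parsed
    return hash_name != HASH_NAME or iterations < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("example-passphrase")  # constructed sample password
    print(record)
    print("verify correct:", verify_password("example-passphrase", record))
    print("verify wrong:  ", verify_password("wrong-guess", record))
    print("needs rehash:  ", needs_rehash(record))
```

Storing the scheme and iteration count in the record is what lets the parameters be raised over time without invalidating existing accounts: `needs_rehash` flags old records, and they are upgraded when the user next logs in with the correct password.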
