The NCA Shares 585 Million Passwords With 'Have I Been Pwned' (therecord.media)
The UK National Crime Agency has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches. The Record reports: The NCA now becomes the second law enforcement agency to officially supply HIBP with hacked passwords after the US Federal Bureau of Investigation began a similar collaboration with the service back in May. In a blog post today, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique.
These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and if they are likely to be part of public lists used by threat actors in brute-force and password-spraying attacks. Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All these passwords are also available as a free download, so companies can check their passwords against the data set locally without connecting to Hunt's service.
In a statement shared by Hunt, the NCA said it found the compromised passwords, paired with email accounts, in an account at a UK cloud storage facility. The NCA said they weren't able to determine or attribute the compromised email and password combos to any specific platform or company.
Gimme your passwords! (Score:2)
Re:Gimme your passwords! (Score:5, Informative)
You can hit the API with the first 5 characters of the hash of your password. It looks like a good model to me. Documentation here: https://haveibeenpwned.com/API... [haveibeenpwned.com]
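The range lookup described in the comment above, as an added example that is not part of the original post or HIBP's own code: only the first 5 hex characters of the password's SHA-1 hash are sent, and the suffix is matched locally. The use of SHA-1 and the `SUFFIX:COUNT` response lines follow the public Pwned Passwords range API rather than anything stated on this page; `make_constructed_server` is a hypothetical offline stand-in for the service, and its counts are constructed.

```python
import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; malformed lines are skipped, not trusted."""
    result = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str, fetch_range) -> int:
    """Look up a password; only the 5-character prefix is passed to fetch_range."""
    prefix, suffix = split_hash(password)
    # The full hash and the password itself never leave this function.
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def make_constructed_server(known: dict[str, int]):
    """Hypothetical stand-in for the remote service, built from constructed data.

    A real client would instead issue an HTTPS GET for the prefix against the
    Pwned Passwords range endpoint and pass the response body to parse_range.
    """
    table: dict[str, list[str]] = {}
    for pw, count in known.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen: list[str] = []  # everything the "server" ever learns about a query

    def fetch_range(prefix: str) -> str:
        seen.append(prefix)
        return "\r\n".join(table.get(prefix, []))

    return fetch_range, seen


if __name__ == "__main__":
    fetch, seen = make_constructed_server({"password": 42, "letmein": 7})
    for candidate in ("password", "a long random token nobody reuses"):
        print(candidate, "->", pwned_count(candidate, fetch))
    print("prefixes sent:", seen)
```

The `seen` list shows what the service observes for each query: a 5-character prefix shared by many unrelated hashes, never the password or its full hash.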
Re: (Score:2)
It's time we did away with passwords.
The only safe way to use them is to generate a long random one for every site, so you might as well just use a token.
Stop spreading FUD. Troy is a good guy (Score:5, Informative)
No, the site does NOT ask for your password.
That's a lie.
Troy is a great guy. He's been doing an important public service for a long time, for free. Even the services he offers for businesses are free because that's the kind of guy he is. A fine example of an excellent human being.
Stop spreading lies about a really great person.
Re: (Score:1)
mkdir -p
(download the arc
Re: Gimme your passwords! (Score:2)
Only problem I see with this site is that it forces users and services to think about their password policies. The accumulated stress will eventually release as a revolution of some kind, over a totally unrelated matter.
Oh shat! (Score:1)
my password is...was "Have I Been Pwned"
CorrectHorseBatteryStaple (Score:3)
Apparently only pawned once!
If you add the spaces, no pawnage found. Obviously not enough people are following Randall Munroe's recommendation to use this password.
swordfish (Score:2)
Oh no — pwned!
This password has been seen 134,315 times before
Pity, this classic password is only 89 years old [youtube.com]