Nerdy leaked passwords:
Treebeard - “This password has been seen 1,207 times before in data breaches!”
NedStark - 20 times
CerseiLannister - 30 times
youknownothingjonsnow - 61 times
PicardIsSexy - 0 times ([email protected] you’re safe. ;)
edit:
Gandalf1 - 53,478
Gandalfthewhite - 51
NSFW leaked passwords:
spoiler
bigdick - 178,712 (!?!)
bigpussy - 9,226
longpussy - 26
longdick - 10,762
wetpussy - 61,575
wetdick - 579
twat - 6,588
dickhead - 201,942
Weird leaked passwords:
((More to come later))

very sane reaction.
I have to say though, haveibeenpwned is very well regarded in the industry, and is run by a well-known security expert. A leak from there would be quite the blow to his reputation.
https://en.wikipedia.org/wiki/Have_I_Been_Pwned
That said, while I happily give them my email-addresses, I have never given them my password.
I’m not so sure that it would be a huge blow. He’s only human and everyone is susceptible to the odd mistake.
He did get phished last year and blogged about it after it happened, which is the transparent approach that security experts say is the correct response. I’m pleased that he followed the advice that he gives, to be honest, and don’t think any less of him for suffering a breach.
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Fair, I misstated that. A deliberate leak from there would be quite the blow to his reputation.
All it takes is a malicious actor to MITM, or a compromised codebase, or any other malicious thing to slip something in, and it’s also pwned.
I’ve seen too many widely recognized and supposedly secure things fail, to trust this with my passwords.
I’d argue though, if you use a single password for everything, it’s probably more secure to add it here to at least get an indication when it’s breached. Your surface in that case is already so large that the difference is negligible compared to the gained warning.
That said, don’t reuse passwords!
I suppose they use JavaScript to hash your password locally so all haveibeenpwned has is your hash.
It’s certainly not foolproof, but it means a simple MITM attack wouldn’t be that bad.
The risk would be that the JavaScript in question would be compromised for the whole service. Also, if the user’s machine is already compromised, well, I would argue that password is already useless anyway. If someone has a keylogger on your system, haveibeenpwned would be the least of your concerns.
So it’s never foolproof but some risk can be mitigated.
Hashes are a powerful tool enabling easy check of leaks without exposing directly any user password.
Edit: Hmm, there are much better explanations of hashes than mine on here, probably disregard the above comment.
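The local-hashing and k-anonymity mechanism the commenters above (and the "reputable k-anonymity service" remark further down) are describing, as an added example that is not code from the original thread nor from Have I Been Pwned itself: the password is SHA-1 hashed on the client, only the first five hex characters of the hash are sent to the range endpoint, and the server answers with every suffix it knows for that prefix together with a breach count. The client finishes the comparison locally, so neither the password nor its full hash ever leaves the machine. The `fetch_range_live` helper and the `SAMPLE_RANGE_5BAA6` response body are my own constructions: the URL shape matches the public Pwned Passwords range API, but the counts in the sample are made up for the test and are not real breach figures.

```python
import hashlib
import urllib.request
from typing import Callable

# Public Pwned Passwords range endpoint (assumed shape: /range/<first 5 hex chars of SHA-1>).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password locally and split the uppercase hex digest into the 5-char
    prefix that is sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Network fetcher (not used by the offline demo below). Only the prefix is transmitted.
    The Add-Padding header asks the service to mix in dummy zero-count rows so that
    response size does not reveal how many real suffixes share the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Zero-count rows are padding, not real hits."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appeared in the corpus (0 = not seen).
    The suffix comparison happens here, on the client, against the returned range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with 5BAA6).
# The first row is the real suffix of SHA-1("password"); the count and the other rows are invented.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3",
    "00000000000000000000000000000000001:0",   # padding row: zero count, must be ignored
    "0D4B5F5D3C5F1E5E4A1B2C3D4E5F60718293:17",
])


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the network call; records that only a prefix was requested."""
    REQUESTED_PREFIXES.append(prefix)
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


REQUESTED_PREFIXES: list[str] = []


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch)
        print(f"{pw!r}: seen {n} times; sent only prefix {sha1_prefix_suffix(pw)[0]}")
```

The MITM point made above follows directly from the design: an attacker watching the request sees a five-character prefix that covers hundreds of distinct hashes, and the response tells them nothing about which one the client cared about. What the design cannot defend against is the client code itself being swapped out, which is the residual risk the thread is debating.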
I hope for humanity’s sake that you’re joking.
Why?
Because using a reputable k-anonymity service is as risky as throwing apple peels in the trash. Or just looking at an apple.
Same person said that to me too and refuses to elaborate. Really strengthens their argument.