Where Are the Passwords From?

Before I go any further, I've always been pretty clear about not redistributing data from breaches and this doesn't change that one little bit.

If you're impatient you can go and play with it right now, otherwise let me explain what I've created. This blog post introduces a new service I call "Pwned Passwords", gives you guidance on how to use it and ultimately, provides you with 306 million passwords you can download for free and use to protect your own systems.

It would be exceptionally helpful if could share anonymized passwords for this purpose. - scriptjunkie June 23, 2017

As I read NIST's guidance, I realised I was in a unique position to help do something about the problem they're trying to address due to the volume of data I've obtained in running HIBP. The reasons for this should be obvious but just in case you're not fully aware of the risks, have a read of my recent post on password reuse, credential stuffing and another billion records in Have I been pwned (HIBP).

NIST isn't mincing words here, in fact they're quite clearly saying that you shouldn't be allowing people to use a password that's been breached before, among other types of passwords they shouldn't be using. Here's the full excerpt from the authentication & lifecycle management doc (CSP is "Credential Service Provider"):

Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. In that post, I talked about NIST's Digital Identity Guidelines which were recently released.

Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts.

More on why later on.

Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2.

Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M.