1

I am looking into databases of compromised passwords in order to ensure that passwords on a system I am responsible for are not already compromised.

To have complete peace of mind, I prefer to get access to the data, and check passwords locally, rather than sending hashed passwords to an API.

HaveIBeenPwned is an obvious one that came to mind. However, the main browsers Chrome, Safari and Firefox all automatically check saved passwords against a list of compromised passwords.

Does anyone know if these browsers use a database different from the one HaveIBeenPwned uses?

  • 1
    BTW the HIBP API doesn't take hashed passwords, but hash prefixes, so its use shouldn't reveal your password. See haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange. You can use padding if you're concerned about encrypted traffic analysis, see haveibeenpwned.com/API/v3#PwnedPasswordsPadding. Commented May 17, 2022 at 17:04
  • Questions of the type "where can I find X?" are off-topic in the same way that product recommendations are off-topic.
    – schroeder
    Commented May 17, 2022 at 17:13
  • 1
    @BrunoRohée thanks for highlighting this. I am not sold on search by range/k-anonymity. It still opens users to a little bit of risk. I'll admit it's very small, but the effort to download the full database is not too great either.
    – DevShark
    Commented May 17, 2022 at 17:56
  • Concur. When the entire corpus can be downloaded including frequency data, and with 99.97% of them already cracked and publicly available, and with the K-anonymity at the prefix length used by HIBP ... you can pretty easily narrow down which password is most likely: the one with that prefix, that's also the most common in the HIBP corpus. Testing this for yourself with a given common password - querying the API, then sorting the results by HIBP frequency - is eye-opening. You don't even need the entire corpus - just crack the API results. Commented May 17, 2022 at 18:02
  • The way the password checker integrated in Google Chrome works is, for example, shown here: security.googleblog.com/2019/12/… It uses a technique called "private set intersection with blinding" that allows checking username and password for matches on the server side without being able to reveal the original values.
    – Robert
    Commented May 18, 2022 at 12:34
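To make the two options discussed above concrete (a fully local check against a downloaded `<SHA-1>:<count>` list, and the hash-prefix split that the range API relies on), here is an added Python example. It is not code from the question, the answer, or HIBP; the corpus is constructed in-line from a few well-known weak passwords with made-up counts, and `simulate_range_response` is only a local stand-in for what a range endpoint would return.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the key format of the Pwned Passwords list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus in the "<SHA1>:<count>" line format of the
# downloadable list. Passwords and counts are made up for this example.
SAMPLE_CORPUS_LINES: List[str] = [
    f"{sha1_hex(pw)}:{count}"
    for pw, count in [("password", 3730471), ("123456", 23597311), ("qwerty", 3946737)]
]


def load_corpus(lines: Iterable[str]) -> Dict[str, int]:
    """Parse "<SHA1>:<count>" lines into a dict; blank lines are skipped."""
    corpus: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        corpus[digest.upper()] = int(count)
    return corpus


def check_local(password: str, corpus: Dict[str, int]) -> int:
    """Fully local check: how often the password appears in the corpus, 0 if absent.
    Nothing about the password leaves this process."""
    return corpus.get(sha1_hex(password), 0)


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Split the digest into the 5-hex-char prefix a range query would send
    and the 35-char suffix that stays local and is compared client-side."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def simulate_range_response(prefix: str, corpus: Dict[str, int]) -> List[str]:
    """Local model of a range endpoint: "<suffix>:<count>" for every hash
    sharing the prefix. In a real query only the prefix is transmitted."""
    return [f"{d[5:]}:{c}" for d, c in sorted(corpus.items()) if d.startswith(prefix)]


def check_via_range(password: str, corpus: Dict[str, int]) -> int:
    """Prefix-based check: fetch the bucket for the prefix, match the suffix locally."""
    prefix, suffix = split_for_range_query(password)
    for entry in simulate_range_response(prefix, corpus):
        entry_suffix, _, count = entry.partition(":")
        if entry_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    corpus = load_corpus(SAMPLE_CORPUS_LINES)
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "local:", check_local(candidate, corpus),
              "range:", check_via_range(candidate, corpus))
```

For the real downloaded list, which is far too large for a dict, keep the file sorted by hash and binary-search it (or split it into per-prefix files); `check_local` stays the same apart from the lookup. The `simulate_range_response` bucket makes the k-anonymity trade-off visible: the server sees only the prefix, but it also sees every suffix it returned and their counts, which is the residual risk the comments above discuss.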

1 Answer

1

I don't know for sure, but it seems very likely that large, well-resourced, security-conscious orgs (such as Google) would maintain their own corpus of commonly compromised passwords.

I would also expect that they would keep it privately held.

  • That's a reasonable line of thought. Sometimes though, they do share things for the greater good (or marketing points, if you're more on the cynical side).
    – DevShark
    Commented May 17, 2022 at 18:18
