
If I administer a webpage that allows users to create accounts, and assuming I don't keep or even ever have access to plaintext passwords, is it possible for me to detect that one of my users is using a known bad password?

I am guessing that if I salt my password hashes, which I do, this means there is no way of detecting any compromised passwords from among the ones already in use by my users. Sure, I could use the have I been pwned lists to check passwords before hashing and salting when a user creates a password, but I can't think of a way of checking salted hashes.

Am I missing something? Is there some way to go through a properly stored DB of salted hashes to check for known compromised passwords?

1 Answer


But you know the salts. You could simply run a process over your hashes to compare to a password list in an offline brute-force approach.

Trying to crack your own users' passwords is a problem, though. You end up knowing the users' passwords, which creates a problem for you. That's why a check on the user-side and when the user is still in control is better. It puts the responsibility on them and not you. Once you know the user's password, you need to somehow explain why you know the password, which would be an uncomfortable conversation if I were one of your users.

  • Is there a list of published open passwords? I usually saw that they are hashed for testing so that you test with the hash of your password.
    – kelalaka
    Commented Oct 10, 2023 at 20:20
  • Lists of commonly used passwords? Password list leaks? Yes, quite a few ... Rockyou being the big one. Live databases of recently compromised passwords a la HIBP? Not from reputable sources.
    – schroeder
    Commented Oct 10, 2023 at 21:02
  • Well, my university, one of the top in my country, had printed the passwords and showed them to us when we forgot them, yes, years ago; however, it still amazes me when considering the date of the article Password Security: A Case History by Morris and Thompson.
    – kelalaka
    Commented Oct 10, 2023 at 22:23
  • Hmm, why would I end up knowing the passwords? Do you mean I would know the compromised ones only? If so, I can see why that would be bad, but if I were to do this, it would be to immediately reset the passwords anyway (we have a system that asks the user to set a new one), so the breach would be minimal, as I would only be aware of a password that is i) already known to be compromised and ii) will immediately be reset on my system. True, that would mean that if I were malicious I could go and try to gain access to other systems using the same name/password... Is that the problem you mean?
    – terdon
    Commented Oct 11, 2023 at 10:30
  • Yes, you would know what someone used as their password. And since people reuse passwords, especially weak ones, then you would have this knowledge. Even if you did this just to reset the password, it means that you "cracked their password", which is a real problem. You shouldn't do that. It is not your responsibility to ensure that all users use strong passwords once they are set. You are overreaching your mandate. I would have serious problems if you cracked my password in your system.
    – schroeder
    Commented Oct 11, 2023 at 17:22
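Both paths the answer contrasts, as an added example that is not part of the original answer or of any real site's code: the cheap check at password-set time, and the offline audit over stored salted hashes that is only possible because the salt is stored next to each hash. The PBKDF2 storage format, the iteration count, the sample breach list and the usernames are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breach list such as rockyou (assumption, not real data).
KNOWN_BAD = {"password", "123456", "qwerty", "letmein"}

ITERATIONS = 10_000  # kept low for the demo; real deployments use far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; assumed to be the site's stored format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str, store: dict) -> bool:
    """Set-time path: refuse a known-bad password before it is ever hashed.
    The plaintext is only seen here, while the user is still in control."""
    if password in KNOWN_BAD:
        return False
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))
    return True


def seed_legacy(username: str, password: str, store: dict) -> None:
    """Simulates an account created before the set-time check existed."""
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))


def audit_store(store: dict, bad_passwords: set[str]) -> list[str]:
    """Offline audit over existing records: rehash every known-bad candidate
    with each user's stored salt and compare. Cost is len(store) * len(bad)
    KDF calls, which is why the set-time check is preferable. Returns only
    usernames to force-reset, never which password matched."""
    flagged = []
    for username, (salt, stored) in store.items():
        for candidate in bad_passwords:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                flagged.append(username)
                break
    return flagged
```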
