67

There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services) and thus leaks would not affect you in the first place. By 'changing your password' I refer to creating a randomly generated password string for each service, not the enforced changing of passwords in corporate environments.

So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?

AncientSwordRage
  • 1,925
  • 4
  • 17
  • 19
JonathanReez
  • 1,046
  • 1
  • 7
  • 16
  • 28
    It's not "either-or". haveibeenpwned is an information service. You still need to follow security best practises. – MrWhite Jan 21 '19 at 10:06

10 Answers10

141

Your question contains several false assumption:

  • If you're a security conscious user, you'd change your passwords regularly on any website that matters

According to my password manager I have more than hundreds of accounts and most of them would do harm to me if compromised. Changing all of them regularly (like every 90 days) is a huge amount of work. So I use strong passwords generated by the password manager instead. But some services still save passwords in clear text.

  • and thus leaks would not affect you in the first place.

Let's say I would change every password every 90 days. There is still the possibility that there are 89 days where my account is compromised and the attacker has time to do anything including changing my password. When you know your account is in the list, you can act instantly.

  • Why not follow the right security practices regardless of any leaks?

See previous point.

  • So why are people so interested in using haveibeenpwned?

To know which accounts are affected and to figure out which service got hacked/where the accounts came from.

With this knowledge:

  • I can change the password instantly.
  • I know which service is less trustworthy for sensitive data, money, ... and I might close my activity at this service.
  • If this service has a messaging system I know to be more alert of messages from "friends" because the account might be stolen.
  • I know which of my data might be compromised (data at the hacked service).
Benoit Esnard
  • 13,979
  • 7
  • 65
  • 65
H. Idden
  • 2,998
  • 1
  • 11
  • 19
  • 35
    "*To know which accounts are affected and to figure out which service got hacked/where the accounts came from.*" just to further this - you can have accounts you forgot you made. Like an account you made to post on some forum 15 years ago and never used since. Alternatively, you could have accounts *you never knew about*. It could happen if an old service you used changes hands and is rebranded, for example, or merged with another one. I've certainly started receiving newsletters from services I never knew existed because some other account I had was subsumed there. Knowing is half the battle. – VLAZ Jan 21 '19 at 11:11
  • 12
    The most important points here are the parts not related to passwords. Changing your password regularly lets you be pretty confident that your accounts are not compromised... but it gives you no information. When a service is compromised, changing your password might not be the only action you need to take. You might want to cancel bank cards, check your account's recent activity for things you don't remember doing, alert your friends to not trust messages from you, check your cloud backups for attempts to add malicious files, or many other things that can be vitally important. – anaximander Jan 21 '19 at 16:06
  • @vlaz this is an excellent point - and in fact, one of my e-mail addresses showed up as having been compromised on a site that I don't recall ever giving my e-mail address to (although I could have easily used a one-off). In which case, I'm not really sure what action I could take *anyway*. – Michael Jan 21 '19 at 23:30
  • @vlaz From experience I can definitely say that this is rampant on online job agency/advertisement websites and services, and when you consider the amount of personal info people submit to these things (on CVs, template cover letters etc.) this is really something to be concerned about. –  Jan 22 '19 at 15:23
  • @vlaz if you created an account on some obscure forum 10 years, do you really care if it gets stolen? – JonathanReez Jan 22 '19 at 18:58
  • 3
    @JonathanReez it's possible that in the past 10 years people began using unique passwords. For example, when I was a teenager I didn't. There have been accounts I'd forgotten existed that had "my password" that were leaked. Now I do use unique passwords, but it's still good to know about those ancient accounts being compromised and "my password" being known. – Captain Man Jan 22 '19 at 19:40
  • @JonathanReez maybe? It depends on what the account has. An old password is an obvious one but, really, the problem here is you're focusing on the literal example rather than what it is about. It could have been *any* account with *any* information that you've used for *anything*. It might have stuff like personal data that you filled in because you were prompted. Perhaps you made a one-off purchase which has payment details. To flip your (initial) question on you - if you're a security-conscious user, why *wouldn't* you be interested in mitigating any potential information leak? – VLAZ Jan 23 '19 at 06:23
  • @vlaz personally I use fake personal details on any online or offline form that doesn't absolutely have to know them to mitigate that risk. But I see your point. – JonathanReez Jan 23 '19 at 06:43
  • We're all forgetting something - A lot of sites now use a separate table for passwords. If they've got the user table they've got the password table. Change it as many times as you want, all you're doing is giving them more passwords. – XLR Jan 23 '19 at 23:44
68

Changing passwords often is not considered a best practice anymore.

People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.

they
  • 923
  • 1
  • 5
  • 7
  • 26
    *Forcing* people to change their passwords is not best practice anymore. Doing it by yourself is always good practice. – JonathanReez Jan 19 '19 at 20:34
  • 36
    This has been discussed before: https://security.stackexchange.com/questions/186780/how-often-should-i-change-my-passwords Since it is stated well _"The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: **8.2.4 Change user passwords/passphrases at least once every 90 days.** This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."_ – they Jan 19 '19 at 20:39
  • 4
    The main reason that changing passwords is not advised is because it imposes extra work on the user, and it was noted than in practice, this simply encourages most users to reduce that workload by making it easy to do, which they usually achieve by using patterns (*password1*, *password2*, *password3* etc) and choosing shorter, easier-to-remember passwords, both of which make the password weaker. If you're a security conscious user who always uses a password manager to generate sufficiently secure passwords, then frequently changing your passwords **will** make your accounts more secure. – anaximander Jan 21 '19 at 16:10
  • 8
    @anaximander I disagree. Frequently changing passwords when you are choosing strong passwords is mainly security theater and unnecessary work. If you use strong and unique passwords then the only thing that changing your password protects you from is your password getting leaked by that one third party service. However, the longer time frame of password changes (90 days) still leaves plenty of time for damage to be done, and if it is caused by weaknesses in the third party platform, then changing your password might not help anyway. – Conor Mancone Jan 21 '19 at 16:22
  • 3
    @ConorMancone Frequent password changes reduce the window of time for which a compromised password is useful to an attacker. There is usually a delay between a breach and the point where you find out about a breach. In some cases, breaches didn't come to light for *years*. If you change passwords frequently, then regardless of how long this delay is, your password was only useful to the attacker for at most a few moments less than whatever your "expiry" duration is. – anaximander Jan 21 '19 at 17:07
  • @ConorMancone Of course, if your password is strong and thus takes a while to crack (assuming proper hashing etc) then your "expiry" duration doesn't need to be too much less than the rough time it'll take to crack. For example, if you can be confident that it'll take at least 90 days for a representative malicious actor to crack your password and thus be able to use it, then you really only need to reset your password every 80-something days to be sure that even if a breach happens and you don't know about it, they never get to use your password. Resetting more often than that adds nothing. – anaximander Jan 21 '19 at 17:10
  • 6
    @anaximander I think it is much more valuable to look at this from a "threat model" standpoint than make blanket statements (i.e. change your passwords every 90 days). As a for instance, I can guarantee you that no one is going to spend 90 days trying to brute force your password, unless that password is the only thing standing between them and tens of thousands of dollars of crypto currency. So sure, if you have a million dollar online cryptocurrency trading account, feel free to change your password every 90 days. But for 95% of your online accounts, its just a waste of time. – Conor Mancone Jan 21 '19 at 17:50
  • 1
    @ConorMancone Of course, every security action should be assessed in the context of your threat model to determine if the effort is worth the payoff. That said, in the absence of any threat model, this question simply asked if there *is* any payoff to frequent password changes, and the answer to that is yes, there is: it makes compromised data containing your password hash useless to anyone who can't crack it fast enough, and limits your exposure to breaches that you don't know about yet. It's up to you whether you feel this is enough to justify the extra work. – anaximander Jan 22 '19 at 09:44
  • @JonathanReez How so? What difference is there between making a user change their password and the user regularly changing their password? Is the former somehow compromising even though the exact same behavior in the latter is not? – user64742 Jan 24 '19 at 06:03
  • @TheGreatDuck one leads to passwords like "Password!123" that are posted as a sticky note on your monitor. The other leads to proper randomized passwords that are kept safe. – JonathanReez Jan 24 '19 at 07:06
  • @JonathanReez How so? Why would a user use a less secure just because they were told to change the password rather than them voluntarily doing so? The user can still use a random password in both situations. Writing passwords on a sticky note seems like a completely separate issue and would occur even with a user choosing to change the password. Especially with a randomized password they might be likely to forget. – user64742 Jan 24 '19 at 07:16
  • 1
    @TheGreatDuck While this can apply to both situations, as someone can voluntarily change a password _and_ use a simple sequence, people tend to either use a simple sequence or write password down. https://ldapwiki.com/wiki/Password%20Statistics My opinion thus far without looking too far into it is that the type of user who voluntarily changes passwords often is probably more security conscious and more likely to not use a simple sequence or write their password down, and possibly use a password manager... Or, they are just avoiding confrontation and still using crummy passwords... – they Jan 24 '19 at 15:45
  • 1
    @TheGreatDuck A user *forced* to change their password likely didn't want to, so they'll try to make the task as quick and easy as possible by choosing an easy password, incrementing a number (*password1*, *password2*, *password3* etc) or some other trick - and most of these tricks lead to bad passwords. A user *choosing* to update their password is less likely to resent the time and effort, because they chose to do so, and will therefore likely put more effort into choosing a good one. They're also more likely to be a security-conscious user, and thus more likely to use a password manager. – anaximander Jan 25 '19 at 10:49
  • If you're using 40 letters random passwords, like you should if you're a security conscious users and are using password managers, there's no way you are getting brute forced. Either your password will be cracked almost immediately because there's no hashing involved (or they use home grown crypto that are easily reversible through basic cryptanalysis), or they use at least one round of unsalted, but strong cryptographic hash, which would be sufficient for protecting a 256-bit password (salting and key stretching is really only needed to reinforce weak passwords). – Lie Ryan Feb 03 '19 at 22:22
  • 2
    Password changes, even voluntarily, brings only marginal benefits for a nearly nonexistent scenario. Yes, it's theoretically more secure, but it's unlikely to be worthwhile for the amount of efforts needed to implement them. Case in point, there's no known password breaches where regular password changes would've prevented damage. 90 days is forever, and anything less than that is impractical. – Lie Ryan Feb 03 '19 at 22:24
30

Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.

The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.

HIBP gives that notification of compromise.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • To expand on this: For HIBP to identify which password or which service is compromised I believe you have to use a different userID on each service. It isn't enough to have the same UserID but different passwords on each service. For example the Onliner Spambot 711 million address breach data, you cannot find the service or password for a pwnd email-address used as a login ID on multiple sites (with differing pws for each). HIBP by policy do not disclose PWs and do not even provide a hash that you could check. – RedGrittyBrick Jan 20 '19 at 11:05
  • 4
    It's not just repeated pattern. If I switch from "supersecurepassword" to "supersecurepassword1", ...2, ...3 that's pointless but not worse than not changing. The problem is that people change from "supersecurepassword" to "supersecure1" and 24 months later to "super24" because they just can't be bothered, so secure passwords are replaced with less secure ones. – gnasher729 Jan 20 '19 at 14:05
  • 3
    In running password audits over a few years with a few thousand employees at various organisations, I can tell you the repeated patterns are incredibly common. Most are incrementing final digit. Some are change month or season name. – Rory Alsop Jan 20 '19 at 17:47
  • @RoryAlsop How do you know what passwords "a few thousand employees at various organisations" are using? Nobody, and I mean nobody, should have access to, or be able to have access to, this information. What am I missing? – Lightness Races in Orbit Jan 20 '19 at 17:53
  • @LightnessRacesinOrbit: An automated password strength test might report statistics on which particular rules are being violated, without disclosing passwords, or even which accounts were involved. – Ben Voigt Jan 20 '19 at 19:33
  • @BenVoigt How could such a tool know about things like "incrementing final digit" or "change month or season name" unless passwords are stored in the clear? – Lightness Races in Orbit Jan 20 '19 at 20:14
  • 2
    @LightnessRacesinOrbit: That was my first reaction to the idea. But several years ago it was pointed out to me that these tests are done during the password change process -- the new password needs to be in the clear during that process, but it never needs to be stored that way. – Ben Voigt Jan 20 '19 at 20:18
  • 4
    @lightness - password strength audits. Not what Ben suggested. Simply put, brute force of SAM file, then reporting on how many were a dictionary word, or "password" or football teams or holiday destinations etc. Not associated with user accounts, despite some organisations asking us for them - just a very useful way to give statistics – Rory Alsop Jan 20 '19 at 20:31
  • 1
    @RedGrittyBrick HIBP do now offer a service to check if passwords have been pwned, by hash. This is their new pwnedpasswords service. – James_pic Jan 21 '19 at 12:12
  • 1
    @LightnessRacesinOrbit When you switch jobs or work as a contractor you also tend to encounter big international corporations that have password policies so ridiculously strict that you learn the patterns that will guarantee acceptance by the system from colleagues / other contractors working longer with that big corp. Suffice to say that those patterns are easy to remember and shared not only by contractors but internal workers as well and so prevalent I'd say 50% of the company using them is a low estimate. – Frank Hopkins Jan 21 '19 at 13:02
  • @RedGrittyBrick While you're correct that HIBP can't necessarily tell you what was breached; it depends on the nature of the breach. If a file surfaces containing a great many email/password combinations with no contextual info, like the Collection #1 or AntiPublic lists, then sure, there's no real way to know where that came from. However, if it's a disclosed breach, or the data is recovered with sufficient context, then that's a different story. For example, HIBP can tell you if you were in the LinkedIn breach, or the Dropbox breach, because of how those ones came to light. – anaximander Jan 21 '19 at 16:17
  • @Darkwing it shouldn't be a secret what pattern of password works if you're an employee. You should know exactly what kinds of requirements are in place so you don't try to enter an unacceptable password choice 10 times before finally landing on one that works. – TylerH Jan 22 '19 at 14:59
  • @TylerH You don't need to tell me that^^ I'd have loved a clear UI with reasonable restrictions and no or a reasonable password change policy, the reality I've seen is different. – Frank Hopkins Jan 22 '19 at 15:02
  • @Darkwing I think MS is quite guilty of this -- there's no way to display password complexity requirements AFAIK in Windows when changing your AD/local password. – TylerH Jan 22 '19 at 15:12
  • 1
    @TylerH That might be, but I never stumbled over it. Compared to what I've seen, MS is the gold standard of usable. – Frank Hopkins Jan 22 '19 at 15:13
7

It comes in handy when your email address has been exposed but not as part of a credentials set. As an example, I had an email address included in a breach but I didn't have an account with that service/product, the breach was actually on a marketing tool used by a service/product that I was using and my email address had been added to the tool for marketing purposes.

Knowing my email address had been exposed in that way, I knew to keep an eye out for increased spam and phishing attempts.

Aaron
  • 559
  • 3
  • 4
4

There's an option to monitor entire domains. This is very useful as not everyone in the company are equally aware nor cares as much. With such notification, as an administrator, you can e.g. force additional password changes for users with new leaked passwords.

Also, increasing awareness is important in itself.

Esa Jokinen
  • 16,725
  • 5
  • 51
  • 56
  • 1
    +1 for the "increasing awareness" use of HIBP. I often suggest people look themselves up. It opens their eyes. – O. Jones Jan 25 '19 at 11:40
3

All the other answers talk about what best practises are. But let's take the question at facevalue: "Why do people not use best practises (whatever they may be), and instead use this website".

The biggest problem in security is the human element. It's human nature. To improve security you have to take it into account.

You write in the question: "A security concious user would", but then you ask "why are people so interested in using haveibeenpwned?". Well, thats because a lot of people who are interested in the service are NOT security concious. Maybe they are somewhat concious, maybe they have just heard on facebook about this neet website.

If I tell my mom to "follow the right security practices" (and explained them) she would do nothing.
If I tell my mom to check that website for the one password/email she uses everywhere, and it shows her that it's compromised, she will probably atleast change it once on important websites.

In the end it's a tradeoff for the user.
If he never had an account hacked and felt the impact he will see the risk as very low, and the cost to follow best practises as very high.
Checking haveibeenpwned on the other hand is very low cost. And checking it in and of itself gives you a better risk assesment. If you are compromised you now know that the risk to you is high, so it's more likely that they will follow better practises after visiting the website.

So, it's easier and more convienient, and therefore more likely to go viral. This is something I can share, and security illiterate people can use and feel good about and share too. It's also a gateway to good security practises.

Lichtbringer
  • 569
  • 1
  • 4
  • 7
2

Why not follow the right security practices regardless of any leaks?

Because regularily changing your passwords is not a right security practice. It is a hack and work-around.

The proper security practice would be to change your password whenever you have reasons to believe that it has been compromised. I've had root passwords unchanged for a decade because there was never ever any reason to suspect a compromise has occurred, so it would have been a nonsense to create the cost of a password change (however small) for no reason.

The advise to regularily change passwords is what we use when tracking possibility of compromise becomes difficult or expensive, and regular changing is simpler and cheaper than that. Basically, the reasoning is: "If I don't have a clue about the probability of my password being compromised, I'll just take a statistical average and err on the side of caution".

So when actual evidence - such as havibeenpwned - appears, it is always preferable to use the actual data over any guesstimated heuristics.


addendum:

If you search a little, you can find plenty of publications advocating against regular password changes for no good reason. Disclaimer: Some of them are mine. This nonsense might be a common practice, but that a) doesn't make it a good practice and b) still doesn't mean it can hold a candle to actual data.

Tom
  • 10,201
  • 19
  • 51
  • 1
    Isn't the the point though, that neither you nor Troy Hunt does know about **all** security breaches? You speak about "actual evidence" but Hunt himself quotes the famous "Absence of evidence is not evidence of absence" in his [FAQ](https://haveibeenpwned.com/FAQs) and goes on with "just because your email address wasn't found here doesn't mean that is hasn't been compromised in another breach." – Tom K. Jan 22 '19 at 10:21
  • Absolutely. You can get **positive** evidence from it, but not negative. The whole problem is that 3rd party websites can be compromised and you'll never know because they hush it up. That is why I have different password policies for my own sites and 3rd party sites. – Tom Jan 22 '19 at 18:50
  • 1
    @Tom his point is likely, that you can never be totally sure your machine/password has not been hacked. Your password might become compromised any minute. So the security cost of not changing your password is never 0. Not changing a password (or rarely) may still be a valid strategy, but the cost is still unknown even if it is your own machine. There is only "factual data" that indicates "you need to change your password now", but none that clearly indicates "you dond't need to change your password". – Frank Hopkins Feb 04 '19 at 15:57
  • Yes, but it borders on paranoia to state that your password might be compromised right now... no, now... maybe now? how about right now? That's not a proper approach to assess the risk. – Tom Feb 04 '19 at 16:33
1

Changing passwords often can be good practice if you use a password manager. If not, it's a bad idea because you can not remember good passwords that easily.

A minority of people use a password manager. And even if you do use one, I suspect you don't change all your passwords that often. There are services I use once every two or three years. Or that I created an account for but might never use again. Would I go back there and change my password every month?

I have 50+ sites listed in my password manager. Changing all those passwords every month or so would just be to much work.

Anders
  • 65,052
  • 24
  • 180
  • 218
  • "*And even if you do use one, I suspect you don't change all your passwords that often.*" indeed - OP only mentions "passwords that matter". The problem that immediately arises is *which* accounts matter? Assuming unique passwords everywhere, you are safe from credential reuse but not from the information that can be leaked from other services. And any information leaked can be potentially useful. So, you have to change all passwords. But it's too much work, perhaps only the REALLY, really important ones need changing...so following this, you go into a spiral shaped rabbit hole. – VLAZ Jan 21 '19 at 11:16
1

To protect yourself against fraud

There's an alternative consideration I notice people haven't covered, one of which is identity fraud and impersonation of the compromised company, something of which changing a password will not protect you from.

For example, it's common for scammers to harvest leaked information and then pretend to be the company whose information was leaked by using the information they've obtained to convince you they 'legitimately' have access to your information. The ISP TalkTalk often sees scammers phoning up, pretending to be TalkTalk service engineers, regurgitating the stolen information as 'proof' they're authentic.

Likewise, being aware of which companies have had their details stolen allows you to be aware of which vectors scammers will try to use against you. For example, details for Adobe have been stolen, and it's quite possible a scammer could mail people whose accounts were on Adobe, a supposedly 'urgent update' to their Adobe software, that actually maliciously downloads and installs malware. Being aware that information has leaked from Adobe allows you to take additional precautions against that.

An alternative is if leaked information is about an activity you'd rather not have made public; you can then take reasonable steps to have that information scrubbed (such as deleting the account or changing email addresses).

So in summary; you would regularly check to make sure you know what other people (EG scammers, identity fraudsters, blackmailers etc) know about you.

  • I largely disagree with this assertion. If you want to protect against identity fraud, there are more comprehensive services and packages you can buy from financial institutions to safeguard things like your credit and bank accounts. – Makoto Jan 24 '19 at 18:33
  • The example I gave was an ISP impersonation, which has nothing to do with financial fraud. – SE Does Not Like Dissent Jan 27 '19 at 12:20
0

I will go against the trend here and disagree with the other answers:
You should regularly change your passwords on a service that you do not trust to handle your data securely.
You can also regularly check your password manager for such sites and decide if you really need every one of them. If not: send an email to the service provider and ask for deletion of your account and all affiliated data.

The NIST guidelines that handles password states:

Verifiers SHOULD NOT require memorized secretsread: passwords to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Collection #1 - which is the reason for the recent buzz around haveibeenpwned.com and Troy Hunt - is an excellent example for the publication of evidence of compromise.

Why? Because it is not a new breach.
Brian Krebs, renowned security expert published a report, that claims, that all the data in there is at least two to three years old. His report furthermore contains this picture from a credible chat with a seller. A screenshot of all the other "Collections" (one through five) and two other huge databases that are sold with the claim, that they are full of working login credentials. All in all a terrabyte of raw data from one seller.

So what does "non-public publication"-age mean in this context? If you have a strong password and it is properly hashed, then no attacker will be able to crack it, no matter how long the password dump has been around. The problem is, a lot of sites do not properly hash your password. And here is where the NIST comes in again. They adapted their guidelines towards changing passwords, because it made no sense in respect to the part of the guideline that handled hashing passwords and storing hashes.

Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.

So what does it all mean?
Conclusion:

  1. Premise 1: If a service is storing my password hash securely, arbitrary expiration dates of a password do not make much sense.
  2. Premise 2: Hacks happen all the time, only a fraction get noticed and/or publicly disclosed.
  3. But if a service does not hash your password properly - and a LOT of services do not do that - expiration dates of passwords do make sense.
  4. How do I know which service stores my credentials securely? Some certificates give you some information about it. But even companies that seem very professional from the outside fail hard. Small companies perform very nicely sometimes. It's very hard to tell.
  5. If hacks happen all the time, password breaches happen very often as well. As we have seen only a portion of the hacked password databases are searchable on haveibeenpwned.
  6. So change your password regularly on sites you do not trust. Again with the caveat that you should use a password manager to avoid password reuse and if possible 2-factor authentification or multi factor authentication.
Tom K.
  • 7,965
  • 3
  • 30
  • 53
  • Expiration dates for poorly secured credentials only make sense for the purposes of protecting your other accounts against credential stuffing. And if you use unique and complex passwords in combination with a password vault, credential stuffing is much less likely to affect you. – Nzall Jan 22 '19 at 13:45
  • 1
    Credential stuffing is not the risk here. It is a) the leakage of data from an affected account and b) the possibility for an attacker to pivot from one account to another through social engineering. – Tom K. Jan 22 '19 at 14:34