US security researchers have followed Australia's lead on setting up a password-checking service to determine whether usernames or email addresses have been compromised.
(Screenshot by Michael Lee/ZDNet Australia)
The PwnedList allows users to enter their username or email address and search a large database of known compromised accounts to see whether they are on it.
It works in a similar way to the Australian-made Should I Change My Password site, by only storing one-way hashes of compromised usernames and email addresses.
Should I Change My Password began shortly after LulzSec started to publish large amounts of user data, which malicious hackers then tried on popular sites in the hope that users had reused the same email address and password combination across multiple sites. Both password-checking sites claim never to store passwords in their databases. The PwnedList also allows users to submit their own hashed data if they are concerned that the site is mining the usernames or email addresses they look up.
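As an added illustration of the hash-only design described above (this is example code, not code from either site), the following Python sketch keeps only SHA-256 digests of leaked identifiers and answers lookups either from a plaintext query hashed server-side or from a digest the user computed locally. The hash algorithm and the normalisation step are assumptions; the article does not say which either site uses.

```python
import hashlib


def normalize(identifier: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.COM ' matches 'alice@example.com'.
    (Assumed step; the sites' actual normalisation is not described.)"""
    return identifier.strip().lower()


def hash_identifier(identifier: str) -> str:
    """One-way SHA-256 digest of a username or email address (assumed algorithm)."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


class CompromisedIndex:
    """Index of leaked usernames/emails that stores digests only, never plaintext.
    Caveat: an unsalted digest of an email address can still be matched by guessing
    candidate addresses and hashing them, so this limits casual exposure; it is not
    encryption."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def ingest_dump(self, leaked_identifiers) -> None:
        """Hash each identifier from a breach dump; the plaintext list is not kept."""
        for ident in leaked_identifiers:
            self._hashes.add(hash_identifier(ident))

    def ingest_hashed(self, hex_digest: str) -> None:
        """Accept a digest submitted by a user who does not want to share plaintext."""
        self._hashes.add(hex_digest.lower())

    def is_compromised_plain(self, identifier: str) -> bool:
        """Server-side lookup: hash the query, then check the set."""
        return hash_identifier(identifier) in self._hashes

    def is_compromised_hashed(self, hex_digest: str) -> bool:
        """Client-side lookup: the user hashes locally and sends only the digest."""
        return hex_digest.lower() in self._hashes


# Constructed sample breach dump (not real data).
SAMPLE_DUMP = ["alice@example.com", "Bob.Smith@Example.org", "carol_77"]


def demo() -> dict:
    idx = CompromisedIndex()
    idx.ingest_dump(SAMPLE_DUMP)
    return {
        "alice_plain": idx.is_compromised_plain(" Alice@Example.COM "),
        "bob_hashed": idx.is_compromised_hashed(hash_identifier("bob.smith@example.org")),
        "dave_absent": idx.is_compromised_plain("dave@example.com"),
    }
```

A negative result (`dave_absent` above) only means the identifier is not in this index, not that it was never leaked.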
However, if neither site lists a user's details as compromised, that does not mean they aren't. While both sites have large databases, many compromised usernames and email addresses are never publicised or have not yet been added. In addition, the databases are maintained on a voluntary basis and, in some cases, can only be updated manually by researching new security breaches and collecting the data dumps that result from them.
The PwnedList claims that it can automatically harvest data from various sources 40 per cent of the time, and it also allows users (or hackers) to submit information anonymously.
TippingPoint Security researchers Alen Puzic and Jasiel Spelman set up and maintain the PwnedList in their spare time, while former Stratsec consultant Daniel Grzelak manages Should I Change My Password in his free time.