US follows Oz lead on checking passwords

US security researchers have followed Australia's lead on setting up a password-checking service to determine whether usernames or email addresses have been compromised.

(Screenshot by Michael Lee/ZDNet Australia)

The PwnedList allows users to enter their username or email address, and search from a large database of known compromised accounts to see if they are on it.

It works in a similar way to the Australian-made Should I Change My Password site, by only storing one-way hashes of compromised usernames and email addresses.

Should I Change My Password began shortly after Lulzsec started to publish large amounts of user data, which malicious hackers then used on popular sites in the hope that users had maintained the same email address and password combination across multiple sites. Both password-checking sites claim to never store passwords in their databases. The PwnedList allows users to submit their own hashed data if they are concerned that the site is mining their usernames or email addresses.

However, if neither site lists a user's details as compromised, it doesn't mean that they haven't been. While both sites have large databases, there are many compromised usernames and email addresses that haven't been publicised or haven't yet been added to their databases. In addition, the databases are maintained on a voluntary basis, and, in some cases, can only be updated manually by researching new security breaches and collecting any data dumps that may result.
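The hash-only lookup described above, sketched as an added example that is not code from either site. It assumes SHA-512 over a trimmed, lower-cased identifier (the article does not name the hash function), and the dump lines and function names are constructed for illustration.

```python
import hashlib
import unicodedata

# Assumption: SHA-512 over the normalised identifier; the article does not
# say which hash function either site uses.
def normalise(identifier: str) -> str:
    """Canonical form hashed on both sides; any mismatch causes a silent miss."""
    return unicodedata.normalize("NFKC", identifier).strip().lower()

def hash_identifier(identifier: str) -> str:
    """Client side: hash locally so only the digest is submitted."""
    return hashlib.sha512(normalise(identifier).encode("utf-8")).hexdigest()

def build_index(dump_lines):
    """Service side: keep only hashes of the identifiers found in a dump."""
    index = set()
    for line in dump_lines:
        # Constructed dump format "identifier:password"; the password field
        # is discarded and never stored.
        identifier, _, _ = line.partition(":")
        if identifier.strip():
            index.add(hash_identifier(identifier))
    return index

def lookup(index, submitted_hash: str) -> str:
    """Service side: accepts a digest only, so a plain identifier is rejected."""
    digest = submitted_hash.strip().lower()
    if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a hex SHA-512 digest")
    # "not listed" means absent from this index, not proof of safety.
    return "listed" if digest in index else "not listed"

# Constructed sample dump, including messy casing, padding and an empty identifier.
SAMPLE_DUMP = [
    "Alice@Example.com:hunter2",
    "  bob_1987 :letmein",
    ":orphaned-password",
]
INDEX = build_index(SAMPLE_DUMP)

if __name__ == "__main__":
    for who in ("alice@example.com ", "BOB_1987", "carol@example.org"):
        print(who.strip(), "->", lookup(INDEX, hash_identifier(who)))
```

Normalising before hashing matters because a one-way hash of `Alice@Example.com` and of `alice@example.com` share nothing, so a service and a client that disagree on the canonical form will report "not listed" for an address that is in the dump.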

The PwnedList claims that it can automatically harvest data from various sources 40 per cent of the time, and it also allows users (or hackers) to submit information anonymously.

TippingPoint Security researchers Alen Puzic and Jasiel Spelman set up and maintain the PwnedList in their spare time, while former Stratsec consultant Daniel Grzelak manages Should I Change My Password in his free time.

Topics: Collaboration, Security

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
