Securing User Passwords with "Have I Been Pwned"

Most developers are familiar with the website “Have I Been Pwned?“. Most non-developer and non-techie people have probably never heard of it. That’s ok, that’s what this blog post is for – to not only tell you about it, but to show you how to use it to keep your WordPress site safer.

First, the term “Pwned” originated in a game. It was a typo because the letters “P” and “O” are so close to the keyboard. Like many good mistakes in gaming, it was appropriated and now is common slang in technical and gaming circles for “Owned.” Depending on the context, it can mean that someone really beat you bad in a game, or that someone has compromised your server and now has access to it. Either way, you’ve been pwned. Pwned is never a good thing. 🙂

What’s “Have I Been Pwned?”

The website “Have I Been Pwned?” is more tech than a game. It was set up by Troy Hunt because, after every major data breach, he would do a post breech analysis of the data released over and over again, and see the same credentials and passwords being used. When a data breach occurs, the attackers will sell or release any user credentials they obtain.

Most users have the bad habit of reusing logins and passwords, so the credentials that work on one site may also work on another site. Thus if a user’s data is released from one site, it can be potentially disastrous for a user because the attackers can try their login and password on a multitude of other sites and gain access to more and more sites and data.

How to Use It?

So Troy gathered any data he could get from a data breach and put it all in one big database. Then he built a website where you can enter your email address and see if it was included in any of the breeches he has access to. Just for fun, go ahead, click the link and check your email address. You’ll probably be surprised, and not in a good way, pwned is never a good thing. 

These days the website also provides an API that other websites can use. The main function of this website is to prevent a user from reusing a password that has already been compromised. WordPress has several plugins that hook into the registration process and check the password a user is trying to use against haveibeenpwned.com’s API. The API takes a prefix of a “hash” of the password. The password itself is never sent across the wire. It returns all the hashes that start with that prefix.

The plugin then looks for its exact hash. If it finds it, it will give the number of times that password has been released, regardless of the site that was breached or the user name. The plugin then makes a decision on whether or not to let the user use that password.

This, by itself, will not make your site safe. As I discuss in “Is My Website Safe”, there is only one way to secure a computer from the Internet – turn it off. However, adding this layer to your security stack is one more way to make it more secure. Add enough layers of security, and your site is not an easy target, so attackers move on to another one.