{"id":11040,"date":"2012-01-10T19:00:09","date_gmt":"2012-01-11T00:00:09","guid":{"rendered":"http:\/\/rbach.net\/blog\/?p=11040"},"modified":"2021-07-03T13:04:16","modified_gmt":"2021-07-03T17:04:16","slug":"are-you-on-the-pwnedlist","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/are-you-on-the-pwnedlist\/","title":{"rendered":"Are You on the Pwnedlist?"},"content":{"rendered":"

\"Are Pwnedlist.com<\/a><\/strong> will tell you if your email has compromised. <\/strong>The site checks emails against a collection of nearly 5 million possibly compromised accounts. Brian Krebs<\/a> at Krebs on Security<\/em><\/a> reports<\/a> that a user can enter a username or email address<\/a><\/strong> into Pwnedlist.com\u2019s search box, and it will check to see if the information was found in any suspicious public data dumps<\/strong>.<\/p>\n

\"Pwnedlist\"<\/a>Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP\/TippingPoint<\/a> created Pwnedlist.com. Mr. Puzic said. \u201c… I could create a site that would help the everyday user find if they were compromised.<\/em>\u201d<\/p>\n

Pwnedlist.com currently allows users to search through nearly five million emails and usernames<\/a> found online at sites like Pastebin<\/a>. The site also often receives large caches of account data that people directly submit to its database. Mr. Puzic told Krebs on Security<\/em> it is growing at a rate of about 40,000 new compromised accounts each week.<\/p>\n

\"Encryption\"<\/a>The researcher said information contained in these data donations often makes it simple to learn which organization lost the information. \u201cUsually, somewhere in the dump files there\u2019s a readme.txt file or there\u2019s some type of header made by a hacker who caused the breach, and there\u2019s an advertisement about who did the hack and which company was compromised,<\/em>\u201d Mr. Puzic in the article. \u201cOther times it\u2019s really obvious because all the emails come from the same domain.<\/em>\u201d<\/p>\n

DVLabs’ Puzic said in the article that Pwnedlist.com doesn\u2019t store the username, email address, and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. According to the blog, a \u201chit\u201d on any searched email or username only produces a binary \u201cyes\u201d or \u201cno\u201d answer about whether any hashes matching that data were found. It won\u2019t return the associated password, nor does it offer any clues about where the data was leaked from.<\/p>\n

Advice from the Pwnedlist developers<\/h3>\n

If Pwnedlist says your email or user ID<\/a> is in their database, they offer the following advice:<\/p>\n

\"Shocked<\/p>\n

    \n
  1. \u201cDon\u2019t panic! Just because your email was found in an account dump does not mean it has been compromised.<\/li>\n
  2. Immediately change any passwords<\/a> that might be associated with listed email accounts.<\/li>\n
  3. Go through all your accounts and create new passwords for each of them, just in case. “Better safe than sorry.\u201d<\/li>\n<\/ol>\n

    The two researchers plan to publish regular updates to their Twitter<\/a> account (@pwnedlist) when new data dumps are discovered. Longer-term, Mr. Puzic told Krebs that he plans a longitudinal study on password security.<\/p>\n

    rb-<\/em><\/strong><\/p>\n

    I have several emails, professional and personal which thankfully Pwnedlist does not have in their databases. Follow password best practices and use an 8 character or longer password with at least one letter, number, and special character. Also, change your passwords regularly.<\/em><\/p>\n

    End-user password best practices:<\/em><\/h3>\n
      \n
    1. Passwords should be something you can remember but difficult for others to guess. That means avoid information anyone can pick up from Facebook<\/a>. <\/em><\/li>\n
    2. Use at least 8 characters. Some authentication systems will ask for more, but 8 well-chosen characters is usually enough.<\/em><\/li>\n
    3. Mix letters, numbers, uppercase, lowercase, and even symbols when possible. 1GrdDC@82 is stronger than letter22<\/em><\/li>\n
    4. Avoid dictionary words. Many brute force attacks<\/a> are designed to guess them. \u201dPassword\u201d is not a good password.<\/em><\/li>\n
    5. Use a unique password for each account. Your password at work should be different from your Facebook password. <\/em><\/li>\n
    6. Do not share your password.<\/em><\/li>\n<\/ol>\n
      Related articles<\/h6>\n