HaveIBeenPwned Password Cracker

Hello, I use GitHub only occasionally to write issues and the like. I have just heard about the partnership between GitHub and HaveIBeenPwned. HaveIBeenPwned has been known to me for a long time, and not positively.

What is GitHub doing with HaveIBeenPwned? GitHub promises that it can only see the passwords of the users hashed. With HaveIBeenPwned, GitHub cracks the passwords of the users. OK, not all, but all that exist in any of the lists provided by HaveIBeenPwned. 517 million records.

The problem: GitHub does not crack the passwords of users in connection with the email addresses, as they are in the lists of HaveIBeenPwned. GitHub cracks the passwords of the users independently of the email addresses.

How does it work? The hashed passwords in the HaveIBeenPwned lists are hashed using the same hash method that GitHub uses. Then the hashed passwords are compared, and if there is a hit, the unhashed password is assigned to the GitHub account, independent of the email address and possibly a new email address. HaveIBeenPwned thus extends its offer.

HaveIBeenPwned made the breakthrough. With HaveIBeenPwned, however, quite different things are possible / on the run.

I trust HaveIBeenPwned ZERO! (my experience and reasonable sense). And so should any reasonable internet user.

As stated in our recent blog post, HaveIBeenPwned.com has made a list of passwords that have been compromised in various data breaches available for download. These are passwords that people attacking accounts will be more likely to use than passwords generated by random brute-force methods, because most people use the same password or some small set of passwords for all their accounts. Because of this, it is advisable that people should not use these compromised passwords if they want their accounts to be, and remain, secure.

In order to help people keep their GitHub accounts secure, we now check the password you provide to us against the list of compromised passwords and let you know if the password you provide is present in that list. We do not store the password you provide to us anywhere, only the bcrypt hash of the password.

GitHub does not “crack” your password. HaveIBeenPwned does not “crack” your password. Nothing is sent from GitHub to HaveIBeenPwned because GitHub uses a local copy of the password list that HaveIBeenPwned provides for download.

I hope that clarifies things.

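To make the mechanism described in the reply above concrete, here is an added example (not GitHub's code, and not part of the original thread) of how a service can check a candidate password against a locally stored copy of a compromised-password list and then keep only a salted, slow hash. The list format assumed is the downloadable HaveIBeenPwned "Pwned Passwords" layout of `SHA1HASH:count` lines; the two entries below are constructed for this example (the hashes are SHA-1 of `password` and `123456`, the counts are made up). The reply says GitHub stores a bcrypt hash; `hashlib.scrypt` from the standard library is used here as a stand-in so the example runs without third-party packages. Nothing is transmitted anywhere: the only thing computed from the user's input is a hash compared against the local table.

```python
import hashlib
import hmac
import os

# Constructed sample lines in the HaveIBeenPwned downloadable list format:
# uppercase SHA-1 hex digest, colon, number of times seen in breaches.
# Hashes are SHA-1("password") and SHA-1("123456"); counts are invented.
CONSTRUCTED_PWNED_LINES = """
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
""".strip().splitlines()

SALT_LEN = 16  # bytes of random salt prepended to each stored record


def load_compromised_hashes(lines):
    """Parse list lines into {SHA1_HEX_UPPER: count}, skipping blanks."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count) if count else 0
    return table


def compromised_count(password, table):
    """How many times the password appears in the local list (0 if absent).

    The list is keyed by unsalted SHA-1 on purpose: an unsalted hash is
    what makes an offline lookup possible. Only this digest is computed
    from the candidate; the plaintext never leaves the process.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return table.get(digest, 0)


def _derive(password, salt):
    # scrypt stands in for bcrypt (assumption); 2**14 * 8 * 128 = 16 MiB memory.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def hash_for_storage(password):
    """Return salt || derived key. A fresh random salt per record means two
    accounts with the same password store different bytes, unlike the
    unsalted SHA-1 digests in the compromised list."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_stored(password, stored):
    """Constant-time comparison of a login attempt against a stored record."""
    salt, derived = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), derived)


def register(password, table):
    """Reject a password found in the compromised list; otherwise return
    (stored_record, "ok"). The plaintext is never retained."""
    hits = compromised_count(password, table)
    if hits:
        return None, f"password appears {hits} times in the compromised list"
    return hash_for_storage(password), "ok"


if __name__ == "__main__":
    table = load_compromised_hashes(CONSTRUCTED_PWNED_LINES)
    for pw in ("password", "correct horse battery staple"):
        record, msg = register(pw, table)
        print(f"{pw!r}: {msg}" + ("" if record is None else f" ({len(record)} bytes stored)"))
```

Running it prints a rejection for `password` and an accepted registration for the uncommon passphrase. The same block also illustrates the distinction raised further down the thread: the compromised list is indexed by unsalted SHA-1, which is exactly why it can be looked up offline, while the stored record is salted and slow, so the same password registered twice yields two different records and a precomputed table of stored values is of no use.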

A really good feature of http://leakprobe.net, a similar and, in my opinion, superior-functioning service to Have I Been Pwned, is that every hash found in their database has the option to use their rainbow tables to crack it. In fact, the website only adds user accounts that have been “pwned” that contain plain-text data OR unsalted hashes (MD5 or SHA1). This is a major difference because they will not add records that contain salted hashes or any other kind of encrypted information such as with bcrypt.

Leakprobe uses millions of rainbow tables to decrypt hashes in seconds, with a majority of the ones in their database able to be cracked instantly. This function is efficient compared to regular dictionary, brute-force, or other hash decryption techniques.

I highly recommend them.