At Eventication, security has always been one of our highest priorities. Encouraging users to pick strong passwords is still the first line of defence for their accounts.
For years HaveIBeenPwned has been collecting lists of passwords from available data breaches worldwide. The founder of HaveIBeenpwned, Troy Hunt, has released an API to check whether a password has been used before and if the password leaked in any data breaches. With this API, we can advise our users to choose better, harder passwords when they sign up for Eventication, or when they change their password.
Your security senses might be tingling at the prospect of sending all our users’ passwords to a third-party. Thankfully you needn’t worry.
Instead of sending the whole password, we only need to hash the password using SHA-1 and send the first 5 characters of the result. This returns all the hashes that are in the data set beginning with those 5 characters and if the remained of the hash is present, the password was in the list.
Through these extra security measurements, we will protect our users and their data even more and we hope that our users will also check and change their passwords on other online services.
Please, never reuse a password.
More information about PWNED can be found on their website.