• Resolved boutzamat

    (@boutzamat)


    Hi.

So I got this message after logging into my website: You are using exists on lists of passwords leaked in data breaches.

    What list is that? My password is not in the popular rockyou.txt file.
I'm taking this matter very seriously. If it really does exist on a list of leaked passwords, I would like to know how you know this. What list do you compare to?

    Thanks in advance.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi @boutzamat,

    WordFence uses HIBPv2 ( https://haveibeenpwned.com/API/v2 ) to check if your password has been leaked.

    You have two ways of checking if your password has been leaked.

    1. Type your password into this website to check: https://haveibeenpwned.com/Passwords
    2. Alternatively, you can check without typing your password:

    a. Determine your password’s SHA-1, using https://onlinemd5.com/ (scroll down, select SHA-1)
    b. Navigate to https://noc1.wordfence.com/passwords/*****.txt (replacing ***** with the first 5 characters of your SHA-1 hash)
    c. Search for the remaining characters in your SHA-1 hash to see if it has been leaked

    So for example, I’ll pretend my password is password.

    a. I have determined that the SHA-1 for password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
b. The first five characters are 5BAA6 (must be uppercase), so I’ll navigate to https://noc1.wordfence.com/passwords/5BAA6.txt
    c. The remaining characters after 5BAA6 are 1E4C9B93F3F0682250B6CF8331B7EE68FD8

    I am able to find 1E4C9B93F3F0682250B6CF8331B7EE68FD8 within the text file, so I can conclude that my password has been leaked.

    Here are some resources on what WordFence offers in password leakage protection.

    https://www.wordfence.com/blog/2017/12/password-auditing-feature-update/
    https://www.wordfence.com/blog/2018/03/password-leak-attacks-wordpress/

    Dave
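The lookup Dave describes is a k-anonymity range check: only the first five hex characters of the SHA-1 go to the server, and the client searches the returned file for the remaining 35. The script below is an added example, not Wordfence's or HIBP's own code. It embeds a constructed range file for the 5BAA6 prefix in the HIBP `SUFFIX:COUNT` line format (an assumption: the thread does not describe the layout of the noc1.wordfence.com files, so the parser also accepts bare-suffix lines), checks a password against it offline, and shows why searching for the full 40-character hash, as happens later in this thread, finds nothing even when the password is in the list. `live_fetch` uses the real HIBP range endpoint and is provided for reference only.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Optional

# Constructed sample range file for prefix 5BAA6 (not real HIBP data).
# Format assumed: "<35-hex-char suffix>:<count>", one entry per line.
# The first suffix is the real remainder of SHA-1("password"); the other
# two suffixes and all counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:7
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""


def sha1_prefix_suffix(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, Optional[int]]:
    """Map each suffix in a range file to its count (None if the line has none)."""
    entries: Dict[str, Optional[int]] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        entries[suffix.upper()] = int(count) if count.strip().isdigit() else None
    return entries


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network: only the 5BAA6 range exists in this example."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Fetch a range from the real HIBP API (network access required; not used in tests)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def leak_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Return the breach count for the password, or None if its suffix is absent.

    Only the prefix leaves the client; the suffix comparison happens locally.
    A count of None with a found suffix is reported as 0 ("present, count unknown").
    """
    prefix, suffix = sha1_prefix_suffix(password)
    entries = parse_range(fetch_range(prefix))
    if suffix not in entries:
        return None
    return entries[suffix] if entries[suffix] is not None else 0


def full_hash_in_range(password: str, fetch_range: Callable[[str], str]) -> bool:
    """The mistake from the thread: searching the file for the whole 40-char hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return (prefix + suffix) in fetch_range(prefix)


if __name__ == "__main__":
    for pw in ("password", "some-unique-passphrase-nobody-else-uses"):
        prefix, suffix = sha1_prefix_suffix(pw)
        print(pw, "->", prefix, suffix, "count:", leak_count(pw, offline_fetch),
              "| full-hash search hit:", full_hash_in_range(pw, offline_fetch))
```

Running it shows `password` found with the constructed count while the full-hash search reports no hit for the very same password, which is exactly the discrepancy that confused the original poster. Swap `offline_fetch` for `live_fetch` to query the real range API with the same five-character prefix.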

    Thread Starter boutzamat

    (@boutzamat)

Hi @wfdave, thank you for this very detailed and helpful answer. Highly appreciated.

    I managed to follow your guide, and SHA-1 hashed my password, looked up the password on the *****.txt (first 5 letters of my hash) list – it was not to be found, thank god.

But Wordfence said my password exists on that list. This is what I don't understand.
    I have never been hacked before, so I'm pretty sure my password isn’t on that list, but the WF alarm had me worried.

    I would highly recommend changing your password (and any other websites that share this password).

    Your account does not have to be hacked for your passwords to be leaked. Suppose I use the same password for Google and Hotmail. If Hotmail’s entire database gets breached, attackers will have access to my Google account as well.

    When you search for your password within *****.txt, did you search the remaining characters? For example, if your hash is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, you should search for 1E4C9B93F3F0682250B6CF8331B7EE68FD8 not the entire hash.

    Dave

    Thread Starter boutzamat

    (@boutzamat)

    Hello Dave.

    I do consider it.

Yup, I know it doesn’t. What I meant was that I’ve never been hacked. So if they do have the hash, it’s probably not from me. And since I’ve been very creative with my password, I don't think they got it from someone else either. This is why I believe WF probably was wrong about my password being on the leak list.

Thanks for the suggestions. I do possess some knowledge about hacking myself.
    What I was wondering was what list WF used to compare my hash, so I could check it myself, and I didn’t find it on the list.

    I searched for the whole hash, not only the first part of it.

    Thank you for your time.

“I searched for the whole hash”

    Ah I’m sorry, please search for the rest of the hash in the text file.

    If your hash is 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8, you need to search for 1E4C9B93F3F0682250B6CF8331B7EE68FD8. You won’t find the beginning 5 characters in the text file, search for the remaining 35 characters of the hash.

“So if they do have the hash, it’s probably not from me.”

    You are correct! They stole it from a website’s database and not from you. It’s not the fault of the user. The fault is the website that got hacked.

    Thread Starter boutzamat

    (@boutzamat)

    Hi Dave,

    I tried searching the last 10 characters of both MD5, SHA-1, SHA-256 on 3 separate lists, and thank god, my hash is not on the list.

    That’s really good to hear! I’m sorry to have made you worried.

    I’m being told that on previous versions of Wordfence, some caching issues might cause that warning to appear.

    The list above (Have I been pwned), is the only list Wordfence currently uses.

    I think if you update Wordfence, or reinstall it, you will no longer see that warning about your password being on a leaked list.

  • The topic ‘You are using exists on lists of passwords leaked in data breaches’ is closed to new replies.