In the InfoSec world, a pwned password is a password that appears in a list of more than half a billion passwords (517,238,891 and counting, to be exact) known to have been exposed in data breaches (i.e. they are already owned, or "pwned", by hackers).
Using any of these pwned passwords significantly increases the chances of becoming the victim of a data breach. RDM 14 has a great new feature (which is also one of my favorites): the Pwned Password Check! This feature, which leverages Troy Hunt's Pwned Passwords service, automatically checks whether a password that you're using (or are thinking of using) has been pwned. If so, you can be proactive and choose something else to stay out of harm's way.
How to Setup the Pwned Password Check
- Go to Administration > Data Source Settings > Password Management.
- Click on the Pwned check dropdown menu and select Enabled.
- RDM will then analyze every password that is saved in an entry and let you know if it is pwned, in which case you should change it immediately.
The Back End
Rest assured that RDM does **not** send your passwords in plain text to Hunt's database system. Here is how the back end workflow looks:
The Pwned Passwords Check uses k-Anonymity: RDM computes the SHA-1 hash of the password locally and sends only the first 5 hex characters of that hash to the API. Because a 5-character prefix has only about a million possible values, each prefix matches hundreds of hashes in the repository, so the API never learns which one is yours.
The API returns every hash suffix (the remaining 35 characters) in the Pwned Passwords repository that shares those first 5 characters, along with the number of times each one was seen in breaches.
RDM compares the remaining 35 characters of your own hash against that list locally, and if there is a match you receive a warning.
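The following is an added example of the k-anonymity lookup described above, written for illustration; it is not RDM's own code. The offline `fake_range_lookup` is a constructed stand-in for the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint, and every suffix and count in it is made up except for the well-known SHA-1 hash of the string "password". The `live_range_lookup` function shows what the real request looks like but is not called by default.

```python
"""k-anonymity pwned-password check: only a 5-char SHA-1 prefix leaves the client."""
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password), upper-case."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range API returns into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_pwned(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breaches (0 = not found).

    Only the 5-character prefix is handed to range_lookup; the remaining 35
    characters are compared locally against the suffix list that comes back.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


# --- constructed offline stand-in for the API (not real breach data) ---
SHA1_OF_PASSWORD = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"  # well-known SHA-1 of "password"
_FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"  # suffix of SHA-1("password"); count constructed
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\r\n"        # constructed filler suffix
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"        # constructed padding-style entry (count 0)
    ),
    "A9993": (
        "0000000000000000000000000000000000A:7\r\n"        # constructed; SHA-1("abc") suffix is NOT listed
    ),
}
REQUESTED_PREFIXES: List[str] = []  # audit log of what the fake "server" actually received


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in: records the prefix it was asked for and returns the constructed bucket."""
    REQUESTED_PREFIXES.append(prefix)
    return _FAKE_RANGES.get(prefix, "")


def live_range_lookup(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (network access; not used by default).

    The Add-Padding header makes the API pad every bucket with count-0 entries so
    that response size cannot be used to infer which prefix was queried.
    """
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "abc"):
        n = check_pwned(pw, fake_range_lookup)
        print(f"{pw!r}: {'PWNED, seen ' + str(n) + ' times' if n else 'not found'}")
    print("prefixes sent to the server:", REQUESTED_PREFIXES)
```

Swap `fake_range_lookup` for `live_range_lookup` to query the real service; either way, the password and its full hash never leave the process, which is the property the k-anonymity design is there to guarantee.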
Help Generating Strong Passwords
Also, remember that RDM has a built-in Strong Password Generator and a Password Analyzer to help you choose more secure passwords and follow security best practices. The Pwned Passwords Check adds an extra layer of security to your enterprise, and more peace of mind.
Tell Us What You Think
My views on the Pwned Passwords Check aren't a secret: I love it! But what you think is more important, because we add new features for you, not for us (although we get the same benefits as you do).
So please share your comments below. Tell us what you like, what you don't, and what you want us to change, improve, fix, overhaul, eliminate... there's no limit. We're always listening to you, and striving to find new ways to keep your accounts and data from being pwned!
As always, please let us know your thoughts by using the comment feature of the blog. You can also visit our forums to get help and submit feature requests; you can find them here.