Password Reuse

Though gunqr.co has never fallen prey to a security breach, you have undoubtedly heard of sites that have. As of July 2018, Troy Hunt’s Have I Been Pwned (HIBP) site has collected more than 5.1 billion compromised (aka pwned) accounts compiled from 292 website breaches and 73,196 pastes of more than 80 million accounts alone.

One thing data breaches have taught us is that humans love to reuse passwords. It’s extremely risky, but it’s so prevalent because it’s easy and people aren’t aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.

In August 2017, The National Institute of Standards and Technology (NIST) released guidance recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data are well-described in detail in Troy Hunt’s Introducing 306 Million Freely Downloadable Pwned Passwords blog post.

If you are curious about how we’re able to securely check your password against half a billion breached passwords without revealing your password, check out Troy’s blog post about Cloudflare, Privacy and k-Anonymity.

Please wait...