A new site, pwnedlist.com, lets users check whether their email address or username, and the account data associated with it, has turned up in a public data breach. Enter a username or email address into the site’s search box and it checks whether that identifier appears in any of the recent public data dumps it has collected.
The site works by harvesting the mounds of data leaked or deposited daily to sites like Pastebin and torrent trackers, recording a cryptographic hash of each record and then discarding the plaintext. When a user submits a query, only a binary “yes” or “no” answer is returned, indicating whether a hash matching the submitted identifier was found. The site therefore does not store <username, password> pairs in its database, and it never returns any hint about the password or about where the data was leaked.
The site itself appears to have become a target for many attackers. Allen Puzic, creator of pwnedlist.com, said they have seen users trying to poison the database or slip malware and exploits into data dumps submitted to the site. For this reason, the site does not store the usernames and email addresses submitted through its form, but it does record the internet address of those who use it. I am not sure whether or not hackers could recover the <username, password> pairs from the submitted usernames and the related hash keys. If they can, they would get a huge number of victims’ accounts by hacking pwnedlist.com.
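As an added example (not part of the original post and not pwnedlist.com’s own code), the following Python sketch shows the hash-and-discard design described above and speaks to the recovery question just raised: the dump is parsed, only a SHA-512 fingerprint of each identifier is kept, the password field is thrown away, and a query returns a bare yes/no. The last function shows the limit of that design: an unsalted hash of a low-entropy identifier such as an email address is not a secret, because anyone holding the index can hash a candidate list and read off the matches. The dump text is constructed, and the “identifier:password” layout and the lower-casing normalization are assumptions made for the example.

```python
import hashlib

# Constructed sample dump in the common "identifier:password" layout seen
# on paste sites. These are invented records, not a real leak.
SAMPLE_DUMP = """\
Alice@Example.com:hunter2
bob@example.org:correcthorse
carol@example.net:P@ssw0rd!
# comment line that a parser must skip
malformed line without separator
"""


def normalize(identifier: str) -> str:
    """Canonicalize an identifier so 'Alice@Example.com' and
    'alice@example.com' hash to the same value (assumed policy)."""
    return identifier.strip().lower()


def fingerprint(identifier: str) -> str:
    """SHA-512 hex digest of a normalized identifier. Unsalted on purpose:
    a per-record salt would make client-side hashed queries impossible."""
    return hashlib.sha512(normalize(identifier).encode("utf-8")).hexdigest()


def build_index(dump_text: str) -> set[str]:
    """Ingest a dump, keep only identifier fingerprints, discard plaintext.
    The password field is split off and never stored anywhere."""
    index = set()
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed records
        identifier, _password = line.split(":", 1)  # password dropped here
        index.add(fingerprint(identifier))
    return index


def is_pwned(index: set[str], identifier: str) -> bool:
    """Plaintext query: the service hashes what the user typed and answers
    only yes/no, revealing nothing about the password or the source dump."""
    return fingerprint(identifier) in index


def is_pwned_hash(index: set[str], sha512_hex: str) -> bool:
    """Hashed query: the user hashes locally and the service never sees
    the address itself (the SHA-512 option mentioned in the comments)."""
    return sha512_hex.strip().lower() in index


def recover_identifiers(index: set[str], candidates: list[str]) -> list[str]:
    """Why hashing protects passwords but not identifiers: anyone holding
    the index can hash a candidate list (harvested addresses, a username
    wordlist) and learn exactly which of them are present."""
    return sorted(c for c in candidates if fingerprint(c) in index)


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    print(len(idx), "fingerprints stored, 0 passwords stored")
    print(is_pwned(idx, "alice@example.com"), is_pwned(idx, "dave@example.com"))
    print(recover_identifiers(idx, ["dave@example.com", "carol@example.net"]))
```

The design choice the example makes explicit: discarding the password field means a compromise of the site’s database yields no <username, password> pairs, which is what the site is protecting against. It does not make the stored identifiers confidential, since SHA-512 of a guessable string is a lookup, not a secret, so the list of who appears in the dumps is recoverable by anyone willing to hash a large enough address list.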
There is an interesting thing: when I tried to access pwnedlist.com today, my browser returned their page with only one sentence: “Sorry, looks like we have an error on our hands. We apologize, wait 10 seconds and try again?” Some people in the comments point out that pwnedlist.com is under a DDoS attack right now.
If you don’t want to see your email account appear on the Pwnedlist, you should always use a strong password and change it periodically, especially for your sensitive accounts. Keep in mind that a strong password does not keep your address out of a breached site’s dump; what it does is limit the damage, and using a different password for each site keeps one leak from unlocking your other accounts. Some information about strong passwords you should know: “Length and complexity are two of the most important factors in determining a strong password. It’s also a good idea to periodically change passwords for sensitive accounts, provided you have a decent way to recover the password should you forget or lose it.”
Check out Krebs’s Password Primer for a list of tips and resources to help you create and protect strong passwords.
Source: http://krebsonsecurity.com/2011/11/are-you-on-the-pwnedlist/ http://krebsonsecurity.com/password-dos-and-donts/
Something makes me a little wary of typing my e-mail address into some random site, although they offer the SHA-512 hash option for those people who really care.
Also, a binary yes/no is probably the only thing a lot of users will understand. I haven’t seen the YES page, but I would assume it would tell you to change your passwords and so on.
Actually, the YES page only tells you that your email account is not on their list. The NO page might show some warnings or advice to users.
And I think if they provided something more than the binary yes/no, such information might be more likely to be used by attackers than by common users.
Hmm... Interesting! I checked their website; it is up, and I am safe 🙂
One thing is for sure: just a binary YES/NO is not useful. Agreed, the binary value works out a lot safer for the website, but for the victim it provides no value.