Why is breach-detection site "Have I Been Pwned" considered safe?

This article by the service's creator may answer some of your questions.

https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/

Specific details that might be of interest:

  • Passwords are not stored along with user details because there is no such thing as "secure enough" storage for this kind of thing
  • Have I Been Pwned? won't tell people their own passwords anyway, even if the account ownership could be verified
  • Some more sensitive breaches - Ashley Madison being the first such breach - are kept more discreet by only disclosing that an email is in the breach corpus after confirming you control the address

Here's an additional article covering the Pwned Passwords feature:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

Of note, Pwned Passwords as the downloadable list provides only hashed passwords. There is some question as to whether this constitutes a password dictionary that can be exploited, but given it doesn't associate the passwords at all with who used them or where, reversing them to use them just wouldn't be that valuable. And while some may not consider this a satisfactory answer... these passwords are already out there.

The most recent "Collection #1" breach, with over 12,000 sources, is evidence enough that Have I Been Pwned is not the only one aggregating this type of information. And the competition does not have your best interest at heart.

Pwned Passwords as a lookup service uses k-anonymity to provide some safety. It works basically like this:

  • You hash the password with the same algorithm Pwned Passwords uses (SHA-1)
  • Submit just the first 5 characters of the hash, which given the sample size of the database will return many results for any given 5-character combo
  • You search the returned list to see if any of the results match your hash from the first step

I can't see the future, so I don't know if this collection of information will ever become exploitable in any meaningful way... but as far as I can tell, Have I Been Pwned is provided as a useful service, for virtually no gain, in the interest of public safety.
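The three-step k-anonymity lookup described in the answer above, as an added example that is not code from the original post or from Have I Been Pwned. It assumes the public Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/{first 5 hex chars}) and its response format of one "SUFFIX:COUNT" line per hash that shares the prefix; the response body embedded in the script is constructed for offline use, not a real API reply, and the live fetch function is included only to show what actually leaves the client.

```python
import hashlib
import urllib.request

# Constructed sample response for prefix "5BAA6" (the prefix of SHA-1("password")).
# Format matches the API: <remaining 35 hex chars>:<times seen in breaches>.
# Only the "password" suffix is a real SHA-1 suffix; the other suffixes and all
# counts are made up for this example. A count of 0 is what padding entries look
# like when the API is asked to pad responses; they are harmless to the lookup.
SAMPLE_RANGE_RESPONSE = """\
0D8F7C9E2B1A4F6E3D5C7B9A1E2F3D4C5B6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
3A9F1E2D4C5B6A7F8E9D0C1B2A3F4E5D6C7:0
7B2C4D6E8F0A1B3C5D7E9F0A2B4C6D8E0F1:15
"""


def sha1_hex(password: str) -> str:
    """Step 1: hash the password the way Pwned Passwords does (SHA-1, uppercase hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Step 2: the 5-char prefix is all that is ever sent; the 35-char suffix stays local."""
    digest = digest.upper()
    if len(digest) != 40:
        raise ValueError("expected a 40-character hex SHA-1 digest")
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    seen: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, range_body: str) -> int:
    """Step 3: search the returned list locally for our own suffix. 0 means not found."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised offline): only the 5-char prefix appears in the request."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full flow against the real service: hash locally, send prefix, match suffix locally."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

The point to notice is in breach_count and fetch_range: the service only ever receives the first five hex characters of the hash, so the 35-character suffix that would identify the exact password never leaves the client, and the comparison against the returned list happens locally.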


I'm not sure where you are getting the "unquestioningly safe" claim. They ask this question of themselves and provide clear explanations of what they claim they are trying to do to limit risks to the people involved. Believe them or not, but the question is actively raised.

Second, could users be profiled as being "those who care"? Sure. How is that a risk? How is that a higher risk than any check anyone does on the Internet for Internet safety? I'm not sure where you are getting "care == value" logic. It does not follow. There are so many other methods to get this information with so much more enrichment than just seeing what usernames are accessed.

Note that companies check on their own email addresses using automated methods, so I'm not sure that there would be clear value in gathering this usage data.

Third, remember that the data they are processing is already public. So blackhats do not get an easier tool.