Breached password protection

Users frequently re-use passwords across different sites and apps, and this becomes a real security problem when some other site is compromised and a re-used password becomes known to attackers. Here is how we protect against this.


Protecting against insecure passwords

When a new user is invited to Hivebase, they are required to select a password. Hivebase checks that password against known passwords exposed in third-party data breaches and rejects it if it is found there.

This practice follows the National Institute of Standards and Technology (NIST) guidance that specifically advises services to check passwords against known breaches:

https://pages.nist.gov/800-63-3/sp800-63b.html (Section 5.1.1.2)

The problem of password re-use

Ideally, users would have strong, unique passwords for every single website and app where they register, managed by a secure password manager.

In reality, users frequently re-use the same password with different services. When one service is hacked and its passwords are compromised, attackers obtain a list of known passwords to try on other services. This type of attack is called credential stuffing, and it is a very effective way for attackers to gain access to accounts.

HIBP data-breach database

There are services that track when a list of compromised passwords is distributed on the web. One well-known service is HIBP (haveibeenpwned.com). Its database tracks billions of compromised accounts and is available for anyone to search. Simply enter your email address, and HIBP will show you all the specific data breaches in which your account was included.

Proactively checking passwords

The HIBP database provides a service where users can proactively check a password to see if it is found in any known breaches: https://haveibeenpwned.com/Passwords.

Hivebase integrates with this HIBP service to check each password against the massive database of data breaches.

How it works

Providing a password directly to a third-party service is obviously not safe! Thankfully there is a way to perform the lookup anonymously and safely.
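As an added example (not Hivebase's own code), here is the k-anonymity range lookup that the HIBP Passwords API is built on: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/, and compares the returned hash suffixes locally, so the full hash and the password never leave the client. The sample range response is constructed so the demo runs offline; the 123456 count in it is made up, while the Add-Padding header is a real option of the API.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP k-anonymity range endpoint


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to HIBP; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 when absent. Entries with count 0 are
    padding added when the Add-Padding header is sent; they mean "not breached"."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real lookup against HIBP (needs network). Add-Padding makes every
    response a similar size, so its length does not leak the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in HIBP; 0 means it can be accepted."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix), suffix)


# Constructed sample of a range response for prefix 5BAA6 (SHA-1("password")
# starts with 5BAA6). The 123456 count and the other two suffixes are made up;
# the ":0" line mimics a padding entry.
SAMPLE_RANGE_5BAA6 = """\
1D2E8B4F5A6C7D8E9F0A1B2C3D4E5F60718:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
2A3B4C5D6E7F8091A2B3C4D5E6F708192A3:0
"""


def demo() -> int:
    """Offline check of the password "password" against the constructed sample."""
    offline = lambda prefix: {"5BAA6": SAMPLE_RANGE_5BAA6}.get(prefix, "")
    return breach_count("password", offline)
```

In production the same `breach_count` is called with `fetch_range_live`, and a non-zero result is what makes the signup form reject the password.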

Here are two technical write-ups that describe in depth the process of anonymously searching for a compromised password:

It's worth noting that the HIBP data-breach lookup service is trusted and used by many security tools, including 1Password, one of the leading password managers available.

https://1password.com/haveibeenpwned/