Have I been pwned? / Plugin for Joomla

Since the early 2010s the public has become increasingly aware of data breaches in which millions of user accounts were stolen from corporate databases and used for criminal purposes. On December 4, 2013 Troy Hunt launched his haveibeenpwned.com website, where individual users can check whether their email address appears in one (or more) of the then-known data breaches (Adobe, Stratfor, Gawker, Yahoo!, Sony). Since then Troy has added more than 220 further breaches, bringing the database to more than 4 billion accounts (and he will keep doing so, we are sure). He also added a web service for checking passwords against the breach data inline.

Our Joomla plugin uses this web service to check whether the user's password appears in one or more of those breaches. Here is a short explanation of how the plugin works.

Use case 1: Registration

At the point of registration, the user-provided password is checked against the Pwned Passwords database. If a match is found, there are two likely explanations for what's happened:

  1. This is a password the user has previously used and it has been pwned in a data breach. It may even be a very good password strength wise, but it should now be considered "burned".
  2. This is a password someone else has used and it has been pwned in a data breach. This is almost certainly a poor password choice, as someone else has independently chosen the same string of characters.

Both scenarios ultimately mean the same thing: the password has previously been used and exposed, and is circulating amongst nefarious parties with criminal intent. Let's look at NIST's advice for a moment in terms of how to handle this:

"If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value."

The Joomla! plugin lets us (as the owner of this website) decide whether to accept such passwords or not, and for security reasons we chose not to accept breached passwords. This is why a user cannot register on our website with a password that has already been breached.
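As an added illustration (not the plugin's own code, and not taken from this page), the following Python shows how a client performs the kind of Pwned Passwords check described above using the API's k-anonymity range query: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the service, and the returned hash suffixes are compared locally, so the password itself never leaves the site. The range response embedded below is constructed for this example (only the suffix of the string "password" is its real SHA-1 suffix; the other suffixes and all counts are made up), and the helper names and the rejection message are this example's own, not the plugin's.

```python
import hashlib
from typing import Callable

# Constructed sample of a Pwned Passwords range response: one "SUFFIX:COUNT" line
# per hash that starts with the requested 5-character prefix. Only the second
# suffix is real (SHA-1 of "password" minus its first five characters); the
# other suffixes and every count are invented for this example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:0
"""


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords is keyed on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): only the 5-char prefix is ever sent to the API."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping malformed lines.

    With the Add-Padding request header the API mixes in fake entries that
    carry a count of 0; those are not real matches and are ignored here.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_new_password(password: str, fetch_range: Callable[[str], str]) -> tuple[bool, str]:
    """Registration decision in the NIST SP 800-63B style quoted above:
    reject a listed secret and tell the user why (wording is this example's own)."""
    count = pwned_count(password, fetch_range)
    if count > 0:
        return False, (f"This password has appeared {count} times in known data "
                       f"breaches; please choose a different one.")
    return True, ""


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for the HTTPS call; only the constructed 5BAA6 range has data."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_live(prefix: str) -> str:
    """The real query, shown for reference; the offline demo below does not call it."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-constructed-example"):
        ok, reason = evaluate_new_password(candidate, fetch_range_sample)
        print(candidate, "->", "accepted" if ok else f"rejected: {reason}")
```

Swapping `fetch_range_sample` for `fetch_range_live` turns the offline demo into a real lookup; everything else, including the local suffix comparison and the handling of zero-count padding entries, stays the same.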

Use case 2: Password Change

Password change is important as it obviously presents another opportunity for users to make good (or bad) decisions. But it's a little different from registration for a couple of reasons. One reason is that it presents an opportunity to do some social good: we know how much passwords are reused, and the reality is that if someone has been using a password on one service, they've probably been using it on others too. Giving people a heads-up that even an outgoing password was a poor choice may well save them from grief on a totally unrelated website. This is why the Joomla! plugin not only checks the new password, but also shows the user a notice explaining how to check their previous password directly in the Pwned Passwords database.

The new password is of course checked against the database and, as in the registration use case, we decided to block a pwned password entirely.

Use case 3: Login

Many systems will already have large databases of users. Many of them have made poor password choices stretching all the way back to registration, an event that potentially occurred many years ago. Whilst that password remains in use, anyone using it faces a heightened risk of account takeover which means checking the password AND/OR the email address during login makes a lot of sense.

With the Joomla! plugin you can activate either of these two options in the plugin configuration, and the user receives a corresponding message when logging in. However, we suggest using this feature only for a limited time during your initial rollout of the plugin (it makes little sense to check the email address over and over again each time the user logs in).

Use case 4: everything else

The Joomla! plugin provides a simple interface for using the "Have I been pwned?" database in other (useful) ways. We describe the necessary steps in this forum post on our website.

Statistics from the 'Have I been pwned?' website

Data breaches aggregated: 851
Breached accounts aggregated: 14,505,253,859


Two year subscription (HIBP API costs, support and updates)
for a fee of EUR 20,00

To advance overall internet security, we wanted to make this plugin as affordable as possible (short of making it free, of course). However, since Troy Hunt was forced to put a price tag on the use of his service, we also have to cover these costs.

To use our plugin, you need an active subscription with a fee of EUR 20,00 for two years (plus VAT if applicable). This will allow you to use the plugin on as many sites as you like, download the plugin and any updates, and ask for support should the need arise.


Get the plugin now!
