Skip to content

I suggest you ...

← General

Search for non decrypted passwords

As we can download both SHA-1 and NTLM password list, I suppose this list concerns only decrypted passwords that have been re encrypted with SHA-1 and NTLM.

So what about non decrypted passwords ?

I can see a lot of breaches where (fortunally) only the digest has been pwned and the digest algorithm is known.

Are there databases of encrypted passwords with their digest algorithm waiting to be decrypted ?

If yes it could be a nice feature to test passwords against all these databases using the corresponding algorithm...

1 vote
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Rémi shared this idea  ·   ·  Report…  ·  Admin →
declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded  · 

There are multiple problems with this:

Firstly, passwords are almost never encrypted, they’re hashed. If they are encrypted then without the private key you really can’t verify the password by any means.

Secondly, when hashed, they’re almost always salted as well so just knowing the algorithm used isn’t sufficient for a password hash provided by a user to be verified, I’d have to provide the salt used as well. That would mean storing that in a way that could be retrieved for that user which amounts to needing credential pairs which is too risky for my comfort.

Thirdly, it’s a very niche audience that could use this, namely people technical enough to hash their own password (with the salt, if needed) and then pass it back to the service.

In short, it’s high effort, high risk and low value given the niche nature of it.

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Rémi commented  ·   ·  Report

    Thanks for your answer and sorry for my confusion between encryption and hashing: I should have replace each occurence of "non decrypted"/encrypted by hashed and decrypted by "clear text" in my post.

    So I understand that generally there's one different salt per user (e.g. based the account creation date).

    Even by downloading the SHA-1 or NTLM password list, it would be too CPU/time expensive to try each line against different salts based on the digest algorithm and clear text password.

    I begin to realise the necessity of very strong passwords (the kind of that most people cannot remember by heart): as breaches happen quite often, it seems the more important is to complicate the work of peoples using brute force technics against digests (particularly if it is a small set where corresponding accounts are known).

General

Categories

Feedback and Knowledge Base

(thinking…)