Copyright 2018 - Schultz IT Solutions - Swiss service quality for Austrian and international enterprises - All rights reserved.

Have I been pwned? / Plugin for Joomla

Since the early 2010s the public has increasingly been informed about data breaches in which millions of user accounts were stolen from enterprise databases and used for criminal purposes. On December 4, 2013 Troy Hunt launched his haveibeenpwned.com website, where individual users can check whether their email address appears in one (or more) of the then-known data breaches (Adobe, Stratfor, Gawker, Yahoo!, Sony). Since then Troy has added more than 220 further breaches, amounting to more than 4 billion accounts in his database (and will surely continue to do so). He also added a web service, Pwned Passwords, that lets an application check a password against the set of breached passwords inline, without ever sending the password itself: only the first five hex digits of its SHA-1 hash leave the site, and the matching against the returned candidate list is done locally.

Our Joomla! plugin uses this web service to check whether a user's password appears in one or more of those breaches. Let us explain briefly how the plugin works.

Use case 1: Registration

At the point of registration, the user-provided password is checked against the Pwned Passwords database. If a match is found, there are two likely explanations for what's happened:

  1. This is a password the user has previously used and it has been pwned in a data breach. It may even be a very good password strength-wise, but it should now be considered "burned".
  2. This is a password someone else has used and it has been pwned in a data breach. This is almost certainly a poor password choice, as someone else has independently chosen the same string of characters.

Both scenarios ultimately mean the same thing: the password has previously been used, exposed and is circulating amongst nefarious parties with criminal intent. Let's look at NIST's advice (SP 800-63B, section 5.1.1.2) for a moment in terms of how to handle this:

"If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value."

The Joomla! plugin lets the website owner decide whether such passwords are accepted or not. For security reasons we chose not to accept breached passwords, which is why a user cannot register on our website with a password that is already known to be breached.

Use case 2: Password Change

Password change is important as it obviously presents another opportunity for users to make good (or bad) decisions. But it is a little different from registration for a couple of reasons. One reason is that it presents an opportunity to do some social good: we know how much passwords are reused, and if someone has been using a password on one service, they have probably been using it on others too. Giving people a heads-up that even an outgoing password was a poor choice may well save them from grief on a totally unrelated website. This is why the Joomla! plugin not only checks the new password but also shows the user a notice on how to check their previous password directly in the Pwned Passwords database.

The new password is, of course, checked against the database, and as with registration we decided to block a pwned password entirely.

Use case 3: Login

Many systems already have large databases of users, many of whom made poor password choices stretching all the way back to registration, an event that may have occurred many years ago. While that password remains in use, anyone using it faces a heightened risk of account takeover, which means checking the password and/or the email address during login makes a lot of sense. Login is also the only moment at which an existing user's password is available in clear text for such a check; the hashed passwords stored in the database cannot be looked up.

With the Joomla! plugin you can activate either or both of these options in the plugin configuration, and the user receives a corresponding message when logging in. However, we suggest you use this feature only for a limited time during your initial rollout of the plugin; in particular it makes little sense to check the email address over and over again on every login, since that answer does not change between logins.
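To make the mechanism behind use cases 1 to 3 concrete, here is a complete Pwned Passwords range check with the three decision modes (reject at registration and password change, warn at login). This is an added example written for this page, not the plugin's own code: the plugin is written in PHP for Joomla!, while Python is used here only to keep the illustration short and runnable offline. The range responses, all occurrence counts, the filler suffixes and the "unavailable" outcome are constructed; the real endpoint is https://api.pwnedpasswords.com/range/<first five SHA-1 hex digits>.

```python
import hashlib
from typing import Callable, Optional

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The real service answers every 5-character SHA-1 prefix with several
# hundred "SUFFIX:COUNT" lines (CRLF separated, uppercase hex), so the
# caller never transmits the password or its full hash. All suffixes and
# counts here are made up for the example, except that the 5BAA6 entry
# with count 3861493 carries the genuine 35-character suffix of
# SHA-1("password"); that count is invented too.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E2AAA439972480CEC7F16C795BBB429372:0\r\n"
    ),
}
# Constructed filler for every other prefix: a non-empty response that
# simply does not contain the caller's suffix.
FILLER_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
)


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS request; same response shape."""
    return SAMPLE_RANGES.get(prefix.upper(), FILLER_RANGE)


def failing_fetch_range(prefix: str) -> str:
    """Simulates the API being unreachable (constructed outage)."""
    raise ConnectionError("pwnedpasswords.com unreachable")


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Number of breach occurrences of the password, 0 if none, or None
    when the lookup itself failed so the caller can choose a fallback."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    try:
        body = fetch_range(prefix)
    except Exception:
        return None
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            # When the Add-Padding header is used the API mixes in fake
            # suffixes with count 0; a 0 here therefore means "not found".
            return int(count)
    return 0


# Policy for the three use cases on this page: registration and password
# change reject a breached password (NIST SP 800-63B, 5.1.1.2), login only
# warns. "unavailable" is an assumption of this example; the page does not
# say how the plugin behaves when the API cannot be reached.
def decide(password: str, use_case: str,
           fetch_range: Callable[[str], str] = fake_fetch_range) -> str:
    count = pwned_count(password, fetch_range)
    if count is None:
        return "unavailable"
    if count == 0:
        return "ok"
    if use_case in ("registration", "change"):
        return "reject"
    if use_case == "login":
        return "warn"
    raise ValueError(f"unknown use case: {use_case}")


if __name__ == "__main__":
    for pw in ("password", "Ut7-quaint-Lantern-91"):
        print(pw, "->", pwned_count(pw, fake_fetch_range),
              decide(pw, "registration"), decide(pw, "login"))
```

The lookup returns None rather than 0 when the service cannot be reached, so that an API outage is visible to the caller instead of silently passing every password as clean; whether to then fail open (allow) or fail closed (block) is a site policy decision that belongs in the plugin configuration, not in the lookup.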

Use case 4: everything else

The Joomla! plugin provides a simple interface for using the "Have I been pwned?" database in other (useful) ways. We describe the necessary steps in this forum post on our website.


Statistics from the 'Have I been pwned?' website
pwned websites: 333
pwned accounts: 5,687,892,700

Lifetime subscription (support and updates) for a one-time fee of EUR 10,00

In order to advance overall internet security, we wanted to make this plugin as affordable as possible (short of making it free, of course). So we settled on a one-time subscription fee of EUR 10,00 (plus VAT if applicable). This allows you to download the plugin and any future updates, and to ask for support should the need arise (though, given the low price, we hope you will not flood us with support requests).

You can use the downloaded software forever on as many websites as you like - no restriction there. But again, we expect you to honour our efforts by not redistributing the plugin freely (an interested website owner should be able to spend the one-time subscription fee, don't you agree?).


Get the plugin now!
