17 September 2020
Our latest update adds another layer of security around your data and personal information, helping you store your data with confidence in Today’s Plan. We can now let you know if the password you want to use has previously been exposed in one or more third-party data breaches from around the web. This only affects new users and existing users who request a password change.
How does it work?
Our latest update includes an automated password check that validates your password against known compromised passwords. If your password has been compromised, we will ask you to enter a more secure one. Behind the scenes, we have integrated with Have I Been Pwned, a web service developed by security expert Troy Hunt.
Do we send your password anywhere? No
We do not need to send your password to any external parties, and we never will. The most common cause of data breaches is the re-use of passwords, and most people still commonly re-use their passwords across multiple platforms.
Below is a quick summary of the steps we take to validate your password and protect you:
- You enter a new password on the registration or forgotten password form
- We take this entered password and hash it using the SHA-1 cryptographic hash function
- From this hash, we take the first 5 characters as a “prefix” and keep the rest as a “suffix”
- This 5-character prefix is sent to the HIBP Pwned Passwords API
- The API will return a list of 800-1000 “suffixes” of fully hashed passwords from data breaches that match the prefix we sent
- Once we have received this list, we search it for our original suffix and can then tell you whether the entered password has appeared in a breach. Only the 5-character prefix ever leaves our servers; the comparison happens on our side.
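The steps above, worked through in code. This is an added example, not Today’s Plan’s own implementation: the network call to the Pwned Passwords range endpoint is replaced by a constructed in-memory response so it runs offline, and the breach counts and the second and third suffixes in that response are made up (only the suffix for the string “password” is its real SHA-1 remainder).

```python
import hashlib
from typing import Callable, Tuple

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/5BAA6 -- one "SUFFIX:COUNT" line
# per breached hash that shares the prefix. The first suffix is the real
# SHA-1 remainder of "password"; the count and the other two lines are
# constructed for this example and are NOT real HIBP data.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # "password" (count constructed)
        "00C3B94BB57C6B4E1F3D2A2F7E8C9D0A1B2:2",        # constructed
        "FFC1A0D4E3B2C1F0E9D8C7B6A5F4E3D2C1B:17",       # constructed
    ])
}


def hash_password(password: str) -> Tuple[str, str]:
    """SHA-1 the password (uppercase hex) and split it into a 5-char prefix and the 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET to /range/{prefix}; a real client would do the request here."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appeared in breaches (0 if not found).

    Only the prefix is handed to `fetch`; the full hash never leaves this function
    and the suffix comparison is done locally over the returned list.
    """
    prefix, suffix = hash_password(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # The API returns uppercase hex; normalise before comparing.
        if candidate.upper() == suffix:
            return int(count) if count.isdigit() else 1
    return 0


def is_password_allowed(password: str) -> bool:
    """Policy decision used by the registration / reset form: reject any breached password."""
    return breach_count(password) == 0
```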
About Have I Been Pwned
The service was developed by Troy Hunt following the largest ever single breach of customer accounts (at the time) – Adobe. He developed the service to help people deal with the ever-increasing risk of data breaches, and it now contains over 570 million passwords that have been used in known data breaches. His aim was to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.