What is ‘Have I Been Pwned?’

Pwned (pronounced p-oh-n-d) is a word that came out of the gaming industry. It started with someone being beaten, then being owned, and eventually pwned or, in l33t speak, pwn3d. So, keeping with the theme, we won’t be referring to getting hacked, but instead to getting pwned.

HIBP (Have I Been Pwned) is a freely accessible site that anyone can use.

It was created and is run solely by Troy Hunt. Troy made the site to help people and organisations who have been affected by a data breach. HIBP started out as a small service; however, in recent years it has become a huge brand, used around the world by individuals and governments alike.

Who is Troy Hunt?

Troy Hunt is the one who created HIBP. He has created many security courses for Pluralsight, which are used around the world. He has worked / works for Microsoft and has won many awards. He created the site so the public could find out the chance of their data being breached. In addition to this, he wanted to make it free, so that it benefits the public to the best of its ability.

Check out Troy’s blog at https://troyhunt.com

Why was the site created?

One of the main reasons HIBP was created was that in 2013 Adobe was pwned and the hackers stole near enough 3 million credit card details. This hack was, and still is, one of the biggest to happen for the effect it had on the industry. He used to research people’s credentials and found out that many people use the same password for everything. This means you’re at a higher risk of a data breach across many accounts in the event that one gets compromised.

What does Have I Been Pwned do?

HIBP has many completely free features:

  1. Check if your email has been pwned
  2. Get notified if your email has been pwned
  3. Check if email addresses on a specific domain have been pwned
  4. Pwned passwords – see if your passwords have been pwned

Email checking

This feature allows you to put in an email address and find out whether it has been involved in one of the many. This is a great tool for showing friends and family, or even colleagues and bosses, that they have been involved in a hack. It’s often quite an eye-opener to see that you have been involved in a hack, and it helps build the awareness needed to make people more secure.


Have I Been Pwned Notifications

Troy runs a notifications service as part of HIBP, again, completely free to use. This service will send you an email as soon as it has been identified that you are involved in a breach that has been verified within the HIBP database – there is little to lose and lots to gain by using this service.

Combined with a good password manager, you can often be one step ahead of the attackers by the time they have got to your accounts.


Checking if emails within a domain have been pwned

This feature is brilliant for organisations. Once you have verified that the domain is under your ownership, you can search for hacked accounts under your domain and also set up notifications to be alerted. This allows sysadmins to carry out an exercise to contact the users or change their passwords in case of reuse.


Pwned passwords

Pwned passwords is a brilliant tool that we use when you sign up to mappd. Essentially, it takes a section of the SHA-1 hash of your password and runs it against a database of pwned passwords. Because only this hashed section is sent, your passwords aren’t seen by anyone. You can read more about how it works on Troy’s blog.

When you try to type in a password at mappd, if you have chosen a pwned password, then we will reject this and you will have to create a new one. After all, the whole point of mappd is to make you more secure!


How does mappd use Have I Been Pwned

mappd has features that are heavily dependent on HIBP APIs – essentially we use all of the HIBP processes to offer additional features to our customers.

Why do we do that? There is no point in re-inventing the wheel when there is overlap in some features, and using these services means that we can focus on what makes mappd so special.

Did you find this blog post useful? If so, leave a comment or contact us at [email protected]

