Checking for compromised passwords

I've received an e-mail stating my password has been compromised

When you log in to the website of S.A. Proto we employ various security measures. One of these security measures is that we check whether your password has been part of a data breach in the past. The reason we check for this is that people with malicious intent use passwords gathered from data breaches like these as a first guess when trying to guess your password. This means that if your password appears in such a data breach, your account on our website is more likely to get compromised. In addition you may be using that password for other sites as well, so it is also a good reminder to change the password on these other sites, as they are open to the same problem.

The fact that you receive this e-mail means that your password is in such a breach. Please change your password on the website as soon as possible. Do the same for any other site where you are using that password. In addition, you may also want to check if any of your other accounts have been compromised. You can do so using the service Have I been pwned?.

Because we do not store your password we cannot regularly check if it is compromised. Only when you enter your password can we check it, which is why we check it when you log in.

I cannot change my password, because it says my new password is present in a data breach

In much the same way as described above, we also verify if a new password is already present in a set of known compromised passwords. If this is the case, we do not allow that password to be used for the website of S.A. Proto. In addition, if you are using that password for any other website, you may also follow the relevant instructions from the section above.

Why are you sharing my password with other parties?

We are not!

We check your password against a service called Pwned Passwords. We trust this service, but more importantly the way that this service is set up means that even they will never be able to see or guess your password. If you are interested in the technical details, you can read them here. The bottom line is that we do not send them your password, and the information we do send them cannot be used to retrieve your password.
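To make the "we do not send them your password" point concrete, here is an added example of how such a range lookup works, written for this page and not taken from the S.A. Proto website or from Pwned Passwords itself. It assumes the widely documented scheme: the password is hashed with SHA-1, only the first five hex characters of that hash are sent to the service, and the service answers with every hash suffix sharing that prefix together with a breach count. The range response below is constructed for the demonstration, not real data.

```python
import hashlib

# Constructed stand-in for a range response. Each line is the remaining 35 hex
# characters of a SHA-1 hash that shares the queried 5-character prefix, then
# a colon and the number of times that password was seen in breaches.
# The counts and the first two suffixes are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0E3D9A5F1C2B4E6D8A7C9B0F1E2D3C4B5A6F7E8:12\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # SHA-1("password")
        "FFAB1C2D3E4F5061728394A5B6C7D8E9F0A1B2C:3\n"
    ),
}

# Records every prefix handed to the "service", so a caller can verify that
# nothing longer than five hex characters ever leaves the site.
SENT_PREFIXES = []


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (what the scheme hashes locally)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix sent and 35-char suffix kept."""
    return digest[:5], digest[5:]


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the range lookup; returns the constructed response."""
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Return how often the password appears in the breach set, 0 if never.

    Only the prefix is given to fetch_range; matching the suffix happens locally,
    so the service learns neither the password nor its full hash.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    body = fetch_range(prefix)
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0
```

A login or password-change handler would reject or warn when breach_count returns a non-zero value, which is the behaviour the sections above describe.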

