Check your passwords against the pwned passwords database

2000s and Beyond

Popularity of the term among teenagers rose in the mid-2000s, when it spread from written Internet and gaming contexts into spoken language, where it has become part of standard slang.

In 2009, Microsoft described a security vulnerability in ActiveX as leaving Windows XP and Windows 2003 Server users open to a «Browse-And-Get-Owned» attack.

Variations

Other variations of the word owned include own3d, 0wn3d and pooned, terms which incorporate elements of «leetspeak».

The past tense and past participle, pwned, may also be spelled: ownt, pwnt, pwnd, pwn’d, pwn3d, poned or powned.

Pronunciations (Pwn)

Because it is primarily used in written form only, «pwn» has no single accepted pronunciation. Common pronunciations include «pone», «pawn», «puh-own», and «pwen».

Customization and Configuration

  • To enable reCAPTCHA
    1. Find the entry and enter your private key within double quotes ()
    2. Find the entry and enter your Site Key within double quotes ()
  • To change the language of the reCAPTCHA widget
  • To enable/disable the password meter
  • To enable/disable the password generator
    • Find the entry and set it to or (without quotes)
    • Find the entry and set it to a numeric value (without quotes) to set the entropy of the generated password
  • To enable server-side password entropy meter
  • To enable restricted group checking
    1. Find the entry and add any groups that are sensitive. Accounts in these groups (directly or inherited) will not be able to change their password.
  • Find the entry and set it to your default Active Directory domain. This should eliminate confusion about using e-mail domains / internal domain names. NOTE: if you are using a subdomain, and you have errors, please try using your top-level domain.
  • To provide an optional parameter to the URL to set the username text box automatically
    1. This helps the user in case they forgot their username and, also comes in handy when sending a link to the application or having it embedded into another application where the user is already signed in.
  • To specify which (DC) attribute is used to search for the specific user.
    • With the it is possible to select one of six attributes that will be used to search for the specific user.
    • The possible values are:
      • or
      • or
      • or
      • or
      • or
  • The rest of the configuration entries are pretty much all UI strings. Change them to localize or brand this utility to meet your needs.

Running as a sub-application

To run as a sub-application you need to modify the value in the file to be the base URL for PassCore. For example, if you have PassCore set up at /PassCore, you would put

<base href="/PassCore/" />

Usage

As early as the early 1990s the meme was used by hackers upon gaining control of someone else's computer (server), when hacking or defacing a site, and so on.

In the late 90s it came into use among gamers. The phrase «I Own» was also used as a typo (intentional or accidental) of «I Won». Later the phrase «I Pwn» was used as a typo of «I Own».

Today the term «owned» is used not only in the virtual world but in the real one as well. It accompanies a major defeat or humiliation that is either funny to onlookers or in which a dominating (winning, humiliating) side is evident. Close in meaning to «FAIL!»

How is it pronounced?

It isn't. Most leetspeak is not meant to be used in any form other than text. Some hold that pwn should be read as (that is, like pawn, the chess piece), (like pron prawn, the shrimp), , , , and so on. Most often, though, in ordinary speech it is simply easier to replace the word with «owned».

In the Russian-speaking gaming fandom the reading «pavned» has more or less taken hold: «ya tebya otpavnil/zapavnil» (I owned you), «PAVNED, bitch» (dismissively), «I was pwning while you were still chasing lamers around LANs» (shut up, noob) and other indignant elitist schoolboy interjections.

The reading «pvned!», with the stress on the «p», is also suggested. And yes, stressed consonants are as real as an unstressed «ё».


How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure: all Watchtower checks happen on your local device.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match, then we know this password is known and should be changed.

Troy offers a detailed write-up of how this works in his Pwned Password v2 announcement. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this stuff as fascinating as I do.

Notes

  • HaveIBeenPwned breach data is downloaded every time the check is run as the data file is small.
  • Cloudbleed data is only downloaded once and then cached here: (Windows) or (Linux) as this is currently a ~70MB download. If you wish to refresh the cache, simply delete this file.
  • As KeePass doesn’t have a native method for determining when an entry’s password was last changed, keepass2-haveibeenpwned will use the history entries if any exist and compare their passwords.
  • Username/password checking could take a while to complete, as HIBP applies a rate limit on requests, which means we can only check one username/password every 1.6s.
  • Common usernames (such as admin & root) are not removed from the check and will likely result in false positives in your results, however these should be immediately obvious.

Avoid password breaches, stay safe and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent out into the vast reaches of the internet, it’s known, and I can’t use it anymore. It’s the same reason that was a strong password until this comic came out.

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password. I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!

Use the Google Chrome web browser

Google has always been on the ball when it comes to security audits and password security. I have previously written about how the Google Chrome web browser had been updated so as to include a password checkup feature to check if your password had been compromised. That worked well for anyone who also used the Google Chrome password manager to save your passwords. But things have just got better, and the latest version of the browser, Chrome 79, will now warn you if your web passwords have been stolen without having to save them to the browser first. The new feature will warn you of the presence of a password in a breach compromise database of some 4 billion entries, as you start logging into a site. The feature is still being rolled out, but everyone should have access to it very soon. You can check by going to the browser settings under «Sync and Google Services.»

Others

  1. Recon-ng module by Tim Tomes
  2. Ruby Gem by Carl Sampson
  3. Ruby Gem by Michael Henriksen
  4. Maltego Transform by Sudhanshu Chauhan
  5. Angular JS module by Brad Cavanagh
  6. Firefox OS app by Zshawn Syed
  7. IFTTT recipe by Nick Scoman
  8. WordPress plugin by Evan Herman
  9. Node.js module by Justin Hall
  10. Node.js command line tool by Justin Hall
  11. Chrome extension by Antreas Pogiatzis
  12. Telegram project by Luke Anderson
  13. Microsoft Flow Notification by Jon Gallant
  14. Java client by Dario Oreščanin
  15. Elixir client by Samar Acharya
  16. Slackbot by Samar Acharya
  17. JPwned Java library by Dariush Moshiri
  18. Go package by Juan Ignacio Rizza
  19. .NET library by Valters Tomsons
  20. Databreach Search by Faster Broadband
  21. R package by Steph Locke
  22. Joomla! Plugin by Schultz IT Solutions
  23. Alexa Skill by Neal Shyam
  24. Bash script by Navan Chauhan
  25. PowerShell module by Mark Ukotic
  26. Devise extension by Michael Banfield
  27. Telegram bot by Konstantin Maleev
  28. WordPress plugin by Dan Dulaney
  29. Windows 10 Password Manager by Sergio Pedri
  30. NPM package by Franklin van de Meent
  31. Golang OSINT framework by Francesco Giordano
  32. Bash script by Jimmy Wall
  33. Password Store extension by Darshit Shah
  34. Active Directory Pwned Password integration by Jackson Van Dyke
  35. Google Assistant by Matt Carroll
  36. Clojure client by Nicholas Labarre
  37. KeePass plugin by Janis Estelmann
  38. Nimble client by Dominik Picheta
  39. Go package by Mason Johnson
  40. Python script by Quentin Rhoads
  41. Ansible role by John Imison
  42. FastBound: integration with Pwned Passwords
  43. Perl module by Pete Houston
  44. Passwordstate: integration with Pwned Passwords
  45. Pwned Checker Drupal module by Ronan Leroy
  46. OctoberCMS plugin by Luke Towers
  47. TYPO3 extension by Torben Hansen
  48. Spybot Identity Monitor Desktop app
  49. Kotlin interface by Mark Nenadov
  50. Telegram bot by Francesco Garbo
  51. Bash script by M1ndFl4y
  52. .NET client by Anders Åberg
  53. Slack bot by Pedro Leiva
  54. Chrome Extension by Keshav Malani
  55. OpenCart integration by Todor Donev
  56. NPM package by Dheeraj Joshi
  57. Laravel validator by Stephen Rees-Carter
  58. Discord bot by Nick Bowling
  59. Leon open-source personal assistant by Louis Grenard
  60. CURL password generator by Matthew Justice
  61. Ruby client by P. Warshavski
  62. Sooty — The SOC Analysts all-in-one CLI tool to automate and speed up workflow
  63. Rust library by Caleb
  64. Active Directory PwnCheck by Aaron Guilmette
  65. haveibeenpwned4j Java Library by Martin Spielmann
  66. KoçSistem Gözcü Parola Modulü Chrome Extension by KoçSistem
  67. Golang project by Prahesa Kusuma Setia
  68. Command line tool by Fionn Fitzmaurice
  69. Data Breach Info Chrome extension by The Golden Step
  70. Data Breach Info Firefox Extension by The Golden Step
  71. Email Unfo Chrome extension by The Golden Step
  72. Email Unfo Firefox Extension by The Golden Step
  73. Password Unfo Chrome extension by The Golden Step
  74. Password Unfo Firefox Extension by The Golden Step
  75. Bash script by Alan Johnson
  76. WordPress plugin by Scott Millar

Usage

  • Install the plugin into KeePass, this will add an entry to the Tools menu for «Have I Been Pwned?»
  • Clicking this entry will open a sub-menu with entries for the different breach types to check
  • Clicking these entries will open a prompt asking which breach to check, or all, whether to check only entries that have not been modified since the breach date. You also have the option of auto-expiring any breached entries and including any deleted entries.
  • Running the check will result in a dialog listing all the breached entries, and from which breach they originated (entries can appear multiple times if they appear in multiple breach lists). These can then be modified directly from the list.
  • In the case of username breaches the dialog will also list accounts that have been breached but are not stored in the database
  • Right clicking on entries, or groups in the KeePass interfaces will also show the «Have I Been Pwned?» menu items, to allow the checks to be run on more specific sets of entries.

What was the haveibeenpwned site created for?

The HIBP site has two main goals:

  • informing users;
  • maintaining and developing the project creator's practical skills in the security field.

The staggering amount of breached data includes information on billions of users, obtained from a multitude of different websites that were compromised in one way or another. A glance at the brief statistics is enough; their scale is, to say the least, terrifying:

Enormous databases of users' personal information pass through the hands of the project's creator (Troy Hunt). He neither distributes nor sells this data to third parties; on the contrary, he lets you find out whether you are among the breached accounts.

Hunt started the work back in late 2013. At that time he was analysing various trends emerging in data breaches, for example one of the most common: using the same password for different accounts.

, Hunt said. Back in October 2013 Adobe was breached, as a result of which 153 million users were affected: their accounts (e-mail addresses, names, passwords and other information) fell into the hands of hackers. Naturally, there were other companies as well.

If someone is a potential or already actual victim and does not know it, they expose themselves fully to risk. A hacker can take the compromised information and use it for their own selfish ends: enrichment, humiliation, blackmail, destruction and other social-engineering methods. Companies often do not inform their customers or users about a data breach until it has already happened, which as a consequence protects them and at the same time makes them even more vulnerable to attacks.

If a potential victim has information about a breach, there will be time to take security measures and protect personal data. Breaches are fairly common. Many people do not realise the scale and frequency with which they occur. The data collected on haveibeenpwned.com will help victims not only learn about existing threats, but also think about the seriousness of the risks arising from cyberattacks in today's world.

Usage examples

Query for a single target
$ h8mail -t target@example.com
Query for list of targets, indicate config file for API keys, output to
$ h8mail -t targets.txt -c config.ini -o pwned_targets.csv
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -k "snusbase_token=$snusbase_token"
Query without making API calls against local copy of the Breach Compilation
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -sk
Search every .gz file for targets found in targets.txt locally, skip default checks
$ h8mail -t targets.txt -gz /tmp/Collection1/ -sk
Check a cleartext dump for target. Add the next 10 related emails to targets to check. Read keys from CLI
$ h8mail -t admin@evilcorp.com -lb /tmp/4k_Combo.txt -ch 10 -k "hunterio=ABCDE123"
Query username. Read keys from CLI
$ h8mail -t JSmith89 -q username -k "dehashed_email=user@email.com" "dehashed_key=ABCDE123"
Query IP. Chase all related targets. Read keys from CLI
$ h8mail -t 42.202.0.42 -q ip -c h8mail_config_priv.ini -ch 2 --power-chase
Fetch URL content (CLI + file). Target all found emails
$ h8mail -u "https://pastebin.com/raw/kQ6WNKqY" "list_of_urls.txt"

Features

  • Email pattern matching (reg exp), useful for reading from other tool outputs
  • Pass URLs to directly find and target emails in pages
  • Loose patterns for local searches («john.smith», «evilcorp»)
  • Painless install. Available through , only requires
  • Bulk file-reading for targeting
  • Output to CSV file
  • Compatible with the «Breach Compilation» torrent scripts
  • Compatible with «Collection#1»

  • Search cleartext and compressed .gz files locally using multiprocessing

  • Get related emails
  • Chase related emails by adding them to the ongoing search
  • Supports premium lookup services for advanced users
  • Custom query premium APIs. Supports username, hash, ip, domain and password and more
  • Regroup breach results for all targets and methods
  • Includes option to hide passwords for demonstrations
  • Delicious colors

APIs

Functions provided by the supported services (the service and status columns of the original table were not preserved in this copy):

  • Number of email breaches
  • URLs of text files mentioning targets
  • Number of related emails
  • Cleartext related emails, chasing
  • Cleartext passwords, hashes and salts, usernames, IPs — fast
  • Number of searchable breach results ()
  • Cleartext passwords, hashes and salts, usernames, IPs, domain
  • Last seen in breaches, social media profiles
  • Cleartext passwords, hashes and salts, usernames, IPs, domain
  • Cleartext passwords, hashes and salts, usernames, IPs, domain
  • Cleartext passwords, hashes and salts, usernames, IPs, domain, Bitcoin wallets, IBAN

— API key required

Use the 1Password password manager

Using a password manager is recommended by numerous security experts as a way of not only storing passwords in a securely encrypted database, but also of generating truly random, complex and unique passwords for every site and service. However, there’s another reason you might want to use 1Password: it will also warn you if any of your passwords have been compromised. The Watchtower feature built into 1Password hooks into the Pwned Passwords search previously mentioned. Rather than having to manually enter every password you use in order to check if it has been stolen or not, Watchtower automates the process in the background. It gets updated whenever a new security breach is reported and added into the Have I Been Pwned database, immediately and automatically alerting you if your password has been found.

Troubleshooting

  • If you / your user’s current password never seems to be accepted for reset; the affected person may need to use a domain-connected PC to log in and reset their password on it first. Updated group policy settings could be blocking user changes, until a local login is completed.

If you get "Exception from HRESULT: 0x800708C5. The password does not meet the password policy requirements" when trying to change a password, set ‘Minimum password age’ to 0 in the ‘Default Domain Policy’.

LDAP Support

  • If your users are having trouble changing passwords as in issues #8 or #9 : try configuring the section in the file. Here are some guidelines:
    1. Ensure is set to
    2. Ensure is set to an AD user with enough permissions to reset user passwords
    3. Ensure is set to the correct password for the admin user mentioned above
    4. User @gadams65 suggests the following: Use the FQDN of your LDAP host. Enter the LDAP username without any other prefix or suffix such as or . Only the username.
  • You can also opt to use the Linux or macOS version of PassCore. This version includes an LDAP provider based on Novell. The same provider can be used on Windows, but you must build it yourself.

How to reduce the danger and protect your data from being breached

A user can make the use of their online account data more secure. To do this, try to follow these requirements:

  • Do not reuse old passwords from your existing accounts for new accounts.
  • Do not use the same logins and passwords when registering on different sites.
  • Use strong and complex passwords.
  • Use dedicated programs, password managers, to store passwords.
  • Use two-factor authentication where possible.
  • If available, use the «safe payments» feature found in some antivirus products.

Reusing old passwords is not recommended because they may have been compromised earlier. A new account password raises overall security. You have probably noticed that many services remember the old password and do not allow it to be used again when changes are made in the user's account settings.

Most often, when registering online, the e-mail address is used as the login because it is needed to contact the user. Out of carelessness, many users use the same login and password pair on different sites.

In that case, having obtained the data for one account, an attacker can log in to the user's other accounts. For greater security it makes sense to use several e-mail mailboxes: for personal purposes, for work, for registrations, and so on. You can create a temporary mailbox for registrations.

When registering on sites, use a strong password. The more complex the password, the harder it is to guess in order to break into the account. Online password generator services or password manager programs will help create a complex, strong password.

If many different passwords have been created, it is impossible to remember them all. So password manager programs are suitable for storing passwords, for example the free program KeePass or the online service LastPass. To log in to the password storage application or service, you will only need to create and remember a single master password, which must be strong.

With two-factor authentication, to confirm login to the account, in addition to entering the login and password, an SMS message with an additional code is sent to the user's phone, which must be entered to access the account or personal dashboard. If the login is made from a device other than the one usually used, many services send warnings about the login attempt by e-mail.

When making transactions online, use the «Safe Payments» feature built into some antivirus products. The money transfer will take place in an isolated browser window under the protection of the antivirus. The antivirus will block keyloggers and the ability to take screenshots, and will monitor the clipboard.

FAQ

Curious users can learn more from:

Paranoid users should check the plugin implementation.

What to do if I don’t trust haveibeenpwned.com?

<?php

use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\ClientInterface;
use League\Container\Container;

class YourCustomClient implements ClientInterface
{
    // Your implementation.
}

add_action('i_dpp_register', function (Container $container): void {
    $container->add(ClientInterface::class, YourCustomClient::class);
});

What to do if I don’t trust the plugin author?

Good question! You shouldn’t blindly trust any random security guide/plugin from the scary internet — including this one!

Review the plugin implementation.

I have installed this plugin. Does it mean my WordPress site is unhackable?

No website is unhackable.

To have a secure WordPress site, you have to keep all these up-to-date:

  • WordPress core
  • PHP
  • this plugin
  • all other WordPress themes and plugins
  • everything on the server
  • other security practices
  • your mindset

Strongly recommended:

  • WP Password Argon Two — Securely store WordPress user passwords in database with Argon2i hashing and SHA-512 HMAC using PHP’s native functions
  • wp-password-bcrypt

Yes. Example:

correct horse battery staple

How to disable WooCommerce password strength meter?

For testing only, use at your own risk!

add_action('wp_print_scripts', function () {
    wp_dequeue_script('wc-password-strength-meter');
}, 10000);

Besides wp.org, where can I give a review?

Thanks! Glad you like it. It’s important to let my boss know somebody is using this project. Please consider:

  • star this Github repo
  • watch this Github repo
  • write blog posts
  • submit pull requests

Origin

The meme goes back to prehistoric times: it is believed to come from some semi-legendary custom map for Warcraft, where the proud text message Player has been pwned was shown when a certain trigger fired. Then again, it may simply have been a typo that stuck: the letters «p» and «o» are next to each other on the keyboard.

A more exotic hypothesis derives the verb «to pwn» from the English «pawn» (the chess piece) and traces the meme to chess, where the situation «You have been pawned» supposedly describes the outcome of a game in which the opponent's king is checkmated by a pawn. Whether this is so is unclear, but the losing opponent in that case is clearly and unconditionally «pwned».

It may also be a shortening of «pure owned».

Another possible origin is the same English «pawn», but in the sense of «pledge» (at a pawnshop). That is, «you've been pawned» can, if one wishes, be translated as «you've been sold down the river». Which is to say, owned again.

The truth, as always, and the letters, are out there somewhere.

Data

To give you an idea of the data you can see from this API, here are some example JSON outputs.

>> req = HIBP.get_breach("adobe")
>> req.execute()
>> print(json.dumps(req.response, indent=4, sort_keys=True))
{
    "AddedDate": "2013-12-04T00:00:00Z",
    "BreachDate": "2013-10-04",
    "DataClasses": ,
    "Description": "In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, <em>encrypted</em> password and a password hint in plain text. The password cryptography was poorly done and <a href=\"http://stricture-group.com/files/adobe-top100.txt\" target=\"_blank\">many were quickly resolved back to plain text</a>. The unencrypted hints also <a href=\"http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html\" target=\"_blank\">disclosed much about the passwords</a> adding further to the risk that hundreds of millions of Adobe customers already faced.",
    "Domain": "adobe.com",
    "IsActive": true,
    "IsRetired": false,
    "IsSensitive": false,
    "IsVerified": true,
    "LogoType": "svg",
    "Name": "Adobe",
    "PwnCount": 152445165,
    "Title": "Adobe"
}
>> req = HIBP.get_domain_breaches("linkedin.com")
>> req.execute()
>> print(json.dumps(req.response, indent=4, sort_keys=True))
    {
        "AddedDate": "2016-05-21T21:35:40Z",
        "BreachDate": "2012-05-05",
        "DataClasses": ,
        "Description": "In May 2016, <a href=\"https://www.troyhunt.com/observations-and-thoughts-on-the-linkedin-data-breach\" target=\"_blank\">LinkedIn had 164 million email addresses and passwords exposed</a>. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.",
        "Domain": "linkedin.com",
        "IsActive": true,
        "IsRetired": false,
        "IsSensitive": false,
        "IsVerified": true,
        "LogoType": "svg",
        "Name": "LinkedIn",
        "PwnCount": 164611595,
        "Title": "LinkedIn"
    }
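The breach records above carry a BreachDate and a Domain; the KeePass plugin's Usage section describes checking only entries whose password has not been modified since the breach date and listing an entry once per breach it appears in. The following is an added example, not code from the HIBP library, the KeePass plugin, or any other project on this page, showing that date logic over a small vault. The BREACHES records are trimmed copies of the Adobe and LinkedIn JSON shown above; the Entry class, SAMPLE_ENTRIES vault and the domain-matching rule are constructed assumptions for the example (the real plugin matches usernames via the HIBP API; only the "not modified since breach date" filter is modelled here).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Breach records in the shape of the HIBP JSON above, reduced to the fields
# this check needs. Dates and domains are the ones shown on the page.
BREACHES: List[Dict] = [
    {"Name": "Adobe", "Domain": "adobe.com",
     "BreachDate": "2013-10-04", "AddedDate": "2013-12-04T00:00:00Z"},
    {"Name": "LinkedIn", "Domain": "linkedin.com",
     "BreachDate": "2012-05-05", "AddedDate": "2016-05-21T21:35:40Z"},
]


@dataclass
class Entry:
    """A vault entry (constructed stand-in for a KeePass entry)."""
    title: str
    url: str
    last_modified: date  # when the password was last changed (history entry)


def host_matches(url: str, breach_domain: str) -> bool:
    """True if the entry's host is the breached domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    domain = breach_domain.lower()
    return host == domain or host.endswith("." + domain)


def breached_entries(entries: List[Entry], breaches: List[Dict],
                     only_unmodified_since_breach: bool = True) -> List[Tuple[str, str]]:
    """Return (entry title, breach name) pairs for entries that match a breach.

    An entry is reported once per matching breach, so it can appear several
    times. With only_unmodified_since_breach=True, entries whose password was
    changed after the breach date are skipped: a rotated password is not the
    one that leaked.
    """
    hits: List[Tuple[str, str]] = []
    for entry in entries:
        for breach in breaches:
            domain = breach.get("Domain")
            if not domain or not host_matches(entry.url, domain):
                continue
            breach_date = date.fromisoformat(breach["BreachDate"])
            if only_unmodified_since_breach and entry.last_modified > breach_date:
                continue  # password rotated after the breach: not at risk from it
            hits.append((entry.title, breach["Name"]))
    return hits


# Constructed sample vault: one stale Adobe password, one rotated after the
# breach, a LinkedIn password older than the 2012 breach, and a bystander.
SAMPLE_ENTRIES = [
    Entry("Adobe (old)", "https://www.adobe.com/", date(2013, 1, 15)),
    Entry("Adobe (rotated)", "https://adobe.com/", date(2014, 2, 1)),
    Entry("LinkedIn", "https://www.linkedin.com/in/someone", date(2011, 6, 30)),
    Entry("Unrelated", "https://example.org/", date(2010, 1, 1)),
]

if __name__ == "__main__":
    for title, breach in breached_entries(SAMPLE_ENTRIES, BREACHES):
        print(f"{title}: password predates the {breach} breach, change it")
```

Setting only_unmodified_since_breach to False reproduces the plugin's "check all entries" mode, in which the rotated Adobe entry is reported as well; the AddedDate field is kept in the records because a vault that was last reviewed before the breach was added to HIBP may still hold passwords from it.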

Currently Supported Breach Lists

Site/Domain based

  • Cloudbleed vulnerability list — Checks the domains of any entries that appear in the Cloudbleed vulnerability list. This has potential to produce false positives due to the way this list was produced.

Username based

Have I Been Pwned (HIBP) — Checks the usernames of any entries against the Have I Been Pwned? list curated by Troy Hunt (https://www.troyhunt.com/). This service requires you to register for an API key via https://haveibeenpwned.com/API/Key. The cost of an API key is $3.50 per month (credit card required).

Password based

Have I Been Pwned (HIBP) — Checks the passwords of any entries against the Have I Been Pwned? list curated by Troy Hunt.

This checker sends a small portion of the password hash to HIBP and then checks the full hash locally against the list of hashes returned by HIBP. This service does not send your password, nor enough of the hash to expose your password to HIBP.
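The range ("k-anonymity") check that the paragraph above and the 1Password "How it works" section both describe, as an added example that is neither 1Password's, the KeePass plugin's nor HIBP's code: hash the password with SHA-1, send only the first five hex characters, and compare the remaining 35 characters locally against the returned suffix list. The api.pwnedpasswords.com range endpoint and its SUFFIX:COUNT response format are the public HIBP interface; SAMPLE_RANGES, sample_fetch and the counts in them are constructed so the block runs offline, and min_matches mirrors the threshold idea from the Devise configuration further down the page.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # the range endpoint takes the first 5 hex chars of the SHA-1


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-char prefix ever leaves the machine; the 35-char suffix is
    compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the Add-Padding header the server mixes in dummy suffixes with a
    count of 0; they are kept here, and a count of 0 is treated as 'not seen'.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            raise ValueError(f"malformed range line: {raw!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the data set (0 if never)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def is_pwned(password: str, fetch_range: Callable[[str], str],
             min_matches: int = 1) -> bool:
    """Reject only when the password was seen at least min_matches times."""
    return pwned_count(password, fetch_range) >= min_matches


def fetch_range_http(prefix: str) -> str:
    """Live lookup against the public range endpoint (needs network access)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server: one range response, containing the
# suffix of "password" with a made-up count, a second made-up suffix, and a
# padding line with count 0.
_PASSWORD_SUFFIX = split_hash("password")[1]
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        f"{_PASSWORD_SUFFIX}:3730471\n"
        "1E2AAA439972480CEC7F16C795BBB429372:0\n"
    ),
}


def sample_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range_http using SAMPLE_RANGES."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, sample_fetch)} times")
```

Swap sample_fetch for fetch_range_http to query the real service; either way the server only ever learns the five-character prefix, which every password whose SHA-1 starts with those characters shares.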


Pwned Passwords are 555,278,657 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems. Read more about how HIBP protects the privacy of searched passwords.


Configuration

You can customize this error message by modifying the YAML file.

# config/locales/devise.en.yml
en:
  errors:
    messages:
      pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"

By default passwords are rejected if they appear at all in the data set.
Optionally, you can add the following snippet to
if you want the error message to be displayed only when the password is present
a certain number of times in the data set:

# Minimum number of times a pwned password must exist in the data set in order
# to be rejected.
config.min_password_matches = 10

By default responses from the PwnedPasswords API are timed out after 5 seconds
to reduce potential latency problems.
Optionally, you can add the following snippet to
to control the timeout settings:

config.pwned_password_open_timeout = 1
config.pwned_password_read_timeout = 2

How to warn existing users when they sign in

You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset.

To enable this, you must override , like this:

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Devise calls this after a successful sign-in; flash the warning only if
  # the signed-in model knows about pwned? and the password is in the data set.
  def after_sign_in_path_for(resource)
    set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
    super
  end
end

For an Active Admin application the following monkey patch is needed:

# config/initializers/active_admin_devise_sessions_controller.rb
class ActiveAdmin::Devise::SessionsController
  def after_sign_in_path_for(resource)
    set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
    super
  end
end

To prevent the default call to the HaveIBeenPwned API on user sign-in (only
really useful if you’re going to check after sign-in as used above),
add the following to :

config.pwned_password_check_on_sign_in = false

Customize warning message

The default message is the one shown in the locale file below; you can customize it by modifying that file.

# config/locales/devise.en.yml
en:
  devise:
    sessions:
      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."

Customize the warning threshold

By default the same value, config.min_password_matches, is used as the threshold both for rejecting a password at new user sign-up and for warning existing users.

If you want to use different thresholds for rejecting the password and warning
the user (for example you may only want to reject passwords that are common but
warn if the password occurs at all in the list), you can set a different value for each.

To change the threshold used for the warning only, add to

# Minimum number of times a pwned password must exist in the data set in order
# to warn the user.
config.min_password_matches_warn = 1

Note: if you set a different warning threshold, that threshold is also applied when a user changes their password (as an error rather than a warning), so that they do not keep being warned after choosing another password that is in the pwned list but occurs fewer times than the main threshold used for new user registrations (config.min_password_matches).

Disabling in test environments

Currently this module cannot be mocked out for test environments. Because an API call is made, this can slow down tests or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this:

class User < ApplicationRecord
  devise :invitable ...  :validatable, :lockable
  devise :pwned_password unless Rails.env.test?
end

1935-1950s – Chess Rumors

The term “pwn” and the concept of “owning” an opponent intersected at a murky point in history, but the usage is rumored to have its roots in chess.

Alexander Alekhine was a chess grandmaster known for dominating openings that used his pawns to control the crucial center squares of the board. During his matches, Alekhine was known to drink heavily and spout anti-Semitic remarks. There is an infamous match in 1935 against the Dutch master Euwe in which Alekhine was believed to be drunk. Before starting the match he is said to have told Euwe, in a heavily accented, broken Russian voice, «I will pawn to your knight» (a common variation of his defense was to box in his opponent's knights using two pawns and his white bishop), which ended up sounding like «Evil pwn you tonight». Unfortunately for Alekhine, he had given away his game plan; Euwe was able to take advantage and Alekhine lost the match. Raymond Dennis Keene, a chess grandmaster, columnist and author, posted a comment on chessgames.com refuting this, writing that he had discussed Alekhine with Euwe and that Alekhine was not drunk during the 1935 match. The word pwn has nonetheless purportedly resurfaced periodically in the chess community.
