Hi,
the other day I logged into my account on factorio.com just to find out a big fat yellow warning at the top of the page saying:
Password breached
Your password has previously appeared in a data breach unrelated to factorio.com. Please change it as soon as possible on your profile page. For more information visit https://haveibeenpwned.com/Passwords
I was wondering, how can the web know that? Does that mean that it stores my password in plaintext, or in a reversible form, so that it could check through HIBP's API? If the web stored the password with the best current practices in mind, salted and hashed, it could not check with HIBP's API simply because it wouldn't know my actual password. So what's going on here?
Sorry if this is the wrong place to ask, can't find anywhere that would seem more appropriate.
Web says "Password breached", how does it know, technically?
Re: Web says "Password breached", how does it know, technically?
It knows your password in plain text *while you are logging in*, because you just typed it into a form and submitted it, so it can check at that time without the stored password being reversible.
Re: Web says "Password breached", how does it know, technically?
To stop account hijacks we started checking passwords at login time against the haveibeenpwned api. Only a subset of the SHA1 of your password is sent to them to facilitate the check. We don't store plaintext passwords in our database.
xoft wrote: ↑Fri Feb 25, 2022 4:58 pm
bringing the oops to devops
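The two replies above describe the same mechanism: the site only has the plaintext password at the moment of login, hashes it with SHA-1, and sends Have I Been Pwned just the first 5 hex characters of that hash (the "range" / k-anonymity API). Below is an added example of that check, written here for illustration; it is not factorio.com's code. The endpoint URL and the Add-Padding header are the real HIBP ones; the range response and the breach counts in it are constructed so the example runs offline, and `offline_fetch`, `live_fetch` and the other function names are this example's own.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Real HIBP endpoint: GET /range/<first 5 hex chars of SHA-1>
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_url(prefix: str) -> str:
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return RANGE_API + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines HIBP returns for one prefix.
    Entries with count 0 are padding (returned when the client sends
    'Add-Padding: true' so response sizes do not leak the prefix) and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in HIBP's corpus (0 if none).
    Only the prefix is handed to fetch_range; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Network fetch for real use (not exercised here)."""
    req = urllib.request.Request(
        build_range_url(prefix),
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the HIBP response to prefix 5BAA6 (SHA-1("password")
# starts with 5BAA6). The suffixes and counts besides the "password" line are
# made up; the 3861493 count is also constructed, not a value taken from HIBP.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # suffix of SHA-1("password")
    "1F1D3C2A9B0E5D7F6A8C9B0D1E2F3A4B5C6:0",         # padding entry, must be ignored
])

REQUESTED_PREFIXES: List[str] = []   # records what would have gone over the wire


def offline_fetch(prefix: str) -> str:
    """Offline replacement for live_fetch using the constructed sample above."""
    REQUESTED_PREFIXES.append(prefix)
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-not-in-sample"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'breached ' + str(n) + ' times' if n else 'not found'}")
    print("sent to HIBP:", REQUESTED_PREFIXES)
```

The point the thread makes is visible in `breach_count`: the only value handed to the fetch function is the 5-character prefix, so the site can run this at login with the password it was just given and still store nothing but a salted hash. Dropping count-0 entries matters when padding is requested, otherwise a padded suffix that happens to match would count as a hit.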
Re: Web says "Password breached", how does it know, technically?
Thanks, that was exactly the info I was looking for.