
Am I the only one here who thinks typing your password into a stranger's website is a risk? How do you know he does not log it? How do you know he was not hacked and someone is not logging all passwords that are not on the list YET?



If you don't trust Troy Hunt / haveibeenpwned.com you can always download the data and analyze your password yourself. But if this is the case you should not trust any website with your password anywhere ever, and should not create accounts anywhere. Troy Hunt has shown himself to be a responsible security professional, and I trust him more to create a secure password query than some other security organizations.


"But if this is the case you should not trust any website with your password anywhere ever."

That is why you should use a unique password for each site.


Yes, with unique passwords for each service, you narrow the attack surface for compromising other accounts. But you still have to trust the operator to store and process this one - unique - password on this one service/website. It does not make any difference to the argument whether one or many accounts are potentially compromised. And you have to trust your password-manager software, since it is next to impossible to remember all the different passwords for all the different services you use.


This is absurd and impossible to remember; you should instead have at least 3 levels of password strength: one high-strength for base services that are used to recover other accounts, like Facebook and e-mail, another for important services, and another for crap.


You're not expected to remember them all; you're expected to either write them down or use a password manager. That way you only really need to remember one very strong password.


Except that my 3-level system failed ages ago. Originally I had one, then with more sites coming - several with bogus or reckless implementations - it was extended to the aforementioned 3-tier one, just to get f*cked up by 'knowing it better' god-complex but stupid enforcers requiring or forbidding (!! how stupid is that!) characters. Not to mention leaks forcing me to introduce new ones, eventually having 5 layers with variations on each level because of the highly arbitrary rules of enforcers blocking my well-thought-out secure passwords.

All led to the situation that I have an encoded file on my computer with passwords (most just referrals/reminders/instructions not the actual password characters).

How stupid is that! Writing down passwords!

Even in secured files, still, an increased level of risk. A method with doubtful protection when someone is personally targeted for his/her secrets. Stupid, but that is reality. Made necessary by reckless developers.

The whole password infrastructure is dead as a means of protection. It does not work against serious attackers, only against random wanderers. And more and more against rightful users!

And the most damage was done to it by those who forced the users to solve, on the user side, a problem that in fact lies on the system side.

Passwords will not fulfill their task if:

- allowing parties without permission to enter
- locking out rightful parties

Very strict enforcers corrupt the system through the second point. Narrow-mindedly focusing on not letting in unwanted elements causes the whole system to cease working as intended, locking out and disallowing users from using it, defying the very purpose of its existence.

Encouraging users not to use passwords that were ever used by anyone is just an extremely radical level of enforcing, and again trying to make users fix the inadequacy of the system developers...

This is not solving systemic problems, just conserving a bad habit plus making a bad situation even worse.


Use a password manager. It's so ridiculously easy to set up and makes it so much easier to log into sites.


No, you shouldn't trust this site with your password, just like you shouldn't trust any site with your password.

Choose a new password for every site, folks, and if you want to use a site like this, make sure the original places where you used the password have been updated to a new one.


The article explains in the "Cloudflare, Privacy and k-Anonymity" section how you can use k-anonymity to query the API with (at least some) privacy, by just submitting the first 5 characters of your password's hash.


As long as you use unique passwords for every site, the risk should be small.


The website does not send your password to their API, but only the first 5 chars of the SHA-1 of your password.
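To make the k-anonymity query described in the two comments above concrete, here is an added client-side example (not code from the thread, Troy Hunt, or the HIBP project): the client hashes the password with SHA-1, sends only the 5-character hex prefix, and matches the remaining 35 characters locally against the returned range. The range response is a constructed sample in the documented `SUFFIX:COUNT` format with made-up counts; the network call is left as a pluggable `fetch_range` function, and the endpoint named in the comment is the publicly documented one but is not contacted here.

```python
import hashlib

# Constructed sample of a range response: one "<35 hex chars>:<count>" line
# per suffix sharing the queried prefix. Counts here are invented for the
# example and are NOT real HIBP data.
SAMPLE_RANGE_RESPONSE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E2AAA439972480CEC7F16C795BBB2C2C4A:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\r\n"
)


def split_hash(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the client; the 35-character
    suffix stays local and is compared against the returned range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response body into {suffix: count}, skipping bad lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue  # malformed line: ignore rather than trust it
        counts[suffix] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how often the password appears in the set (0 if absent).

    fetch_range(prefix) must return the response body for that prefix. In a
    real client it would GET https://api.pwnedpasswords.com/range/<prefix>
    (the documented HIBP endpoint; assumed here, not called).
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE  # stand-in for the HTTP GET
    print(breach_count("password", offline))  # matched suffix, count 123456
```

The server learns only the prefix, so it cannot tell which of the returned candidates (if any) the client was actually checking.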



