Passwordstate integration with Have I Been Pwned

If you are unfamiliar with Have I Been Pwned, it’s a website created by Troy Hunt that allows users to check whether the passwords they use have been compromised due to a data breach. If you wanted to check out Troy’s website to see how it works, please follow this link:

Passwordstate is now fully integrated with this online repository, and I’ll explain below the new tools and settings in our software that work together with the Have I Been Pwned website.

You must be on Passwordstate version 8600 or higher to take advantage of these features.

The first of the new features can be found under Tools -> Have I Been Pwned Password Check.

This screen will allow you to manually enter any password you like, and see if it is a known compromised password in Troy’s database. If you need to think of a good strong password to use for a website for example, this tool will help you decide which password you should use.

Next, if you look under the Administration -> Bad Passwords tab, you can configure your system to use the Have I Been Pwned repository for your own Bad Passwords:

What this means is that, by default, any time someone adds or updates a password in Passwordstate, it will be checked against Troy’s website before it can be saved. If that online check finds that the password is ‘Pwned’, the user will be informed that they need to choose a different password and try to save it again.

As Have I Been Pwned has millions of passwords, using one that is compromised only once or twice for example might not be such a bad thing. It’s really the very common and simple passwords that users should be discouraged from using. For this reason, you can instead simply warn your Passwordstate users that the password resides in Troy’s database, and they should consider changing it to a different one.
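The page does not show how Passwordstate performs the lookup, so the following is an added example (not Click Studios' code) of one way such a check can work: the public Pwned Passwords range API, where only the first five characters of the password's SHA-1 hash leave the machine. The function names, the `mode` parameter and the sample corpus are hypothetical, and the stand-in lookup is constructed so the example runs offline.

```python
import hashlib
import urllib.request

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the remote data: password -> breach count (made up).
SAMPLE_CORPUS = {"password": 9000000, "Summer2019!": 2}

def sample_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every sample hash sharing the prefix."""
    hashes = ((sha1_hex(p), n) for p, n in SAMPLE_CORPUS.items())
    lines = [f"{h[5:]}:{n}" for h, n in hashes if h.startswith(prefix)]
    lines.append("0" * 35 + ":0")  # padded responses carry count-0 filler rows
    return "\r\n".join(lines)

def live_range_lookup(prefix: str) -> str:
    """Real lookup; only the 5-character prefix is sent to the service."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, range_lookup=sample_range_lookup) -> int:
    """How many times the password appears in the breach data (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # The suffix comparison happens locally; the service never sees it.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def decide(password: str, mode: str = "block",
           range_lookup=sample_range_lookup) -> str:
    """mode='block' refuses a pwned password; mode='warn' saves it with a warning."""
    if breach_count(password, range_lookup) == 0:
        return "save"
    return "reject" if mode == "block" else "save-with-warning"

if __name__ == "__main__":
    for pw in ("password", "Summer2019!", "kX9#vTq2-unlisted-example"):
        print(pw, breach_count(pw), decide(pw), decide(pw, mode="warn"))
```

Pass `live_range_lookup` as the `range_lookup` argument to query the real service instead of the constructed sample.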

If you’d like to turn on this warning instead of preventing users from saving the password, then edit your Password List and deselect this Bad Passwords option:

When a user is adding a new password, or updating an existing one, they will also have this new icon that will allow them to quickly check the Have I Been Pwned status:

Next, we have an all new report which you can find under Administration -> Reporting called Have I Been Pwned Compromises:

Running this report will check every single shared password in your system against Have I Been Pwned, and will list any passwords that you should change.

If you just want to run this report against a single Password List instead of your entire Passwordstate database, then select your Password List, click List Administrator Actions and then run the report from here:

You can also run this Have I Been Pwned report from our API. You can find examples under Help -> Web API Documentation.

If you want to watch a video of this, we have this available on YouTube here:

