Is Your Password Secure? Find Out in a Split-Second With This New API

June 26, 2018 - 3 minutes read

Cybersecurity is serious business. Whether you’re a mobile app developer, casual web surfer, or e-commerce shopper, nobody likes having their passwords stolen. But as hacking methods advance, you can never be too safe about protecting your login credentials.

Rob Pope, our CTO, has been hard at work with Mauricio Payetta, founder of software consultancy firm XOOR, to create a new API that verifies if your password is safe. In a split-second, you can check your password against half a billion breached or weak ones.

Check it out here!


Believe it or not, some people still use the above title as a password. In a recent study of paid survey site CashCrate’s November 2016 security breach, it topped the list in terms of prevalence. Upon examining the 2,232,284 plain-text passwords involved in the hack, famous cybersecurity expert Troy Hunt found that 1,910,144 of them were already in his database of breached passwords — that’s an overwhelming 86%.

Now, of course, you’re probably not one of the people using ‘123456’ as a password; ‘123456789’ is much more superior in terms of security! But in all seriousness, you probably follow some common guidelines: making your password 8 characters long, including uppercase and lowercase letters, throwing in a few special characters, etc.

These recommendations (or requirements, depending on where you’re logging in) come from the National Institute of Standards and Technology (NIST). Many organizations look to NIST to see what their security policies and protocols should be. Recently, they updated their recommendation for creating a safe password. You should still do all of the above-mentioned practices, but now, you should also check your potential login credentials against weak and previously hacked passwords.

Avoid Having Your Password Pwned

The new Bad Password API built by Rob and Mauricio checks your potential password choice against the guidelines set forth in NIST Special Publication 800-63-3: Digital Authentication Guidelines. It confirms that your choice doesn’t match up with previously hacked and common passwords. The compiled list of bad passwords totals over 480 million.

The process to check your potential password is simple and fast. After registering, you send the SHA-1 hashed version of your password. For obvious reasons, you don’t send the actual password… unless you want to help grow the list… in which case, good on you! You then get the results back in a split-second. It’s that easy!

You can also build this API into your software to check your users’ passwords, if you’d like. Say goodbye to having to hold onto numerous databases of passwords! Rob and Mauricio plan to build out the API and include some other features in the future, but as it is, the API is ready to go.

We highly encourage you to give it a try — here’s the link again. Stay safe out there!

Tags: , , , , , , , , , , , , , , , , , ,