Checking HaveIBeenPwned.com for Thousands of Client Passwords

How many passwords do you have? Tens? Hundreds? Thousands?

When you create a new password, how do you know you’re not choosing a password that’s already compromised and out there on the web?

Well, you would need to use a service like DarkWeb ID (DWID), which we use as part of our POLARITY security bundle to crawl the dark web for our clients’ corporate email addresses. Or you can check against Have I Been Pwned (HIBP), a similar service that provides a free database of known compromised usernames and passwords.

If you’re just concerned about your own personal email address and passwords, simple enough — subscribe with your personal email at HIBP or search for your passwords to see if they’re already compromised as someone else’s password. If it returns any matches, update those passwords ASAP. And, make sure you use a strong, unique password for every login you set up!

But what if you’re an MSP managing thousands of login credentials for hundreds of companies?

Further, we document all kinds of logins with no associated email address: routers, network switches, printers, and IoT devices like cameras, smart outlets and light bulbs. The list goes on. Setting a compromised password on them still presents serious risk, and with no email address to monitor, we need to check the passwords they use directly against the HIBP database. With over 613 million unique passwords already compromised and listed in HIBP and thousands of passwords to manage, there isn’t enough time in the world to search for them manually!

Our solution

To fix this, we built a new integration. We now check every password we document for our clients in IT Glue against the HIBP password list. When we add or update a password in our system, our integration automatically checks it against the HIBP password database. If found in the HIBP database, we automatically create a ticket for our techTEAMs to resolve by changing that password.
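A bulk check of this kind can be done against HIBP's Pwned Passwords range API, which only ever receives the first five characters of each password's SHA-1 hash. The sketch below is an added example, not the integration described above and not code from this article; the record names, sample passwords and the stubbed range response are constructed, and ticket creation is left out.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint
HEADERS = {"User-Agent": "pwned-check-example", "Add-Padding": "true"}

def fetch_range(prefix: str) -> str:
    """Fetch every known hash suffix for a 5-character SHA-1 prefix (network call)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers=HEADERS)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry count 0 and are dropped."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def check_passwords(records, fetch=fetch_range) -> dict:
    """Return {record name: breach count} for records whose password is listed.
    The full hash is compared locally; only the 5-character prefix is sent."""
    cache, hits = {}, {}
    for name, password in records:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        prefix, suffix = digest[:5], digest[5:]
        if prefix not in cache:  # one request per distinct prefix
            cache[prefix] = parse_range(fetch(prefix))
        count = cache[prefix].get(suffix, 0)
        if count:
            hits[name] = count  # in a real workflow: open a ticket for this record
    return hits

def demo() -> dict:
    # Constructed inventory and constructed range response, so this runs offline.
    records = [("core-switch", "Winter2020!"), ("lobby-camera", "k9#Vt!q2ZxLm")]
    bad = hashlib.sha1(b"Winter2020!").hexdigest().upper()
    def fake_fetch(prefix: str) -> str:
        lines = ["0" * 35 + ":0"]  # padding entry, as returned with Add-Padding
        if prefix == bad[:5]:
            lines.append(bad[5:] + ":1742")  # constructed breach count
        return "\r\n".join(lines)
    return check_passwords(records, fetch=fake_fetch)

if __name__ == "__main__":
    print(demo())
```

Results are keyed by record name rather than by password so that plaintext credentials never end up in tickets or logs.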

While we’re well aware of the importance of choosing strong passwords, there’s always the chance someone sets one that’s already compromised. Now, thanks to this new integration and alert workflow, we don’t need to wonder. We’re keeping our clients and our own business that much more secure automatically!