What is PasswordCheck?
PasswordCheck allows you to see if your password has been found in a data breach.
How does it work?
As you type your password into the box below, PasswordCheck automatically generates a unique string (the SHA-1 hash). When you press Search, the SHA-1 hash (not your password) is sent to an A-B Tech server which then sends it to the "Have I been pwned?" Passwords Search. This site has a database of over 500 million passwords' SHA-1 hashes; if your password's hash is found there, then an account of yours may have been compromised.
- What does SHA-1 mean?
- SHA stands for "Secure Hash Algorithm". SHA-1 is a version of SHA. PasswordCheck takes whatever you enter into the password field and creates a seemingly-random combination of 40 letters and numbers called a hash. Because of how SHA works, your password's hash will always be the same, and changing it in even the smallest way will result in a very different hash. Because Have I Been Pwned has a list of millions of SHA-1 hashes for passwords found in data breaches, we can safely look up your password by its hash.
- PasswordCheck says my password was not found. Is it safe to use?
- That depends. It is possible that your password is not among the millions of passwords in the database at Have I Been Pwned, but is still common or guessable enough that someone may discover it in an attack. For instance, "A-BTech#1!" is not in the database, but it may be something that an attacker can guess. Please review the password guidelines on the Password Reset page on the A-B Tech website.
- PasswordCheck says my password was found. Should I not use it?
- If you believe that you are the only person who has ever used the password that you are testing,
it is likely that an account of yours has been compromised. You may be able to find more information
by searching for your email addresses and usernames on the "Have I been pwned?" Front Page.
If you have never used that password before, then you should avoid using it now. Using a password that was found at Have I Been Pwned puts your account at risk if an attacker were to use a database of compromised passwords in an attack.
- Should I trust this site?
- Be very suspicious of any site that is asking you to enter your username, your email address, and
especially your password! Here are some points to help you to decide whether or not to use PasswordCheck:
- The URL in you web browser's address bar should start with "https://", then "passwordcheck.", then "abtech.edu". It may end in "/" or "/search".
- Look at your web browser's address bar. If the site is secure, most web browsers will show you a green checkbox, a green lock, a green background, etc. Google Chrome 68 and newer will warn you about insecure connections. Please take all security warnings about a site like this one seriously. If your web browser allows you to view more details about the secure connection, you should see that the connection is secured using a certificate from either Comodo or Internet2.
- PasswordCheck only sends the SHA-1 hash of your password to an A-B Tech server. You can see this by using your web browser's Web Developer Tools.
- The A-B Tech server actually only sends the first five characters of your password's SHA-1 hash to Have I Been Pwned. Our server receives a list of all of the hashes that start with those same five characters. PasswordCheck then looks through those hashes for yours on our server.
- PasswordCheck will never ask for your username, and it does not ask for your current password. PasswordCheck does not store anything that you enter into the password field. Server logs for this site are disabled (with the exception of error logs and minimal email notifications to the developer when there is a potential issue). And nothing that can be used to identify you is ever sent to Have I Been Pwned.