12

I remember some password managers like Google's would give me a warning about passwords that have been compromised.

My question is this. How is Google or any company able to see that the password I have chosen matches one that has been compromised?

My first thought on this is that they must have gotten it from 1 of 2 places. Either they themselves would do what a hacker would do and download a bunch of files with bulk information they could try for like 10 million account combinations. They could get this from where it would be seen first, aka the dark web, or they get the bulk passwords from the company that says it's been hacked and releases whose information was compromised. I am not sure though and would like to invite other opinions on how they are able to legally obtain the hacked data. Assuming they have some sort of contract with the government that says I promise not to do anything bad with this information.

In general there must be some way to get like a permit to explore on the dark web in order to get information on the latest hacks. Seems like the quickest way to counteract hacks.

SQB
devin
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Jan 03 '23 at 20:18
  • There is no issue. I am simply asking how does google get to know that my passwords have been compromised. They would have to get this information in what seems like an illegal way. How is it that google or any company can know that my passwords are compromised – devin Jan 03 '23 at 20:20
  • They would need to know what the password is. The hash of the password I don't think would count in this case I think they would need the actual password. In which case who is giving google this info? – devin Jan 03 '23 at 20:21
  • 2
    My question is like: How can a company create an application that checks for compromised passwords legally? – devin Jan 03 '23 at 20:23
  • 3
    Google and others services use user data obtained from data breaches https://haveibeenpwned.com/FAQs – Lars Beck Jan 04 '23 at 07:00
  • Notice that Google does not need information from outside sources: it has large enough customer base to gather own breach statistics from their own servers. – Revolver_Ocelot Jan 04 '23 at 11:42
  • 1
    I believe, most often the "warnings" are based upon an email address being on a breach list, not the actual passwords themselves. – Scott Jan 04 '23 at 11:42
  • 1
    To summarise the HIBP service: If my password is hunter2, the hashed version is f3bbbd66a63d4bf1747940578ec3d0103530e21d. HIBP takes leaked passwords and stores the hashes. It can then claim that a password with the hash f3bbbd... has been compromised, which can be checked by other applications. – cmbuckley Jan 04 '23 at 12:27
  • @devin "They would need to know what the password is. The hash of the password I don't think would count in this case I think they would need the actual password." -> While I'm sure Google also has a database of plaintext passwords, it would be a security failure if Google actually sent your potential password to Google's servers to check for a match. Instead, Google sends a one-way (i.e. irreversible) hash of your password to their server to compare to their database of poor passwords hashed with the same algorithm. – Jamin Grey Jan 05 '23 at 03:29
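
The hashed-lookup scheme the comments above describe (hash the password, compare the hash against a list of hashes of leaked passwords) can be done without ever sending the full hash to anyone, using the range (k-anonymity) query that the Pwned Passwords API exposes: the client sends only the first five hex characters of the SHA-1 and receives every known suffix under that prefix. The following is an added example, not code from the page or from any of the services discussed. It assumes the real API's response format (one `SUFFIX:COUNT` line per hash sharing the prefix); the response body here is constructed inline so the script runs offline, and the count for hunter2 is made up. The hash value for hunter2 is the one quoted in the comment above.

```python
import hashlib

# Constructed stand-in for the body of GET /range/F3BBB: 35-hex-char SHA-1
# suffixes plus a breach count. Only the hunter2 line corresponds to a real
# hash; the neighbours and all counts are invented for this example.
SAMPLE_RANGE_RESPONSE = {
    "F3BBB": "\r\n".join([
        "D66A63D4BF1747940578EC3D0103530E21D:12345",  # SHA-1("hunter2"), count made up
        "0000000000000000000000000000000000A:3",      # made-up neighbour
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",      # made-up neighbour
    ]),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key the service is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """5-char prefix goes over the wire; the 35-char suffix never leaves the client."""
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; serves the constructed response above."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str) -> int:
    """How many times the password appears in the (sample) breach corpus.

    The comparison against the full hash happens locally; the server only
    learned the 5-char prefix, which roughly 1 in a million hashes share.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("hunter2", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not in sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Note that the client-side hashing here is SHA-1 only because that is what the corpus is keyed by; it is a lookup key, not a password-storage hash, and the password itself should still be stored with a slow, salted hash on whatever system it protects.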

3 Answers

23

Most of the question has nothing to do with the law, it's about technical how-to or how-does, which should be asked in Information Security SE. There are two possible legal questions: is it legal to break into a computer system and take a database of passwords, and is it legal to acquire such a database obtained by someone else. As should be known in the US, per 18 USC 1030, breaking into a computer is illegal in the US. Given that, it is extremely unlikely that Google illegally breaks into other computer systems to obtain passwords.

The aforementioned law criminalizes accessing computers without authorization, not (just) "taking" stuff from computers without authorization. The law does not criminalize receipt of illegally obtained material. Passwords are not protected by copyright. If Google were to induce someone to break into a computer system to get passwords, that would be legally actionable, however there is no law penalizing innocent receipt of illegally-obtained passwords (insofar as they are not protected by copyright).

It is not illegal to access the dark web, at least in the US (probably it is illegal in Saudi Arabia). Using stuff gotten from the dark web can easily be illegal (e.g. logging in to someone's bank account, or forging a passport). There are many services which monitor the dark web and report breaches, which is totally legal.

quarague
user6726
  • 1
    So it is OK for a company to monitor for password breaches on the darkweb and obtain a list of passwords. And then check each of its customers' passwords with these leaked credentials and inform the customer that their password is leaked? – devin Jan 03 '23 at 21:30
  • @devin You don't necessarily need to visit the darkweb to get a list of account/password combinations. There are services in the open internet that can tell you whether an account has been compromised. Google could just buy the data from those. – PMF Jan 04 '23 at 09:47
  • 8
    They don't even have to buy the data necessarily. Anyone can download a free database of hashes of compromised passwords from https://haveibeenpwned.com/Passwords – bdsl Jan 04 '23 at 10:36
  • Another aspect would be regulations related to personally identifiable information, but just the password without user id would probably not be PII. – jpa Jan 04 '23 at 12:01
  • 7
    One point that I don't see mentioned: almost all password breaches are (or start as) hashed password breaches. So the fact that Google can tell you "your password was compromised" does not imply that Google servers ever knew your actual password. It's possible that the hash of your password got leaked and google is hashing your password on your device and comparing that to the leaked hash. So the whole premise is wrong. – GACy20 Jan 04 '23 at 15:16
  • 2
    Passwords that are found in "clear text" are: 1) either stored in clear text or with extremely bad security by the original service (e.g. using the wrong hash type, low number of iterations, no salt etc) 2) or way too simple (e.g. "password", doesn't matter how hard you hash it it's going to be tried soon and discovered). – GACy20 Jan 04 '23 at 15:19
  • This question was already asked and closed on Information Security SE. Based on the question posed in the title of the post and in the last paragraph, the question was closed as it is a purely legal question. – doneal24 Jan 04 '23 at 17:02
  • 2
    However, the technical question "how did they do it" is not a legal question. So the problem is that the Q doesn't clearly distinguish the technical from the legal. – user6726 Jan 04 '23 at 17:33
  • 1
    "how did they (Google) do it?" would also be closed on Information Security as off topic. The only way to answer that question is to ask Google. If you did get an answer, implementing the API to download data (passwords in this case) is a topic for SuperUser SE. – doneal24 Jan 04 '23 at 18:56
  • @bdsl Presumably one way that Have I Been Pwned gets its password lists is by buying them from the dark web. – user253751 Jan 05 '23 at 16:15
  • @GACy20 - Not sure that would work in most cases given passwords should be hashed and salted – ScottishTapWater Jan 05 '23 at 16:56
    @ScottishTapWater Yes and no. As I said: most passwords are known because they are stored in plaintext or with bad crypto, this includes using things like unsalted md5 or stuff like that. People using that bad security are way more likely to have hackers get to their DBs anyway. For properly stored credentials in theory the only way to check that your password is there would be iterating over all the hashes and checking every time... Unless you also have some other info (like username/email) that can be used to filter candidate hashes. In which case you can just try those – GACy20 Jan 05 '23 at 17:03
  • @GACy20 - Aye I suppose you have a point there... if you've leaked your db there's a fair chance you weren't salting things properly or you were salting them with something easily guessable like the username – ScottishTapWater Jan 05 '23 at 17:37
3

Many jurisdictions have laws against obtaining or possessing computer software, data, and equipment if you intend to use them for nefarious purposes. In England and Wales the main legislation is the Computer Misuse Act 1990 (with various amendments, principally the Serious Crime Act 2015). Section 5A of the 1990 act, amended by the SCA 2015, prohibits obtaining data or programs with the intention of unauthorised access or impairment of the operation of a computer system (e.g. damage or denial of service).

Hence, obtaining password lists with the intent of unauthorised access would violate the law, but obtaining with a legitimate purpose would not necessarily be illegal.

However, if you possess personal data including passwords you would still have to follow various data protection laws. The General Data Protection Regulation (GDPR) would seem to require you to have the data for a legitimate purpose, for your possession of the data to be necessary for the purpose, and for you to take necessary steps to secure the data.

In practice, there may be cooperation between private computer security companies and law enforcement or other government agencies (e.g. GCHQ in the UK, CISA in the US), to set acceptable limits and codes of practice, but that is outside the scope of this board, and probably more for a computer security forum.

Stuart F
  • 3
    I actually did ask this in the security forum of stack exchange, but I just can't escape the infinite rules that is stackoverflow. I must only ask this question in Law is what I was told – devin Jan 04 '23 at 11:41
  • 1
    Are there criminals stupid enough to admit that they really did obtain software or data for nefarious purposes? "I got this password list / cracker to test my own passwords" sounds like a pretty obvious defence against that computer misuse act. – Dmitry Grigoryev Jan 04 '23 at 12:35
  • @DmitryGrigoryev intent and purpose of action is determined by the court/judge/jury, and they do not have to (and often don't) accept the assertions of the defendant as true. Someone saying "I got this password list / cracker to test my own passwords" does not prevent them from being convicted for possessing that list with the intent of unauthorised access, if there is some evidence towards that - for example, attempt to use them in such a way, or talking with others about their plans. – Peteris Jan 05 '23 at 11:19
  • @Peteris If I do in fact attempt to access someone's bank account, isn't it enough to convict me for just that act? Additional charges for possession of cracking tools just punish less careful criminals who didn't manage to hide them properly. – Dmitry Grigoryev Jan 05 '23 at 12:38
  • @DmitryGrigoryev accessing someone's bank account with stolen credentials is a crime pretty much everywhere, however, not all of these statutes apply if someone unsuccessfully attempts to do the same thing. If the unauthorised access did not happen, then statutes for having/using tools with malicious intent are one of the ways to try and criminalize such attempts before any actual harm is done. – Peteris Jan 05 '23 at 17:09
  • @Peteris You are right, and I'm actually really surprised that in some jurisdictions one could be convicted for having a password cracker, but not for unsuccessfully attempting to crack someone else's password. – Dmitry Grigoryev Jan 09 '23 at 09:40
1

No, there is no contract or special permission to use compromised account data; some breach alert services are run by individuals. The promise "not to do anything bad with this information" implicitly applies to everyone. If Google (or anyone else) starts misusing account data, someone will discover this and sue.

Obtaining such data is not illegal by itself. Distributing it on the other hand is definitely illegal: it would be either private data distribution without permission or facilitating computer breaches if password information is included. Note how such services never give you the option to download the entire database they are using, and don't allow you to see the compromised password corresponding to the login and vice versa.

Furthermore, keeping such data is subject to regulations. For instance, haveibeenpwned provides a way to request your personal data to be removed, most likely to fulfill the GDPR requirements.

Dmitry Grigoryev
  • " Distributing it on the other hand is definitely illegal:" That would seem to be contradicted by the existence of https://haveibeenpwned.com/Passwords (which has been up for many years, and would almost certainly have been taken down by the owner if it was illegal). – Martin Bonner supports Monica Jan 04 '23 at 14:40
  • 1
    @MartinBonnersupportsMonica This site tries its best not to cause any trouble to anyone, but I wouldn't bet it's 100% legal. On the other hand, torrent sites have been around for decades now, despite their dubious legal status. – Dmitry Grigoryev Jan 04 '23 at 15:26
  • 1
    @MartinBonnersupportsMonica In a similar fashion, there exist services that allow you to locally check your password hashes against a list of breached hashes. To do so, these programs work with local copies of breach lists (and update these occasionally). This may look like distributing, but it is very well possible that the distributed data is not actually anywhere close to a "list" of (hashes of) passwords, but rather Bloom filters - which are generated from such a list and can quite reliably test whether a given datum is or is not on the used list, but cannot be used to enumerate the list – Hagen von Eitzen Jan 04 '23 at 16:36
  • 2
    Depending on the jurisdiction the haveibeenpwned might be illegal but a US government agency requires that federal systems check new passwords against ones in known data breaches. NIST SP 800-63b page 14. – doneal24 Jan 04 '23 at 19:24
  • @HagenvonEitzen Thanks for mentioning the Bloom filters! I just wanted to repeat that HIBP stores much more than password hashes internally: it keeps e-mail addresses (or logins in general), names of the sites associated with the breach, etc. Perhaps a similar service which only keeps a giant Bloom filter and nothing else would have been bullet-proof legally. – Dmitry Grigoryev Jan 05 '23 at 09:17
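
The Bloom-filter approach raised in the comments above (ship a compact structure that answers "is this hash on the breach list?" but from which the list cannot be read back) is easy to demonstrate. The following is an added example, not code from the page or from any breach-alert service: a small Bloom filter sized by the standard formulas, populated with SHA-1 hashes of a constructed five-entry "leaked password" list, and used as the new-password check that the NIST SP 800-63B comment refers to. Everything in it, including the leaked list and the error rate, is an assumption made for the example.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array; membership test with no false negatives and a
    bounded false-positive rate. Nothing in it can be enumerated back out."""

    def __init__(self, capacity: int, error_rate: float = 1e-6):
        # m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hash functions
        self.m = max(8, math.ceil(-capacity * math.log(error_rate) / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / capacity) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _indices(self, item: bytes) -> list[int]:
        # k bit positions derived from SHA-256(counter || item), 4 bytes each;
        # the counter re-seeds the digest when more than 8 positions are needed.
        idx: list[int] = []
        counter = 0
        while len(idx) < self.k:
            digest = hashlib.sha256(counter.to_bytes(4, "big") + item).digest()
            for i in range(0, 32, 4):
                if len(idx) == self.k:
                    break
                idx.append(int.from_bytes(digest[i:i + 4], "big") % self.m)
            counter += 1
        return idx

    def add(self, item: bytes) -> None:
        for i in self._indices(item):
            self.bits[i // 8] |= 1 << (i % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[i // 8] & (1 << (i % 8)) for i in self._indices(item))


def breach_key(password: str) -> bytes:
    """Hash before insertion so the filter is built from hashes, not passwords
    (SHA-1 only to match the corpus keying discussed above; not a storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).digest()


# Constructed breach list for the example; a real one would hold hundreds of millions.
LEAKED_PASSWORDS = ["hunter2", "password", "123456", "qwerty", "letmein"]


def build_filter(leaked: list[str], error_rate: float = 1e-6) -> BloomFilter:
    bf = BloomFilter(capacity=len(leaked), error_rate=error_rate)
    for pw in leaked:
        bf.add(breach_key(pw))
    return bf


def validate_new_password(bf: BloomFilter, password: str) -> tuple[bool, str]:
    """The SP 800-63B-style check: refuse a chosen password that appears in a
    known breach corpus. Returns (accepted, reason)."""
    if breach_key(password) in bf:
        return False, "password appears in a known data breach"
    return True, "ok"


if __name__ == "__main__":
    bf = build_filter(LEAKED_PASSWORDS)
    print(f"filter: {bf.m} bits, {bf.k} hash positions, {len(bf.bits)} bytes on disk")
    for candidate in ("hunter2", "correct horse battery staple"):
        ok, reason = validate_new_password(bf, candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

The size is the point: five 20-byte SHA-1 digests would take 100 bytes to list, but the filter that answers for them is 18 bytes, so the distributed artifact is not the list, only a lossy fingerprint of it. The trade-off is the false-positive rate chosen at build time, which for a password check is harmless (a user is occasionally asked to pick something else) as long as there are no false negatives, which a Bloom filter guarantees.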