Digital ID uses the term “compromised password” for a password that has previously been exposed in at least one data breach, as reported by Have I Been Pwned (HIBP). Such passwords are at much greater risk of being used by attackers to try to log in to an account.
HIBP has made available a list of passwords obtained from previous data breaches. In accordance with the National Institute of Standards and Technology’s recommendations, Digital ID checks your account password and your Master Key against it. We will not let you use a compromised password as your account password or Master Key. If it is a password you also use for other accounts, we strongly recommend you change those accounts’ credentials. You can use your Password Manager to generate new, strong and unique passwords.
Your Master Key remains secret at all times
Keeping your Master Key secret is a core feature of our security architecture. We don’t store it or keep any trace of it, and this stays true even when it is checked against the list of compromised passwords. A protocol based on cryptographic hashing and k-anonymity, much like the one HIBP uses when users search its database online directly, has been put in place so that your Master Key can be verified anonymously without ever being disclosed, even to us.
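As an added illustration (not Digital ID’s or HIBP’s own code) of the hashing-plus-k-anonymity check described above, the example below follows the range-query scheme HIBP exposes: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix sharing that prefix, and performs the comparison locally. The range response and its breach counts are constructed for the example; no network request is made.

```python
import hashlib
from typing import Callable, Dict, Tuple

# HIBP's real range endpoint takes this many hex characters of the SHA-1 hash:
# https://api.pwnedpasswords.com/range/<prefix>   (not called in this offline example)
PREFIX_LEN = 5


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the prefix is ever sent to the server; the suffix stays on the client,
    so the server learns neither the password nor its full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per hash sharing the queried prefix)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Run the k-anonymity check; returns 0 if the password is not in the list."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)          # the only data that leaves the client
    return parse_range_response(body).get(suffix, 0)


def is_compromised(password: str, fetch_range: Callable[[str], str]) -> bool:
    """A password (or Master Key) with any breach count is rejected."""
    return breach_count(password, fetch_range) > 0


# Constructed stand-in for the server: a range response for prefix "5BAA6"
# (the prefix of SHA-1("password")). The counts are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"   # suffix of SHA-1("password")
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    )
}


def constructed_fetch(prefix: str) -> str:
    """Offline replacement for the HTTP range query."""
    return CONSTRUCTED_RANGES.get(prefix, "")
```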
Have I Been Pwned is a website that lets anyone quickly check whether they may have been put at risk because one of their online accounts was compromised, or “pwned”, in a data breach. It was created in December 2013, and all the data on the site comes from “breaches”: incidents in which data is exposed to people who should not have been able to view it.
In August 2017, HIBP launched its Pwned Passwords service. As of July 2019, this database included 555,278,657 real-world passwords previously exposed in data breaches.