How do I check which of my users have accounts with leaked passwords?

Last month, one guy’s login was hijacked by an attacker who carried out embarrassing damage to the site (luckily, I backed up the site and was able to restore it). Post-mortem, I looked at his email account through haveibeenpwned.com and saw that his account was accessed through one of the known password leaks listed on there.

Long story short, our guy used his company email as a login for a site that leaked his password.

There are a ton of users on the site. Is there a good way to see which emails are “pwned” without needing to visit the previously mentioned link for each one of them?

https://www.reddit.com/r/WordPress/comments/sx3bhx/how_do_i_check_which_of_my_users_have_accounts/

Leaked passwords are a direct route to account takeover: an attacker who finds a user’s email address and password in a breach dump can simply log in with them, as happened in the question above. It is therefore worth checking whether your WordPress users’ passwords have been exposed. This article covers two methods: a manual lookup on HaveIBeenPwned.com and automated checks with the Passwords Evolved plugin for WordPress.

HaveIBeenPwned.com: manual lookup

HaveIBeenPwned.com maintains a large database of email addresses and passwords that have appeared in known data breaches. You can manually check an individual email address (which breaches it appeared in) or an individual password (whether that password value appears in the leaked corpus at all) by entering it into the site’s search fields.

To check passwords manually:

  1. Visit HaveIBeenPwned.com
  2. Click on the “Passwords” tab at the top of the page
  3. Enter the password you wish to check and click “pwned?”
  4. The site will return results indicating if the password has been leaked

Please note that manually checking passwords does not scale to a large user base, and it requires knowing the password in the first place: WordPress stores only password hashes, so an administrator cannot run this check on behalf of users. The password search itself sends only a partial hash of the password to the service rather than the password, but this is still a step best left to each user for their own passwords.

Passwords Evolved plugin for WordPress

The Passwords Evolved plugin automates this for WordPress. It integrates with HaveIBeenPwned.com’s Pwned Passwords API to check users’ passwords at the moments when the site actually has the plaintext value (during login and password changes), so that passwords known to be part of a data breach can be rejected or flagged.

By default, the plugin will check new and changed passwords against the HaveIBeenPwned.com database. You can adjust the plugin settings as needed to suit your requirements.
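The check the plugin performs, and the reason the manual lookup above does not expose the password, both rest on the Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters, receives every leaked suffix sharing that prefix, and matches locally. The following is an added example of that exchange written for this article, not the plugin’s own code; the `SAMPLE_RANGES` body is a constructed stand-in for the API response (with made-up counts), and `fetch_range` is the only part that talks to the network.

```python
import hashlib
from typing import Callable, Dict
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries
    (returned when Add-Padding is requested) carry a count of 0 and are dropped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character hash prefix ever leaves the client."""
    req = Request(RANGE_URL + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the API body for prefix 5BAA6 (SHA-1 of "password"
# starts with 5BAA6). Counts are invented; the real body has hundreds of lines.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "1D2C3B4A5F60718293A4B5C6D7E8F9A0B1C:2\n"
             "0123456789ABCDEF0123456789ABCDEF012:0\n",
}


def offline_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range; unknown prefixes yield an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count is the signal to reject the new password or force a reset.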

Taking action on leaked passwords

If a user’s password is found to be leaked, act immediately: notify the affected user and require a password change (forcing a reset is safer than asking). Since the original incident came from a password reused on another site, stress that each account needs a unique password, not just a complex one; a password manager makes this practical. Additionally, enable two-factor authentication (2FA), which keeps a leaked password from being sufficient for login on its own.
