How to be notified that your password has been stolen

Summary: Now you can be contacted if your email address appears in any new, publicly-released data breaches.

About a month ago I told you about have i been pwned?, a new site at which you could learn if your email address was included in one of several large data breaches.

The main improvement that needed to be added to the site, as its creator Troy Hunt himself acknowledged, was a notification service to allow users to enter an email address and be notified in the future if their address appeared in any databases added to the service. Troy has now added the notification service.

haveibeenpwned.com allows you to check whether an email address is in one of several publicly-released databases of breached email addresses, with a total of 154 million email addresses. Troy says the site has been wildly popular and that, by far, the number one request for a notification service.

When you click “Notify me if my address gets pwned in the future” you are presented with the screen below. If you have searched on an email address already, it is pre-populated in the field. You must then fill a CAPTCHA (this is unfortunately necessary for several reasons) and click “notify me of pwnage”.

The service then sends a confirmation email to the address entered. Click the verify link in the email and you are registered for notifications. Troy provided this sample notification email:

It’s still a free service which is good, but note that this not his day job. In fact, it’s costing him some money, but not much: “less … than what I spend on coffee…” So he sees no reason to charge for it, but if there is another major breach and he’s busy, you might not be able to expect him to enter the database and notifications to follow immediately. Troy wrote the site, in part, as an exercise in learning to program Windows Azure services, and he says it’s a good demonstration of how powerful services can be built and operated inexpensively on Azure.

Next on Troy’s roadmap: domain-wide verifications. You can be notified if any address in a domain is in a database. A more stringent verification process of some kind will be necessary, since he needs to know that the person receiving notification for example.com is actually authoritative for that domain.

About Larry Seltzer

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years.

[Source: ZDNet]