Nearly five billion login details have been circulating on the internet for various web sites, having been stolen or sold by hackers. This is the "new normal". You can check if any of your internet accounts have been compromised by logging into this site and checking: https://haveibeenpwned.com/. Although Club Log hasn't been compromised, the password you use in Club Log could well have been discovered elsewhere from re-use (or because it is so common, other people have used it and their accounts have been compromised).


How we test passwords


The way the https://haveibeenpwned.com/ site works is to collects as many password lists that are circulating on the dark web as possible. Everything they have has been leaked somewhere, by someone (or perhaps an insecure web service). The risk they are addressing is that those passwords are then exceedingly easy to test by automation on a wide range of sites, some of which are perfectly secure. Users have a habit of reusing the same password again and again, which makes the problem worse.


Every time you login to Club Log, a test (using an indirect representation of your password) will be made to see if  it is one of the compromised passwords listed on that site. If you get nagged about a compromised password, please take it seriously. 


Why we test passwords


You can protect not only your amateur radio log (which surely has some worth!) but also potentially avoid bigger problems by using a stronger password - or a strong password generator - whenever you use *any* internet site. Simple passwords put your data at risk and invite identity theft, and organised gangs are taking every opportunity. Security is therefore a shared responsibility for all of us.


How to choose a secure password


  • There are some good tips at https://www.wikihow.com/Create-a-Secure-Password which may help you.
  • Your account is secure provided you look after your password. It cannot be seen by Club Log's staff.
  • To keep your account from being accessed by anyone other than yourself, make sure you change your password periodically.
  • Never use the same password on multiple sites.
  • Never share your account details with anyone else. Club Log helpdesk members do not need your password.
  • For maximum security, consider enabling the Google Auth option (using your phone as a security check).
  • Use Application Passwords (Settings > App Passwords) with 3rd party sites like IOTA. Don't share your password.


But this is all so inconvenient! I hate it!


The problem with security is that it is a trade-off against convenience. Unfortunately, Club Log (and the internet) are shared services, so it is important that security takes priority for the benefit of all users. Try using a password manager if you find it hard to remember secure passwords, as most people report this removes their source of frustration effectively. For example, take a look at 1password.com.


Technical notes


Your password is never actually sent to the external site to be tested. The way it works is we take a SHA1 of the password (in memory) and present the first five characters of that hash to the external service. They return as complete set of all of the SHA1 hashes with that five character stem. We then check (in memory) if any of the full SHA1 hashes match the SHA1 hash of your password.


A SHA1 hash looks like this:

9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08


(that is the SHA1 of 'test').


The only part sent to the external site is: 9f86d.


See https://haveibeenpwned.com/API/v2