
Pwned Password Check

Description

 

In the InfoSec world, a pwned password is a password that has been exposed in data breaches (i.e. it is owned/pwned by hackers).

Using a pwned password significantly increases the chances of being the victim of a data breach. Pwned Check leverages Troy Hunt’s Pwned Passwords API and automatically checks whether a password that you’re using (or are thinking of using) has been pwned by hackers. If it has, you will be notified and can be proactive and choose something else to stay out of harm’s way. There are over half a billion passwords in the Pwned Passwords database.

 

Pwned Password Check explainer video

 

How to Set up the Pwned Password Check

 

In existing databases, Pwned Check is not turned on automatically.

 

1. On the Administration tab, open Data Source Settings – Password Validation.

2. Choose Enabled from the list.

 

Administration - Data Source Settings - Password Validation


Remote Desktop Manager analyzes a password when you save an entry. A message is displayed when a password is found in the Pwned Passwords database. If you see this window, you should change your password immediately. Remember to change it both in Remote Desktop Manager and on the actual account.

 

Warning to change a password that was included in a data breach


The Back End

Rest assured, Remote Desktop Manager does NOT send your passwords to Pwned Passwords.

Here is how it works:

Pwned Password Check uses k-Anonymity.

Remote Desktop Manager sends only the first five characters of the SHA-1 password hash to the API.

The API sends back a list of every password hash that starts with those five characters. For each hash, it sends back only the second part (the characters after the first five).

Remote Desktop Manager compares the hashes on the list to the password hash for the password you want to use.

If there is a match you receive a warning.
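The exchange described above can be reproduced in a few lines. The following is an added example, not Remote Desktop Manager's own code: the function names are hypothetical, the "SUFFIX:COUNT" response lines follow the public Pwned Passwords range format, and the API is replaced by a constructed offline stand-in so that everything leaving the client can be inspected.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest sent to the API


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping bad lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            found[suffix.upper()] = int(count)
    return found


def pwned_count(password: str, fetch_range) -> int:
    """Times the password appears in the breach set; 0 means not listed.
    fetch_range(prefix) is the only call that leaves the machine, and it
    receives the 5-character prefix only, never the password or full hash."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def make_offline_fetch(listed: dict[str, int]):
    """Constructed stand-in for the API, built from a small sample set."""
    seen = []  # every value the "server" received, kept for inspection

    def fetch(prefix: str) -> str:
        seen.append(prefix)
        lines = [f"{s}:{n}" for pw, n in listed.items()
                 for p, s in [split_hash(pw)] if p == prefix]
        lines.append("0" * 35 + ":0")  # zero-count filler must not be a hit
        return "\r\n".join(lines)

    return fetch, seen


if __name__ == "__main__":
    # Sample passwords and counts are constructed for this demonstration.
    fetch, seen = make_offline_fetch({"password": 12345, "letmein": 678})
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, fetch))
    print("sent to API:", seen)
```

The comparison against the returned suffixes happens entirely on the client, so the service never learns which entry in the list, if any, matched.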

 

Choose stronger passwords

Remote Desktop Manager makes it easy to make strong passwords. The built-in password generator creates secure passwords, following your specifications for password length and complexity. The password generator is available on every entry beside the field where you enter a password.

 

Password Generator is found on every entry where you include a password

Remote Desktop Manager also has a password analyzer that provides feedback on all your passwords. A rating is included on the entry. It uses Zxcvbn to evaluate passwords.

You can also create a report of all your passwords by using the password analyzer in the Tools tab.

 

Tools - Password Analyzer
