Week 9, 2018 - Pwned Passwords v2; Serverless Application Repository

By (3 minutes read)

The Pwned Passwords database has been updated with a very nice API and AWS has released their Serverless Application Repository.

Pwned Passwords v2

Troy Hunt, creator of Have I Been Pwned?, released an updated list of over 500 million passwords in combination with a new API. These lists are useful in detecting if your password has been compromised, either because you used it on a compromised site or someone else did. Obviously, good password hygiene is important and this helps there.

The downside with sites like this is that you should generally never post your password into a text field on a random webpage, regardless of what that site is, which is why the new API is so interesting.

The API uses something called k-anonymity. Which in this case means that instead of asking you to provide the entire password, it will only take the first 5 characters of the hashed password and return you a list of all the hashes that match that. This means that you only send a small portion of your hashed password, making it impossible for the other side to know what it is.

Accessing the API is already very easy as this gist shows1, but AgileBits already started integrating it into their password manager 1Password. It’s currently only usable if you have an account and log in to the web version of 1Password2, but I tried it out and it really works. I can also happily say that the randomly generated passwords I tested were clear. They say that they’ll be integrating this into the GuardTower functionality, which means in the future you’ll get notifications if your password is among the compromised ones. While I really like this from 1Password, I hope all other password managers will do something similar.

Serverless Application Repository

Announced at re:Invent 2017 and in private beta since then, AWS has now released the Serverless Application Repository. This repository allows you to install serverless applications that were created by other people, or submit your own to be installed by others.

The process of installing an application is very simple: in the Console, you click on create function and then you select the repository. This gives you an option to browse through the list or search. I don’t think the search functionality is very good though. It gives seemingly good results when you search for a term you might expect to have results like “slack”3, but when searching for something without results there is no indication that’s the case. I tried this by searching for “packer”4, and it gave me many pages of results. None of which actually matched.

Aside from the search, installing is easy enough. You get an overview of what it will do, which IAM permissions it will create, the license, README, etc. You can’t actually see the code until you install it though, but presumably AWS will have some check to prevent it from containing malware5. As it’s a SAM template, it will install it through CloudFormation and you end up with an unclear function name.

I don’t know yet how it will work with upgrades or how easy it is to submit something, but I’ll try that out soon.

  1. Thanks Ryan↩︎

  2. And then press the secret key combo mentioned in their blog post. ↩︎

  3. Which seems to account for about half of the items currently in the repository. ↩︎

  4. I’ve got a Lambda function that basically searches for long-running packer containers to kill and was wondering if it’s worth submitting that or if someone already had. ↩︎

  5. At least, I really hope so. ↩︎

comments powered by Disqus