Where did the data come from?
All of the breach and exposure data in our database is openly available on the public Internet, unfortunately. It's not always easy to find and requires plenty of digging to accumulate, but it's out there. And therein lies the problem: anyone with enough determination can find and use this data. PasswordPing is our solution to the problem.
Can't your service be used by cybercriminals?
While a cybercriminal could certainly sign up for a PasswordPing account and thus gain access to our data, they would ultimately be disappointed. Our database contains NO cleartext passwords or credentials. Additionally, our APIs NEVER return passwords or credentials in any form, hashed or otherwise. We also never return email addresses, except in cases where we are simply echoing back an email that was submitted in the initial request. Our APIs essentially just tell you if the password or credentials you submitted are known to have been exposed or not. This would not be of any use to a cybercriminal.
Is PasswordPing safe?
In a word, yes. We see the end result of poor security all day, every day, so securing our systems is our top priority. All of our APIs require SSL encryption and return only a yes/no determination about whether the submitted password or credentials are known to be compromised. We never store submitted data; it is kept in memory on our servers only long enough to perform the database lookup, and the memory is zeroed out at the end of the call.
Despite the fact that all passwords and credentials in our database are already publicly exposed, we nevertheless go to great lengths to secure this data as much as possible while still being able to use it for the service. The passwords in our database are never stored in cleartext and are only stored in a hashed format. The credentials in our database are only stored in a salted and strongly hashed format, where we have absolutely no way of recovering the original data. If you would like more information about our security efforts, please Contact Us and we will send you a copy of our security whitepaper. If you have more stringent security requirements than a cloud-based service can provide, we can provide an on-premises version. Contact Us for additional information.
Do you have user credit card numbers, bank account or other personal data?
No. Although some of the raw breach data we run across certainly includes this type of information, we store absolutely no financial or personal information.
Is there a limit on how many requests I can make using the free Password Strength Meter?
Our free version is limited to 100,000 API requests per month. The control will still function after this limit is reached; it will simply no longer look up the hacked status of the password and will only show standard password strength information.
What if PasswordPing goes down and I'm using the Password Strength Meter? Will my signup form go down?
In the event that our API is unavailable, the strength meter degrades gracefully to providing standard password strength information and simply loses the ability to classify passwords as compromised or not. The PasswordPing JS and CSS files which your site loads are hosted in a high-availability CDN, which should remain available even in the event of a complete failure of the PasswordPing infrastructure.