Securing User Passwords with "Have I Been Pwned"
Most developers are familiar with the website “Have I Been Pwned?”. Most non-developers and non-techie people have probably never heard of it. That’s ok, that’s what this blog post is for – to not only tell you about it, but to show you how to use it to keep your WordPress site safer.
First, the term “Pwned” originated in a game. It was a typo because the letters “P” and “O” are so close together on the keyboard. Like many good mistakes in gaming, it was appropriated and is now common slang in technical and gaming circles for “Owned.” Depending on the context, it can mean that someone beat you badly in a game, or that someone has compromised your server and now has access to it. Either way, you’ve been pwned. Pwned is never a good thing. 🙂
What’s “Have I Been Pwned?”
The website “Have I Been Pwned?” is more tech than game. It was set up by Troy Hunt because, after every major data breach, he would do a post-breach analysis of the released data and, over and over again, see the same credentials and passwords being used. When a data breach occurs, the attackers will sell or release any user credentials they obtain.
Most users have the bad habit of reusing logins and passwords, so the credentials that work on one site may also work on another. Thus, if a user’s data is leaked from one site, it can be disastrous for that user, because the attackers can try the same login and password on a multitude of other sites and gain access to more and more accounts and data.