By Jolyon Pawlyn, on Aug 19, 2019

Protecting your Contentful accounts with Have I Been Pwned?

If you’ve been blocked creating a new password, don’t worry, it’s not just you. While a six-character password made up of just letters might have been sufficient in the past, the standard now is at least eight characters with numbers and symbols mixed in: if your password looks like your cat walked across your keyboard, that’s good.

But a password that looks like keyboard-bashing isn’t your only defense; there are also tools like “Have I Been Pwned” and “Pwned Passwords” to help protect your accounts against hackers. One way Contentful uses these is by checking all Contentful passwords against “Have I Been Pwned” and disallowing any that have been compromised.

Have you been pwned?

Created by Australian tech security expert Troy Hunt, Have I Been Pwned enables users to check whether their personal information or passwords have been exposed in a data breach. For the uninitiated, the word "pwned" refers to an account that has been the victim of a data breach.

Checking passwords against his Pwned Passwords API keeps Contentful user accounts more secure and warns users if their password has been compromised, a particularly useful feature if the same password has been reused across multiple accounts. Data breaches and password leaks have struck companies such as Facebook, Target, Equifax and Yahoo, among countless others. So far, over 11% of all the passwords we have checked against Pwned Passwords have been compromised.

And if your first thought is “Isn’t putting your password into a random website a bad idea?”: at no time is a plain-text password included in an API request. A strategy known as k-anonymity keeps passwords anonymous: the password is hashed locally, and only the first five characters of that hash are sent in the request. The API returns every known hash suffix sharing that prefix, and the comparison against the full hash happens on our side, so the service never learns which password was checked.

Have I Been Pwned has also launched Pwned Passwords, a list of 320 million passwords from a range of different data breaches, which we use to protect Contentful. It’s just another way we keep your accounts safe.

Get a password manager

And while we’re sure you have heard it before, it’s easy to take your security up a notch by getting a password manager. Password managers generate and remember different complex passwords for every account. While password managers were once just for techies or the paranoid few, now they’re commonplace. Using one is also the most important thing people can do to protect their privacy and security today.

For tried and tested password managers, turn to LastPass or 1Password. Both generate passwords, monitor accounts for security breaches, prompt you to change weak passwords and sync between your devices.

For other ways to protect your digital privacy and your Contentful accounts, check out these articles:

More best practices for your passwords

We're ISO 27001 compliant. Here's why that's important.

Jolyon Pawlyn

Jolyon is a Ruby developer at Contentful.