And why were you reading my password again?

Because it's sends a partial hashed version to https://haveibeenpwned.com/ using their api and determines its a compromised password.

Why are you using a password so bad they need to warn you? 🤔

@C0D4 It's been long since I created this account. How suddenly I'm getting this mail now?

@girlwhocodes your password got leaked recently and added to the haveibeenpwnd database. That's probably why it started just now.

@girlwhocodes you logged in for the first time in ages?

Beats me on the "why now" part, I just know the "how"

https://github.blog/2018-07-31-new-...

Turns out they dont use the api, they have a copy of the entire dataset 😦
So... you know, I'd say you're password is in there somewhere.

@C0D4 No. I login in regular basis. I push almost daily.

Creepy

@girlwhocodes check HaveIBeenPwned, maybe it's a recent data breach.

@C0D4 it shows 1 breached site. But how may I know which site it could be. Or where may I need to tighten the security.

@girlwhocodes scroll down, it usually names them.

@girlwhocodes @C0D4 beat me to it.

It'll tell you

@C0D4 Gottit. Thanks. Shitty UI

@Stuxnet Yah what?

Does that to me too. I checked, and was not pawned. So ¯\_(ツ)_/¯
Github has gone to shit imho.

If your password is weak they just guessed it and found it, just like any one else could. They basically white hat hacked your password. They are kind enough to tell you that your password can be hacked. So accept their kindness and change your damn password!

@aggelalex Guessing and finding. Lmao. Do you work in that principle?

Haha, I see, the point is that email was late. Did they integrate such security notice just recently?

@PostMapping("/password/change")
public void changePass(String newPass, Principal user) {
PasswordStrength strength = determineStrength(newPass);
userService.updatePass(principal.getName(), newPass);
if(WEAK.equals(strength)) {
notificationService.schedulePasswordStrengthReminder(user.getName(), strength);
}
}

// and they don't even need to know what your pass is....

It is also entirely possible that they were hacked and now "your pass is weak" so they want you to change it before shit hits the fan. I mean, aside from very easy passes, a minimum 8 character pass of upper and lower case and number should not be "weak" per se.

@vintprox I didn't get any update regarding that.

@netikras Yah but why out of nowhere now they are sending this mail!

@C0D4 the dataset is just 15GB anyone can download it for free

What if someone takes over havebeenpawned. Then he can create "rock you v2.txt". It free wall estate for passwords.