What is "Have I been Pwned"?

What does ‘pwned’ mean?

The word ‘pwned’ (as in ‘pawned’) has its origins in hacker culture and is a variation of the English word ‘owned’. The spelling was the result of a typing error due to the proximity of the ‘O’ and ‘P’ keys on the keyboard. The term means that someone has been compromised or hacked. Later on, the word became known to a wider audience through its use in the gaming scene. There it expresses dominance over an opponent who has been defeated (‘You just got pwned!’). A detailed account of the word's origin can be found in this article.

What is ‘Have I been pwned’?

The website haveibeenpwned.com provides a database of known data leaks and hacks. Whenever personal information and credentials are leaked on the internet, they are added to the database. Internet users can use the website to check whether their email addresses and current passwords appear in such a data leak and take appropriate action if necessary.

How does Bare.ID use Have I been Pwned?

Have I been Pwned? also provides an Application Programming Interface (API) for integrating the security check into your own applications. Bare.ID uses this API to check on request whether user passwords have been leaked and need to be replaced. Passwords that have been leaked when used with other services and have ended up on corresponding lists can then no longer be used to log in to Bare.ID. The Bare.ID instance is thus protected against dictionary attacks in which the same password lists are used.

Will my passwords be transmitted to haveibeenpwned.com during verification?

The plain text password is never transmitted. The password is hashed using a cryptographic hash function. The password cannot be reconstructed from the hash (the result of this calculation), and only a small part of the hash is sent to haveibeenpwned.com. Details can be found in the API documentation of haveibeenpwned.com.
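The partial-hash check described above, as an added example that is not Bare.ID's own code. It assumes the public Pwned Passwords range endpoint, which takes the first five hexadecimal characters of the SHA-1 hash and returns the matching hash suffixes with their counts; the function names and the sample response are constructed for illustration.

```python
import hashlib
import urllib.request

# Assumption: the public Pwned Passwords range endpoint from the HIBP API docs.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Request every known suffix for a 5-character prefix (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Add-Padding asks the API to pad responses so their size reveals less.
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the corpus, 0 if unlisted."""
    prefix, suffix = split_hash(password)
    body = fetch(prefix)  # only the prefix leaves the process
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:  # comparison happens locally
            return int(count)
    return 0


sent = []  # records what the constructed fetcher was asked for


def constructed_fetch(prefix):
    """Constructed stand-in for the API so the example runs offline."""
    sent.append(prefix)
    _, suffix = split_hash("password")
    # Constructed lines: an unrelated suffix, a match, and a padding entry.
    return "A" * 35 + ":3\r\n" + suffix + ":42\r\n" + "0" * 35 + ":0\r\n"


if __name__ == "__main__":
    print(breach_count("password", constructed_fetch))
    print(sent)
```

A non-zero result means the password appears in a known leak and should be rejected or replaced; calling `breach_count(password)` without the second argument queries the live endpoint.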

Detailed instructions on how to activate the ‘Have I Been Pwned?’ functions in a Bare.ID instance can be found in the Bare.ID manual in the chapters Password Guidelines and Authentication.