search
CASE STUDIESPARTNERSSEE A DEMOBLOGVIDEOSLOGIN

Protecting against password reuse

This article describes how Perkville helps protects against credential stuffing, and what you can do to secure your account

Perkville helps protect your account from credential stuffingarrow-up-right, a type of attack where previously-gathered credentials from other data breaches (at other products) are used in order to gain access to a different product. Why does this work? Because many users re-use the same passwords across multiple products and services.

The best way to protect yourself from credential stuffing is to use a password manager, such as iCloud Keychain or 1Password, to generate a secure, unique password at every product you or your staff use.

hashtag
Validating that your password has not been implicated in a prior data breach at a different company

Perkville helps protect your account by, every time you log in, verifying that your password has not previously been implicated in a data breach at another company. How can we verify this? With the help of web application security expert Troy Hunt's Have I Been Pwnedarrow-up-right (HIBP), a free and oft-updated database of passwords from known data breaches.

When you log in, we hasharrow-up-right your password and send the first five bytes of the hash to HIBP's API. They return a list of matching hashes, and we look for a match to your hash. In this way, your password isn't sent to HIBP, but we are able to tell from HIBP if the password has appeared in a prior breach at another company (not Perkville!).

HIBP also returns the number of data breaches that have included each password, allowing us to generate a helpful message that includes that number.

These validation steps are sanctioned and strongly recommendedarrow-up-right by the Open Web Application Security project.

hashtag
What to do if your password has been compromised at another company

If you see a message like "Your current password has appeared in [ ] data breaches," all you have to do is follow the reset password flowarrow-up-right and select a new password.

We strongly recommend using a password manager, such as iCloud Keychain or 1Password, to generate a secure, unique password for every product you use.

If you use that password on any other service, we strongly recomend updating those other service passwords as well.

PreviousMiscellaneousNextIs it possible to pre-populate the email address field on the page for joining the reward program?

Last updated

Was this helpful?