Whether making their first move into the property market or taking the next step up the ladder, Rightmove is the first place many home hunters (and those who are just window shopping) turn to. Users of Rightmove trust us with their personal data as we help them find their next home and it’s important to us to keep their data secure. That’s why we’ve recently made a number of changes to our platform to make it as difficult as possible for malicious actors to gain access. In this article I’ll outline one of those changes.
Why we hold personal data
Rightmove exists to connect people searching for their next home with estate agents who list their properties on our portal. Home hunters interested in a particular property listing on Rightmove will make an enquiry about that property by sending us their personal data, such as a telephone number or email address, and we securely share that data with the estate agent marketing that property so the estate agent can contact them. Estate agents have a separate, secure Rightmove platform that they must log in to, using a good old-fashioned email address and password, in order to access this personal data.
Stories from previous data breaches at other companies are a constant reminder to us that personal data is hugely valuable and malicious actors have sophisticated methods for trying to gain access to systems storing personal data. Should a malicious actor manage to gain access to our platform by compromising the password of one of our estate agent customers they could see the personal data of our home hunters, so our first step was to increase the security we applied to the passwords used by estate agents to access our platform.
Increasing password integrity
While enforcing the use of secure passwords by our estate agent customers is nothing new to us, we asked ourselves “what could we do to check the integrity of the passwords being used on our platform?”
Passwords with lower integrity are at a higher risk of being compromised (hacked), but what reduces password integrity? Well, the integrity of a password is reduced when more people know what that password is: this could be because the password is shared between multiple people, because it was given up in a phishing attempt, or because it was leaked in a previous data breach. Once a malicious actor has acquired a password they can use it to attempt to log in to other websites, such as personal email accounts, social media accounts or Rightmove!
Unfortunately there’s not a lot we can do when people share passwords or are phished and give up their password, as these have a human element; however, we can detect where a password has appeared in previous data breaches and could potentially be replayed by malicious actors to gain access to the personal data we have stored within the Rightmove platform. Enter the haveIbeenpwned API.
Have I been pwned?
Troy Hunt, who is a Regional Director at Microsoft, set up the haveibeenpwned.com website to collect data from previous breaches that is in the public domain. Troy explains that the term “pwned” comes from computer gamer slang as a derivation of the word “owned” and is typically used to imply that someone has been controlled or compromised.
Troy’s website provides the search functionality to allow users to enter their email address, phone number and any passwords they are currently using to see if these have been leaked in previous data breaches.
Apart from the odd donation, Troy personally funds and maintains the service which is backed by a publicly accessible API (docs here). We integrated the API into our Rightmove services so we could check the passwords of our customers and determine if they had been exposed in previous data breaches. If so, these passwords would be considered as compromised and could be used by a malicious actor to gain access to our platform.
How we use the haveIbeenpwned API
Every time an estate agent logs in to our platform we need to send some information about the password to the haveIbeenpwned API. Fortunately the API doesn’t require the whole password nor does it require what we send to be in plaintext as doing so would be insecure.
The haveIbeenpwned API requires only the first 5 characters of the SHA1 hash of the password in order to give us a response. Because we have not given the API the full password (or even the full hash), it cannot tell us explicitly whether the password has been seen in a previous data breach; we have to work that out from the data the API responds with.
This data is a list of the SHA1 suffixes of every password in its database whose hash starts with the 5 character prefix we sent, each followed by a count of the number of times that password has been seen in previous breaches.
We then compare the suffix of the SHA1 hash we generated from the password with the data we get back from the haveIbeenpwned API and if that suffix appears in the results then we know a customer is using a compromised password.
For example, the SHA1 hash of the string “password123” is “CBFDAC6008F9CAB4083784CBD1874F76618D2A97”.
(The first 5 characters, CBFDA, are the prefix we send to the API; the remaining 35 characters, C6008F9CAB4083784CBD1874F76618D2A97, are the suffix we keep and compare locally.)
Making the following request to the haveIbeenpwned API, passing the prefix as a path parameter: “https://api.pwnedpasswords.com/range/CBFDA” would yield results that look something like the following:
...
C565F02AFBA54DFD1AAF12AD20473FB9C7C:2
C5A8C49CD024B82E517C98732CFB0F8A23C:1
C5DE2D08BADD5F48360C7D9CFAFEF4512EB:6
C6008F9CAB4083784CBD1874F76618D2A97:248071
C6336DEAF4B46A3601C03F20860547491AA:4
C6B5BD96BD11352481B6C0FB37BB187CC18:2
C7072648CD6A86864ABF6B8EAF55BB06A11:1
C7344664264EE723B679B1F8AE23F6E70B9:2
...
Here we can see that the suffix of the SHA1 hash of “password123” has, unsurprisingly, appeared a large number of times: 248,071.
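The prefix/suffix check described above, written out as an added example (this is not Rightmove's code). It hashes the password, sends only the 5 character prefix to a `fetch_range` callable, parses the "SUFFIX:COUNT" lines and looks up the locally held suffix; the sample response is constructed from the lines shown above, and `fetch_range_live` is an assumed stand-in for a real HTTP call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for the prefix CBFDA, reusing the
# lines shown in the article (a real response contains many more lines).
SAMPLE_RANGE_RESPONSE = """C565F02AFBA54DFD1AAF12AD20473FB9C7C:2
C5A8C49CD024B82E517C98732CFB0F8A23C:1
C5DE2D08BADD5F48360C7D9CFAFEF4512EB:6
C6008F9CAB4083784CBD1874F76618D2A97:248071
C6336DEAF4B46A3601C03F20860547491AA:4
C6B5BD96BD11352481B6C0FB37BB187CC18:2
C7072648CD6A86864ABF6B8EAF55BB06A11:1
C7344664264EE723B679B1F8AE23F6E70B9:2
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password was seen in breaches (0 = not found).
    fetch_range(prefix) must return the body of GET .../range/<prefix>;
    the full hash never leaves this function."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Assumed live fetcher: only the 5-char prefix is sent over the network."""
    import urllib.request
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as r:
        return r.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in that serves the constructed sample for any prefix."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    print(breach_count("password123", fetch_range_sample))  # 248071
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; any non-zero count means the password should be treated as compromised.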
Notifying our estate agent customers
In the event that a customer is using a password that has appeared in a previous breach, we ask them to reset it: we add a notification to the screen when they log in to indicate that they are using an unsafe password, and we periodically send them emails reminding them to reset their password.
These notifications have been well received by our customers who have been proactive in making sure their accounts remain secure.
Continuing to evolve the security of our platform
The methods used by malicious actors to gain access to websites continue to evolve, and so must the security of our platform. We’ll have more to share in the future about how we implemented two factor authentication for our customers, adding another layer of security so that the personal data we hold on our platform has even more protection.