Privacy-Preserving Compromised Credential Checking
Researchers from Cornell Tech and the University of Wisconsin-Madison have developed a next-generation, privacy-preserving compromised credential checking protocol called MIGP (Might I Get Pwned). The protocol allows clients to check for leaked credentials without revealing any information about their queried passwords or usernames. Unlike existing services that only alert users if their exact password is present in a data breach, MIGP also checks for similar passwords that have been exposed. This approach helps detect credential tweaking attacks, an advanced version of credential stuffing. Cloudflare has implemented and deployed the protocol within its infrastructure and open-sourced it under the BSD-3 License.
Company: Cloudflare
Date published: Oct. 14, 2021
Author(s): Luke Valenta, Cefan Daniel Rubin, Christopher Wood
Word count: 3115
Hacker News points: None found.
Language: English