Whenever you change the password on your Trading 212 account, Trading 212 will check your new password against “Have I Been Pwned’s” collection of Top 100,000 passwords found in data breaches.
You will only be able to save a new password that passes the check. If the check does not pass, you will be asked to choose a more secure password.
Who is “Have I Been Pwned” (HIBP)?
HIBP is a website run by the long-time and well-respected security researcher Troy Hunt. Troy set up the website to collect the credentials exposed in hacks and intrusions so that people can find out whether they were affected. With the records of close to 1,000 breaches on his site, Troy now holds over 17.3 billion credentials. The same common passwords were being compromised time after time, so Troy has made the Top 100,000 available so that we can all avoid them.
How do I know that you are not giving them my password?
Trading 212 will never send your password to any third party.
Trading 212 computes a one-way hash of your password (a hash is not encryption: it cannot be reversed to recover the password) and sends only the first 5 characters of that hash to HIBP. HIBP replies with the remainder of every hash in its collection that begins with those 5 characters, and Trading 212 then checks, on its own systems, whether any of them completes the hash of your password. The full hash never leaves Trading 212, and many hundreds of different passwords share any given 5-character prefix, so HIBP cannot tell which one, if any, was yours.
In addition, Trading 212 does not send any other information (such as your email address), so the hash prefix is never linked to a specific customer.
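The exchange described above, written out as an added worked example (this is not Trading 212's or HIBP's code): a client that hashes the password with SHA-1, sends only the first 5 hex characters of the hash, and compares the returned suffixes locally; and a simulated HIBP "range" endpoint that serves a constructed corpus of breached passwords in the same SUFFIX:COUNT line format the real service uses. The corpus, its counts and the fake_range_lookup endpoint are constructed for the demonstration; hibp_range_lookup shows the real endpoint URL and the Add-Padding header but is not called offline.

```python
"""k-anonymity password check against a (simulated) HIBP range endpoint.

Added example, not Trading 212's or HIBP's own code. DEMO_CORPUS and
fake_range_lookup are constructed for the demo; hibp_range_lookup talks to the
real service at https://api.pwnedpasswords.com/range/{prefix} and needs network.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

PREFIX_LEN = 5  # the HIBP range API takes the first 5 hex chars of a SHA-1 hash


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the HIBP API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Split a 40-char hex digest into the 5-char prefix (sent) and 35-char suffix (kept)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# ---- server side (simulated) -------------------------------------------------
# Constructed corpus: password -> how often it was seen in breaches (demo values).
DEMO_CORPUS = {"password": 9_659_365, "123456": 37_359_195,
               "qwerty": 3_946_737, "letmein": 243_637}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Bucket every hash by its 5-char prefix, as the range service does."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, {})[suffix] = count
    return index


DEMO_INDEX = build_range_index(DEMO_CORPUS)


def fake_range_lookup(prefix: str) -> str:
    """Simulated HIBP response: one 'SUFFIX:COUNT' line per hash sharing the prefix.
    The server never sees more than the prefix. Like the real service when
    Add-Padding is requested, the bucket is padded with zero-count dummy lines so
    the response size does not reveal how many real hashes it holds."""
    bucket = DEMO_INDEX.get(prefix.upper(), {})
    lines = [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]
    while len(lines) < 3:                      # constructed padding, count 0
        lines.append(f"{len(lines):035X}:0")
    return "\r\n".join(lines) + "\r\n"


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real API (network access; not used by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- client side -------------------------------------------------------------
def parse_range_response(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict, dropping zero-count padding entries."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if count.isdigit() and int(count) > 0:
            matches[suffix.upper()] = int(count)
    return matches


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Only the prefix leaves the client; the suffix comparison happens locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    body = range_lookup(prefix)
    return parse_range_response(body).get(suffix, 0)


def password_is_acceptable(password: str,
                           range_lookup: Callable[[str], str] = fake_range_lookup) -> bool:
    """Policy from the FAQ: a new password is saved only if it is not in the list."""
    return pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ["password", "letmein", "correct horse battery staple"]:
        prefix, _ = split_hash(sha1_hex(candidate))
        print(f"{candidate!r}: sent prefix {prefix}, seen {pwned_count(candidate)} times,",
              "rejected" if not password_is_acceptable(candidate) else "accepted")
```

Swapping fake_range_lookup for hibp_range_lookup in the two calls turns the demo into a real check; the client code does not change, which is the point of the protocol: the service only ever learns a 5-character prefix.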
Why do you only do this when I change my password?
Trading 212 only stores cryptographically secure hashes of customer passwords, never the passwords themselves. The only moment at which the password is available to be checked is while you are setting it; once it has been hashed and stored, we can no longer test it against the HIBP list.
Is the list up to date?
HIBP ingests the major data dumps from breaches, usually within a few days of them becoming available, so the list is current at the moment you set your password. We cannot re-check your password afterwards, because we do not hold it.
Why do you do this?
It is well known that people reuse passwords across sites, and at Trading 212 we want to do everything we can to prevent customers from being compromised. Evidence suggests that attackers far more often simply log in with credentials stolen from other sites than break in by any other method.
We also want to make it as hard as possible for attackers to guess customer passwords, which is another good reason to reject common ones.
What is a good password to choose?
We would suggest reading the rest of our account safety tips.
Does this mean that I have been hacked?
No. It means that the password you are trying to use has appeared in a past data breach of some other service, because someone else who used the same password was compromised there.