How we help protect your account
Protecting your personal information is very important to us, so we check publicly accessible databases of third-party data breaches and let you know if your credentials are found when you sign up for an account, log in or change your password.
A data breach is a security incident in which a website's data is stolen by unauthorized individuals. Often this stolen data contains usernames and passwords (credentials) for the breached website. Some of the most high-profile data breaches are from Equifax, Uber, Yahoo, Dropbox, LinkedIn, Sony PlayStation Network and Adobe. A popular site for checking where your credentials may have been obtained from is Have I been pwned? Because passwords can be hard to remember, many people reuse the same username and password on multiple sites. The stolen credentials are then tried against other sites to see whether they were reused, which gives access to the person's account on those sites.
To reduce the risk of your Qmee.com account being compromised because of a third-party data breach, and following the guidelines set out by the National Institute of Standards and Technology and the National Cyber Security Centre, we disallow passwords that have appeared in multiple data breaches.
Common and easy-to-guess passwords appear in breach lists regularly and are used in dictionary-based attacks, so your password may be disallowed because it is a very commonly used password.
We agree. We're signed up to so many sites, how are we supposed to remember yet another password? Fortunately there are solutions. Password managers let you generate unique passwords for every account, and remember them for you. Most of the common browsers have built-in password managers and there are some good third-party ones too.
Your password is safe and never leaves this site. In fact, we never store your plaintext password, just a cryptographic hash of it. This is why we only check on sign up, log in and password change. We take the password you submit, hash it and then send the first 5 characters of the hash to the pwned API, which then returns all password hashes that start with those 5 characters (this is known as k-Anonymity). We then compare your full hash with those returned to see if there is a match. This way we don't store your password and we don't send it to the API either.
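The k-Anonymity lookup described above, as an added Python example (not Qmee's own code). It assumes the SHA-1 hash and the `SUFFIX:COUNT` response lines used by the Pwned Passwords range API; the `min_count` threshold, the offline stand-in for the API and its sample data are constructed for illustration.

```python
import hashlib
import hmac

def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """How often the password appears in the breach data (0 if absent)."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the only value that leaves the site
    for candidate, count in parse_range(body).items():
        if hmac.compare_digest(candidate, suffix):  # match is decided locally
            return count
    return 0

def is_disallowed(password, fetch_range, min_count=2):
    """min_count is an assumed threshold, not Qmee's actual policy."""
    return breach_count(password, fetch_range) >= min_count

# Constructed sample data standing in for the remote service.
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 1}

def make_fake_range_api(corpus, sent):
    """Hypothetical offline stand-in; records every value it is sent."""
    def fetch_range(prefix):
        sent.append(prefix)
        lines = ["0" * 35 + ":7"]  # constructed unrelated entry in the same bucket
        for pw, n in corpus.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        return "\r\n".join(lines)
    return fetch_range

if __name__ == "__main__":
    sent = []
    api = make_fake_range_api(CONSTRUCTED_CORPUS, sent)
    for pw in ("password", "letmein", "correct horse battery staple"):
        print(pw, breach_count(pw, api), is_disallowed(pw, api))
    print("sent to API:", sent)
```

In a real deployment `fetch_range` would be an HTTPS GET for the prefix; everything after that call, including the comparison, stays on the site's own server.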