'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password (troyhunt.com)
Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.
I have been pwned (Score:4, Funny)
Looks like my junk address that I set up for all my junky things has been junked!
Have I been Pwned? (Score:1, Insightful)
Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.
Re: (Score:1)
I'll get to it in a minute; right now I'm still busy uploading nudes to Facebook...
Re:Have I been Pwned? (Score:5, Informative)
Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.
I signed up to this. I have received:
On the day of signup: 1 confirmation email.
5 months later: an email notification about a breach.
That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.
Re: (Score:1)
Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.
I signed up to this. I have received:
On the day of signup: 1 confirmation email.
5 months later: an email notification about a breach.
That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.
I concur. I have only received a confirmation mail for each account I registered. Of course, that will all change once HIBP gets Pwned.
To check if your password has been pwned (Score:5, Informative)
To check if your password has been pwned without submitting it to them, find the sha1sum of the password, then use their API to check it. For example:
sha1sum: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
first five characters: 5baa6
the remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8
Use the prefix to visit their API:
https://api.pwnedpasswords.com... [pwnedpasswords.com]
Then search for the remaining characters in the page shown.
(I suspect even if you use the web form, it will only submit the sha1sum, but this is still safer.)
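The prefix lookup the commenter describes is HIBP's k-anonymity range API: only the first five hex characters of the SHA-1 leave your machine, and you match the remaining 35 locally against the list the server returns. The following is an added example, not code from the comment, from HIBP or from Troy Hunt. It assumes the public endpoint `https://api.pwnedpasswords.com/range/<prefix>` and its `SUFFIX:COUNT` line format; the sample response below is constructed (the suffix for "password" matches the hash quoted above, the counts are made up), so the script runs offline.

```python
import hashlib
import urllib.request

# Public k-anonymity endpoint (assumed): GET .../range/<5 hex chars of SHA-1>
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like: one "SUFFIX:COUNT"
# line per known hash sharing the queried prefix. The third line is the real
# SHA-1 suffix of "password" (5BAA6 + 1E4C9B93F3F...); the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8AB2B3AD9CE6AC2E8B26B5B5C18A6E4E5:2
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map; blank or
    malformed lines are skipped rather than crashing the check."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def count_in_range(suffix: str, response_text: str) -> int:
    """Number of breach occurrences for this suffix, 0 if it is not listed."""
    return parse_range_response(response_text).get(suffix.upper(), 0)


def fetch_range(prefix: str) -> str:
    """Network lookup: fetch all suffixes for one prefix. Only the prefix is
    transmitted, so the service cannot tell which of the ~hundreds of
    returned hashes (if any) is yours."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example"},  # assumed polite UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=fetch_range) -> int:
    """Full check: hash locally, send only the prefix, match the suffix here.
    range_lookup is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_lookup(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ("password", "correct-horse-staple-9f2"):
        n = pwned_count(candidate, offline)
        print(f"{candidate!r}: seen {n} time(s)" if n else f"{candidate!r}: not in sample")
```

Swap `offline` for the default `fetch_range` to query the live service; either way the password itself and its full hash never leave the machine, which is the point of the prefix scheme over the web form.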
Re:To check if your password has been pwned (Score:4, Informative)
If they have your password, it is your password regardless of where they got it. Certainly if the password was part of a valid username/password pair, it's more problematic, but if the password is in this list, it will be relatively easy to crack. Being in this list is like being in a dictionary—it is likely that a cracker will try it if he makes a serious attempt to break in to your account.
Re: (Score:3)
If the password is in the list of known passwords, it does not matter if it is yours or not; those are the passwords that brute-force tools will try first... you know, testing one million passwords is way quicker than testing several trillion passwords
Re: To check if your password has been pwned (Score:2)
Re: To check if your password has been pwned (Score:1)
No, you don't brute force a remote login session. You copy the passwd database locally and brute force it there.
Re: (Score:2)
bingo!
Re: To check if your password has been pwned (Score:2)
Re: (Score:2)
Let me check: I found a SQL injection in some random site, I dump the user emails and passwords, I crack them, I find some good auth pairs and now I will log in to other totally different places.
I do not care if LinkedIn or Adobe was hacked... but I do care about the info stolen, which can open millions of accounts in millions of other sites to hackers and God knows what that may open (VPNs, private files, auth data, injecting trojans, sending phishing attacks from known contacts)
so no, hacking a forum server will n
Re: To check if your password has been pwned (Score:2)
Re: (Score:2)
Who is talking about system accounts? To "log in" to an account is not only logging in to a system account, it is also logging in to any web site. :)
I know of no password shadowing in web systems, as protection against SQL injection attacks or hacked machines dumping the database
Re: To check if your password has been pwned (Score:2)
Re: To check if your password has been pwned (Score:2)
Re: (Score:2)
Sha1 is not even considered secure any longer...
Re: (Score:2)
It is not secure as it may be possible to create hash collisions with some time... but hashing passwords is still perfectly safe; you can't reverse a hash to get the password and brute-forcing it is still a huge number of combinations
Re: (Score:2)
It is not secure as it may be possible to create hash collisions with some time... but hashing passwords is still perfectly safe; you can't reverse a hash to get the password and brute-forcing it is still a huge number of combinations
No, it isn't considered safe, because computers can compute SHA1 hashes fast enough to make brute force attacks feasible. You should be using computationally-intensive algorithms such as PBKDF2, bcrypt, etc.
Re: (Score:2)
A password that matches a SHA1 hash may not be the password that generated that hash... but yes, they should improve that
Re: (Score:1)
What? (Score:1)
Re: (Score:2)
Fine, you are one of the few who really create good passwords... yet almost everyone I know who is not a tech pro uses stupid simple passwords, reuses passwords all over the place and does not understand security. This tool is for them, to help them understand that sites get hacked, passwords get stolen and they should change passwords and not reuse passwords
Don't need no Have I Been Pwned (Score:2)
Those of us who are security-conscious know they haven't been pwned. Those who don't use weak passwords, reuse the same password across multiple logins, and submit their email addy on random websites for more pwnage.
Re: Don't need no Have I Been Pwned (Score:3, Informative)
Re: (Score:2)
Right, because you audit and configure all the sites you use, to make sure they aren't also hacked and your data stolen...
If you were a really security-conscious guy, you would never have said something like that
Re: (Score:2)
Re: (Score:2)
Fundamentally disagree. I use secure site passwords with a few exceptions, but they are stored somewhere, and I have a few "systems" depending on risk.
But, if someone knows the root of my system, they could easily brute force a number of passwords.
Or, they could hack my wife's iPad which has all my super-secure passwords in plain text...
There is always a weak link, and that list of weaknesses is likely less than 30-50 things.
Re: (Score:2)
1 - Not all accounts on Yahoo were hacked... and I do not know if the list of hacked users was ever public at any time
2 - Just because you do know some sites, it doesn't mean that you were not there... some user DBs are simply stolen (like spam) or acquired when one company buys another, so your data may end up in a totally different company/site that may have been hacked at some time.
3 - Just because you were drunk when you created that Myspace account and do not remember does not mean that you had no account!
Have Jehovah's Witnesses taken over 1Password? (Score:2)
As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts
Has the Watchtower Bible and Tract Society [jw.org] taken over 1Password? I wouldn't trust that organization with my online accounts for several reasons.
Re: Have Jehovah's Witnesses taken over 1Password? (Score:1)
The JWs noticed those wacky Mormons adding billions of names to their books [wired.com] and wanted a slice of the holy database action, so now, according to researcher Orla Long, The Watchtower is being used to amass email addresses to save souls via the internet.
Password manager (Score:3)
Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."
Re: (Score:2)
How about client-side salted hashes? Nobody can randomly guess something like 63DA4171F2D985441F1AE0C4F3C2AA27 as a password.
Re: (Score:2)
I have no idea what you are talking about. I'm a chemist, not a computer scientist.
Can you explain?
Re: (Score:2)
Re: (Score:2)
Heh, but the salt thing is old and wrong. Salt as much as you like.
The cult TV series Babylon 5 called it back in 1996 or something.
And kudos also to South Park for flipping the food pyramid, around three years ago.
Re: (Score:2)
Re: (Score:1)
Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."
Apple's (Safari's). Since my computer is Apple, pretty sure Apple would already have access to this info anyway, so I'm minimizing the number of systems I'm obliged to trust.
If you are interested in maximum security and privacy in your online doings and your life, follow these simple steps and practices... (note that the degree of security and privacy goes up as the list proceeds, but at the same time they also get to be increasingly impractical for most people to do, and especially to have something r
Re: (Score:1)
That escalated gracefully.
Re: Password manager (Score:1)
Re: (Score:2)
https://github.com/simu/passwo... [github.com]
Store a key, memorize a password and that is mostly it: a different password for all sites that you don't even need to store
Re: (Score:2)
I used to use LastPass, then I switched to EnPass, which I like a lot.
EnPass is free on desktops, has a reasonable one-time fee on mobile (once per mobile OS), and lets you store your encrypted password blob on your choice of several cloud providers. All encryption/decryption is handled at the client end, so the cloud folks can't access your data at all. They're using AES-128 or AES-256 (can't remember off-hand).
KeePass would also be a possibility, but I found the clients harder to use than the EnPass clien
Re: (Score:2)
Finally some useful advice. Thank you Crish! Enpass looks interesting. It works on my iPad and my other devices. And it has a USB plugin option as well, which is handy. The other ones you mentioned don't work on the iPad. So I think EnPass is a good password manager for me.
Re: (Score:2)
Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."
CodeBook [zetetic.net] is great. I've been using it since it was a Palm III app called STRIP (Secure Tool for Recalling Important Passwords). Their encryption layer is open source [zetetic.net], and they support syncing across devices via Dropbox, Google Drive, or local WiFi. It supports TOTP 2FA and will generate Diceware/xkcd style passwords. They have clients for Windows, iOS, Android, and Mac. The desktop version also has an agent that will fill out web form fields for you.
It's not as slick as some other password managers, but
Re: (Score:2)
You could probably spell better if you took your other hand off your dog's dick.
Re: l33t h@X0r suckers slashdot nerds (Score:1)
Re: (Score:2)
Open a bug... either someone found a workaround or a bug; either way you should tell Mozilla in the correct place (bugzilla.mozilla.org), not on a random site on the internet
Great, but also annoying (Score:3)
My mail shows up as pwnd. From the details of it, a site concerning a subject I'm not interested in, written in a language I don't speak and surely never registered with, was pwnd and my password is all over the internet. Eventually finding the file where it's spread, I unsurprisingly find that it's a password I never used.
Now my mail is "hacked" on a semi-regular basis as my mail address and the password I've never used are included in what to me seem like new compilations of old pwnd's
For not so surprising reasons my mail cannot be removed from HIBP and surely I can take one for the team, but it's still annoying AF.
Re: (Score:1)
Are you saying HIBP is not GDPR compliant, and refuses to remove your personally identifiable information from its database?
Re: (Score:1)
Why are HIBP storing my data? (Score:1)
Comment removed (Score:5, Insightful)
Re: (Score:2)
The only company I was actually getting spam from was eBay. They gave the email address to the sellers and they started spamming me. So no more goods from eBay for me.
Add an ISO date to your format. ebay.com-20180626@example.com . Then when some random person from Shenzhen sells your address you just discontinue that one instead of quitting ebay forever. For bonus points look for that pattern in your greylister and match on today to avoid initial delay for website signups.
Re: (Score:1)
The e-mail users that I have posted to a public area are all on that list, no pastes. So they don't have my password. Same as slashdot's postmaster.
WebEagle Already Scans Dark Web (Score:1)
Stop "integrating" so much stuff (Score:2)
I wish they would stop "integrating" more and more stuff into Firefox. The whole point of Firefox was to be small and fast and configurable. This is yet another example of something that probably should be an addon. Even if they BUNDLE the addon, at least it gives the option to remove it if wanted or needed for some reason.
Puts the ass in password (Score:2)
"You've been pwned! (Mealy-mouthed words about nebulous undergrounds with your email and hash or something something com-pleet something something trading)"
So...was it an ancient MMO I played for 2 months a decade ago, or is it a major email provider for my master account?
Dunni just sign up for password1.
Entered my address into HIBP ... (Score:2)
Low quality (Score:2)
I searched my addresses with Have I Been Pwned, and I get breaches from services I never used. That sounds like low quality stuff.
The funniest point is a report about a password leak for an address for which the account has no password (only an RSA key)
Great way to collect email addresses! (Score:2)
ntr