Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Firefox Security Databases Network Privacy The Internet

'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password (troyhunt.com) 111

Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.
This discussion has been archived. No new comments can be posted.

'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password

Comments Filter:
  • by Master Moose ( 1243274 ) on Monday June 25, 2018 @11:04PM (#56846042) Homepage

    Looks like my junk address that I set up for all my junky things has been junked!

  • Have I been Pwned? (Score:1, Insightful)

    by dohzer ( 867770 )

    Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

    • by Anonymous Coward

      I'lll get to it in a minute; right now im still busy uploading nudes to facebook...

    • by thegarbz ( 1787294 ) on Tuesday June 26, 2018 @07:59AM (#56847148)

      Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

      I signed up to this. I have received:
      On the day of signup: 1 confirmation email.
      5 months later: an email notification about a breach.

      That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.

      • by Anonymous Coward

        Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

        I signed up to this. I have received:
        On the day of signup: 1 confirmation email.
        5 months later: an email notification about a breach.

        That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.

        I concur. I have only received a confirmation mail for each account I registered. Of course, that will all change once HIBP gets Pwned.

  • by piojo ( 995934 ) on Monday June 25, 2018 @11:41PM (#56846118)

    To check if your password has been pwned without submitting it to them, find the sha1sum of the password, then use their API to check it. For example:

    sha1sum: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    first five characters: 5baa6
    the remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8

    Use the prefix to visit their API:
    https://api.pwnedpasswords.com... [pwnedpasswords.com]

    Then search for the remaining characters in the page shown.

    (I suspect even if you use the web form, it will only submit the sha1sum, but this is still safer.)

    • by ( 4475953 )

      Sha1 is not even considered secure any longer...

      • by higuita ( 129722 )

        it is not secure as it may be possible to create hash collisions with some time... but to hash a passwords is still perfectly save, you can't reverse a hash to get the password and bruteforce it is still a huge amount of combinations

        • it is not secure as it may be possible to create hash collisions with some time... but to hash a passwords is still perfectly save, you can't reverse a hash to get the password and bruteforce it is still a huge amount of combinations

          No, it isn't considered safe, because computers can compute SHA1 hashes fast enough to make brute force attacks feasible. You should be using computationally-intensive algorithms such as PBKDF2, bcrypt, etc.

          • by higuita ( 129722 )

            a password that match a sha1 hash may not be the password that generated that hash ... but yes, they should improve that

    • Assuming you're dumb enough to use the same password for multiple sites.
  • Why do I care if someone else mishandles the unique bullshit I gave them once upon a time. Surely, if I were stupid enough to use my email address as ID on someone else's computer, they would have a moral responsibility to use that email and contact me to let me know about the breach. If not, why do they want my email in the first place?
    • by higuita ( 129722 )

      fine, you are one of the few that really create good passwords... yet almost everyone i know that are not tech pros use stupid simple passwords, reuse passwords all over the place and do not understand security. This tool is for then, to help then understand that sites get hacked, passwords stolen and they should change passwords and not reuse passwords

  • Those of us who are security-conscious know they haven't been pwned. Those who don't use weak passwords, reuse the same password across multiple logins, and submit their email addy on random websites for more pwnage.

    • And those of us with an actual clue know that while much less likely than the layman's case we have no way to be 100% certain we *haven't* been owned. Yours is a mild case of Dunning Kruger I'm afraid.
    • by higuita ( 129722 )

      right, because you audit and configure all the sites you use, to make sure they aren't also hacked and your data stolen...

      if you were really security-conscious guy, you would never said something like that

    • While I do take proper measures to protect my data it seems that a lot of sites and businesses don't seem to care. There was one financial company that I dealt with that clearly stores passwords in plain text. I had to call them to get an issue resolved and there the person on the other end of the phone asked for my password as confirmation that I was who I said I was. Needless to say the accounts I had there are no longer there. I did similar test with the new financial company to see if they screwed it up
    • Fundamentally disagree. I use secure site passwords with a few exceptions, but they are stored somewhere, and I have a few "systems" depending on risk.

      But, if someone knows the root of my system, they could easily brute force a number of passwords.

      Or, they could hack my wife's iPad which has all my super-secure passwords in plain text...

      There is always a weak link, and that list of weaknesses is likely less than 30-50 things.

  • As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts

    Has the Watchtower Bible and Tract Society [jw.org] taken over 1Password? I wouldn't trust that organization with my online accounts for several reasons.

  • by tsa ( 15680 ) on Tuesday June 26, 2018 @12:16AM (#56846180) Homepage

    Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

    • by Dwedit ( 232252 )

      How about client-side salted hashes? Nobody can randomly guess something like 63DA4171F2D985441F1AE0C4F3C2AA27 as a password.

      • by tsa ( 15680 )

        I have no idea what you are talking about. I'm a chemist, not a computer scientist.
        Can you explain?

      • Comment removed based on user account deletion
        • by Bongo ( 13261 )

          Heh, but the salt thing is old and wrong. Salt as much as you like.

          The cult TV series Babylon 5 called it back in 1996 or something.
          And kudos also to South Park for flipping the food pyramid, around three years ago.

    • by Anonymous Coward

      Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

      Apple's. (Safari's) Since my computer is Apple, pretty sure Apple would already have access to this info anyway, so I'm minimizing the number of systems I'm obliged to trust.

      If you are interested in maximum security and privacy in your online doings and your life, follow these simple steps and practices... (note that the degree of security and privacy goes up as the list proceeds, but at the same time they also get to be increasingly impractical for most people to do, and especially to have something r

      • by Anonymous Coward

        That escalated gracefully.

    • That is not true. There are sites run by true security professionals, and my research indicates this is one of them. The fact that Mozilla is partnering up with them would tend to reinforce that conclusion. See also the EFF site. Surely you don't think the EFF is selling your data?
    • by higuita ( 129722 )

      https://github.com/simu/passwo... [github.com]

      store a key, memorize a password and that is mostly it, a different password for all sites that you don't even need to store

    • by chrish ( 4714 )

      I used to use LastPass, then I switched to EnPass, which I like a lot.

      EnPass is free on desktops, has a reasonable one-time fee on mobile (once per mobile OS), and lets you store your encrypted password blob on your choice of several cloud providers. All encryption/decryption is handled at the client end, so the cloud folks can't access your data at all. They're using AES-128 or AES-256 (can't remember off-hand).

      KeePass would also be a possibility, but I found the clients harder to use than the EnPass clien

      • by tsa ( 15680 )

        Finally some useful advice. Thank you Crish! Enpass looks interesting. It works on my iPad and my other devices. And it has a USB plugin option as well, which is handy. The other ones you mentioned don't work on the iPad. So I think EnPass is a good password manager for me.

    • by flink ( 18449 )

      Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

      CodeBook [zetetic.net] is great. I've been using it since it was a Palm III app called STRIP (Secure Tool for Recalling Important Passwords. Their encryption layer is open source [zetetic.net], and they support syncing across devices via Dropbox, Google Drive, or local WiFi. It supports TOTP 2FA and will generate Diceware/xkcd style passwords. They have clients for Windows, iOS, Android, and Mac. The desktop version also has an agent that will fill out web form fields for you.

      It's not a slick as some other password managers, but

  • by ISayWeOnlyToBePolite ( 721679 ) on Tuesday June 26, 2018 @01:44AM (#56846340)

    My mail shows up as pwnd. From the details of it, a site concerning a subject I'm not interested in, written in a language I don't speak and surely never registered with was pwnd and my password is all over the internet. Eventually finding the file where it's spread I unsurprisingly find that it's a password I never used.

    Now my mail is "hacked" on a semi regular basis as my mail adress and the password I've never used is included in what to me seems like new compilations of old pwnd's

    For not so surprising reasons my mail cannot be removed from HIBP and surely I can take one for the team, but it's still annoying AF.

    • Are you saying HIBP is not GDPR compliant, and refuses to remove your personally identifiable information from its database?

  • Does that not increase the likelihood of my data being pwnd again? Also, are they complying with data protection laws?
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday June 26, 2018 @04:47AM (#56846676)
    Comment removed based on user account deletion
    • The only company I was actually getting spam from was ebay. They gave the email address to the sellers and they started spamming me. SO no more goods from ebay for me.

      Add an ISO date to your format. ebay.com-20180626@example.com . Then when some random person from Shenzhen sells your address you just discontinue that one instead of quitting ebay forever. For bonus points look for that pattern in your greylister and match on today to avoid initial delay for website signups.

  • This is a good news and good to know that Mozilla is improving. Though, WebEagle - https://webeagle.com/ [webeagle.com] has already been helping web users by exposing data breaches for a very long time. WebEagle is an integrated web technology that monitors all forms of hacking activities, dark web, underground forums of hackers and hackers' database, to notify the web users in time, if and when their accounts are hacked or their data is leaked. Uers can even buy WebEagle's securty services basis their individual requirem
  • I wish they would stop "integrating" more and more stuff into Firefox. The whole point of Firefox was to be small and fast and configurable. This is yet another example of something that probably should be an addon. Even if they BUNDLE the addon, at least it gives the option to remove it if wanted or needed for some reason.

  • "You've been pwned! (Mealey-mouthed words about nebulous undergrounds with your email and hash or something something com-pleet something somrthing trading)"

    So...was it an ancient MMO I played for 2 months a decade ago, or is it a major email provider for my master account?

    Dunni just sign up for password1.

  • ... and it replied "You have now."

  • I searched my addresses with Have I Been Pwned, and I get breaches from services I never used. That sounds low quality stuff.

    The funniest point is report about password leak for an address for which the account has no password (only RSA key)

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...