
decafb | 7 years ago

That would make it possible to create a program that would check all the passwords in the keychain without sending data over the web. False positives wouldn't be an issue as the user can decide himself if he wants to update. Currently it still is a bit of a big filter to have on a mobile device - wonder how far it could be slimmed down and to have just 99% accuracy.

I just wonder how one could create such a program that the users will have some guarantees that it will not leak stuff.


arthurfm | 7 years ago

> I just wonder how one could create such a program that the users will have some guarantees that it will not leak stuff.

You could do what Okta does with its PassProtect [1][2][3] browser extension and use the Have I Been Pwned API along with k-Anonymity [4][5][6].

PassProtect is a browser plugin that makes it easy for people to see in the moment whether or not their password was exposed in a breach. With a real time, as-you-type notification, PassProtect quickly alerts users of possible "riskier" passwords so they can take action immediately and without compromising privacy. By using k-anonymity, PassProtect ensures that your passwords are never seen, stored, or sent over the network during this checking process.

We’ve also made it easy for developers to add this functionality directly into their app or website. By also surfacing related information and breach details, PassProtect promotes security awareness for users while relieving developers of the burden of tracking breaches and maintaining a homegrown tool.

[1] https://www.passprotect.io/

[2] https://www.okta.com/blog/2018/05/add-passprotect-to-your-we...

[3] https://chrome.google.com/webstore/detail/passprotect/cpimld...

[4] https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

[5] https://blog.cloudflare.com/validating-leaked-passwords-with...

[6] https://github.com/OktaSecurityLabs/passprotect-js