Firefox is using the wonderful haveibeenpwned resource. There is also a public API for haveibeenpwned if you want to incorporate it into your own clients:
I've always been a huge fan of the project (and Troy) and understand that it's gotten to a point where he can't keep running it as a spare-time project, but I'm still not very happy about seeing it being shopped around. I can't see how this type of service needing to find a way to become a business will be a good thing overall, especially when it keeps getting integrated into other programs and services like this. Troy pledges that nothing will change, but every company getting acquired does that, and then things change anyway.
The best result would probably be something like Mozilla buying it and/or paying Troy to just keep doing what he's doing.
1Password uses the HIBP API too [0] which has actually saved me a few times.
The mechanics behind the v2 API (using k-anonymity with hashes [1]) are pretty interesting too. Troy has clearly put a lot of thought and time into what started as a pet project a few years ago and should be infinitely commended!
There are fundamental privacy risks to using the HIBP Pwned Passwords service which should be considered when implementing it. See my writeup here — https://cablej.io/blog/k-anonymity/. In short, despite claims of protecting privacy, a malicious server can recover user passwords in some cases even if they haven’t previously been compromised.
One thing HIBP does is match a password against a list of half a billion leaked passwords without regard for the username portion of the credentials. They do it because of the NIST guidance to compare credentials to known data leaks. The same NIST whose previous guidance was a complicated password entropy algorithm, which they later dropped.
I've always questioned the logic of making 500,000,000 passwords off limits when no connection is made to the username. Work-factor hashing algorithms, rate limiting, account locking and 2FA are supposed to protect users from brute force attacks. I think they can handle an attack based on 500 million possibilities.
Now, if they matched the username/password pair, that would be great.
OK, enough is enough. I'm switching to Firefox now.
Protip to Firefox: Advertise this feature more. The other stuff I don't really care about, and it didn't really convince me to move to Firefox. Fear is an excellent motivator, however.
Try and give Firefox Containers a test too. It's a Firefox extension made by Mozilla that creates separate environments where cookies and session data are not shared. It's a great feature I never want to do without. I use it to create a wall between work and personal web browsing.
You will be happy with the move. If you're coming from Chrome, most extensions/add-ons are available on Firefox, so the transition was not tough for me. There are some things like getting used to the dev tools, but that shouldn't be too bad :)
For non-tech users, privacy isn't a very good selling point.
Both my parents use Chrome because it's already installed on Android and works fine. My attempts to convince them to switch to Firefox didn't work out, even with multiple attempts.
The functionality is part of every decent password manager, which takes care of basically all your passwords, not the ones stored in your browser. So I don't understand the enthusiasm.
Is money involved in this partnership? If so, who paid whom?
What was the motivation behind this? Is there any study that shows any benefit from haveibeenpwned.com? I.e. has there been a decrease in hijacked accounts, etc?
I don't think there have been studies, but it seems obvious to me that the goal here is to prevent re-use of leaked passwords, and I'd consider it a surprising result if this didn't help with that.
CCP Games integrated it into Eve Online and says that it significantly reduced the number of players using insecure passwords:
> When we first implemented the check, about 19% of logins were greeted with the message that their password was not safe enough. Today, this has dropped down to around 11-12% and hopefully will continue to go down.
That sounds like a good reason to get your non-technical friends and relatives on Firefox.
(Edit: though I wonder whether the really non-technical ones will not interpret this as having to change the displayed saved password, rather than having to visit the website.)
It is storing your passwords in plaintext locally, since this is about passwords that are saved by the user in Firefox's password store (the Saved Logins feature). These can (and should) be protected with a master password, but you obviously need to unlock the store before logging into a website.
They're not storing your passwords remotely, though. They're asking haveibeenpwned which maintains a list of leaked login information from past breaches.
Firefox has a built-in password manager, so plaintext passwords are necessarily stored in that database. The backend comparison service they're using supports a near-zero-knowledge protocol that allows clients to check for compromised passwords in the database efficiently without ever sending the password (or even a hash of the password) to the backend.
Also they can just query all the usernames (email addresses) of the accounts and get notifications if any of those usernames have appeared in breaches.
That’s a nice feature, and I hope other browsers will adopt something similar soon. Also looking forward to the password generator that’s finally coming in Firefox 69. On a slight tangent, I wish the major browsers would agree on an interoperability standard for their built-in password managers.
Browsers that offer to save your passwords are password managers. They've just been downright abhorrent at it for years. Improving that seems worth doing?
It isn't doing this. It uses a rough hash of the password to generate a bucket ID that could represent a large number of passwords. That information is then used to query a bucket for whether any passwords in the bucket exist.
For example, "password" hashes to "5BAA6", and the resulting bucket[1] lists secure hashes of several dozen passwords.
The client then generates another hash of the password (eg. "1E4C9B93F3F0682250B6CF8331B7EE68FD8"), and checks if that secure hash is in the bucket (it is, "password" has been compromised at least 3,730,471 known times).
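The range query walked through in this comment, as an added Python example (not code from the thread, from Firefox, or from HIBP): the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the remaining 35 characters against the returned bucket locally. The bucket body below is constructed; only the suffix and count for "password" are the figures quoted in the comment, the other entries are filler. The `SERVER_SAW` list is added to make visible what the server learns from a lookup.

```python
import hashlib

# Constructed stand-in for what https://api.pwnedpasswords.com/range/<prefix>
# returns: one "SUFFIX:COUNT" line per leaked SHA-1 hash sharing that prefix.
# The real 5BAA6 bucket has hundreds of lines; only the entry for "password"
# is real (suffix and count as quoted in the thread), the rest are filler.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",          # constructed filler
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",    # "password"
        "1f2b668e8aabef1c59e9ec6f82e3f3cd713:42",         # filler, lower case
        "",
    ]),
}

# Every prefix the stand-in server was asked for: this is all it ever learns.
SERVER_SAW = []


def sha1_hex_upper(password):
    """Hex SHA-1 of the UTF-8 password, upper-cased as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash):
    """Return (5-char prefix sent to the server, 35-char suffix kept local)."""
    return full_hash[:5], full_hash[5:]


def fetch_range(prefix):
    """Stand-in for the HTTP GET of /range/<prefix>; records what was sent."""
    SERVER_SAW.append(prefix)
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}, tolerating blank
    lines, CRLF line endings and mixed case; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password):
    """Number of times the password appeared in known breaches, 0 if none.
    Only the hash prefix leaves the client; the suffix match is done locally."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    bucket = parse_range(fetch_range(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "abc"):
        print(pw, "->", pwned_count(pw))
    print("server saw only:", SERVER_SAW)
```

With a real HTTP client in place of `fetch_range`, the same code works against the live endpoint; note that a prefix shared by about one in a million hashes is what gives the lookup its k-anonymity, and that a bucket miss means "not in this list", not "safe".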
haveibeenpwned doesn't accept plain-text passwords for checking; they use a k-anonymity model to protect both your passwords and the passwords in the database. The same goes for email addresses.
HIBP doesn't work that way really. You don't query for a site breach + email combination, you basically give your email address and then it returns back a list of breaches your email address was part of.
As far as HIBP linking your email to specific breaches, well, it is essentially using public data sets so that disclosure exists already (before HIBP even enters the picture). They are a bit more reserved with certain cases (the Ashley Madison breach for example), but even then if someone wanted to locate email addresses in that breach, they'd just go get that data set.
So, Firefox operates with yet another third party. I've never used this ''Have I been PWNed?'' drivel and don't intend to start, but I don't usually find myself using a Firefox-brand Firefox, either.
What's so compelling about this website? To me, this looks like yet another silly idea people coalesce around and find important. In having a discussion about this, someone mentioned how it's not that different from Facebook and Cloudflare in managing something technical for those who don't care to, and I find this a rather decent comparison. This is yet another centralized and completely unnecessary entity.
I don't see the appeal and I don't like what I regard as a stupid idea receiving so much attention from so many groups. This isn't surprising coming from Troy Hunt, however, who I best remember as the person bitching about an ad blocker blocking an ad he found acceptable.
So you're saying that the browser client will now be regularly sending secure information on a regular basis to a predictable IP, across HTTP (hopefully S, but I'm sure there will be a fallback), via dynamic path and across an unknown number of hops for transit. And this is supposed to be more secure.
I'm sure there's nothing to go wrong with that wonderful plan! Taking control away from the user is a great idea!
daveguy | 6 years ago
https://haveibeenpwned.com/API/v2
Please note rate limits/ abuse policy so everyone can use:
https://haveibeenpwned.com/API/v2#RateLimiting
(I am not affiliated)
Deimorz | 6 years ago
jakejarvis | 6 years ago
[0] https://blog.1password.com/finding-pwned-passwords-with-1pas...
[1] https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
cablej | 6 years ago
euroclydon | 6 years ago
AznHisoka | 6 years ago
mevile | 6 years ago
numbers | 6 years ago
paulirish | 6 years ago
(Disclosure: I work on Chrome, though on Developer Tools)
Ayesh | 6 years ago
user17843 | 6 years ago
okasaki | 6 years ago
Vinnl | 6 years ago
Deimorz | 6 years ago
From https://www.eveonline.com/article/pu2gdi/account-security-im...
groovecoder | 6 years ago
Vinnl | 6 years ago
mwilliaams | 6 years ago
feanaro | 6 years ago
want2know | 6 years ago
As far as I understand [1], Firefox will notify you if the domain was breached and your password is older than the breach.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1559365
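The comparison described in this comment (a saved login is flagged when the site was breached and the password was last changed before the breach date), as an added Python example that is not Firefox's code. The saved logins and breach records are constructed sample data, and the rule that a login host matches a breached domain when it is that domain or one of its subdomains is an assumption of the example.

```python
from datetime import date

# Constructed sample data, not Firefox's real store or HIBP's real breach feed.
SAVED_LOGINS = [
    {"host": "example.com",     "username": "alice", "changed": date(2017, 3, 1)},
    {"host": "example.com",     "username": "bob",   "changed": date(2019, 1, 15)},
    {"host": "www.example.com", "username": "carol", "changed": date(2018, 5, 19)},
    {"host": "example.net",     "username": "alice", "changed": date(2016, 6, 30)},
]
BREACHES = [
    {"name": "ExampleCom2018", "domain": "example.com", "breach_date": date(2018, 5, 20)},
]


def host_matches(host, breach_domain):
    """Assumed matching rule: the login host is the breached domain itself or
    one of its subdomains (www.example.com belongs to example.com)."""
    host = host.lower().rstrip(".")
    breach_domain = breach_domain.lower().rstrip(".")
    return host == breach_domain or host.endswith("." + breach_domain)


def logins_to_alert(saved_logins, breaches):
    """Return (host, username, breach name) for every saved login whose
    password was last changed before a breach of that site. A password set
    on or after the breach date is not flagged, since it postdates the leak."""
    alerts = []
    for login in saved_logins:
        for breach in breaches:
            if not host_matches(login["host"], breach["domain"]):
                continue
            if login["changed"] < breach["breach_date"]:
                alerts.append((login["host"], login["username"], breach["name"]))
    return alerts


if __name__ == "__main__":
    for host, user, breach in logins_to_alert(SAVED_LOGINS, BREACHES):
        print(f"{user}@{host}: change your password, site breached ({breach})")
```

In the sample data bob's password postdates the breach and example.net has no breach record, so only alice and carol are alerted; the check says nothing about whether a given password was actually in the dump, only that it could have been.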
SAI_Peregrinus | 6 years ago
snek | 6 years ago
groovecoder | 6 years ago
qzw | 6 years ago
r00fus | 6 years ago
Are you talking about an interop standard for storing/sharing passwords, or for generating them?
Because the latter is hobbled significantly by a twisting maze of password requirements and login form implementations by sites (banks, webmail, etc).
mnoorenberghe | 6 years ago
bovermyer | 6 years ago
Groxx | 6 years ago
sp332 | 6 years ago
hartator | 6 years ago
hughes | 6 years ago
[1]: https://api.pwnedpasswords.com/range/5BAA6
groovecoder | 6 years ago
java-man | 6 years ago
Will this feature be enabled by default?
Can this be disabled?
snek | 6 years ago
https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR...
SketchySeaBeast | 6 years ago
jsgo | 6 years ago
groovecoder | 6 years ago
MrStonedOne | 6 years ago
They look at breached sites and whether or not you saved a login for that site on a date before the site was breached.
verisimilitudes | 6 years ago
jedimastert | 6 years ago
groovecoder | 6 years ago
Endy | 6 years ago
Except that it's not.