Slashdot Mirror


'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password (troyhunt.com)

Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.

111 comments

  1. sure sure sure by Anonymous Coward · · Score: 0, Interesting

    go ahead. write down your email address there. go. go! if you think you got spam b4...

  2. I have been pwned by Master+Moose · · Score: 3, Funny

    Looks like my junk address that I set up for all my junky things has been junked!

    --
    . . .gone when the morning comes
  3. Have I been Pwned? by dohzer · · Score: 1, Insightful

    Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

    1. Re:Have I been Pwned? by Anonymous Coward · · Score: 1

      I'll get to it in a minute; right now I'm still busy uploading nudes to facebook...

    2. Re:Have I been Pwned? by Anonymous Coward · · Score: 0

      You will know if you've been pwned if you start getting copies of The Watchtower in your mailbox... :)

    3. Re:Have I been Pwned? by Anonymous Coward · · Score: 0

      Which is normally preceded by entering your email into 'Have I Been Pwned'.

    4. Re:Have I been Pwned? by Anonymous Coward · · Score: 0

      This is one of those cases where if you have to ask the question, then the answer is "If you really don't know, then the answer is probably yes. Assume you've been pwnt, and go change your ****ing password, idiot."

    5. Re:Have I been Pwned? by Anonymous Coward · · Score: 0

      Can I check also if my credit card is stolen if I give you its number, expiration date and csv?

    6. Re:Have I been Pwned? by thegarbz · · Score: 4, Informative

      Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

      I signed up to this. I have received:
      On the day of signup: 1 confirmation email.
      5 months later: an email notification about a breach.

      That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.

    7. Re:Have I been Pwned? by Anonymous Coward · · Score: 1

      Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

      I signed up to this. I have received:
      On the day of signup: 1 confirmation email.
      5 months later: an email notification about a breach.

      That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.

      I concur. I have only received a confirmation mail for each account I registered. Of course, that will all change once HIBP gets Pwned.

  4. Screenshot feature by Anonymous Coward · · Score: 0

    Today, I discovered the screenshot feature of Firefox. Perfect...

  5. To check if your password has been pwned by piojo · · Score: 4, Informative

    To check if your password has been pwned without submitting it to them, find the sha1sum of the password, then use their API to check it. For example:

    sha1sum: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    first five characters: 5baa6
    the remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8

    Use the prefix to visit their API:
    https://api.pwnedpasswords.com...

    Then search for the remaining characters in the page shown.

    (I suspect even if you use the web form, it will only submit the sha1sum, but this is still safer.)

    --
    A cat can't teach a dog to bark.
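
The check piojo describes, worked through as an added example (this is not code from the original post or from HIBP): hash the password locally, keep only the first five hex characters of the SHA-1 to send, and search for the remaining 35 characters in the list the API returns. The range response below is a constructed sample embedded inline so the script runs offline; the full endpoint URL in fetch_range is an assumption, not taken from the truncated link in the comment.

```python
"""Offline walk-through of the k-anonymity range check for Pwned Passwords.

The password never leaves the machine: only the first five hex characters of
its SHA-1 are sent, and the caller searches the returned suffix list locally.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

PREFIX_LEN = 5  # hex chars sent to the API (20 bits of the 160-bit hash)

# Constructed sample of a range response for prefix 5BAA6. Real responses are
# "<35-hex suffix>:<count>" lines, uppercase, CRLF-separated, and several
# hundred lines long. The suffixes and counts here are made up, except that
# the third suffix is the one derived in the comment above for "password".
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E9E6B7FB4D4F9B8A1C0E2D3F4A5B6C7D8E:0\r\n"  # zero-count (padding) line
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        count = count.strip()
        if len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            continue
        seen[suffix] = int(count)
    return seen


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus (0 = not found).

    The search happens on the already-downloaded body, so the suffix is
    never transmitted. A zero count in the body is treated as not found.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch a real range body (network; not exercised offline).

    Assumes the endpoint https://api.pwnedpasswords.com/range/<prefix>.
    """
    hexdigits = set("0123456789ABCDEF")
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or not set(prefix) <= hexdigits:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_online(password: str) -> int:
    """Full flow against the live API: send prefix only, match suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("send only:", prefix, "| search locally for:", suffix)
    print("count in sample body:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```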
    1. Re:To check if your password has been pwned by Anonymous Coward · · Score: 0

      How can you tell if it's 'your' password they have and not somebody else's who has the exact same password?

    2. Re:To check if your password has been pwned by butzwonker · · Score: 1

      Sha1 is not even considered secure any longer...

    3. Re:To check if your password has been pwned by Anonymous Coward · · Score: 0

      So your password is so trivial that someone else might be using the same password ?

    4. Re:To check if your password has been pwned by Anonymous Coward · · Score: 0

      It's fine for this purpose. The reason we've gone off sha1 for password hashing is because a way to generate collisions has been found, which has no effect on its suitability for a lookup like this. You can't take the first 5 characters of an SHA-1 hash and reverse-engineer the original string from that.

    5. Re:To check if your password has been pwned by Anonymous Coward · · Score: 0

      That only goes for sites that use a different hashing method.

      If the site is also using (un-salted) sha1, all you need is a collision.

      (Though I believe the sha1 hole - for now - only allows chosen plaintext collisions, and not a collision for something you only know the hash for).

    6. Re:To check if your password has been pwned by johnsie · · Score: 1

      Assuming you're dumb enough to use the same password for multiple sites.

    7. Re:To check if your password has been pwned by Anonymous Coward · · Score: 0

      Assuming you're dumb enough to use the same password for multiple sites.

      Using throwaway accounts isn't dumb

    8. Re:To check if your password has been pwned by Anonymous Coward · · Score: 0

      That only goes for sites that use a different hashing method.

      If the site is also using (un-salted) sha1, all you need is a collision.

      (Though I believe the sha1 hole - for now - only allows chosen plaintext collisions, and not a collision for something you only know the hash for).

      All you need is a collision TO DO WHAT? We're not talking about passwords, and you don't use salt for lookups.

    9. Re:To check if your password has been pwned by piojo · · Score: 3, Informative

      If they have your password, it is your password regardless of where they got it. Certainly if the password was part of a valid username/password pair, it's more problematic, but if the password is in this list, it will be relatively easy to crack. Being in this list is like being in a dictionary—it is likely that a cracker will try it if he makes a serious attempt to break in to your account.

      --
      A cat can't teach a dog to bark.
    10. Re:To check if your password has been pwned by higuita · · Score: 2

      If the password is in the list of known passwords, it does not matter if it is yours or not; those are the passwords that bruteforce tools will try first... you know, testing one million passwords is a lot quicker than testing several trillion passwords

      --
      Higuita
    11. Re:To check if your password has been pwned by higuita · · Score: 1

      it is not secure as it may be possible to create hash collisions with some time... but hashing passwords is still perfectly safe, you can't reverse a hash to get the password and brute-forcing it is still a huge amount of combinations

      --
      Higuita
    12. Re: To check if your password has been pwned by Zero__Kelvin · · Score: 2

      It is a myth that you can usually brute force a login system. That hasn't been a thing since they invented password shadowing. Any decent online system will have methods to make it impossible as well.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re: To check if your password has been pwned by Anonymous Coward · · Score: 0

      Every bit you remove from the hash makes an unrelated collision more likely.

    14. Re: To check if your password has been pwned by Anonymous Coward · · Score: 1

      No you don't brute force a remote login session. You copy the passwd database locally and brute force it there.

    15. Re: To check if your password has been pwned by higuita · · Score: 1

      bingo!

      --
      Higuita
    16. Re:To check if your password has been pwned by Dragonslicer · · Score: 1

      it is not secure as it may be possible to create hash collisions with some time... but hashing passwords is still perfectly safe, you can't reverse a hash to get the password and brute-forcing it is still a huge amount of combinations

      No, it isn't considered safe, because computers can compute SHA1 hashes fast enough to make brute force attacks feasible. You should be using computationally-intensive algorithms such as PBKDF2, bcrypt, etc.

    17. Re: To check if your password has been pwned by Zero__Kelvin · · Score: 1

      The sad thing is many people will read what you wrote without laughing.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    18. Re: To check if your password has been pwned by Zero__Kelvin · · Score: 1

      No, not "Bingo". If you have that kind of access you are already in and don't need passwords.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    19. Re: To check if your password has been pwned by Anonymous Coward · · Score: 0

      Yes bingo, this is a primary reason why password reuse is bad. Crack it once for one place, works everywhere. Now not only do I have the forum I already controlled, I have your bank account. That's why these dumps are bad, essentially a database of the passwords you use for various sites that can then be trivially attempted on other sites.

    20. Re: To check if your password has been pwned by Zero__Kelvin · · Score: 1

      You just switched to a completely different subject. The discussion is about secure systems and system security in theory. Your argument amounts to "You can't create a secure system that way because there are insecure systems that exist"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    21. Re: To check if your password has been pwned by higuita · · Score: 1

      let me check, I found a SQL injection in some random site, I dump the user emails and passwords, I crack them, I find some good auth pairs and now I will login to other totally different places.

      I do not care if linkedin or adobe was hacked... but I do care about the info stolen, that can open millions of accounts in millions of other sites to hackers and god knows what that may open (vpns, private files, auth data, inject trojans, send phishing attacks from known contacts)

      so no, hacking a forum server will not give you all that, but hacking passwords could do it

      --
      Higuita
    22. Re:To check if your password has been pwned by higuita · · Score: 1

      a password that matches a sha1 hash may not be the password that generated that hash ... but yes, they should improve that

      --
      Higuita
    23. Re: To check if your password has been pwned by Zero__Kelvin · · Score: 1

      Again, nobody was arguing that password reuse was a good idea, and that is literally a different subject. You may be too new to the scene to understand how effective "John the Ripper" style offline cracking techniques were in general, and why they invented password shadowing to close the attack vector.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    24. Re: To check if your password has been pwned by higuita · · Score: 1

      who is talking about system accounts? to "login" to an account is not only login to a system account, it is also login to any web site. :)
      I know of no password shadowing in web systems, as protection against SQL injection attacks or hacked machines dumping the database

      --
      Higuita
  6. What? by owenferguson · · Score: 1

    Why do I care if someone else mishandles the unique bullshit I gave them once upon a time. Surely, if I were stupid enough to use my email address as ID on someone else's computer, they would have a moral responsibility to use that email and contact me to let me know about the breach. If not, why do they want my email in the first place?

    1. Re:What? by higuita · · Score: 1

      fine, you are one of the few that really create good passwords... yet almost everyone I know who is not a tech pro uses stupid simple passwords, reuses passwords all over the place and does not understand security. This tool is for them, to help them understand that sites get hacked, passwords stolen and they should change passwords and not reuse passwords

      --
      Higuita
    2. Re:What? by Anonymous Coward · · Score: 0

      Yeah you should totally use a bespoke password for every single site on the internet, and change them every 3 months, making sure none of those new passwords are similar to the previous ones and remember it all because using any sort of password saving tool just defeats the purpose turning it into a single point of failure.

      EASY!

  7. Don't need no Have I Been Pwned by Rosco+P.+Coltrane · · Score: 1

    Those of us who are security-conscious know they haven't been pwned. Those who don't use weak passwords, reuse the same password across multiple logins, and submit their email addy on random websites for more pwnage.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Don't need no Have I Been Pwned by Anonymous Coward · · Score: 0

      "Those of us who are security-conscious know they haven't been pwned."

      Heh - between the hardware hacks and side channel attacks, don't bet on it.

    2. Re: Don't need no Have I Been Pwned by Zero__Kelvin · · Score: 3, Informative

      And those of us with an actual clue know that while much less likely than the layman's case we have no way to be 100% certain we *haven't* been owned. Yours is a mild case of Dunning Kruger I'm afraid.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Don't need no Have I Been Pwned by higuita · · Score: 1

      right, because you audit and configure all the sites you use, to make sure they aren't also hacked and your data stolen...

      if you were a really security-conscious guy, you would never have said something like that

      --
      Higuita
    4. Re:Don't need no Have I Been Pwned by Bob+the+Super+Hamste · · Score: 1

      While I do take proper measures to protect my data it seems that a lot of sites and businesses don't seem to care. There was one financial company that I dealt with that clearly stores passwords in plain text. I had to call them to get an issue resolved and the person on the other end of the phone asked for my password as confirmation that I was who I said I was. Needless to say the accounts I had there are no longer there. I did a similar test with the new financial company to see if they screwed it up that badly and while I can't be sure they at least didn't ask for my password over the phone. Then again they all seem to use your name and last 4 of SSN as good enough authentication.

      At this point even though I take steps to protect myself I just assume that those who have my data aren't protecting it properly and it will leak. So with this mindset good personal security measures mean that all I am able to do is limit the damage. A better way of thinking would be:
      "Those of us who are security-conscious assume we will get pwned"

      --
      Time to offend someone
    5. Re:Don't need no Have I Been Pwned by aaarrrgggh · · Score: 1

      Fundamentally disagree. I use secure site passwords with a few exceptions, but they are stored somewhere, and I have a few "systems" depending on risk.

      But, if someone knows the root of my system, they could easily brute force a number of passwords.

      Or, they could hack my wife's iPad which has all my super-secure passwords in plain text...

      There is always a weak link, and that list of weaknesses is likely less than 30-50 things.

  8. Have I been Pwned is garbage by Anonymous Coward · · Score: 0

    I entered my yahoo email and it came back with 6 'pwns';..... not one was the ACTUAL Yahoo hack.

    Of the 6 sites that they did claim, I have never heard of 5 of them.

    It also listed a myspace breach.. lol fuck no.

    They also claim I was part of an Adobe hack.. a site I never used, and never gave my email address to.

    FF is shit and collabs like this prove it.

    1. Re:Have I been Pwned is garbage by higuita · · Score: 1

      1 - not all accounts on yahoo were hacked... and I do not know if the list of hacked users was even public at any time
      2 - just because you do not know some sites it doesn't mean that you were not there... some user DBs are simply stolen (like spam) or acquired when one company buys another, so your data may end up in a totally different company/site that may have been hacked at some time.
      3 - just because you were drunk when you created that myspace account and do not remember, does not mean that you had no account! :D
          more seriously, probably someone referred your email and you got an invite... the account was half created, waiting for you to click to enable it. Even if you didn't accept the invite and have no password, there is some info about you there. EU GDPR may help you here in the future, as keeping data without user consent is a big no-no and most sites must expire and remove those temporary accounts
      4 - adobe is strange, either they got your contact via macromedia or another acquired company or you at some time entered your email to download something (even for a friend or parent)

      notice that this is not a Firefox DB, this is a DB made by a security guy that parsed all public hacked lists with users and passwords and created a public DB and API... if the site says he got your email from those hacks, unless there is a big bug, for sure your data was posted in some public (darknet or not) site ... if you search well, you may even find yourself. Firefox is just making it easier for normal people to understand that their "reused" password is not safe anymore

      --
      Higuita
    2. Re:Have I been Pwned is garbage by Anonymous Coward · · Score: 0

      You're missing the point. If someone registers on another site with my email, it's NOT the same thing.

      If your password is idiot@slashdot.org anyone can use that as a login. Many sites don't use a verification email and just accept it as is (again, myspace has been dead for years, I never used it).

      Security has tightened with verification email in the past few years, but many of the 'breaches' are very old.

      The site is garbage, and FF has many more problems to fix than adding on stupid password 3rd party BS

  9. Have Jehovah's Witnesses taken over 1Password? by tepples · · Score: 1

    As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts

    Has the Watchtower Bible and Tract Society taken over 1Password? I wouldn't trust that organization with my online accounts for several reasons.

    1. Re:Have Jehovah's Witnesses taken over 1Password? by Anonymous Coward · · Score: 0

      Project was named by a novice to Life, or a new adherent to the sect's delusions.
      From week to week it seems Mozilla are burying themselves deeper into the poo-heap.
      Used FF since 0.2, but now seriously looking at alternatives (NOT Chrome!!!).

    2. Re: Have Jehovah's Witnesses taken over 1Password? by bestweasel · · Score: 1

      The JWs noticed those wacky Mormons adding billions of names to their books and wanted a slice of the holy database action, so now, according to researcher Orla Long, The Watchtower is being used to amass email addresses to save souls via the internet.

    3. Re:Have Jehovah's Witnesses taken over 1Password? by Anonymous Coward · · Score: 0

      I switched to Palemoon in November, 2017, and it's been really good. I think you would like it.

    4. Re:Have Jehovah's Witnesses taken over 1Password? by Anonymous Coward · · Score: 0

      https://www.howtogeek.com/335712/update-why-you-shouldnt-use-waterfox-pale-moon-or-basilisk/

  10. Password manager by tsa · · Score: 2

    Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

    --

    -- Cheers!

    1. Re:Password manager by Dwedit · · Score: 1

      How about client-side salted hashes? Nobody can randomly guess something like 63DA4171F2D985441F1AE0C4F3C2AA27 as a password.

    2. Re:Password manager by Anonymous Coward · · Score: 1

      Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

      Apple's. (Safari's) Since my computer is Apple, pretty sure Apple would already have access to this info anyway, so I'm minimizing the number of systems I'm obliged to trust.

      If you are interested in maximum security and privacy in your online doings and your life, follow these simple steps and practices... (note that the degree of security and privacy goes up as the list proceeds, but at the same time they also get to be increasingly impractical for most people to do, and especially to have something resembling a useable internet surfing experience if you do them):
      1. Don't use any part of your real name in your user name.
      2. Give a bogus name when you sign up rather than real.
      3. Give a bogus DOB if they demand one, (you don't need to know when I was born, this is just so you can ask and I can tell you; I keep a copy of what I told whom (and redundant backups) so if they ever ask, I can retrieve the info).
      4. Use this user name (and the password assoc. with it) on ONE. WEBSITE. ONLY. Create alternates for each other website or service you use, in no way resembling or related to each other.
      5. Use a unique e-mail address when you sign up for the account in question, so that any e-mail address you have is only associated with one thing.
      6. Change passwords regularly.
      7. Start a business in Delaware and use THAT to form shell companies, and use THEM for things like getting PO Boxes and for leasing or renting apartments and/or vehicles... okay, admittedly, we've gone from reasonable to batshitcrazy levels of security, because... yeah.
      8. burn off your fingerprints and have your irises surgically removed, and get plastic reconstructive surgery every two years to alter your appearance, then start an underground boxing club with a set of rules all members are obliged to follow, the first two of which, (redundantly,) are both that you can't discuss the club in question with anyone.
      9. Move to a tropical rainforest jungle and live in a cave, as a hermit, have your voice box removed, and never speak to anyone again.
      10. Die. No one will ever bother you again, or at least if they do, you won't care.
      Oh, and 11... when posting inane shit on slashdot, click "Post Anonymously".

    3. Re:Password manager by tsa · · Score: 1

      I have no idea what you are talking about. I'm a chemist, not a computer scientist.
      Can you explain?

      --

      -- Cheers!

    4. Re:Password manager by Hallux-F-Sinister · · Score: 1

      How about client-side salted hashes? Nobody can randomly guess something like 63DA4171F2D985441F1AE0C4F3C2AA27 as a password.

      If you salt your hashes too much, you do run an increased risk of hypertension, stroke, and even death. Word to the wise. ;-p I know they taste better that way, but it's important to exercise restraint. Instead of salt, (or in addition to a pinch, in proper moderation,) if you add some freshly ground black pepper and some butter... mmmmmm.... what were we talking about again?

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
    5. Re:Password manager by Anonymous Coward · · Score: 0

      "Which password manager do you recommend?"

      Pen and motherfuckin' paper.

    6. Re:Password manager by Anonymous Coward · · Score: 0

      Enter your master password here: ________________

    7. Re:Password manager by Anonymous Coward · · Score: 0

      I tried entering my password there, but it didn't work. Are you sure you're legit? Please respond quickly. I'm worried that you might have tricked me.

    8. Re:Password manager by Bongo · · Score: 1

      Heh, but the salt thing is old and wrong. Salt as much as you like.

      The cult TV series Babylon 5 called it back in 1996 or something.
      And kudos also to South Park for flipping the food pyramid, around three years ago.

    9. Re:Password manager by Anonymous Coward · · Score: 0

      Password Safe https://pwsafe.org/

      That's the one Bruce Schneier is involved with.

    10. Re:Password manager by Anonymous Coward · · Score: 0

      KeePass 2 and variants (KeePassXC etc.)

    11. Re:Password manager by Anonymous Coward · · Score: 0

      My own. It's commercial but I won't tell you its name, because I currently cannot have new customers.

      Since you cannot use mine, the second best thing is to write your own using a standard encryption library. It's easy. Or, use a text file on an encrypted volume.

      Another important piece of advice (since I've been in this "business" for two decades): Using a notebook for really important, rarely used passwords is generally safer, unless you live in an area with a lot of burglaries. You need to generate them randomly, though.

    12. Re:Password manager by Anonymous Coward · · Score: 0

      It's not totally clear to me either, but possibly he's talking about something like this:

      * downloading the script from URL

                https://gallery.technet.microsoft.com/scriptcenter/Get-StringHash-aa843f71

      * choosing one (or more) personal "salting string" (like a "master password")
      * for site "www.cyberspace.tld" you use the script to hash a string which starts/ends with your "salting string" and includes the site domain
      * the resulting hash is your password for that domain
      * to enable generating a sequence of passwords for a domain, append "-1", "-2", etc. to the string you hash to get the password
      * if you keep your salting string secret you can even store your passwords in a text file by storing only the string before hashing with something like %%% inserted where you put your salting string (if this file is exposed, your salting string still needs to be brute forced)

    13. Re: Password manager by Zero__Kelvin · · Score: 1

      That is not true. There are sites run by true security professionals, and my research indicates this is one of them. The fact that Mozilla is partnering up with them would tend to reinforce that conclusion. See also the EFF site. Surely you don't think the EFF is selling your data?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    14. Re:Password manager by Anonymous Coward · · Score: 0

      Oh, sorry... when finding a URL for a string hash script I forgot you're on Apple. Just search for the equivalent (but remember you need to trust it) on whatever platform you are using....

    15. Re:Password manager by Anonymous Coward · · Score: 0

      If he doesn't respond quickly enough, just use 'Have I Been Pwned' to check if he has boned you.

    16. Re:Password manager by higuita · · Score: 1

      https://github.com/simu/passwo...

      store a key, memorize a password and that is mostly it, a different password for all sites that you don't even need to store

      --
      Higuita
    17. Re:Password manager by Anonymous Coward · · Score: 1

      That escalated gracefully.

    18. Re:Password manager by chrish · · Score: 1

      I used to use LastPass, then I switched to EnPass, which I like a lot.

      EnPass is free on desktops, has a reasonable one-time fee on mobile (once per mobile OS), and lets you store your encrypted password blob on your choice of several cloud providers. All encryption/decryption is handled at the client end, so the cloud folks can't access your data at all. They're using AES-128 or AES-256 (can't remember off-hand).

      KeePass would also be a possibility, but I found the clients harder to use than the EnPass client. The last time I tried to use KeePass, the Mac experience was pretty awful (the Mac client was a Mono app)... that may have changed. KeePass is nice because it's open source, if you're inclined to tinker or audit.

      --
      - chrish
    19. Re:Password manager by tsa · · Score: 1

      Finally some useful advice. Thank you chrish! EnPass looks interesting. It works on my iPad and my other devices. And it has a USB plugin option as well, which is handy. The other ones you mentioned don't work on the iPad. So I think EnPass is a good password manager for me.

      --

      -- Cheers!

    20. Re:Password manager by flink · · Score: 1

      Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

      CodeBook is great. I've been using it since it was a Palm III app called STRIP (Secure Tool for Recalling Important Passwords). Their encryption layer is open source, and they support syncing across devices via Dropbox, Google Drive, or local WiFi. It supports TOTP 2FA and will generate Diceware/xkcd style passwords. They have clients for Windows, iOS, Android, and Mac. The desktop version also has an agent that will fill out web form fields for you.

      It's not as slick as some other password managers, but it works for me. $10 per mobile platform and $20 per desktop platform you use it on.

      Here's the iOS store page - says it still supports iOS 9.

    21. Re:Password manager by Anonymous Coward · · Score: 0

      Enter your master password here: 127.0.0.1

    22. Re:Password manager by Hallux-F-Sinister · · Score: 1

      Heh, but the salt thing is old and wrong. Salt as much as you like. The cult TV series Babylon 5 called it back in 1996 or something. And kudos also to South Park for flipping the food pyramid, around three years ago.

      That's just what Big Sodium WANTS you to think. Did you happen to notice that Morton's was a sponsor of Babylon 5?!? At least I think they were... I'd heard they were putting salt in the water, so I have been thumbing my nose at them by drinking seawater instead... ("I'll show YOU," I thought,) and... my head feels funny... is it like, really bright in here? I think I'm going to sit down for a while...

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
  11. l33t h@X0r suckers slashdot nerds by Anonymous Coward · · Score: 0

    Everyone who entered an email addy will now get spammed to death. You stoopid libtards will probably blame Russia. LOL

    1. Re:l33t h@X0r suckers slashdot nerds by Anonymous Coward · · Score: 0

      A sage prognostication from someone who doesn't know how to spell "stupid". Thanks!

      CAPTCHA: "supplies"

    2. Re:l33t h@X0r suckers slashdot nerds by hyades1 · · Score: 1

      You could probably spell better if you took your other hand off your dog's dick.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    3. Re: l33t h@X0r suckers slashdot nerds by Zero__Kelvin · · Score: 1

      Nope. I know many people who have used this site. You are wrong.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  12. Ponyd by Anonymous Coward · · Score: 0

    WTF does Pwned mean? Oh yeah, IT MEANS OWNED. Just say Owned. It's not hard. It has the same amount of letters and it is spelled correctly. Is my email Owned? NO. Is my email address in the wild? Yes. So what? My email address gets exposed twice a day due to whoever I emailed getting harvested via malware. That's what SpamAssassin is for, or gmail junk mail, or outlook junk filter, or whatever. No one provides their real password for their email account with a linkedin form. Please stop pretending Pwned is a real word. It's a gamer misspelled term that shows lack of discipline in the age of memes. Words like Pwned have no real meaning in meatspace, which is where they send your paycheck. How do you pronounce it? Pee-wa-ned? Pa-wo-nd? IT'S FRICKING OWNED. Just say owned. Owned has weight and meaning. Using pwned means you are a tween. Also, woot sucks. You have been owned.

    1. Re:Ponyd by Anonymous Coward · · Score: 0

      WTF does Pwned mean? Oh yeah, IT MEANS OWNED. Just say Owned. It's not hard. It has the same amount of letters and it is spelled correctly. Is my email Owned? NO. Is my email address in the wild? Yes. So what? My email address gets exposed twice a day due to whoever I emailed getting harvested via malware. That's what SpamAssassin is for, or gmail junk mail, or outlook junk filter, or whatever. No one provides their real password for their email account with a linkedin form. Please stop pretending Pwned is a real word. It's a gamer misspelled term that shows lack of discipline in the age of memes. Words like Pwned have no real meaning in meatspace, which is where they send your paycheck. How do you pronounce it? Pee-wa-ned? Pa-wo-nd? IT'S FRICKING OWNED. Just say owned. Owned has weight and meaning. Using pwned means you are a tween. Also, woot sucks. You have been owned.

      ... but, but, but it's being owned ON A COMPUTER. Totally different!

  13. Fix the popup blocker by Anonymous Coward · · Score: 0

    Mozilla, get the basics right, fix the popup blocker.

    1. Re:Fix the popup blocker by higuita · · Score: 1

      Open a bug... either someone found a workaround or a bug; either way you should tell Mozilla in the correct place (bugzilla.mozilla.org), not on a random site on the internet.

      --
      Higuita
  14. Great, but also annoying by ISayWeOnlyToBePolite · · Score: 2

    My mail shows up as pwned. From the details of it, a site concerning a subject I'm not interested in, written in a language I don't speak and surely never registered with was pwned and my password is all over the internet. Eventually finding the file where it's spread, I unsurprisingly find that it's a password I never used.

    Now my mail is "hacked" on a semi-regular basis as my mail address and the password I've never used are included in what to me seem like new compilations of old pwnings.

    For not so surprising reasons my mail cannot be removed from HIBP and surely I can take one for the team, but it's still annoying AF.

    1. Re:Great, but also annoying by stub667 · · Score: 1

      Are you saying HIBP is not GDPR compliant, and refuses to remove your personally identifiable information from its database?

  15. HIBP GDPR Compliancy? by Anonymous Coward · · Score: 0

    How compliant is HIBP to the new GDPR regulations? Do we need a publicly accessible service to say to anyone if there are compromised credentials floating around on the web that could lead to Personally Identifiable Information being retrieved from the affected services that have been previously breached? Is this compliant?

    1. Re:HIBP GDPR Compliancy? by johnsie · · Score: 1

      I'm guessing they are dodging GDPR by basing their data and companies outside the EU. Facebook recently moved millions of user accounts away from Ireland to do similar.

    2. Re:HIBP GDPR Compliancy? by Anonymous Coward · · Score: 0

      Seems that GDPR is directly addressed from the horse's mouth

    3. Re:HIBP GDPR Compliancy? by Anonymous Coward · · Score: 0

      Unsure how it relates to GDPR, but you are able to opt out and have your address removed from anything publicly available (now and in the future): https://haveibeenpwned.com/OptOut

  16. Why are HIBP storing my data? by johnsie · · Score: 1

    Does that not increase the likelihood of my data being pwnd again? Also, are they complying with data protection laws?

  17. Stop integrating bullshit by Anonymous Coward · · Score: 0

    I want a lean Firefox that does not have services integrated. Do it as a removable extension!

  18. What I do to secure email by houghi · · Score: 4, Insightful

    I have my own domain name and I can have unlimited aliases at my hosting company.
    So I have separate addresses for separate websites, companies or other situations.

    e.g. I will have bank.com@example.com, slashdot.org@example.com, spamaddres@example.com, holiday2018@example.com.

    So if bank.com sends me an email, it will be to the address that they know, being bank.com@example.com. If I get an email from them to e.g. spamaddres@example.com or any other address, I know it is not them and thus a fake email. If I get an email to bank.com@example.com and it is NOT from bank.com, I know that they have either been hacked (and not informed me) or sold my address. Neither will be a good thing for their further business with me.

    It is also very easy to filter as it is some sort of two factor verification where both from and to need to be correct.

    And if an email address is compromised, I can just turn it off after I have changed it at the company.

    The only company I was actually getting spam from was ebay. They gave the email address to the sellers and they started spamming me. So no more goods from ebay for me.

    All other companies have behaved so far in the 10+ years I have used this system.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:What I do to secure email by bill_mcgonigle · · Score: 1

      The only company I was actually getting spam from was ebay. They gave the email address to the sellers and they started spamming me. So no more goods from ebay for me.

      Add an ISO date to your format: ebay.com-20180626@example.com. Then when some random person from Shenzhen sells your address you just discontinue that one instead of quitting ebay forever. For bonus points, look for that pattern in your greylister and match on today's date to avoid the initial delay for website signups.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:What I do to secure email by Anonymous Coward · · Score: 0

      I do the same, over 450 email addresses created over the last decade. I've had several hacked. One company (Flushmate), several message boards.

      Well worth the effort though, as I've caught numerous companies selling my email address to marketers.

    3. Re:What I do to secure email by Anonymous Coward · · Score: 0

      Exactly what I do, but shortened ISO date and no TLD: ebay180626@example.com

      Important follow-up step: If you correspond with one of these entities via email, be sure to set up that identity in your mail client. If you don't and respond to their email with a From address of realme@example.com, you're fooked.
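      The scheme from houghi's post and the dated-alias variant from the replies, as an added example that is not the posters' code: a small Python filter that accepts mail only when the To alias is still active and the From domain matches the site encoded in that alias. The alias set, the domain example.com and the sample headers are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

MY_DOMAIN = "example.com"  # domain whose aliases are checked (constructed)
# Active aliases in the thread's "site@example.com" / "site-YYYYMMDD@example.com"
# scheme; retiring an alias is just removing it from this set (constructed).
ACTIVE_ALIASES = {"bank.com", "slashdot.org", "ebay.com-20180626"}
# Local part is "<site>" optionally followed by "-<ISO date>"; the site is the
# domain the mail is expected to come from.
ALIAS_RE = re.compile(r"^(?P<site>[^@]+?)(?:-(?P<date>\d{8}))?$")


def expected_sender(alias_local: str) -> Optional[str]:
    """Return the sender domain an alias encodes, or None if it does not parse."""
    m = ALIAS_RE.match(alias_local)
    return m.group("site").lower() if m else None


def classify(raw_message: str) -> str:
    """Classify one message as 'ok', 'sender-mismatch' or 'unknown-alias'."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    to_local, _, to_domain = to_addr.rpartition("@")
    from_domain = from_addr.rpartition("@")[2].lower()
    # Mail to a retired or never-issued alias: nothing legitimate uses it.
    if to_domain.lower() != MY_DOMAIN or to_local not in ACTIVE_ALIASES:
        return "unknown-alias"
    site = expected_sender(to_local)
    # Both sides must match: the right alias AND the site it was issued to
    # (subdomains such as mail.bank.com count as the site).
    if site and (from_domain == site or from_domain.endswith("." + site)):
        return "ok"
    # Alias is genuine but the sender is not the site: leaked, sold or spoofed.
    return "sender-mismatch"


# Constructed sample headers, not real mail.
SAMPLES = {
    "legit": "From: alerts@mail.bank.com\nTo: bank.com@example.com\n\nstatement\n",
    "phish": "From: support@bank-secure.biz\nTo: bank.com@example.com\n\nverify now\n",
    "leak": "From: deals@randomshop.invalid\nTo: ebay.com-20180626@example.com\n\nbuy\n",
    "retired": "From: x@y.invalid\nTo: holiday2018@example.com\n\nhello\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
```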

  19. postmaster @ slashdot.org by pigsycyberbully · · Score: 0

    postmaster @ slashdot.org Oh no — pwned! Pwned on 1 breached site and found no pastes (subscribe to search sensitive breaches)
    Go to the site, put in an e-mail address and it will say it has been "pwned," when in actual fact it has not been; they are using spam bot databases which add postmaster to every domain name. Also when you first enter the site it will declare that whatever e-mail address you enter has been "pwned." Try it for yourself: try BillyNoMates @ NoMates . com .uk co. uk

    1. Re:postmaster @ slashdot.org by ebvwfbw · · Score: 1

      The e-mail users that I have posted to a public area are all on that list, no pastes. So they don't have my password. Same as slashdot's postmaster.

  20. Obligatory by Anonymous Coward · · Score: 0

    Hey! that's the SHA1 of my luggage!

  21. WebEagle Already Scans Dark Web by NehaSen · · Score: 1

    This is good news and good to know that Mozilla is improving. Though, WebEagle - https://webeagle.com/ has already been helping web users by exposing data breaches for a very long time. WebEagle is an integrated web technology that monitors all forms of hacking activities, dark web, underground forums of hackers and hackers' database, to notify the web users in time, if and when their accounts are hacked or their data is leaked. Users can even buy WebEagle's security services based on their individual requirements, wherein WebEagle diligently scans every activity that happens around your accounts. Best, Neha Communication Manager at WebEagle

  22. Stop "integrating" so much stuff by markdavis · · Score: 1

    I wish they would stop "integrating" more and more stuff into Firefox. The whole point of Firefox was to be small and fast and configurable. This is yet another example of something that probably should be an addon. Even if they BUNDLE the addon, at least it gives the option to remove it if wanted or needed for some reason.

    1. Re:Stop "integrating" so much stuff by Anonymous Coward · · Score: 0

      They broke extensions and still aren't done writing a new extension API. Of course the things we don't want are going to be integrated and not extensions.

      Pocket, sync, now this... All should be extensions that aren't installed by default, but instead, if there's even one of them you don't want to install, you'll just have to download a browser that cares about users.

  23. A good test by Anonymous Coward · · Score: 0

    I entered all my email addresses because I figured the best thing to do is whatever is the opposite of what slashdot tells me I should do. No, really.

  24. How recent is the information? by Anonymous Coward · · Score: 0

    I am pretty sure a lot of stuff is on lists somewhere, but how old is that information? Was it an old password from a decade ago when someone hacked my information? Or was it more recent, like a few months ago? What about dual authentication that many sites use now? I know myself a year or more ago I started dropping forums, blogs and sites like Disqus to protect my information from being hacked in the first place. Also I think Firefox is bloating into a massive pile of browser muck like Opera tried to do. Be all things to all people, and it failed.

  25. Puts the ass in password by Impy+the+Impiuos+Imp · · Score: 1

    "You've been pwned! (Mealy-mouthed words about nebulous undergrounds with your email and hash or something something com-pleet something something trading)"

    So...was it an ancient MMO I played for 2 months a decade ago, or is it a major email provider for my master account?

    Dunno, just sign up for password1.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  26. Entered my address into HIBP ... by PPH · · Score: 1

    ... and it replied "You have now."

    --
    Have gnu, will travel.
  27. INSECURE as fuck. Reverse lookup == YOUR PASSWORD by Anonymous Coward · · Score: 0

    INSECURE as fuck.

    Reverse lookup == YOUR PASSWORD

  28. Low quality by manu0601 · · Score: 1

    I searched my addresses with Have I Been Pwned, and I get breaches from services I never used. That sounds like low quality stuff.

    The funniest point is a report about a password leak for an address whose account has no password (only an RSA key).

  29. People still use Firefox? by Anonymous Coward · · Score: 0

    Must be some real masochists out there.

    Firefox 57 was the last straw for me, and what finally drove me away after years of steady decline in quality and usability. Fuck em.

  30. Great way to collect email addresses! by sproketboy · · Score: 1

    ntr