'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password (troyhunt.com)
Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.
To check if your password has been pwned without submitting it to them, find the sha1sum of the password, then use their API to check it. For example:
sha1sum: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
first five characters: 5baa6
the remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8
Use the prefix to visit their API:
https://api.pwnedpasswords.com...
Then search for the remaining characters in the page shown.
(I suspect even if you use the web form, it will only submit the sha1sum, but this is still safer.)
A cat can't teach a dog to bark.
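The lookup described in the comment above, as an added Python example that is not part of the original thread: the password is hashed locally, only the five-character prefix is handed to a fetch function, and the suffix is matched against the returned `SUFFIX:COUNT` lines. The function names, `fake_fetch` and the sample response (with made-up counts) are constructed for illustration, and the HTTP request itself is left to the caller so the block runs offline.

```python
import hashlib


def split_sha1(password):
    """Hash locally; return (5-char prefix, 35-char suffix) as upper-case hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():  # handles both \r\n and \n line endings
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Return how many times the password is listed; 0 means not listed."""
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)  # only these 5 hex characters leave the machine
    # A listed suffix with count 0 (padding) is treated the same as no match.
    return parse_range_body(body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6; suffixes other than the
# second line and all counts are made up.
SAMPLE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E2AAA439972480CEC7F16C795BBB429372:0\r\n"
)


def fake_fetch(prefix):
    """Hypothetical stand-in for the HTTP request to the range API."""
    return SAMPLE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(split_sha1("password"))
    print(pwned_count("password", fake_fetch))
```
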
And those of us with an actual clue know that while much less likely than the layman's case we have no way to be 100% certain we *haven't* been owned. Yours is a mild case of Dunning Kruger I'm afraid.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.
I signed up to this. I have received:
On the day of signup: 1 confirmation email.
5 months later: an email notification about a breach.
That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.