'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password

Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.

I have been pwned

[Master+Moose]

Looks like my junk address that I set up for all my junky things has been junked!

Have I been Pwned?

[dohzer]

Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

Re:Have I been Pwned?

I'lll get to it in a minute; right now im still busy uploading nudes to facebook...

Re:Have I been Pwned?

[thegarbz]

Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

I signed up to this. I have received:
On the day of signup: 1 confirmation email.
5 months later: an email notification about a breach.

That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.

Re:Have I been Pwned?

Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

I signed up to this. I have received:
On the day of signup: 1 confirmation email.
5 months later: an email notification about a breach.

That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.

I concur. I have only received a confirmation mail for each account I registered. Of course, that will all change once HIBP gets Pwned.

To check if your password has been pwned

[piojo]

To check if your password has been pwned without submitting it to them, find the sha1sum of the password, then use their API to check it. For example:

sha1sum: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
first five characters: 5baa6
the remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8

Use the prefix to visit their API:
https://api.pwnedpasswords.com...

Then search for the remaining characters in the page shown.

(I suspect even if you use the web form, it will only submit the sha1sum, but this is still safer.)

Re:To check if your password has been pwned

[butzwonker]

Sha1 is not even considered secure any longer...

Re:To check if your password has been pwned

[johnsie]

Assuming you're dumb enough to use the same password for multiple sites.

Re:To check if your password has been pwned

[piojo]

If they have your password, it is your password regardless of where they got it. Certainly if the password was part of a valid username/password pair, it's more problematic, but if the password is in this list, it will be relatively easy to crack. Being in this list is like being in a dictionary—it is likely that a cracker will try it if he makes a serious attempt to break in to your account.

Re:To check if your password has been pwned

[higuita]

If the password is in the list of known passwords, do not matter if it is yours or not, those are the passwords that bruteforce tools will try first... you know, testing one million passwords is way lot quicker than testing several trillion of passwords

Re:To check if your password has been pwned

[higuita]

it is not secure as it may be possible to create hash collisions with some time... but to hash a passwords is still perfectly save, you can't reverse a hash to get the password and bruteforce it is still a huge amount of combinations

Re: To check if your password has been pwned

[Zero__Kelvin]

It is a myth that you can usually brute force a login system. That hasn't been a thing since they invented password shadowing. Any decent online system will have methods to make it impossible as well.

Re: To check if your password has been pwned

No you donâ(TM)t brute force a remote login session. You copy the passwd database locally and brute force it there.

Re: To check if your password has been pwned

[higuita]

bingo!

Re:To check if your password has been pwned

[Dragonslicer]

it is not secure as it may be possible to create hash collisions with some time... but to hash a passwords is still perfectly save, you can't reverse a hash to get the password and bruteforce it is still a huge amount of combinations

No, it isn't considered safe, because computers can compute SHA1 hashes fast enough to make brute force attacks feasible. You should be using computationally-intensive algorithms such as PBKDF2, bcrypt, etc.

Re: To check if your password has been pwned

[Zero__Kelvin]

The sad thing is many people will read what you wrote without laughing.

Re: To check if your password has been pwned

[Zero__Kelvin]

No, not "Bingo". If you have that kind of access you are already in and don't need passwords.

Re: To check if your password has been pwned

[Zero__Kelvin]

You just switched to a completely different subject. The discussion is about secure systems and system security in theory. Your argument amounts to "You can't create a secure system that way because there are insecure systems that exist"

Re: To check if your password has been pwned

[higuita]

let me check, i found a SQL injection in some random site, i dump the user emails and passwords, i crack then, i find some good auth pairs and now i will login to other totally different places.

I do not care if linkedin or adobe was hacked... but i do care about the info stolen, that can open million of accounts in millions of other sites to hackers and god knows what that may open (vpns, private files, auth data, inject trojans, send phishing attacks from known contacts)

so no, hacking a forum server will not give you all that, but hacking passwords could do it

Re:To check if your password has been pwned

[higuita]

a password that match a sha1 hash may not be the password that generated that hash ... but yes, they should improve that

Re: To check if your password has been pwned

[Zero__Kelvin]

Again, nobody was arguing that password reuse was a good idea, and that is literally a different subject. You may be too new to the scene to understand how effective "John the Ripper" style offline cracking techniques were in general, and why they invented password shadowing to close the attack vector.

Re: To check if your password has been pwned

[higuita]

who is talking about system accounts? to "login" to a account is not only login to a system account, it is also login to any web site. :)
i know no password shadowing in web systems, as protection of SQL injections attacks or hacked machines dumping the database

What?

[owenferguson]

Why do I care if someone else mishandles the unique bullshit I gave them once upon a time. Surely, if I were stupid enough to use my email address as ID on someone else's computer, they would have a moral responsibility to use that email and contact me to let me know about the breach. If not, why do they want my email in the first place?

Re:What?

[higuita]

fine, you are one of the few that really create good passwords... yet almost everyone i know that are not tech pros use stupid simple passwords, reuse passwords all over the place and do not understand security. This tool is for then, to help then understand that sites get hacked, passwords stolen and they should change passwords and not reuse passwords

Don't need no Have I Been Pwned

[Rosco+P.+Coltrane]

Those of us who are security-conscious know they haven't been pwned. Those who don't use weak passwords, reuse the same password across multiple logins, and submit their email addy on random websites for more pwnage.

Re: Don't need no Have I Been Pwned

[Zero__Kelvin]

And those of us with an actual clue know that while much less likely than the layman's case we have no way to be 100% certain we *haven't* been owned. Yours is a mild case of Dunning Kruger I'm afraid.

Re:Don't need no Have I Been Pwned

[higuita]

right, because you audit and configure all the sites you use, to make sure they aren't also hacked and your data stolen...

if you were really security-conscious guy, you would never said something like that

Re:Don't need no Have I Been Pwned

[Bob+the+Super+Hamste]

While I do take proper measures to protect my data it seems that a lot of sites and businesses don't seem to care. There was one financial company that I dealt with that clearly stores passwords in plain text. I had to call them to get an issue resolved and there the person on the other end of the phone asked for my password as confirmation that I was who I said I was. Needless to say the accounts I had there are no longer there. I did similar test with the new financial company to see if they screwed it up that badly and while I can't be sure they at least didn't ask for my password over the phone. Then again they all seem to use your name and last 4 of SSN as good enough authentication.

At this point even though I take steps to protect myself I just assume that those who have my data aren't protecting it properly and it will leak. So with this mindset good personal security measures mean that all I am able to do is limit the damage. A better way of thingking would be :
"Those of us who are security-conscious assume we will get pwned"

Re:Don't need no Have I Been Pwned

[aaarrrgggh]

Fundamentally disagree. I use secure site passwords with a few exceptions, but they are stored somewhere, and I have a few "systems" depending on risk.

But, if someone knows the root of my system, they could easily brute force a number of passwords.

Or, they could hack my wife's iPad which has all my super-secure passwords in plain text...

There is always a weak link, and that list of weaknesses is likely less than 30-50 things.

Have Jehovah's Witnesses taken over 1Password?

[tepples]

As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts

Has the Watchtower Bible and Tract Society taken over 1Password? I wouldn't trust that organization with my online accounts for several reasons.

Re: Have Jehovah's Witnesses taken over 1Password?

[bestweasel]

The JWs noticed those wacky Mormons adding billions of names to their books and wanted a slice of the holy database action, so now, according to researcher Orla Long, The Watchtower is being used to amass email addresses to save souls via the internet.

Password manager

[tsa]

Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

Re:Password manager

[Dwedit]

How about client-side salted hashes? Nobody can randomly guess something like 63DA4171F2D985441F1AE0C4F3C2AA27 as a password.

Re:Password manager

Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

Apple's. (Safari's) Since my computer is Apple, pretty sure Apple would already have access to this info anyway, so I'm minimizing the number of systems I'm obliged to trust.

If you are interested in maximum security and privacy in your online doings and your life, follow these simple steps and practices... (note that the degree of security and privacy goes up as the list proceeds, but at the same time they also get to be increasingly impractical for most people to do, and especially to have something resembling a useable internet surfing experience if you do them):
1. Don't use your any part of your real name in your user name.
2. Give a bogus name when you sign up rather than real.
3. Give a bogus DOB if they demand one, (you don't need to know when I was born, this is just so you can ask and I can tell you; I keep a copy of what I told whom (and redundant backups) so if they ever ask, I can retrieve the info).
4. Use this user name (and the password assoc. with it) on ONE. WEBSITE. ONLY. Create alternates for each other website or service you use, in no way resembling or related to each other.
5. Use a unique e-mail address when you sign up for the account in question, so that any e-mail address you have is only associated with one thing.
6. Change passwords regularly.
7. Start a business in Delaware and use THAT to form shell companies, and use THEM for things like getting PO Boxes and for leasing or renting apartments and/or vehicles... okay, admittedly, we've gone from reasonable to batshitcrazy levels of security, because... yeah.
8. burn off your fingerprints and have your irises surgically removed, and get plastic reconstructive surgery every two years to alter your appearance, then start an underground boxing club with a set of rules all members are obliged to follow, the first two of which, (redundantly,) are both that you can't discuss the club in question with anyone.
9. Move to a tropical rainforest jungle and live in a cave, as a hermit, have your voice box removed, and never speak to anyone again.
10. Die. No one will every bother you again, or at least if they do, you won't care.
Oh, and 11... when posting inane shit on slashdot, click "Post Anonymously".

Re:Password manager

[tsa]

I have no idea what you are talking about. I'm a chemist, not a computer scientist.
Can you explain?

Re:Password manager

[Hallux-F-Sinister]

How about client-side salted hashes? Nobody can randomly guess something like 63DA4171F2D985441F1AE0C4F3C2AA27 as a password.

If you salt your hashes too much, you do run an increased risk of hypertension, stroke, and even death. Word to the wise. ;-p I know they taste better that way, but it's important to exercise restraint. Instead of salt, (or in addition to a pinch, in proper moderation,) if you add some freshly ground black pepper and some butter... mmmmmm.... what were we talking about again?

Re:Password manager

[Bongo]

Heh, but the salt thing is old and wrong. Salt as much as you like.

The cult TV series Babylon 5 called it back in 1996 or something.
And kudos also to South Park for flipping the food pyramid, around three years ago.

Re: Password manager

[Zero__Kelvin]

That is not true. There are sites run by true security professionals, and my research indicates this is one of them. The fact that Mozilla is partnering up with them would tend to reinforce that conclusion. See also the EFF site. Surely you don't think the EFF is selling your data?

Re:Password manager

[higuita]

https://github.com/simu/passwo...

store a key, memorize a password and that is mostly it, a different password for all sites that you don't even need to store

Re:Password manager

That escalated gracefully.

Re:Password manager

[chrish]

I used to use LastPass, then I switched to EnPass, which I like a lot.

EnPass is free on desktops, has a reasonable one-time fee on mobile (once per mobile OS), and lets you store your encrypted password blob on your choice of several cloud providers. All encryption/decryption is handled at the client end, so the cloud folks can't access your data at all. They're using AES-128 or AES-256 (can't remember off-hand).

KeePass would also be a possibility, but I found the clients harder to use than the EnPass client. The last time I tried to use KeePass, the Mac experience was pretty awful (the Mac client was a Mono app)... that may have changed. KeePass is nice because it's open source, if you're inclined to tinker or audit.

Re:Password manager

[tsa]

Finally some useful advice. Thank you Crish! Enpass looks interesting. It works on my iPad and my other devices. And it has a USB plugin option as well, which is handy. The other ones you mentioned don't work on the iPad. So I think EnPass is a good password manager for me.

Re:Password manager

[flink]

Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

CodeBook is great. I've been using it since it was a Palm III app called STRIP (Secure Tool for Recalling Important Passwords. Their encryption layer is open source, and they support syncing across devices via Dropbox, Google Drive, or local WiFi. It supports TOTP 2FA and will generate Diceware/xkcd style passwords. They have clients for Windows, iOS, Android, and Mac. The desktop version also has an agent that will fill out web form fields for you.

It's not a slick as some other password managers, but it works for me. $10 per mobile platform and $20 per desktop platform you use it on.

Here's the iOS store page - says it still supports iOS 9.

Re:Password manager

[Hallux-F-Sinister]

Heh, but the salt thing is old and wrong. Salt as much as you like. The cult TV series Babylon 5 called it back in 1996 or something. And kudos also to South Park for flipping the food pyramid, around three years ago.

That's just what Big Sodium WANTS you to think. Did you happen to notice that Morton's was a sponsor of Babylon 5?!? At least I think they were... I'd heard they were putting salt in the water, so I have been thumbing my nose at them by drinking seawater instead... ("I'll show YOU," I thought,) and... my head feels funny... is it like, really bright in here? I think I'm going to sit down for a while...

Re:l33t h@X0r suckers slashdot nerds

[hyades1]

You could probably spell better if you took your other hand off your dog's dick.

Great, but also annoying

[ISayWeOnlyToBePolite]

My mail shows up as pwnd. From the details of it, a site concerning a subject I'm not interested in, written in a language I don't speak and surely never registered with was pwnd and my password is all over the internet. Eventually finding the file where it's spread I unsurprisingly find that it's a password I never used.

Now my mail is "hacked" on a semi regular basis as my mail adress and the password I've never used is included in what to me seems like new compilations of old pwnd's

For not so surprising reasons my mail cannot be removed from HIBP and surely I can take one for the team, but it's still annoying AF.

Re:Great, but also annoying

[stub667]

Are you saying HIBP is not GDPR compliant, and refuses to remove your personally identifiable information from its database?

Why are HIBP storing my data?

[johnsie]

Does that not increase the likelihood of my data being pwnd again? Also, are they complying with data protection laws?

Re:HIBP GDPR Compliancy?

[johnsie]

I'm guessing they are dodging GDPR by basing their data and companies outside the EU. Facebook recently moved millions of user accounts away from Ireland to do similar.

What I do to secure email

[houghi]

I have my own domain name and I can have unlimited aliasses at my hosting company.
So I have separate addresses for separate websites, companies or other situations.

e.g. I will have bank.com@example.com, slashdot.org@example.com, spamaddres@example.com, holiday2018@example.com.

So if bank.com sends me an email, it will be to the address that they know, being bank.com@example.com. If I get an email from them to e.g. spamaddres@example.com or any other address, I know it is not them and thus a fake email. If i get an email to bank.com@example.com and it is NOT from bank.com I know that they have either been hacked (and not informed me) or sold my address. Neither wil be a good thing for their further business with me.

It is also very easy to filter as it is some sort of two factor verification where both from and to need to be correct.

And if an email address is compromised, I can just turn it off after I have changed it at the company.

The only company I was actually getting spam from was ebay. They gave the email address to the sellers and they started spamming me. SO no more goods from ebay for me.

All other companies behaved till now for the last 10+ years I use this system.

Re:What I do to secure email

[bill_mcgonigle]

The only company I was actually getting spam from was ebay. They gave the email address to the sellers and they started spamming me. SO no more goods from ebay for me.

Add an ISO date to your format. ebay.com-20180626@example.com . Then when some random person from Shenzhen sells your address you just discontinue that one instead of quitting ebay forever. For bonus points look for that pattern in your greylister and match on today to avoid initial delay for website signups.

WebEagle Already Scans Dark Web

[NehaSen]

This is a good news and good to know that Mozilla is improving. Though, WebEagle - https://webeagle.com/ has already been helping web users by exposing data breaches for a very long time. WebEagle is an integrated web technology that monitors all forms of hacking activities, dark web, underground forums of hackers and hackers' database, to notify the web users in time, if and when their accounts are hacked or their data is leaked. Uers can even buy WebEagle's securty services basis their individual requirements, wherein, WebEagle deligently scans every activity that happens around your accounts. Best, Neha Communication Manager at WebEagle

Re: l33t h@X0r suckers slashdot nerds

[Zero__Kelvin]

Nope. I know many people who have used this site. You are wrong.

Stop "integrating" so much stuff

[markdavis]

I wish they would stop "integrating" more and more stuff into Firefox. The whole point of Firefox was to be small and fast and configurable. This is yet another example of something that probably should be an addon. Even if they BUNDLE the addon, at least it gives the option to remove it if wanted or needed for some reason.

Re:Have I been Pwned is garbage

[higuita]

1 - not all accounts on yahoo were hacked... and i do not know if the list of hacked users was even public at any time
2 - just because you do know some sites it doesn't mean that you were not there... some user DBs are simply stolen (like spam) or acquired when one company buys another, so you data may end in a totally different company/site that may have been hacked at sometime.
3 - just because you were drunk when you created that myspace account and do not remember, does not mean that you had no account! :D
    more seriously, probably someone refereed your email and you got a invite... the account was half created, waiting for you to click to enable it. Even if you didn't accept the invite and have no password, there is some info about you there. EU GDPR may help you here in the future, as keeping data without user concent is a big no-no and most sites must expire and remove those temporary accounts
4 - adobe is strange, either they got you contact via macromedia or other acquired company or you sometime entered your email to download something (even for a friend or parent)

notice that this is not a Firefox DB, this is a DB made by a security guy that parsed all public hacked lists with users and password and created a public DB and API... if the site says he got your email from those hacks, unless there is a big bug, for sure your data was posted in some public (darknet or not) site ... if you search well, you may even find yourself. Firefox is just making easier for normal people to understand that their "reused" password is not safe anymore

Puts the ass in password

[Impy+the+Impiuos+Imp]

"You've been pwned! (Mealey-mouthed words about nebulous undergrounds with your email and hash or something something com-pleet something somrthing trading)"

So...was it an ancient MMO I played for 2 months a decade ago, or is it a major email provider for my master account?

Dunni just sign up for password1.

Entered my address into HIBP ...

[PPH]

... and it replied "You have now."

Re:Fix the popup blocker

[higuita]

open a bug... either someone found a workaround or a bug, either way you should tell mozilla on the correct place (bugzilla.mozilla.org), not on a random site in the internet

Low quality

[manu0601]

I searched my addresses with Have I Been Pwned, and I get breaches from services I never used. That sounds low quality stuff.

The funniest point is report about password leak for an address for which the account has no password (only RSA key)

Great way to collect email addresses!

[sproketboy]

ntr

Re:postmaster @ slashdot.org

[ebvwfbw]

The e-mail users that I have posted to a public area are all on that list, no pastes. So they don't have my password. Same as slashdot's postmaster.