Slashdot Mirror


'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password (troyhunt.com)

Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.

10 of 111 comments

  1. I have been pwned by Master+Moose · Score: 3, Funny

    Looks like my junk address that I set up for all my junky things has been junked!

    --
    . . .gone when the morning comes
  2. To check if your password has been pwned by piojo · Score: 4, Informative

    To check if your password has been pwned without submitting it to them, find the sha1sum of the password, then use their API to check it. For example:

    sha1sum: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    first five characters: 5baa6
    the remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8

    Use the prefix to visit their API:
    https://api.pwnedpasswords.com...

    Then search for the remaining characters in the page shown.

    (I suspect even if you use the web form, it will only submit the sha1sum, but this is still safer.)

    --
    A cat can't teach a dog to bark.
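    An added example (not the commenter's or HIBP's code) that carries out the check described above in Python: SHA-1 the password, split the digest after five characters, build the query for the prefix only, and look for the suffix in the returned list locally. The `/range/` path is assumed from the public Pwned Passwords API documentation, and the response body is a constructed sample, not real API output.

```python
import hashlib
from typing import Dict, Tuple

# Range endpoint of the Pwned Passwords API (path assumed from its public docs).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """SHA-1 the password; return the 5-char prefix that is sent to the API
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """Build the k-anonymity query URL: only the hash prefix is revealed."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_URL + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, response_body: str) -> int:
    """How many times the password's hash appears in the range response
    (0 means the suffix is not listed under its prefix)."""
    _, suffix = split_sha1(password)
    return parse_range_response(response_body).get(suffix, 0)


# Constructed sample of a range response (made up for this example, not real
# data); the middle line is the suffix of sha1("password") from the comment.
SAMPLE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
0E3CC08E7F9D8A1B2C3D4E5F60718293A4B:7
"""

if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("query only this prefix:", range_url(prefix))
    print("listed", pwned_count("password", SAMPLE_RESPONSE), "times in the sample")
```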
    1. Re:To check if your password has been pwned by piojo · Score: 3, Informative

      If they have your password, it is your password regardless of where they got it. Certainly if the password was part of a valid username/password pair, it's more problematic, but if the password is in this list, it will be relatively easy to crack. Being in this list is like being in a dictionary—it is likely that a cracker will try it if he makes a serious attempt to break into your account.

      --
      A cat can't teach a dog to bark.
    2. Re:To check if your password has been pwned by higuita · Score: 2

      If the password is in the list of known passwords, it does not matter whether it is yours or not; those are the passwords that bruteforce tools will try first... you know, testing one million passwords is a lot quicker than testing several trillion passwords.

      --
      Higuita
    3. Re: To check if your password has been pwned by Zero__Kelvin · Score: 2

      It is a myth that you can usually brute force a login system. That hasn't been a thing since they invented password shadowing. Any decent online system will have methods to make it impossible as well.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Password manager by tsa · Score: 2

    Which password manager do you recommend? 1Password doesn't work on my old iPad with iOS 9, so that one is ruled out. Besides, I'd rather pay for a password manager than use a free one because 'free' means: "We know exactly which websites you visit and will sell this data gladly to everybody we meet."

    --
    -- Cheers!

  4. Great, but also annoying by ISayWeOnlyToBePolite · Score: 2

    My mail shows up as pwnd. From the details of it, a site concerning a subject I'm not interested in, written in a language I don't speak and surely never registered with was pwnd and my password is all over the internet. Eventually finding the file where it's spread I unsurprisingly find that it's a password I never used.

    Now my mail is "hacked" on a semi regular basis as my mail address and the password I've never used is included in what to me seems like new compilations of old pwnd's.

    For not so surprising reasons my mail cannot be removed from HIBP and surely I can take one for the team, but it's still annoying AF.

  5. What I do to secure email by houghi · Score: 4, Insightful

    I have my own domain name and I can have unlimited aliases at my hosting company.
    So I have separate addresses for separate websites, companies or other situations.

    e.g. I will have bank.com@example.com, slashdot.org@example.com, spamaddres@example.com, holiday2018@example.com.

    So if bank.com sends me an email, it will be to the address that they know, being bank.com@example.com. If I get an email from them to e.g. spamaddres@example.com or any other address, I know it is not them and thus a fake email. If I get an email to bank.com@example.com and it is NOT from bank.com I know that they have either been hacked (and not informed me) or sold my address. Neither will be a good thing for their further business with me.

    It is also very easy to filter as it is some sort of two factor verification where both from and to need to be correct.

    And if an email address is compromised, I can just turn it off after I have changed it at the company.

    The only company I was actually getting spam from was ebay. They gave the email address to the sellers and they started spamming me. So no more goods from ebay for me.

    All other companies have behaved until now, for the 10+ years I have used this system.

    --
    Don't fight for your country, if your country does not fight for you.
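    An added example (not the commenter's own code) of the "both From and To need to be correct" filter described above, in Python; `example.com` and the alias list are placeholders standing in for the commenter's domain and aliases. It also covers the other case the comment mentions: a throwaway alias receiving mail that claims to come from a company it was never given to.

```python
import email.utils

MY_DOMAIN = "example.com"  # placeholder for the commenter's own domain
# Aliases tied to one expected sender: the local part names the sender's domain.
TRACKED = {"bank.com", "slashdot.org"}


def _matches(domain: str, expected: str) -> bool:
    """True for the expected domain or a subdomain (mail.bank.com), but not
    for a look-alike such as bank.com.evil.net."""
    return domain == expected or domain.endswith("." + expected)


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header value."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header: str, to_addr: str) -> str:
    """Apply the comment's rule: From and To have to line up with each other."""
    local, _, domain = to_addr.lower().rpartition("@")
    if domain != MY_DOMAIN:
        return "not-my-domain"
    actual = sender_domain(from_header)
    if local in TRACKED:
        # Mail to bank.com@ must come from bank.com; anything else means the
        # alias was leaked, sold, or the company was breached.
        return "expected" if _matches(actual, local) else "alias-leaked"
    # A throwaway alias (spamaddres@, holiday2018@) that receives mail claiming
    # to be from a tracked company was never given to that company: fake.
    if any(_matches(actual, t) for t in TRACKED):
        return "spoofed"
    return "untracked"
```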
  6. Re: Don't need no Have I Been Pwned by Zero__Kelvin · Score: 3, Informative

    And those of us with an actual clue know that while much less likely than the layman's case we have no way to be 100% certain we *haven't* been owned. Yours is a mild case of Dunning-Kruger I'm afraid.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Re:Have I been Pwned? by thegarbz · Score: 4, Informative

    Want to know if you've been pwned? Enter your email address right here to start receiving junk mail.

    I signed up to this. I have received:
    On the day of signup: 1 confirmation email.
    5 months later: an email notification about a breach.

    That was years ago. If this is the source of your junk mail then you must have the cleanest damn email inbox in the entire world.