daveguy · 6 years ago
Firefox is using the wonderful haveibeenpwned resource. There is also a public API for haveibeenpwned if you want to incorporate it into your own clients:

https://haveibeenpwned.com/API/v2

Please note rate limits/ abuse policy so everyone can use:

https://haveibeenpwned.com/API/v2#RateLimiting

(I am not affiliated)

Deimorz · 6 years ago
Probably worth noting that Have I Been Pwned is now up for sale: https://www.troyhunt.com/project-svalbard-the-future-of-have...

I've always been a huge fan of the project (and Troy) and understand that it's gotten to a point where he can't keep running it as a spare-time project, but I'm still not very happy about seeing it being shopped around. I can't see how this type of service needing to find a way to become a business will be a good thing overall, especially when it keeps getting integrated into other programs and services like this. Troy pledges that nothing will change, but every company getting acquired does that, and then things change anyway.

The best result would probably be something like Mozilla buying it and/or paying Troy to just keep doing what he's doing.

denzil_correa · 6 years ago
> The best result would probably be something like Mozilla buying it and/or paying Troy to just keep doing what he's doing.

Mozilla could very well be one of the potential candidates for HIBP ownership.

prepend · 6 years ago
This is why I never check passwords against haveibeenpwned. The idea of sending your passwords to a third party is pretty crazy. Even when I knew the owner and trusted him, there’s no way I’d know everyone with access. And now the site could be sold to someone like Google and God knows what they would do with all that traffic.

I used to download the whole file and check locally, but it’s too much of a pain to do consistently.

Mirioron · 6 years ago
I would even say that a project like this should be run by the government(s). I get that foreign politics would wreak havoc there, but governments have to deal with data breaches anyway.

mike-cardwell · 6 years ago
I was a fan of the project. But when it went up for sale, I contacted him to ask for my details to be removed from his db (re the auto-notification stuff), and didn't get any response.

I'm no longer a fan.

Guess I shouldn't have trusted him with my personal information.

jakejarvis · 6 years ago
1Password uses the HIBP API too [0] which has actually saved me a few times.

The mechanics behind the v2 API (using k-anonymity with hashes [1]) are pretty interesting too. Troy has clearly put a lot of thought and time into what started as a pet project a few years ago and should be infinitely commended!

[0] https://blog.1password.com/finding-pwned-passwords-with-1pas...

[1] https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

waynesonfire · 6 years ago
I just read through 1Password release notes [0], "Addressed a bug in the new popup where items were checked for vulnerable passwords even if you hadn't opted in to the Have I Been Pwned service." which also links to a KB article that talks about the security risks of HIBP [1]

I would be very concerned if my credentials are being shared in _any_ form with 3rd parties without my explicit permissions.

I hope this firefox feature is disabled by default.

[0] https://app-updates.agilebits.com/product_history/B5X

[1] https://support.1password.com/kb/201907/

cablej · 6 years ago
There are fundamental privacy risks to using the HIBP Pwned Passwords service which should be considered when implementing it. See my writeup here — https://cablej.io/blog/k-anonymity/. In short, despite claims of protecting privacy, a malicious server can recover user passwords in some cases even if they haven’t previously been compromised.

euroclydon · 6 years ago
One thing HIBP does is match a password against a list of half a billion leaked passwords without regard for the username portion of the credentials. They do it because of the NIST guidance to compare credentials to known data leaks. The same NIST whose previous guidance was a complicated password entropy algorithm, which they later dropped.

I've always questioned the logic of making 500,000,000 passwords off limits when no connection is made to the username. Work-factor hashing algorithms, rate limiting, account locking and 2FA are supposed to protect users from brute force attacks. I think they can handle an attack based on 500 million possibilities.

Now, if they matched the username/password pair, that would be great.

bradknowles · 6 years ago
The thing is that all of the passwords in his database, are ones that the blackhats already know. As in, they not only have the hashes, but the full in-the-clear passwords. His sources for these lists are blackhats themselves, who happen to leak their copies of their password lists, one way or the other.

And all the major password cracking tools will typically try all the known bad passwords, before they try anything else. And they'll try all known likely variants, before making any potential brute-force attempts.

So, it doesn't matter if the password you want to use is on this list and you want to use it anyway, just because it has never been associated with your userid.

The simple fact that you're trying to use a known bad password that has ever been used before by anyone else, is enough to increase by many, many orders of magnitude the likelihood that someone will be able to crack your new favourite password.

Bad passwords are simply bad, regardless of who tries to use them. Some are worse than others, but they're all bad.

This aspect of HIBP helps you discover if any of your passwords have ever been cracked by anyone, and therefore now on the list of known bad passwords.

tomschlick · 6 years ago
The results show how often it was breached, so you could always just blacklist passwords leaked more than 100 times or so. The really dangerous ones are the "common" one-word passwords used hundreds of thousands of times.

AznHisoka · 6 years ago
OK, enough is enough. I'm switching to Firefox now.

Protip to Firefox: Advertise this feature more. The other stuff I don't really care about, and it didn't really convince me to move to Firefox. Fear is an excellent motivator, however.

mevile · 6 years ago
Try and give Firefox Containers a test too. It's a Firefox extension made by Mozilla that creates separate environments where cookies and session data are not shared. It's a great feature I never want to do without. I use it to create a wall between work and personal web browsing.

Vinnl · 6 years ago
Handy link: https://addons.mozilla.org/en-US/firefox/addon/multi-account...

(+endorsement: it's a really great feature for power users)

nimajneb · 6 years ago
Thanks, I'm going to try to set this up after work.

numbers · 6 years ago
You will be happy with the move. If you're coming from Chrome, most extensions/add-ons are available on Firefox, so the transition was not tough for me. There are some things like getting used to the dev tools, but that shouldn't be too bad :)

vorpalhex · 6 years ago
I switched about two weeks ago. I had a few things I toggled in `about:config` but otherwise have been very happy. I appreciate how well Firefox works out of the box.

Mirioron · 6 years ago
Can I use my own custom addons with Firefox? Or do I still need a developer/unstable version of Firefox for that?

paulirish · 6 years ago
FWIW This same functionality is available as a Chrome extension: https://security.googleblog.com/2019/02/protect-your-account...

(Disclosure: I work on Chrome, though on Developer Tools)

AznHisoka · 6 years ago
OK, back to Chrome it is. Thanks :)

Ayesh · 6 years ago
For non-tech users, privacy isn't a very good selling point.

Both my parents use Chrome because it's already installed on Android and works fine. My attempts to convince them to Firefox didn't work out even with multiple attempts.

user17843 · 6 years ago
The functionality is part of every decent password manager, which takes care of basically all your passwords, not the ones stored in your browser. So I don't understand the enthusiasm.

Deleted Comment

woodrowbarlow · 6 years ago
these are the reasons a browser built-in password manager is ideal for many people:

1. most people don't need many passwords outside of the browser.

2. in-browser password managers can offer a better user-experience than standalone password managers. (although, so far, firefox's built-in password manager is lagging behind in this regard.)

3. password managers integrated into the core of the browser have a smaller attack surface than those implemented as plugins.

4. users of a particular browser already trust the browser vendor with their passwords, at least enough to let the browser see and transmit them every time the user logs in to a site.

okasaki · 6 years ago
What data does this send and who receives it?

Is money involved in this partnership? If so, who paid whom?

What was the motivation behind this? Is there any study that shows any benefit from haveibeenpwned.com? I.e. has there been a decrease in hijacked accounts, etc?

Vinnl · 6 years ago
There's more about how Mozilla obtains the data here: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...

I don't think there's been studies, but it seems obvious to me that the goal here is to prevent re-use of leaked passwords, and I'd consider it a surprising result if this wouldn't help in that.

Deimorz · 6 years ago
CCP Games integrated it into Eve Online and says that it significantly reduced the number of players using insecure passwords:

> When we first implemented the check, about 19% of logins were greeted with the message that their password was not safe enough. Today, this has dropped down to around 11-12% and hopefully will continue to go down.

From https://www.eveonline.com/article/pu2gdi/account-security-im...

Vinnl · 6 years ago
That sounds like a good reason to get your non-technical friends and relatives on Firefox.

(Edit: though I wonder whether the really non-technical ones will not interpret this as having to change the displayed saved password, rather than having to visit the website.)

mwilliaams · 6 years ago
How does Firefox compare your actual password to the leaked password without storing your passwords in plaintext?

feanaro · 6 years ago
It is storing your passwords in plaintext locally, since this is about passwords that are saved by the user in Firefox's password store (the Saved Logins feature). These can (and should) be protected with a master password, but you obviously need to unlock the store before logging into a website.

They're not storing your passwords remotely, though. They're asking haveibeenpwned which maintains a list of leaked login information from past breaches.

jxcl · 6 years ago
It looks like they're not doing this, but it is also possible to see if your exact password is in the breach using an algorithm called k-anonymity:

https://blog.cloudflare.com/validating-leaked-passwords-with...
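The k-anonymity range lookup that the comments above refer to, as an added Python example (not code from this thread, from Mozilla, or from HIBP itself): the client hashes the password locally with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally, so the server never sees the full hash. The "server" here is a constructed in-memory dictionary with made-up passwords and counts standing in for the real `/range/{prefix}` endpoint, and `range_query`, `pwned_count` and `password_allowed` are hypothetical names. It also carries through tomschlick's idea of only rejecting passwords seen more than some threshold number of times.

```python
import hashlib

# Constructed toy corpus standing in for the leaked-password database.
# Counts are made up for illustration; the real service holds hundreds of
# millions of SHA-1 hashes with their observed breach counts.
LEAKED_PASSWORDS = {"password": 5000, "123456": 20000, "correcthorse": 2}

# What the stand-in server actually receives from clients, so the privacy
# property (only a 5-char prefix ever leaves the client) can be checked.
SERVER_LOG: list[str] = []


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index keyed by the 5-character hash prefix, mirroring the shape
# of the range endpoint: prefix -> [(35-char suffix, count), ...].
SERVER_INDEX: dict[str, list[tuple[str, int]]] = {}
for _pw, _count in LEAKED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    SERVER_INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def range_query(prefix: str) -> list[str]:
    """Stand-in for GET /range/{prefix} (hypothetical local version).

    Returns one 'SUFFIX:COUNT' line per stored hash sharing the prefix. The
    server learns only the prefix, which many unrelated passwords share.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_LOG.append(prefix)
    return [f"{suffix}:{count}" for suffix, count in SERVER_INDEX.get(prefix, [])]


def pwned_count(password: str, query=range_query) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.

    Returns the breach count for the password, or 0 if it is not in the corpus.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_allowed(password: str, threshold: int = 1) -> bool:
    """Policy hook: reject a password seen at least `threshold` times.

    threshold=1 rejects any leaked password; a larger threshold only rejects
    the very common ones, as discussed in the thread.
    """
    return pwned_count(password) < threshold


if __name__ == "__main__":
    for candidate in ("password", "correcthorse", "some-unique-passphrase"):
        print(candidate, pwned_count(candidate), password_allowed(candidate, threshold=100))
    print("server saw only prefixes:", SERVER_LOG)
```

The important property to check in a real client is the one `SERVER_LOG` makes visible: the only value that crosses the network is the five-character prefix, and the suffix comparison happens on the client. A client that instead sends the whole hash (or the password) loses the anonymity set that the range query is designed to provide.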

want2know · 6 years ago
I believe the article is false.

As far as I understand [1] Firefox will notify you if the domain was breached and your password is older than the breach.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1559365

lucideer · 6 years ago
From that ticket, the comments discussing the domain and time of the breach are about adding that filtering to the existing feature, not about those being the only checks. The article is not false.

SAI_Peregrinus · 6 years ago
Firefox has a built-in password manager, so plaintext passwords are necessarily stored in that database. The backend comparison service they're using supports a near-zero-knowledge protocol that allows clients to check for compromised passwords in the database efficiently without ever sending the password (or even a hash of the password) to the backend.

Also they can just query all the usernames (email addresses) of the accounts and get notifications if any of those usernames have appeared in breaches.

throwaway66666 · 6 years ago
But... will mozilla or the people behind haveibeenpwned know I am using a pwned password? Basically, by checking if you are under risk, do you leak info to 3rd parties that can be used against you, before having the opportunity to protect yourself? Is there any info about the near-zero knowledge protocol somewhere? It's a fascinating topic for sure.

SubiculumCode · 6 years ago
I'm pretty sure that it is just usernames/emails that are queried.

qzw · 6 years ago
That’s a nice feature, and I hope other browsers will adopt something similar soon. Also looking forward to the password generator that’s finally coming in Firefox 69. On a slight tangent, I wish the major browsers would agree on an interoperability standard for their built-in password managers.

r00fus · 6 years ago
> On a slight tangent, I wish the major browsers would agree on an interoperability standard for their built-in password managers.

Are you talking about an interop standard for storing/sharing passwords, or for generating them?

Because the latter is hobbled significantly by a twisting maze of password requirements and login form implementations by sites (banks, webmail, etc).

ekimekim · 6 years ago
There is also this: https://wicg.github.io/change-password-url/index.html

which is an interop standard for websites to expose a "Change your password" page, which is a good place to start. It lets the password manager link directly to "your password for foo.com is expired/known to be leaked/weak, [change it here]"

vorpalhex · 6 years ago
> an interop standard for storing/sharing passwords

Is what we need. You can export from Chrome to a CSV, and you can import that CSV into 1Password, but no way to get those passwords into or out of Firefox that I've found (please tell me if you have a method..).

mnoorenberghe · 6 years ago
Press reports that this is shipping in Fx69 were incorrect.

qzw · 6 years ago
No? That’s a bummer. What’s the correct EVA (estimated version of arrival)?

Deleted Comment

bovermyer · 6 years ago
Is Firefox trying to replicate all behavior of password managers?

Groxx · 6 years ago
Browsers that offer to save your passwords are password managers. They've just been downright abhorrent at it for years. Improving that seems worth doing?

woodrowbarlow · 6 years ago
they certainly aren't as bad as they used to be, but the UX hasn't improved much. in-browser password managers these days have acceptable security and features like the one in the article are starting to surpass other password managers. but gawd, the UX.

my biggest qualm with the UX of firefox's password manager is the "master password" feature. it's a password you must enter to unlock your keychain. that's a must-have for me.

what firefox does wrong:

* it's rendered as a simple dialog prompt, identical to javascript's window.prompt. could be faked by a site for phishing.

* the unlock prompt launches once, about 30 seconds after the browser is launched (right while i'm in the middle of typing a URL) and grabs focus.

* if you don't provide a password, the prompt will show up again each time you visit a page that has a login form for which you have a saved password, even if the login form is hidden with CSS. many sites have login forms on every page.

* there's no way to unlock the keychain on a per-site basis or lock it again once you've unlocked it (besides closing the browser).

what i want is:

* when i'm about to log in to a site, i expect to provide my master password and have firefox autofill my saved password for this site only.

* if i need the password again later, or a password for a different site, i expect to have to provide my master password again.

* a dialogue that i can trust to have come from the browser itself rather than the webpage.

* not to be interrupted by the dialogue unless i need to access a saved password.

bovermyer · 6 years ago
Oh, I'm not opposed to Mozilla doing this.

I'm just curious if they intend to fully replace third-party password managers.

sp332 · 6 years ago
Yeah, in fact they've launched a password manager app. https://lockwise.firefox.com/