
We're Baking ‘Have I Been Pwned’ into Firefox and 1Password - edward
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/
======
I have such great respect for Troy and all the work he's done/is continuing to
do to promote good security practices. I just went on HIBP though and noticed
the advice for better security is "use 1Password" (after checking your email
for compromises).

This just seems a little too commercial to me and I'm not sure I like the
phrasing. I fully understand the need for Troy to be sponsored and it's great
that 1Password works well with his tooling, but it's _not the only solution_.
I'd feel a little less uneasy if it was phrased in such a way as "Use a
password manager, like 1Password".

~~~
BartBoch
This. I am using LastPass for example, because it is probably the only password
manager where you can completely disable auto-fill (you need to click on an
input field and then pick a profile - so it is "on demand" fill), which makes
automatic harvesting attacks much harder. I have switched from 1Password
exactly for that reason - 1Password is very aggressive in filling input fields
for you.

~~~
dzhiurgis
LastPass has a horrible security track record.

I’ve even caught them editing their wiki page, trying to erase their past,
which was reverted thanks to HN.

~~~
izietto
Not-so-happy LastPass user here: I evaluated alternatives, but LastPass is the
only one which somehow works on Linux/Firefox. I have even tried to make
pressure to 1password about that, without much success:
[https://discussions.agilebits.com/discussion/comment/410603/#Comment_410603](https://discussions.agilebits.com/discussion/comment/410603/#Comment_410603)

~~~
pluma
BitWarden works fine. I'm using Linux/Firefox as well, the rest of the time is
on Windows/Chrome. It's 100% open source:
[https://bitwarden.com/](https://bitwarden.com/)

~~~
spanishgum
I stopped using browser based password managers and switched to KeePass. It's
a bit more work to pull passwords and back them up, but for me it beats
trusting cloud services with security critical data.

~~~
Forbo
This! I love my setup. I use KeePassXC and sync my password db with NextCloud.
I love having an open source password manager that is useful across all of my
devices, be it Android, Linux, Mac or Windows.

~~~
meko
KeepassXC, syncthing, and keepass2android here.

------
jvehent
As many have commented, this isn't a new tool for technologists.

The goal of Firefox Monitor is to bring this functionality to non-technical
users, which requires a lot of user experience research to inform without
scaring people away from using the internet.

~~~
bfred_it
I’m confident that this is a first step towards integrating it into Firefox
itself.

1. Test Firefox Monitor on the web

2. Integrate it for all Firefox users

------
arthurfm
One feature I wish HIBP had was support for sub-domain addressing [1] and plus
addressing [2].

My main email address has the format 'example@fastmail.fm' and receives alerts
from HIBP if found in a data breach, but all of the related subdomain-based
email addresses do not (e.g. netflix@example.fastmail.fm,
google@example.fastmail.fm etc.)

Based on the 1Password screenshots in the linked article it would appear that
specific support for sub-domain/plus addressing may not be required?

However, Firefox Monitor looks like it has the same limitations as the HIBP
website/API and makes the alerts somewhat less useful when using sub-
domain/plus addressing.

[1] [https://www.fastmail.com/help/receive/addressing.html](https://www.fastmail.com/help/receive/addressing.html)

[2] [https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/6774229-enable-search-and-notifications-for-email-addresse](https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/6774229-enable-search-and-notifications-for-email-addresse)

~~~
bad_user
You can sign up to get notifications for an entire domain, meaning that you
can get notifications for any email with the "example.fastmail.fm" domain.

See here:
[https://haveibeenpwned.com/DomainSearch](https://haveibeenpwned.com/DomainSearch)

~~~
arthurfm
Thanks! I will give that a try.

------
ThePhysicist
I recently wrote a small tool to download the whole password database from
HIBP and turn it into a Bloom filter that can be used from Golang or Python.

The tool also includes a webserver that lets you check for plaintext password
matches (only recommended over a secure network) and SHA1 values:

[https://github.com/adewes/have-i-been-bloomed](https://github.com/adewes/have-i-been-bloomed)

The filter is about 1.7 GB in size with a 10e-6 false positive rate, so it can
be used even on moderate hardware to check user passwords against the database
(the entire filter must be loaded into memory currently, though it would be
possible to use a memmapped file).
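The comment above describes turning the HIBP password list into a Bloom filter. The following is an added, self-contained illustration (not code from the have-i-been-bloomed project) of how such a filter is sized from the item count and target false-positive rate and how SHA-1 password hashes are inserted and probed; the password list it uses is constructed sample data.

```python
import hashlib
import math


def optimal_params(n_items, false_positive_rate):
    """Standard Bloom filter sizing: bit count m and hash count k for n items at rate p."""
    m = math.ceil(-n_items * math.log(false_positive_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


class PwnedPasswordBloom:
    """Bloom filter keyed on uppercase hex SHA-1 of a password (the format HIBP publishes)."""

    def __init__(self, capacity, false_positive_rate):
        self.m, self.k = optimal_params(capacity, false_positive_rate)
        self.bits = bytearray((self.m + 7) // 8)

    @staticmethod
    def sha1_upper(password):
        return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

    def _positions(self, sha1_hex):
        # Kirsch-Mitzenmacher double hashing: k positions derived from two 64-bit
        # values, so no k independent hash functions are needed.
        digest = hashlib.sha256(sha1_hex.encode("ascii")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step avoids a zero stride
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add_sha1(self, sha1_hex):
        for pos in self._positions(sha1_hex):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def contains_sha1(self, sha1_hex):
        # A Bloom filter never yields false negatives; "True" means "probably present".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(sha1_hex))

    def add_password(self, password):
        self.add_sha1(self.sha1_upper(password))

    def contains_password(self, password):
        return self.contains_sha1(self.sha1_upper(password))

    def size_bytes(self):
        return len(self.bits)


# Constructed sample stand-in for the HIBP password list.
SAMPLE_PWNED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def build_sample_filter(false_positive_rate=1e-6):
    bloom = PwnedPasswordBloom(capacity=1000, false_positive_rate=false_positive_rate)
    for pw in SAMPLE_PWNED_PASSWORDS:
        bloom.add_password(pw)
    return bloom


if __name__ == "__main__":
    m, k = optimal_params(500_000_000, 1e-6)
    print("500M entries at 1e-6: %.2f GB, %d hash functions" % (m / 8 / 1e9, k))
    f = build_sample_filter()
    print("password ->", f.contains_password("password"))
```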

~~~
throwawaymath
You don't need to download them from HIBP. You can freely download all major
breach databases from databases.today. There really aren't many passwords not
represented in those databases which are present in others, but for everything
else you can just automatically download grab dumpmon like Hunt does.

Also, try google dorking site:vk.com/doc and "@gmail.com"...there are many
large password and email databases you can find that way which have not been
publicized. This includes many which are not in HIBP. I've tried to call
attention to this before but there isn't an active effort to crawl these.

Once you download, normalize and deduplicate the entire corpus of password
databases, you can find matches in real time for e.g. signup requests.

------
sanat
Congratulations @troyhunt Your project's making a bigger difference around the
world.

------
cbhl
I'm worried that this will just train people to start blindly clicking through
"pwned password" modal dialogs for CVVs and OTP/SMS 2FA codes, just like they
did for the "Do you want to view only the webpage content that was delivered
securely?" dialog in MSIE.

~~~
BartBoch
The wide public is not so interested in secured content really imo, but they
will rarely ignore warnings about their passwords. The password is like a pin
for your debit card. You don't mind people seeing your card (unsecured
content), but you will not share your pin code (password).

~~~
zrobotics
Next time you are in a checkout line, pay attention to how few people make any
attempt to prevent shoulder surfing their PIN. POS devices have gotten better
with shielded keypads, but there are still many machines that make it somewhat
difficult to obscure your PIN. The average person gives very little thought to
security, or at the very least gives little thought to possible threat models.

------
crb002
Make sure to not do it automatically, but on user interaction (like new Safari
password fills). Otherwise you leak usernames and tie them to browser sessions
which can be fingerprinted.

~~~
jasontedor
I think this is addressed by the use of k-anonymity which is described in the
section of the article titled “Enabling Anonymous Searches with k-Anonymity”.

------
lvh
This uses HIBP for the underlying dataset. I'm not sure what's added though.
Convenient UX? They claim to only send anonymized data out, but HIBP already
supports the underlying hash range queries -- that doesn't appear to be new
here.

~~~
JadoJodo
I suspect it'll warn you if any of the accounts you've saved in Firefox
(username/password) have been compromised. 1Password already does this¹ but
this is likely the Firefox implementation of it.

¹ - [https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/](https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/)

------
auganov
It's interesting how HIBP considers mainstream dating sites sensitive on par
with adult sites, while shady hacking related forums are fair game.

~~~
zrobotics
Have you considered the amount of PII the dating site is likely to have on
their average customer? Access to a dating profile is almost as good as
Facebook access to perpetrate identity theft.

~~~
detaro
That's not what makes a breach "sensitive" for HIBP, it's about breaches that
only can be checked if you authenticated your e-mail address or domain, so
that not everyone can check if you've used the site.

------
nabla9
"Have I Been Pwned" should require email verification.

The way it's now, you can do searches for people's emails and get info of the
sites people have been using.

~~~
mrunkel
You realize they are only using data that is already publicly available right?

------
poorman
Troy has done great security work for the community at large. If you haven't
seen it check out one of his other projects
[https://report-uri.com](https://report-uri.com) that aggregates your Content
Security Policy reports for your site; a base security measure almost everyone
should be utilizing for their sites these days.

------
benbristow
What will happen when Have I Been Pwned gets Pwned?

Must be storing a lot of email addresses at this point.

~~~
msh
It is storing leaks so the data on the site is already public one way or
another.

~~~
crtasm
It also has emails of people who sign up to its 'alert me if this address is
found in future leaks' service.

------
YvetteBrooks
"Have I been pwned" is just more friendly than "Was my password easy?". But
the truth should be known!

~~~
detaro
Not only, since bad passwords aren't the only way passwords can leak, bad
password storage practices on a hacked site do it too.

HIBP also includes leaks that didn't include recoverable passwords, but other
personal data.

~~~
YvetteBrooks
Well, truth. If the password were ejected from let's say "the random" website
and you use the same one for all other ones you are kinda "pwned".

------
xiconfjs
So will this feature only be available in the web-version of 1password and not
in the stand-alone version? :(

~~~
flamtap
The latest versions of 1Password (I’m on 7) have great HIBP integration.
Really pleased with it so far.

------
Dolores12
It would also be cool to implement native email reader inside firefox and some
kind of messenger.

------
auslander
> Have I Been Pwned

You are. HN sits behind Cloudflare. Your SSL connection terminates at
Cloudflare to plaintext, and a new SSL connection to HN is created.

Your login and password, IP and User-Agent and who knows what else, is in
clear view to Cloudflare - you've been pwned :))

~~~
mar77i
That's such an amazing thing about them.

I know a few places that... would pretty much die for such a global "MITM"
service, so I wonder if it's five corners financing it.

~~~
auslander
I need a browser extension (for Safari) to warn me if the site is behind
Cloudflare. I'll pay money :) I'm kinda protected by using VPN, IP is not my
ISP IP. But the rest, plus browser fingerprinting is busted.

Use this: www.cloudflare.com/ips/ and HTTP headers like CF-RAY

~~~
tomschlick
You could also just use the ASN of the network which is always cloudflare for
CF ips.

~~~
ReverseCold
That's not easy to retrieve from a browser extension without using an external
service, right?

------
auslander
Leave the Firefox alone, please. Pocket, HIBP, 1Password, Cloudflare ... Not
cool. 1Password has flawed sec rep [0], Cloudflare is pure MITM, stripping TLS
between you and webserver, the rest just network and data leaks I haven't
asked for.

For passwords best is KeepassXC, sync encrypted db via any file sharing.

[0] [https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/](https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/)

------
auslander
To Mozilla devs, if I may. Try the OpenBSD approach to security, like in
[https://www.openbsd.org/security.html](https://www.openbsd.org/security.html)

------
yAnonymous
My problem with haveibeenpwned is that when you haven't been pwned, you've
just handed them your mail address.

Is there anything to alleviate those concerns other than "trust us, we're not
saving emails from queries"?

~~~
Piskvorrr
k-Anonymity. In other words, "I have hashed my e-mail address, here's the
beginning part _of the hash_: 0deadbeef0, tell me if you have anything
matching that." "Yup, I have something that hashes to 0deadbeef0123456789abcd,
associated with these breaches, and something else that hashes to
0deadbeef0abc1056886516, associated with those breaches." Plaintext is not
exposed, and you're not even exposing the whole hash, so GL to anyone trying
to find out which of the hashes (if any) is yours, let alone what the
plaintext was.

[https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/](https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/)
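The exchange described above, as an added illustration that is not part of the original post and not Firefox Monitor's or HIBP's own code: the client hashes the address locally, sends only a hash prefix, and finishes the comparison against the returned suffixes itself. The prefix length of 6 hex characters and the breach data are assumptions/constructed sample values.

```python
import hashlib
import re
from collections import defaultdict

# Assumption: the lookup sends the first 6 hex characters of the SHA-1 of the address.
PREFIX_LEN = 6


def sha1_hex(address):
    """Uppercase hex SHA-1 of the normalised (stripped, lower-cased) address."""
    return hashlib.sha1(address.strip().lower().encode("utf-8")).hexdigest().upper()


# Constructed sample stand-in for the breach corpus: address -> breach names.
SAMPLE_BREACHED_ACCOUNTS = {
    "alice@example.com": ["SampleForum2016", "SampleShop2017"],
    "bob@example.net": ["SampleShop2017"],
}


def build_prefix_index(accounts, prefix_len=PREFIX_LEN):
    """Server side: bucket every full hash by its prefix so a bucket can be served whole."""
    index = defaultdict(list)
    for address, breaches in accounts.items():
        digest = sha1_hex(address)
        index[digest[:prefix_len]].append((digest[prefix_len:], sorted(breaches)))
    return index


def server_range_query(index, prefix, prefix_len=PREFIX_LEN):
    """Server side: the prefix is all that is received. Returns every (suffix, breaches)
    pair in that bucket; the server cannot tell which entry, if any, the client holds."""
    if not re.fullmatch(r"[0-9A-F]{%d}" % prefix_len, prefix):
        raise ValueError("prefix must be exactly %d uppercase hex characters" % prefix_len)
    return sorted(index.get(prefix, []))


def client_check(address, index, prefix_len=PREFIX_LEN):
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns the breach names for the address, or [] when no suffix matches."""
    digest = sha1_hex(address)
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    for candidate_suffix, breaches in server_range_query(index, prefix, prefix_len):
        if candidate_suffix == suffix:
            return breaches
    return []


if __name__ == "__main__":
    idx = build_prefix_index(SAMPLE_BREACHED_ACCOUNTS)
    for a in ["alice@example.com", "carol@example.org"]:
        print(a, "->", client_check(a, idx) or "not in sample set")
```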

~~~
yAnonymous
Seems like a good solution. I was looking for this on the official HIBP
website, but it's not mentioned there.

Going public with this would probably be a good time to update the website.

~~~
cricalix
Read [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/](https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/)
as well.

------
auslander
It reads like a press release. Praises for Troy, Troy praises 1Password and
Cloudflare, great sell to naive Mozilla. Shareholders pat themselves on the
backs. Champagne, sir?

~~~
coldtea
And that's bad because? And Mozilla is "naive" because?

What's the angle? "Stick it to the Man", and stuff?

~~~
auslander
Security is hard. Adding 3rd party systems you don't control is not the way.

~~~
superflyguy
I use Firefox. Are you saying I'm now less safe? If I'm more safe but some
other people don't like the solution then I guess they can configure or fork
Firefox then we're all happy, right?

~~~
pbhjpbhj
Arguably, if Firefox is devoting resources to this then it's not got resources
to spend on other issues. That could in theory make it less secure.

HIBP and 1Password aren't making FF more secure, chances are they're
increasing attack surface in both directions (ie making compromise of
1Password more likely too).

~~~
ddalex
This is FUD.

~~~
pbhjpbhj
Can you explain what's incorrect in my post?

(FWIW it's not a position I hold, I've not looked at the situation properly
yet.)

~~~
ddalex
Sure, I'll take it point by point.

> Arguably, if Firefox is devoting resources to this then it's not got
> resources to spend on other issues.

This is a logical fallacy. It's like saying - if we wouldn't spend money on
the space program, we could feed Africa with that money. The problem here is
that this is not a zero-sum game: the people that worked on this (e.g. Troy
Hunt) wouldn't have had the skills or inclination to bring other enhancements to
Firefox. Thus this is a net addition, and not to the detriment of other work.

> That could in theory make it less secure

So adding a feature that helps people be more secure against a specific threat
(using bad passwords that have been broken) makes the product less secure?
This makes no sense, but it's just put in there to spread Fear (FF is less
secure because of added security features) and Doubt ("could in theory" ...
meaning we don't know, but let's put this out there)

> HIBP and 1Password aren't making FF more secure,

I tend to evaluate security in the context of a threat model. HIBP and 1Password
have very good track records of mitigating attacks on user passwords (by
notifying people about password breaches and thus decreasing the value of a
password breach, and by making it easy for the average user to manage complex
passwords). As a result, the Firefox users have better tools to manage
password-based authentication, increasing their security.

> chances are they're increasing attack surface in both directions (ie making
> compromise of 1Password more likely too).

The evaluation of the "attack surface" here refers to the horizontal scale
(how many actors of the same type see the interface) whereas the concept of
reducing the "attack surface" refers to the vertical scale (how many types of
communication the actors see). Reducing the horizontal scale is known as
"security by obscurity" and it's a very bad idea to use it. A larger
horizontal scale has no impact on the security, see ciphered communication: an
encrypted message doesn't get less secure if more eyes see it, its security
only depends on how well the encryption works.

Assuming that 1Password doesn't use "security by obscurity", increasing its
footprint on the web will not decrease its security.

------
ccnafr
Mozilla has wasted a bunch of resources creating a pointless tool. Let me
explain why!

Last year, they promised to create an add-on that triggered when you visited
sites known to have been breached in the past, and let the user check if his
password was included in the leaked data, via HIBP:
[https://www.bleepingcomputer.com/news/security/firefox-will-warn-users-when-visiting-sites-that-suffered-a-data-breach/](https://www.bleepingcomputer.com/news/security/firefox-will-warn-users-when-visiting-sites-that-suffered-a-data-breach/)

Now, they announced Firefox Monitor, which is nothing but a standalone website
where you can check your email and see if it's been included in public
breaches. This is the same functionality of the main HIBP website. If people
want to check if their email was included in a breach, they'd just visit HIBP,
not Firefox Monitor.

Why does this website exist in the first place? They took a good idea that
used a proactive approach to alerting users of potentially leaked passwords
and they've created a Firefox-branded HIBP clone website that very few people
are gonna know about or even use.

Pointless use of resources, when they could have used them for something
actually useless.

~~~
kadenshep
You're ignoring how most users need things in front of their face. Most users
are not privacy or security "aware" in any manner. Putting it in the UI or
actively promoting these services is beneficial to the common web user.

And if it fails, it's at least worth it to learn why it failed. Was the UI
bad? Did it not promote the service in the right way? Did users not understand
the purpose of the tool?

I think the juice is worth the squeeze.

~~~
bradknowles
1. Put it on the web first.

2. Get it working well with UI, UX, etc....

3. Then integrate it into the browser.

Seems like a totally logical flow to me.

~~~
sobani
But the browser is part of the UI/UX.

When Firefox warns you that you're (possibly) pwned when you browse to a
website or try to log in, then you can't get around combining step 2 and 3.

Or when Firefox compares your password database with HIBP, you can't get
around combining step 2 and 3.

------
zeroisnowfour
A much more honorable way to do this would have been to allow the search of a
hash of your email rather than your actual email.

~~~
rhencke
That's... exactly what they're doing?

~~~
zeroisnowfour
Double-checking source code @ haveibeenpwned.com. I see no javascript that
hashes your email address before submission.

~~~
rhencke
Sure, but that's not what the linked article is discussing as the basis for
integration with Firefox.

------
_pmf_
What could possibly go wrong?

~~~
Piskvorrr
Shooting the messenger, that's what. People tend to confuse "X might have your
password" and "Y tells me 'something X something password', therefore Y hacked
me".

------
NVRM
You had been pwned anyway.

~~~
NVRM
Everything said that isn't politically correct is systematically downvoted
here on «hacker» news. I am enjoying your very low knowledge and your
smartphone attitude. LOL

~~~
detaro
You sure it's not you posting trite, basically irrelevant one-liners that's
presenting a "smartphone attitude"?

Nothing is politically incorrect about your post, but it doesn't add to the
discussion.

~~~
NVRM
There is no discussion here, just marketing stuff.

~~~
auslander
Wow. How did you guess?

~~~
NVRM
By answers not politically correct systematically downvoted...!

~~~
auslander
Was joking, man :))

------
mattdennewitz
Excellent need, more than enough reason to switch. Now bake 1Password into
Firefox.

~~~
cpeterso
Not quite 1Password, but Mozilla is developing a cross-platform password
manager, tentatively called "Lockbox", that will support Firefox, Android,
iOS, and possibly a Chrome extension.

[https://mozilla-lockbox.github.io/](https://mozilla-lockbox.github.io/)

~~~
strken
I hope they add support for self-hosted backends. It'd be great to have a
self-hosted password manager developed by a company with an amazing security
team.

~~~
mnx
This would be really amazing.

------
homakov
Instead of actually fixing authentication they are baking "has this password
been exposed in plaintext" into the browsers.

What's the deal with WebAuthN? Such a basic functionality still not completed.

~~~
JumpCrisscross
> _Instead of actually fixing authentication they are baking "has this
> password been exposed in plaintext" into the browsers_

“Perfect is the enemy of good” [1].

[1]
[https://en.m.wikipedia.org/wiki/Perfect_is_the_enemy_of_good](https://en.m.wikipedia.org/wiki/Perfect_is_the_enemy_of_good)

~~~
homakov
I'd argue there is no "good" auth at the moment, only "poor". And upgrade to
authenticator-based "good enough" is much needed.

~~~
gldalmaso
[https://en.wiktionary.org/wiki/no_good_deed_goes_unpunished](https://en.wiktionary.org/wiki/no_good_deed_goes_unpunished)