
Firefox to Warn When Saved Logins Are Found in Data Breaches - rahuldottech
https://www.bleepingcomputer.com/news/software/firefox-to-warn-when-saved-logins-are-found-in-data-breaches/
======
daveguy
Firefox is using the wonderful haveibeenpwned resource. There is also a public
API for haveibeenpwned if you want to incorporate it into your own clients:

[https://haveibeenpwned.com/API/v2](https://haveibeenpwned.com/API/v2)

Please note the rate limits / abuse policy so everyone can use it:

[https://haveibeenpwned.com/API/v2#RateLimiting](https://haveibeenpwned.com/API/v2#RateLimiting)

(I am not affiliated)

~~~
Deimorz
Probably worth noting that Have I Been Pwned is now up for sale:
[https://www.troyhunt.com/project-svalbard-the-future-of-have...](https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/)

I've always been a huge fan of the project (and Troy) and understand that it's
gotten to a point where he can't keep running it as a spare-time project, but
I'm still not very happy about seeing it being shopped around. I can't see how
this type of service needing to find a way to become a _business_ will be a
good thing overall, especially when it keeps getting integrated into other
programs and services like this. Troy pledges that nothing will change, but
every company getting acquired does that, and then things change anyway.

The best result would probably be something like Mozilla buying it and/or
paying Troy to just keep doing what he's doing.

~~~
prepend
This is why I never check passwords against haveibeenpwned. The idea of
sending your passwords to a third party is pretty crazy. Even when I knew the
owner and trusted him, there’s no way I’d know everyone with access. And now
the site could be sold to someone like Google and God knows what they would do
with all that traffic.

I used to download the whole file and check locally, but it’s too much of a
pain to do consistently.

~~~
ascorbic
You don't send the password to him. Your browser hashes it, then sends the
first few characters of the hash to the API. You can look at the network panel
if you don't believe it. The protocol is fully documented on the site. I used
it to make a React hook to check your user's password when they sign up.
[https://github.com/ascorbic/use-pwned-passwords](https://github.com/ascorbic/use-pwned-passwords)

~~~
prepend
Thanks for the comment. It’s enough of the hash shared for me to be
uncomfortable and for me to recommend not using it.

I applaud them for limiting the risk. But when the information shared with
them lets a bad guy know the 500 possible matches out of trillions, that's
not good.

It’s not literally clear text, which is nice. But it’s not without risk. And
it’s not a good practice to share portions of password hashes with untrusted
parties. Like a friendly hacker who runs a nonprofit site or whatever company
buys it.

~~~
tylerl
What you do with your own data is your decision, but if these details are
enough for you to _recommend_ that other people not use it, then your advice
needs to come with an "I ignore math in favor of uninformed prejudice"
disclaimer, because you're making things worse with your security mysticism.

~~~
prepend
That wouldn’t be a disclaimer that is accurate, so I don’t think I would use
it.

Anyone who takes my security recommendations is already familiar enough with my
math vs. informed prejudices balance.

------
AznHisoka
OK, enough is enough. I'm switching to Firefox now.

Protip to Firefox: Advertise this feature more. The other stuff I don't really
care about, and it didn't really convince me to move to Firefox. Fear is an
excellent motivator, however.

~~~
mevile
Try and give Firefox Containers a test too. It's a Firefox extension made by
Mozilla that creates separate environments where cookies and session data are
not shared. It's a great feature I never want to do without. I use it to
create a wall between work and personal web browsing.

~~~
Vinnl
Handy link: [https://addons.mozilla.org/en-US/firefox/addon/multi-account...](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)

(+endorsement: it's a really great feature for power users)

~~~
tialaramex
The Facebook Container is very usable for non power users so long as they're
already uncomfortable enough with the all-consuming nature of Facebook to not
use Login with Facebook type features (which can't work from a container by
definition)

I'm not going to get my mother to use containers to keep her banking separate
from her knitted craft forums, the same way I'm not going to get her to use a
password manager, but I can install the Facebook Container and buy her a book
to write passwords in so she uses more than two different ones.

~~~
groovecoder
Disclaimer: Firefox sec eng who works on both this feature and Facebook
Container ...

The new 2.x release of Facebook Container allows people to use "Log in with
Facebook". To do so, it adds the site into the Facebook Container so sub-
resources and 3rd-party cookies are available to the Facebook SDK js.

It warns the user before they enable this on any site.

~~~
Vinnl
Thanks for your work! When I said Multi-Account Containers are great for Power
Users, I had in the back of my mind that Facebook Containers are great for
everyone who does not use MAC - it really is a pretty seamless experience, and
as opposed to MAC, does not require manual container selection.

------
okasaki
What data does this send and who receives it?

Is money involved in this partnership? If so, who paid whom?

What was the motivation behind this? Is there any study that shows any benefit
from haveibeenpwned.com? I.e. has there been a decrease in hijacked accounts,
etc?

~~~
Vinnl
There's more about how Mozilla obtains the data here:
[https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...](https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/#enablinganonymoussearcheswithkanonymity)

I don't think there's been studies, but it seems obvious to me that the goal
here is to prevent re-use of leaked passwords, and I'd consider it a
surprising result if this wouldn't help in that.

------
Vinnl
That sounds like a good reason to get your non-technical friends and relatives
on Firefox.

(Edit: though I wonder whether the really non-technical ones will not
interpret this as having to change the displayed saved password, rather than
having to visit the website.)

------
mwilliaams
How does Firefox compare your actual password to the leaked password without
storing your passwords in plaintext?

~~~
SAI_Peregrinus
Firefox has a built-in password manager, so plaintext passwords are
necessarily stored in that database. The backend comparison service they're
using supports a near-zero-knowledge protocol that allows clients to check for
compromised passwords in the database efficiently without ever sending the
password (or even a hash of the password) to the backend.

Also they can just query all the usernames (email addresses) of the accounts
and get notifications if any of those usernames have appeared in breaches.

~~~
throwaway66666
But... will mozilla or the people behind haveibeenpwned know I am using a
pwned password? Basically, by checking if you are under risk, do you leak info
to 3rd parties that can be used against you, before having the opportunity to
protect yourself? Is there any info about the near-zero knowledge protocol
somewhere? It's a fascinating topic for sure.

~~~
justusthane
Nope. Read the section on k-anonymity here: [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...](https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/)

Essentially, the client hashes the password and then only sends the first 5
characters of the hash to HIBP. HIBP then returns the hashes of every password
whose hash begins with the same characters (approx 477 matches, according to
the article), and then it's up to the client to determine if there's a match.

~~~
prepend
I like that the approach reduces the risk, but this isn't sufficient for me to
actually trust a third party. The article calls out an example where the five
character hash prefix has 477 matches in the password file.

That’s a ridiculously small number of possible values for a powerful actor
trying to crack a password.

~~~
leejoramo
But your password is NOT one of just 477 known passwords. It is one of
2^(8*11) possible passwords that share the same first 5 bytes of a 16 byte
hash.

~~~
prepend
The way I understand their implementation [0] is that the client sha256s their
password and sends the first 5 characters, not bytes. The server then responds
with all the matching hashes. In the article the example was 477 matching
hashes.

So it’s not all possible hashes with that prefix, it’s only the hashes of
entries in the known passwords.

If the server was compromised, it would be able to know which users requested
which hash prefixes and compare that to the “known hashes” that match that
prefix. Not all passwords submitted are matches, but some are. And it’s likely
that a user's pattern of testing particular hash prefixes could make it much
easier to crack a password.

[0] [https://blog.cloudflare.com/validating-leaked-passwords-with...](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/)

~~~
snailmailman
The password isn’t necessarily in the list, and if it is it should be changed.
The service just returns the list and you check locally. The server _only_
gets the first few characters of the hash.

Knowing the hash prefix of someone’s password doesn’t help you guess it. You
can’t plan your guesses to have a matching prefix or anything. If your
password _is_ in the list, then the full hash is already out there and you
should stop using it, because it’s probably been brute forced by someone or
people are trying to guess it somewhere.

------
qzw
That’s a nice feature, and I hope other browsers will adopt something similar
soon. Also looking forward to the password generator that’s finally coming in
Firefox 69. On a slight tangent, I wish the major browsers would agree on an
interoperability standard for their built-in password managers.

~~~
r00fus
> On a slight tangent, I wish the major browsers would agree on an
> interoperability standard for their built-in password managers.

Are you talking about an interop standard for storing/sharing passwords, or
for generating them?

Because the latter is hobbled significantly by a twisting maze of password
requirements and login form implementations by sites (banks, webmail, etc).

~~~
vorpalhex
> an interop standard for storing/sharing passwords

Is what we need. You can export from Chrome to a CSV, and you can import that
CSV into 1Password, but no way to get those passwords into or out of Firefox
that I've found (please tell me if you have a method..).

~~~
apetresc
> You can export from Chrome to a CSV, and you can import that CSV into
> 1Password, but no way to get those passwords into or out of Firefox that
> I've found (please tell me if you have a method..).

[https://github.com/kspearrin/ff-password-exporter/blob/maste...](https://github.com/kspearrin/ff-password-exporter/blob/master/README.md#ff-password-exporter) :)

------
bovermyer
Is Firefox trying to replicate all behavior of password managers?

~~~
Groxx
Browsers that offer to save your passwords _are_ password managers. They've
just been downright abhorrent at it for years. Improving that seems worth
doing?

~~~
woodrowbarlow
they certainly aren't as bad as they used to be, but the UX hasn't improved
much. in-browser password managers these days have acceptable security and
features like the one in the article are starting to surpass other password
managers. but gawd, the UX.

my biggest qualm with the UX of firefox's password manager is the "master
password" feature. it's a password you must enter to unlock your keychain.
that's a must-have for me.

what firefox does wrong:

* it's rendered as a simple dialog prompt, identical to javascript's window.prompt. could be faked by a site for phishing.

* the unlock prompt launches once, about 30 seconds after the browser is launched (right while i'm in the middle of typing a URL) and grabs focus.

* if you don't provide a password, the prompt will show up again each time you visit a page that has a login form for which you have a saved password, even if the login form is hidden with CSS. many sites have login forms on every page.

* there's no way to unlock the keychain on a per-site basis or lock it again once you've unlocked it (besides closing the browser).

what i want is:

* when i'm about to log in to a site, i expect to provide my master password and have firefox autofill my saved password for this site only.

* if i need the password again later, or a password for a different site, i expect to have to provide my master password again.

* a dialogue that i can trust to have come from the browser itself rather than the webpage.

* not to be interrupted by the dialogue unless i need to access a saved password.

~~~
Groxx
They seem to be working on the password manager in general lately(ish) e.g.
[https://lockwise.firefox.com/](https://lockwise.firefox.com/) , so I think
there's a decent chance that side of things will improve. Because yeah, it has
been an awful, nigh-unchanged experience for pretty much its whole existence.

~~~
woodrowbarlow
i hope so! i've seen a lot of recent announcements related to saved passwords.
but so far none of them have been about the UX.

------
hartator
How sending clear login and passwords to a third party website is ever a good
idea?

~~~
hughes
It isn't doing this. It uses a rough hash of the password to generate a bucket
ID that could represent a large number of passwords. That information is then
used to query a bucket for whether any passwords in the bucket exist.

For example, "password" hashes to "5BAA6", and the resulting bucket[1] lists
secure hashes of several dozen passwords.

The client then generates another hash of the password (e.g.
"1E4C9B93F3F0682250B6CF8331B7EE68FD8"), and checks if that secure hash is in
the bucket (it is, "password" has been compromised at least 3,730,471 known
times).

[1]:
[https://api.pwnedpasswords.com/range/5BAA6](https://api.pwnedpasswords.com/range/5BAA6)

~~~
MrStonedOne
This is also false.

Why would it need to send the passwords?

Could it not download a list of a every site that has ever been hacked along
with their domain list and the date of the hacking, then warn you if you have
a saved password for one of those domains that was saved before the domain was
hacked?

Because that's what it does.

------
java-man
Does it mean your browser is going to leak your sites/account information to a
third party?

Will this feature be enabled by default?

Can this be disabled?

~~~
SketchySeaBeast
[https://blog.mozilla.org/security/2018/06/25/scanning-breach...](https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/)

~~~
java-man
thank you.

------
verisimilitudes
So, Firefox operates with yet another third party. I've never used this ''Have
I been PWNed?'' drivel and don't intend to start, but I don't usually find
myself using a Firefox-brand Firefox, either.

What's so compelling about this website? To me, this looks like yet another
silly idea people coalesce around and find important. In having a discussion
about this, someone mentioned how it's not that different from Facebook and
Cloudflare in managing something technical for those who don't care to, and I
find this a rather decent comparison. This is yet another centralized and
completely unnecessary entity.

I don't see the appeal and I don't like what I regard as a stupid idea
receiving so much attention from so many groups. This isn't surprising coming
from Troy Hunt, however, who I best remember as the person bitching about an
ad blocker blocking an ad he found acceptable.

~~~
jedimastert
Do you maybe want to explain _why_ you think it's a bad idea instead of
spending three paragraphs dumping on it?

------
Endy
So you're saying that the browser client will now be regularly sending secure
information on a regular basis to a predictable IP, across HTTP (hopefully S,
but I'm sure there will be a fallback), via dynamic path and across an unknown
number of hops for transit. And this is supposed to be more secure.

I'm sure there's nothing to go wrong with that wonderful plan! Taking control
away from the user is a great idea!

Except that it's not.

~~~
ekimekim
The haveibeenpwned API uses a k-anonymity model, so that the client can check
a password in an efficient fashion (ie. without downloading the entire list of
pwned hashes), without also revealing the hash you're trying to check.

Basically, it asks for all pwned hashes that start with the same 5 characters
as your password's (hex-encoded) hash. So yes, there is an information leak
(the first 5 characters of your hash), but it's an extremely unimportant one.
Even knowing the first 5 characters, there's still 2^140 possible hashes it
could be. And of course they would then need a pre-image attack on SHA1 to
deduce your actual password from that.

More detail here: [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...](https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/#enablinganonymoussearcheswithkanonymity)

Finally, I'm sure this option will be possible to disable, probably in
settings but certainly in about:config.

