I have such great respect for Troy and all the work he's done/is continuing to do to promote good security practices. I just went on HIBP though and noticed the advice for better security is "use 1Password" (after checking your email for compromises).
This just seems a little too commercial to me and I'm not sure I like the phrasing. I fully understand the need for Troy to be sponsored and it's great that 1Password works well with his tooling, but it's not the only solution. I'd feel a little less uneasy if it was phrased in such a way as "Use a password manager, like 1Password".
Right on the HIBP page, it says "Why 1Password?" where you can read his reasoning for why he recommends the service. You, as an informed consumer, are free to research the things you find in that link, like "what is a password manager?", and decide whether to accept his recommendation or not.
What, precisely, makes you uneasy that he advocates the product of a particular company that he has experience with, trusts, and discloses as having a partnership?
Good response. Specifically I was objecting to this response after submitting your email address - https://imgur.com/toJaSYW. It's not clearly an advert, but also feels a little too commercial for the average user who's probably just been sent the HIBP link but isn't necessarily technical.
This. I am using LastPass for example, because it is probably the only password manager where you can completely disable auto-fill (you need to click on an input field and then pick a profile, so it is "on demand" fill), which makes automatic harvesting attacks much harder. I have switched from 1Password exactly for that reason: 1Password is very aggressive in filling input fields for you.
The most 1Password has ever done (in my experience) is submit after I select the login to use, even on sites with only one login. I disabled that aspect, and I always have to toggle the helper via ctrl/cmd-\. It has never pre-filled a login field without me asking it to, and that's across v4, v5, v6, and v7.
Not-so-happy LastPass user here: I evaluated alternatives, but LastPass is the only one which somehow works on Linux/Firefox. I have even tried to put pressure on 1Password about that, without much success: https://discussions.agilebits.com/discussion/comment/410603/...
I stopped using browser based password managers and switched to KeePass. It's a bit more work to pull passwords and back them up, but for me it beats trusting cloud services with security critical data.
This! I love my setup. I use KeePassXC and sync my password db with NextCloud. I love having an open source password manager that is useful across all of my devices, be it Android, Linux, Mac or Windows.
+1 for Enpass, using it to manage and sync passwords between android/iphone/ipad/mac/linux (via Dropbox). The single wart is it doesn't autofill Firefox on Android; you have to switch to a custom secure keyboard where you can manually fill on a field-by-field basis once you've authenticated with master pass or fingerprint.
Another thing I appreciate is that there is an npm module to decrypt your own wallet; this gives me confidence that I can access my secrets if there is some problem with the app or company.
1Password does in fact work on Linux and Firefox -- although it's not prominently advertised for some reason; I usually have to search for the page.
We have a team of developers using macOS and Linux, and we use the team functionality to manage both personal and company passwords. We made the switch to 1Password specifically because of Linux support [1].
I couldn't make it work 6 months ago. They answered on the issue I referenced above that it wasn't officially supported and they never sent any updates about that on that issue, so I supposed that the situation stayed the same. I wonder why they don't update their issues anyway.
I haven't used it myself, but it was created by Wladimir Palant (creator of AdBlock Plus extension), I believe after they examined the LastPass extension and were rather unimpressed with its security practices.
They don't have a 'horrible track record'. LastPass has always had some of the fastest response times to security issues. They've had certain breaches in the past, but nothing that has exposed any users' passwords.
I like not having my passwords tied to a device, a private key I could lose, etc. With an algorithm, I can still avoid credential stuffing, since all my accounts use totally different secure passwords, but I can derive them without having to look them up.
I realize someone could figure out my algorithm, but they'd probably need several of my passwords and at that point you're talking about a targeted attack.
Most normal websites don't make you rotate passwords. When a site has a breach and forces me to change it, I do have an addition to my algorithm for that. I use KeePass to store passwords that violate my algorithm (sites that don't allow my special chars, or that say my password is too long, etc.)
I'm on my third iteration of password algorithms. I use my password manager to store which algorithm I'm using for which site and try to update old ones to new ones as I encounter/use them.
There aren't that many exceptions to my rules, so I can usually remember those exceptions if I use them frequently enough.
Machine accounts that require rotation get their own special secure password that I don't use anywhere else.
Is this new behaviour? In the version of 1Password I have (6.8.8, Mac) it detects the website, but I have to click on the specific login using 1Password Mini to fill the fields. It's never done it automatically as far as I can tell.
It tends to be browsers which are gung-ho about automatically filling in login details.
Nope, I have used 1Password most of last year, maybe they changed it after the data harvesting attack from a few months ago, but for me, the tool was very aggressive in submitting data without me interacting with the website. At the time LastPass was the only major player with "click to launch" feature.
The only way I can think this would happen is if you clicked a URL from within 1Password, which would visit the site and then auto fill. Otherwise you have to press a hot key. That is literally how it has been for years with the only option to change being whether or not it tries to submit the login automatically after filling.
Think I missed that, what happened? I don't enable 1Password autofill or any of its browser extensions; I just see it as additional attack vectors waiting to be compromised.
> 1Password isn’t affected by this problem because it doesn’t include an automatic autofill feature.
Are you sure we’re talking about the same app? I’ve used 1Password for years, and it’s never autofilled for me. Maybe it was actually your browser’s built-in keyring?
I think they're confusing the 1Password browser extension.
1Password has a native app, which I use on both windows and osx, and I just don't install their browser extension for autofill features.
Though, given that I avoid autofill like the plague, I could easily be misunderstanding the issue too. I'm speaking of a subject I don't use, I don't think anyone should haha.
Sorry, I completely screwed up here. I think I am way overworked.
It's Dashlane that I was using, not 1Password.
After Dashlane I was using 1Password for a week but it was not for me, moved to Padlock and now with LastPass.
I have migrated to 1Pass and then from it to LastPass, thus the confusion.
I checked the history of my backups and somehow forgot about my migration from Dashlane, which was the initial tool that would do autofills. Sorry for the confusion, I should have checked that more thoroughly. A good sign for me that it is time for a walk.
The KeePassXC browser integration also does it the way you describe, where you choose a profile instead of having the form already filled in when the page loads.
I use an installed 1Password app, and avoid browser autofill extensions like the plague. Browser extensions don't have a good track record I believe, regardless of company. I don't blame the companies, I blame browser extensions.
I see little benefit in autofill integration, I just click the button in my task bar, click copy, and paste. LastPass has been pretty sketchy in the past too, I don't trust them. I've been quite happy with 1Password, fwiw.
I've been using 1password for many years, and that's not how 1password works for me. There might be a setting to enable that behaviour somewhere, but by default, it doesn't autofill without prompting. That's true for every version, OS, browser plugin, desktop app, mobile, etc.
Edit: I just saw your comment that it was actually Dashlane that autofilled! Nevermind then. :)
Absolutely. I myself don't trust closed source and for-profit on such a sensitive matter. It's a matter of time before you have to deal with some bullshit. I'm leaning towards bitwarden, seems very nice.
Their file format specs are open, and there are open-source implementations of it. Sure, closed source isn't ideal, but this is as good as it gets. The 'open-source' alternatives have a way worse security track record. I tried quite a few options, but always went back to 1pass...
I'll be checking out bitwarden for sure. It looks great. I'm ready to move away from Dashlane. While I haven't had any issues with it, I'd feel more comfortable having the data stored on my own servers. And the cost difference is pretty huge.
I recently discovered Enpass password manager (a mostly free alternative to 1password, only the mobile app has a pro version) also integrates HIBP into its desktop app.
As many have commented, this isn't a new tool for technologists.
The goal of Firefox Monitor is to bring this functionality to non-technical users, which requires a lot of user experience research to inform without scaring people away from using the internet.
One feature I wish HIBP had was support for sub-domain addressing [1] and plus addressing [2].
My main email address has the format 'example@fastmail.fm' and receives alerts from HIBP if found in a data breach, but all of the related subdomain-based email addresses do not (e.g. netflix@example.fastmail.fm, google@example.fastmail.fm etc.)
Based on the 1Password screenshots in the linked article it would appear that specific support for sub-domain/plus addressing may not be required?
However, Firefox Monitor looks like it has the same limitations as the HIBP website/API and makes the alerts somewhat less useful when using sub-domain/plus addressing.
I recently wrote a small tool to download the whole password database from HIBP and turn it into a Bloom filter that can be used from Golang or Python.
The tool also includes a webserver that lets you check for plaintext password matches (only recommended over a secure network) and SHA1 values:
The filter is about 1.7 GB in size with a 10e-6 false positive rate, so it can be used even on moderate hardware to check user passwords against the database (the entire filter must be loaded into memory currently, though it would be possible to use a memmapped file).
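An added example of the approach the comment describes (not the commenter's tool or HIBP's code): parse lines in the Pwned Passwords dump format (`SHA1-HEX:count`), size a Bloom filter from the item count and a target false-positive rate, and check a candidate password offline. The dump lines and counts below are constructed, and the filter reuses the SHA-1 digest bits as its hash functions instead of hashing the element again.

```python
"""Bloom filter over SHA-1 hashes in the HIBP Pwned Passwords dump format."""
import hashlib
import math

# Constructed sample in the "SHA1-HEX:count" dump format; counts are made up.
SAMPLE_DUMP = "\n".join(
    f"{hashlib.sha1(pw.encode()).hexdigest().upper()}:{count}"
    for pw, count in [("password", 3_000_000), ("123456", 20_000_000),
                      ("qwerty", 3_000_000), ("letmein", 200_000)]
)


def filter_size_bits(expected_items, false_positive_rate):
    """Standard Bloom sizing: m = -n ln(p) / (ln 2)^2 bits for n items at rate p."""
    n = max(1, expected_items)
    return math.ceil(-n * math.log(false_positive_rate) / (math.log(2) ** 2))


class Sha1BloomFilter:
    def __init__(self, expected_items, false_positive_rate):
        n = max(1, expected_items)
        self.m = filter_size_bits(n, false_positive_rate)
        # Optimal number of hash functions k = (m / n) ln 2.
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, sha1_hex):
        # The element is already a uniformly distributed 160-bit digest, so take
        # two 64-bit words from it and use Kirsch-Mitzenmacher double hashing:
        # position_i = (h1 + i * h2) mod m.
        digest = bytes.fromhex(sha1_hex)
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so all bits are reachable
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, sha1_hex):
        for pos in self._positions(sha1_hex):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, sha1_hex):
        # Bloom semantics: False is definite, True is "probably present".
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(sha1_hex))


def build_filter(dump_text, false_positive_rate=1e-6):
    """Load every SHA1-HEX:count line of a dump into a filter sized for that rate."""
    lines = [ln for ln in dump_text.splitlines() if ln.strip()]
    bf = Sha1BloomFilter(len(lines), false_positive_rate)
    for line in lines:
        sha1_hex, _, _count = line.partition(":")  # the count is not kept in a filter
        bf.add(sha1_hex.strip())
    return bf


def is_pwned(bf, password):
    """Hash the candidate the same way the dump does and query the filter."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in bf


if __name__ == "__main__":
    bf = build_filter(SAMPLE_DUMP)
    print(f"{bf.m} bits, {bf.k} hash functions, {len(bf.bits)} bytes")
    for candidate in ["password", "letmein", "correct horse battery staple"]:
        print(candidate, "->", "pwned" if is_pwned(bf, candidate) else "not seen")
```

`filter_size_bits` also gives the storage cost for a full-size dump: at a 1e-6 rate it comes to roughly 28.8 bits per entry, so memory grows linearly with the number of hashes loaded.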
You don't need to download them from HIBP. You can freely download all major breach databases from databases.today. There really aren't many passwords not represented in those databases which are present in others, but for everything else you can just automatically grab from dumpmon like Hunt does.
Also, try google dorking site:vk.com/doc and "@gmail.com"...there are many large password and email databases you can find that way which have not been publicized. This includes many which are not in HIBP. I've tried to call attention to this before but there isn't an active effort to crawl these.
Once you download, normalize and deduplicate the entire corpus of password databases, you can find matches in real time for e.g. signup requests.
I'm worried that this will just train people to start blindly clicking through "pwned password" modal dialogs for CVVs and OTP/SMS 2FA codes, just like they did for the "Do you want to view only the webpage content that was delivered securely?" dialog in MSIE.
The wide public is not so interested in secured content really imo, but they will rarely ignore warnings about their passwords. The password is like a pin for your debit card. You don't mind people seeing your card (unsecured content), but you will not share your pin code (password).
Next time you are in a checkout line, pay attention to how few people make any attempt to prevent shoulder surfing their PIN. POS devices have gotten better with shielded keypads, but there are still many machines that make it somewhat difficult to obscure your PIN. The average person gives very little thought to security, or at the very least gives little thought to possible threat models.
Make sure to not do it automatically, but on user interaction (like new Safari password fills). Otherwise you leak usernames and tie them to browser sessions which can be fingerprinted.
I think this is addressed by the use of k-anonymity which is described in the section of the article titled “Enabling Anonymous Searches with k-Anonymity”.
This uses HIBP for the underlying dataset. I'm not sure what's added though. Convenient UX? They claim to only send anonymized data out, but HIBP already supports the underlying hash range queries -- that doesn't appear to be new here.
I suspect it'll warn you if any of the accounts you've saved in Firefox (username/password) have been compromised. 1Password already does this¹ but this is likely the Firefox implementation of it.
The main thing added here is a brand and some advertising, but that's not insignificant. Haveibeenpwned is a good service but it looks a whole lot like http://ismycreditcardstolen.com/ on first glance. If the Mozilla brand gets it to more people, that's a win.
I always assumed this was to avoid outing people as gay, to avoid kids working out that their mother started dating again, or to avoid an Ashley Madison-type scenario. Those seem more dangerous than being found to have an account on dodgy-carderz.com.
Have you considered the amount of PII the dating site is likely to have on their average customer? Access to a dating profile is almost as good as Facebook access to perpetrate identity theft.
That's not what makes a breach "sensitive" for HIBP, it's about breaches that only can be checked if you authenticated your e-mail address or domain, so that not everyone can check if you've used the site.
Troy has done great security work for the community at large. If you haven't seen it check out one of his other projects https://report-uri.com that aggregates your Content Security Policy reports for your site; a base security measure almost everyone should be utilizing for their sites these days.
I need a browser extension (for Safari) to warn me if the site is behind Cloudflare. I'll pay money :) I'm kinda protected by using VPN, IP is not my ISP IP. But the rest, plus browser fingerprinting is busted.
Use this: www.cloudflare.com/ips/ and HTTP headers like CF-RAY
Same as with any other CDN, the load-balancer frontend of any cloud provider (e.g. if HIBP weren't behind Cloudflare, would you post the same about Azure, where its backend lives?), ...
I get why people are critical of SSL termination that talks to the backend over public channels unencrypted (which Cloudflare offers too), but for the HTTPS-to-HTTPS case they behave exactly like many other companies.
That said, I find it weird that people appear to single out Cloudflare (e.g. asking for a Cloudflare-detection extension) when there's nothing materially different about them from many other companies serving large parts of the web. Traffic is protected between you and an agent the site you are visiting trusts, just like in nearly every other hosting scenario. You're almost by definition not "pwned" if your traffic is seen by someone who is supposed to see it, as long as they treat it appropriately.
> You're almost by definition not "pwned" if your traffic is seen by someone who is supposed to see it,
Well ... No one, repeat, no one is supposed to see my traffic except the site owner. I just don't buy the 'trusted' CDN provider idea. 'Treat it appropriately'? I'm past that.
Do you buy the idea of trusted hosting providers? Or does everyone need to own their hardware? Or are rented VMs ok? (where traffic isn't exposed by design, unlike with traditional hosting or ingress services by cloud providers, but could be accessed by the provider if it really wanted to)
> Nothing is wrong about CNN terminating SSL on CNN CDN nodes, it is part of CNN's infrastructure. In house.
But they don't, they use Fastly, at least that's where cnn.com points. Are they better than CF?
I did know that HN uses Cloudflare, yes, and if I distrusted Cloudflare specifically I'd maybe want something making sure I always know, but I kind of expect nowadays that sites use CDNs or cloud infrastructure and have no strong reason to distrust any of the many providers more than the others.
Leave the Firefox alone, please. Pocket, HIBP, 1Password, Cloudflare ... Not cool. 1Password has flawed sec rep [0], Cloudflare is pure MITM, stripping TLS between you and webserver, the rest just network and data leaks I haven't asked for.
For passwords best is KeepassXC, sync encrypted db via any file sharing.
I think a lot of people have my email address. You don't hear people worrying about spam so much these days (other than people who have the time and inclination to run their own mail servers). So it would seem to be a small price to pay to keep tabs on your passwords.
k-Anonymity. In other words, "I have hashed my e-mail address, here's the beginning part of the hash: 0deadbeef0, tell me if you have anything matching that." "Yup, I have something that hashes to 0deadbeef0123456789abcd, associated with these breaches, and something else that hashes to 0deadbeef0abc1056886516, associated with those breaches." Plaintext is not exposed, and you're not even exposing the whole hash, so GL to anyone trying to find out which of the hashes (if any) is yours, let alone what the plaintext was.
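The exchange described above with both sides spelled out, as an added example that is not HIBP's or Firefox Monitor's code: the client sends only the first five hex characters of the SHA-1 (the prefix length the Pwned Passwords range API uses), the server answers with every suffix it holds under that prefix, and the match is made on the client. The server corpus, its counts and the padding hashes that share a prefix are constructed.

```python
"""k-anonymity range query: client sends a hash prefix, matches suffixes locally."""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # 5 hex chars = 20 bits of the 160-bit SHA-1 leave the wire


def sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Holds full hashes and counts, but only ever receives a prefix."""

    def __init__(self, records):
        # records: {FULL-SHA1-HEX: count}, bucketed by prefix for lookup.
        self.by_prefix = defaultdict(dict)
        for full_hash, count in records.items():
            self.by_prefix[full_hash[:PREFIX_LEN]][full_hash[PREFIX_LEN:]] = count
        self.requests_seen = []  # what the operator could log about clients

    def range(self, prefix):
        """Response body in the range-API style: one SUFFIX:COUNT line per hash."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the prefix, nothing more")
        self.requests_seen.append(prefix)
        bucket = self.by_prefix.get(prefix, {})
        return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def check_secret(server, secret):
    """Client side: return the breach count for the secret, 0 if unseen."""
    full = sha1_hex(secret)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    body = server.range(prefix)          # only the prefix is transmitted
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:          # comparison happens locally
            return int(count)
    return 0


def anonymity_set_size(server, secret):
    """How many stored hashes the server cannot tell apart given the request."""
    return len(server.by_prefix.get(sha1_hex(secret)[:PREFIX_LEN], {}))


def build_demo_server():
    # Constructed corpus: a few hashed passwords plus two padding hashes that
    # deliberately share the prefix of sha1("password") so the anonymity set is
    # visibly larger than one. Counts are made up.
    records = {sha1_hex("password"): 42, sha1_hex("qwerty"): 7, sha1_hex("letmein"): 3}
    shared_prefix = sha1_hex("password")[:PREFIX_LEN]
    records[shared_prefix + "A" * 35] = 1
    records[shared_prefix + "B" * 35] = 5
    return BreachServer(records)


if __name__ == "__main__":
    srv = build_demo_server()
    for secret in ["password", "hunter2-not-in-corpus"]:
        print(secret, "->", check_secret(srv, secret), "hits;",
              "anonymity set", anonymity_set_size(srv, secret))
    print("server saw:", srv.requests_seen)
```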
Agreed. However, for the average user, I think the risk posed by this new Firefox feature is smaller than the risk they're exposing themselves through ignorance.
Disagree. Respectfully :) Today we live in an age of free data harvesting, a 'land grab' by the majors. Shipping the combination of your email, IP and user-agent as a default browser behaviour is just another leak.
Again: no-email-exposed-never-not-even-encrypted-or-hashed. So just an IP address and user agent; if that is a leak, I would recommend disconnecting from the network altogether.
It reads like a press release. Praises for Troy, Troy praises 1Password and Cloudflare, great sell to naive Mozilla. Shareholders pat themselves on the backs. Champagne, sir?
I use Firefox. Are you saying I'm now less safe? If I'm more safe but some other people don't like the solution then I guess they can configure or fork Firefox then we're all happy, right?
Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues. That could in theory make it less secure.
HIBP and 1Password aren't making FF more secure; chances are they're increasing attack surface in both directions (i.e. making compromise of 1Password more likely too).
The GP posited a stance, the parent refuted the _possibility_ of it, I was stating it was possible. Indeed, is it not a quite reasonable and logical possibility?
If the parent addressed the actuality of it, perhaps with some factual basis, ... (Like "when FF did X in past they still quashed Y bugs, introduced Z features" - I know number of bugs/whatever isn't the best metric, but something factual) ...
I wonder what the controlling minds of Firefox are trying to achieve as a long-term goal; they seem to take an opposite stance to the "do one thing well" philosophy.
> Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues.
This is a logical fallacy. It's like saying that if we didn't spend money on the space program, we could feed Africa with that money. The problem here is that this is not a zero-sum game: the people that worked on this (e.g. Troy Hunt) wouldn't have had the skills or inclination to bring other enhancements to Firefox. Thus this is a net addition, and not to the detriment of other work.
> That could in theory make it less secure
So adding a feature that helps people be more secure against a specific threat (using bad passwords that have been broken) makes the product less secure? This makes no sense, but it's just put in there to spread Fear (FF is less secure because of added security features) and Doubt ("could in theory" ... meaning we don't know, but let's put this out there).
> HIBP and 1Password aren't making FF more secure,
I tend to evaluate security in the context of a threat model. HIBP and 1Password have very good track records of mitigating attacks on user passwords (by notifying people about password breaches and thus decreasing the value of a password breach, and by making it easy for the average user to manage complex passwords). As a result, Firefox users have better tools to manage password-based authentication, increasing their security.
> chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
The evaluation of the "attack surface" here refers to the horizontal scale (how many actors of the same type see the interface) whereas the concept of reducing the "attack surface" refers to the vertical scale (how many types of communication the actors see). Reducing the horizontal scale is known as "security by obscurity" and it's a very bad idea to use it. A larger horizontal scale has no impact on the security, see ciphered communication: an encrypted message doesn't get less secure if more eyes see it, its security only depends on how well the encryption works.
Assuming that 1Password doesn't use "security by obscurity", increasing its footprint on the web will not decrease its security.
Mozilla has wasted a bunch of resources creating a pointless tool. Let me explain why!
Last year, they promised to create an add-on that triggered when you visited sites known to have been breached in the past, and let the user check if his password was included in the leaked data, via HIBP: https://www.bleepingcomputer.com/news/security/firefox-will-...
Now, they announced Firefox Monitor, which is nothing but a standalone website where you can check your email and see if it's been included in public breaches. This is the same functionality of the main HIBP website. If people want to check if their email was included in a breach, they'd just visit HIBP, not Firefox Monitor.
Why does this website exist in the first place? They took a good idea that used a proactive approach to alerting users of potentially leaked passwords and they've created a Firefox-branded HIBP clone website that very few people are gonna know about or even use.
Pointless use of resources, when they could have used them for something actually useless.
>> ...that very few people are gonna know about or even use
"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."
You're ignoring how most users need things in front of their face. Most users are not privacy or security "aware" in any manner. Putting it in the UI or actively promoting these services is beneficial to the common web user.
And if it fails, it's at least worth it to learn why it failed. Was the UI bad? Did it not promote the service in the right way? Did users not understand the purpose of the tool?
Now, the screenshot doesn't have a URL in the address bar, suggesting it might be a built-in special page. But it also has a generic "Page title" in the tab title, so it looks like a modified stock image rather than an actual UI screenshot.
The screenshot on Troy Hunt's blog does show "https://www.mozilla.org/firefoxmonitor", but it's otherwise the same screenshot with the same generic "Page title", so it's probably equally fake.
(I tried to look for the actual bugzilla bug for this for more info, but didn't find anything.)
So, you conclude that it is a pointless tool because people can consult the HIBP website directly. Meanwhile, Troy Hunt, the creator of the HIBP website himself, writes that this is a good idea.
The intentions are good, but yeah, it seems like a half-baked solution.
Why not integrate this tool directly into the browser UI? User goes to whatever website, inputs his login creds, Firefox reads the login email and sees if the email+url combo is in the HIBP database. If yes, a message will advise the user to change his password. End of story.
Shooting the messenger, that's what. People tend to confuse "X might have your password" and "Y tells me 'something X something password', therefore Y hacked me".
Everything said that isn't politically correct is systematically downvoted here on «hacker» news. I am enjoying your very low knowledge and your smartphone attitude. LOL
Please, for heaven's sake, don't! Isn't it enough to have a binary blob for DRM? I don't want to have another binary blob in my Firefox. And especially one which takes all my passwords and sends them to some company's cloud. You can't know what happens with this data because all parts are proprietary. I can't trust a binary blob with all my passwords.
Not quite 1Password, but Mozilla is developing a cross-platform password manager, tentatively called "Lockbox", that will support Firefox, Android, iOS, and possibly a Chrome extension.
I hope they add support for self-hosted backends. It'd be great to have a self-hosted password manager developed by a company with an amazing security team.
I don't recall any popular website using Basic Auth. FF must implement WebAuthn or whatever was last offered to fix auth. Have I Been Pwned brings nothing new to the table.
Well, that's the problem with browsers though: they need to support a slightly broader range of sites than just the currently popular ones; long tail and whatnot.
Now, I am all for actually secure auth, and support in browsers is the necessary first step; for "fixing auth", someone then needs to implement the other side of the equation, too (I do remember when OpenId+HW 2FA was supposed to have fixed this, a few years back).
As for "nothing new" - for the people of HN, perhaps. For the casual user, this is something radically new.
>I do remember when OpenId+HW 2FA was supposed to have fixed this
HW 2FA can never fix auth because it's hardware, and cannot scale. There are solutions out there; all that's left is to raise awareness to add it. Showing popular passwords will just move us to a new set of popular passwords and so on.