This just seems a little too commercial to me and I'm not sure I like the phrasing. I fully understand the need for Troy to be sponsored and it's great that 1Password works well with his tooling, but it's not the only solution. I'd feel a little less uneasy if it was phrased in such a way as "Use a password manager, like 1Password".
What, precisely, makes you uneasy that he advocates the product of a particular company that he has experience with, trusts, and discloses as having a partnership?
I’ve even caught them editing their wiki page, trying to erase their past, which was reverted thanks to HN.
No cloud, only USB keys. The thing is, I lost two of these USB keys! Had to rotate my passwords ;)
This is a 3rd party implementation of the bitwarden api, which gives me more confidence in the 1st party product.
We have a team of developers using macOS and Linux, and we use the team functionality to manage both personal and company passwords. We made the switch to 1Password specifically because of Linux support.
See 1Password X: https://support.1password.com/getting-started-1password-x/
It's now as easy as adding the extension and logging in.
I haven't used it myself, but it was created by Wladimir Palant (creator of AdBlock Plus extension), I believe after they examined the LastPass extension and were rather unimpressed with its security practices.
I like not having my passwords tied to a device, private key I could lose, etc. With an algorithm, I can still avoid credential stuffing, since all my accounts use totally different secure passwords, but I can derive them without having to look them up.
I realize someone could figure out my algorithm, but they'd probably need several of my passwords and at that point you're talking about a targeted attack.
I'm on my third iteration of password algorithms. I use my password manager to store which algorithm I'm using for which site and try to update old ones to new ones as I encounter/use them.
There aren't that many exceptions to my rules, so I can usually remember those exceptions if I use them frequently enough.
Machine accounts that require rotation get their own special secure password that I don't use anywhere else.
It tends to be browsers which are gung-ho about automatically filling in login details.
Think I missed that, what happened? I don't enable 1Password autofill or any of its browser extensions, I just see it as additional attack vectors waiting to be compromised.
> 1Password isn’t affected by this problem because it doesn’t include an automatic autofill feature.
Are you sure we’re talking about the same app? I’ve used 1Password for years, and it’s never autofilled for me. Maybe it was actually your browser’s built-in keyring?
1Password has a native app, which I use on both Windows and OS X, and I just don't install their browser extension for autofill features.
Though, given that I avoid autofill like the plague, I could easily be misunderstanding the issue too. I'm speaking of a subject I don't use, I don't think anyone should haha.
It's Dashlane that I was using, not 1Password.
After Dashlane I was using 1Password for a week but it was not for me, moved to Padlock and now with LastPass.
I have migrated to 1Pass and then from it to LastPass, thus the confusion.
I checked the history of my backups and somehow forgot about my migration from Dashlane, which was the initial tool that would do autofills. Sorry for the confusion, I should have checked that more thoroughly. A good sign for me that it is time for a walk.
I use an installed 1Password app, and avoid browser autofill extensions like the plague. Browser extensions don't have a good track record I believe, regardless of company. I don't blame the companies, I blame browser extensions.
I see little benefit in autofill integration, I just click the button in my task bar, click copy, and paste. LastPass has been pretty sketchy in the past too, I don't trust them. I've been quite happy with 1Password, fwiw.
I've been using 1password for many years, and that's not how 1password works for me. There might be a setting to enable that behaviour somewhere, but by default, it doesn't autofill without prompting. That's true for every version, OS, browser plugin, desktop app, mobile, etc.
Edit: I just saw your comment that it was actually Dashlane that autofilled! Nevermind then. :)
The goal of Firefox Monitor is to bring this functionality to non-technical users, which requires a lot of user experience research to inform without scaring people away from using the internet.
1. Test Firefox Monitor on the web
2. Integrate it for all Firefox users
My main email address has the format 'firstname.lastname@example.org' and receives alerts from HIBP if found in a data breach, but all of the related subdomain-based email addresses do not (e.g. email@example.com, firstname.lastname@example.org etc.)
Based on the 1Password screenshots in the linked article it would appear that specific support for sub-domain/plus addressing may not be required?
However, Firefox Monitor looks like it has the same limitations as the HIBP website/API and makes the alerts somewhat less useful when using sub-domain/plus addressing.
See here: https://haveibeenpwned.com/DomainSearch
The tool also includes a webserver that lets you check for plaintext password matches (only recommended over a secure network) and SHA1 values:
The filter is about 1.7 GB in size with a 10e-6 false positive rate, so it can be used even on moderate hardware to check user passwords against the database (the entire filter must be loaded into memory currently, though it would be possible to use a memmapped file).
Also, try google dorking site:vk.com/doc and "@gmail.com" ... there are many large password and email databases you can find that way which have not been publicized. This includes many which are not in HIBP. I've tried to call attention to this before but there isn't an active effort to crawl these.
Once you download, normalize and deduplicate the entire corpus of password databases, you can find matches in real time for e.g. signup requests.
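The Bloom-filter check described in the posts above, as an added example that is not the commenter's tool and not code from HIBP: a filter sized for a target false-positive rate (the 10e-6 figure mentioned above) over uppercase SHA-1 hex of normalized, deduplicated dump lines, as a signup-time lookup would use. The class and function names, and the sample dump, are constructed for this illustration.

```python
"""Bloom filter over SHA-1 hashes of breached passwords (constructed example)."""
import hashlib
import math


class PwnedPasswordFilter:
    """Bloom filter keyed on uppercase SHA-1 hex, the form HIBP publishes."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        n, p = max(1, expected_items), false_positive_rate
        # Classic sizing: m bits and k hash functions for a target FP rate.
        self.m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    @staticmethod
    def sha1_hex(password: str) -> str:
        return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

    def _positions(self, sha1_hex: str):
        # Double hashing (Kirsch-Mitzenmacher): k indices from two 64-bit values.
        d = hashlib.sha256(sha1_hex.encode("ascii")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add_hash(self, sha1_hex: str) -> None:
        for pos in self._positions(sha1_hex.upper()):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def contains_hash(self, sha1_hex: str) -> bool:
        # True means "probably pwned" (FP rate p); False is definitive.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(sha1_hex.upper()))

    def contains_password(self, password: str) -> bool:
        return self.contains_hash(self.sha1_hex(password))


def build_filter(corpus_lines, false_positive_rate=1e-6) -> PwnedPasswordFilter:
    """Normalize (strip line endings, drop blanks) and deduplicate raw dump lines, then index SHA-1s."""
    unique = {line.rstrip("\r\n") for line in corpus_lines if line.strip()}
    f = PwnedPasswordFilter(len(unique), false_positive_rate)
    for pw in unique:
        f.add_hash(PwnedPasswordFilter.sha1_hex(pw))
    return f


# Constructed sample "dump": duplicates, CRLF endings and a blank line on purpose.
SAMPLE_DUMP = ["password\r\n", "123456\n", "password\n", "letmein\n", "qwerty\r\n", "\n"]
PWNED = build_filter(SAMPLE_DUMP)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "pwned" if PWNED.contains_password(candidate) else "not found")
```

A real deployment would serialize `bits` to disk (or memory-map it, as the post suggests) and consult it only server-side, returning a "choose another password" result rather than the matching hash.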
You are. HN sits behind Cloudflare. Your SSL connection terminates at Cloudflare to plaintext, and a new SSL connection to HN is created.
Your login and password, IP and User-Agent and who knows what else, is in clear view to Cloudflare - you've been pwned :))
I know a few places that... would pretty much die for such a global "MITM" service, so I wonder if it's five corners financing it.
Use this: www.cloudflare.com/ips/ and HTTP headers like CF-RAY
I get why people are critical of SSL termination that talks to the backend over public channels unencrypted (which Cloudflare offers too), but for the HTTPS-to-HTTPS case they behave exactly like many other companies.
Well ... No one, repeat, no one is supposed to see my traffic except the site owner. I just don't buy the 'trusted' CDN provider idea. 'treat it appropriately' - I'm past that.
Cloudflare is bad because it terminates ~10% of global traffic. How would I know that my HN login/password is known to Cloudflare? Did you know?
But they don't, they use Fastly, at least that's where cnn.com points. Are they better than CF?
I did know that HN uses Cloudflare, yes, and if I distrusted Cloudflare specifically I'd maybe want something making sure I always know, but I kind of expect nowadays that sites use CDNs or cloud infrastructure and have no strong reason to distrust any of the many providers more than the others.
For passwords best is KeepassXC, sync encrypted db via any file sharing.
¹ - https://blog.agilebits.com/2018/02/22/finding-pwned-password...
"We're Baking Have I Been Pwned into Firefox and 1Password"
The way it's now, you can do searches for people's emails and get info of the sites people have been using.
Must be storing a lot of email addresses at this point.
Is there anything to alleviate those concerns other than "trust us, we're not saving emails from queries"?
Going public with this would probably be a good time to update the website.
If you do half-trust them, if they're reasonable, they don't store the email addresses. They don't need to, for a simple search.
But the post is about integrating it into the browser, isn't it?
You don't click them :)
HIBP also includes leaks that didn't include recoverable passwords, but other personal data.
Last year, they promised to create an add-on that triggered when you visited sites known to have been breached in the past, and let the user check if his password was included in the leaked data, via HIBP: https://www.bleepingcomputer.com/news/security/firefox-will-...
Now, they announced Firefox Monitor, which is nothing but a standalone website where you can check your email and see if it's been included in public breaches. This is the same functionality as the main HIBP website. If people want to check if their email was included in a breach, they'd just visit HIBP, not Firefox Monitor.
Why does this website exist in the first place? They took a good idea that used a proactive approach to alerting users of potentially leaked passwords and they've created a Firefox-branded HIBP clone website that very few people are gonna know about or even use.
Pointless use of resources, when they could have used them for something actually useless.
"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."
And if it fails, it's at least worth it to learn why it failed. Was the UI bad? Did it not promote the service in the right way? Did users not understand the purpose of the tool?
I think the juice is worth the squeeze.
2. Get it working well with UI, UX, etc....
3. Then integrate it into the browser.
Seems like a totally logical flow to me.
When Firefox warns you that you're (possibly) pwned when you browse to a website or try to log in, then you can't get around combining step 2 and 3.
Or when Firefox compares your password database with HIBP, you can't get around combining step 2 and 3.
Firefox Monitor is just a page on the official Mozilla website.
> The site will offer recommendations
Now, the screenshot doesn't have a URL in the address bar, suggesting it might be a built-in special page. But it also has a generic "Page title" in the tab title, so it looks like a modified stock image rather than an actual UI screenshot.
The screenshot on Troy Hunt's blog does show "https://www.mozilla.org/firefoxmonitor", but it's otherwise the same screenshot with the same generic "Page title", so it's probably equally fake.
(I tried to look for the actual bugzilla bug for this for more info, but didn't find anything.)
(Disclosure: Although I work at Mozilla, I have not worked on Firefox Monitor)
Why not integrate this tool directly into the browser UI? User goes to whatever website, inputs his login creds, Firefox reads the login email and sees if the email+url combo is in the HIBP database. If yes, a message will advise the user to change his password. End of story.
What's the angle? "Stick it to the Man", and stuff?
HIBP and 1Password aren't making FF more secure, chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
Did I miss any announcement about 1Password becoming part of FF, or Mozilla helping in any way with development of 1Password?
On the second point, why bother with some 3rd party? I trust Mozilla, not its 'partners'
You stretched that argument to points that only Reed Richards could match...
If the parent addressed the actuality of it, perhaps with some factual basis, ... (Like "when FF did X in past they still quashed Y bugs, introduced Z features" - I know number of bugs/whatever isn't the best metric, but something factual) ...
I wonder what the controlling minds of Firefox are trying to achieve as a long-term goal; they seem to take an opposite stance to the "do one thing well" philosophy.
(FWIW it's not a position I hold, I've not looked at the situation properly yet.)
> Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues.
This is a logical fallacy. It's like saying - if we wouldn't spend money on the space program, we could feed Africa with that money. The problem here is that this is not a zero-sum game: the people that worked on this (e.g. Troy Hunt) wouldn't have had the skills or inclination to bring other enhancements to Firefox. Thus this is a net addition, and not to the detriment of other work.
> That could in theory make it less secure
So adding a feature that helps people be more secure against a specific threat (using bad passwords that have been broken) makes the product less secure? This makes no sense, but it's just put in there to spread Fear (FF is less secure because of added security features) and Doubt ("could in theory" ... meaning we don't know, but let's put this out there).
> HIBP and 1Password aren't making FF more secure,
I tend to evaluate security in the context of a threat model. HIBP and 1Password have very good track records of mitigating attacks on user passwords (by notifying people about password breaches and thus decreasing the value of a password breach, and by making it easy for the average user to manage complex passwords). As a result, Firefox users have better tools to manage password-based authentication, increasing their security.
> chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
The evaluation of the "attack surface" here refers to the horizontal scale (how many actors of the same type see the interface) whereas the concept of reducing the "attack surface" refers to the vertical scale (how many types of communication the actors see). Reducing the horizontal scale is known as "security by obscurity" and it's a very bad idea to use it. A larger horizontal scale has no impact on the security, see ciphered communication: an encrypted message doesn't get less secure if more eyes see it, its security only depends on how well the encryption works.
Assuming that 1Password doesn't use "security by obscurity", increasing its footprint on the web will not decrease its security.
Nothing is politically incorrect about your post, but it doesn't add to the discussion.
What's the deal with WebAuthN? Such a basic functionality still not completed.
“Perfect is the enemy of good”.
Now, I am all for actually secure auth, and support in browsers is the necessary first step; for "fixing auth", someone then needs to implement the other side of the equation, too (I do remember when OpenId+HW 2FA was supposed to have fixed this, a few years back).
As for "nothing new" - for the people of HN, perhaps. For the casual user, this is something radically new.
HW 2FA can never fix auth because it's hardware, and cannot scale. There are solutions out there, all that's left is to raise awareness to add it. Showing popular passwords will just move us to a new set of popular passwords and so on.