We're Baking ‘Have I Been Pwned’ into Firefox and 1Password (troyhunt.com)
688 points by edward 8 months ago | 191 comments

I have such great respect for Troy and all the work he's done/is continuing to do to promote good security practices. I just went on HIBP though and noticed the advice for better security is "use 1Password" (after checking your email for compromises).

This just seems a little too commercial to me and I'm not sure I like the phrasing. I fully understand the need for Troy to be sponsored and it's great that 1Password works well with his tooling, but it's not the only solution. I'd feel a little less uneasy if it was phrased in such a way as "Use a password manager, like 1Password".

Right on the HIBP page, it says "Why 1Password?" where you can read his reasoning for why he recommends the service. You, as an informed consumer, are free to research the things you find in that link, like "what is a password manager?", and decide whether to accept his recommendation or not.

What, precisely, makes you uneasy that he advocates the product of a particular company that he has experience with, trusts, and discloses as having a partnership?

Good response. Specifically I was objecting to this response after submitting your email address - https://imgur.com/toJaSYW. It's not clearly an advert, but also feels a little too commercial for the average user who's probably just been sent the HIBP link but isn't necessarily technical.

This. I am using LastPass for example, because it is probably the only password manager where you can completely disable auto-fill (you need to click on an input field and then pick a profile - so it is "on demand" fill), which makes automatic harvesting attacks much harder. I have switched from 1Password exactly for that reason - 1Password is very aggressive in filling input fields for you.

The most 1Password has ever done (in my experience) is submit after I select the login to use, even on sites with only one login. I disabled that aspect, and I always have to toggle the helper via ctrl/cmd-\. It has never pre-filled a login field without me asking it to, and that's across v4, v5, v6, and v7.

LastPass has a horrible security track record.

I’ve even caught them editing their wiki page, trying to erase their past, which was reverted thanks to HN.

Not-so-happy LastPass user here: I evaluated alternatives, but LastPass is the only one which somehow works on Linux/Firefox. I have even tried to put pressure on 1Password about that, without much success: https://discussions.agilebits.com/discussion/comment/410603/...

BitWarden works fine. I'm using Linux/Firefox as well, the rest of the time is on Windows/Chrome. It's 100% open source: https://bitwarden.com/

I stopped using browser based password managers and switched to KeePass. It's a bit more work to pull passwords and back them up, but for me it beats trusting cloud services with security critical data.

I stopped as well, but went for a different setup: Tomb [1] and Pass [2]. There's even a combination of the two: pass-tomb [3], but I don't use it.

No cloud, only USB keys. The thing is, I lost two of these USB keys! Had to rotate my passwords ;)

[1]: https://github.com/dyne/Tomb
[2]: https://github.com/zx2c4/password-store
[3]: https://github.com/roddhjav/pass-tomb

This! I love my setup. I use KeePassXC and sync my password db with NextCloud. I love having an open source password manager that is useful across all of my devices, be it Android, Linux, Mac or Windows.

KeepassXC, syncthing, and keepass2android here.

Sure but good luck using KeePass across a team on multiple devices.

And you can self host it, which was what convinced me to switch from lastpass.

This is a 3rd party implementation of the bitwarden api, which gives me more confidence in the 1st party product.

Have you tried Enpass? It works on Linux and has plugins for Firefox and Chrome. https://www.enpass.io

+1 for Enpass, using it to manage and sync passwords between android/iphone/ipad/mac/linux (via dropbox). The single wart is it doesn't autofill Firefox on Android; you have to switch to a custom secure keyboard where you can manually fill on a field-by-field basis once you've authenticated with master pass or fingerprint. Another thing I appreciate is that there is an npm module to decrypt your own wallet; this gives me confidence that I can access my secrets if there is some problem with the app or company.

1Password does in fact work on Linux and Firefox -- although it's not prominently advertised for some reason; I usually have to search for the page.

We have a team of developers using macOS and Linux, and we use the team functionality to manage both personal and company passwords. We made the switch to 1Password specifically because of Linux support [1].

[1] See 1Password X: https://support.1password.com/getting-started-1password-x/

I couldn't make it work 6 months ago. They replied on the issue I referenced above that it wasn't officially supported, and they never posted any updates on that issue, so I supposed that the situation stayed the same. I wonder why they don't update their issues anyway.

1Password X works on Firefox now as well. Source: I am using it with Firefox on Linux.

I couldn't make it work (see the link above).

That link refers to forum posts from January. Firefox has only been officially supported on stable versions since May.

It's now as easy as adding the extension and logging in.

It used to be horrendously broken, but it works now.

Have you tried Pain-free Passwords?

I haven't used it myself, but it was created by Wladimir Palant (creator of AdBlock Plus extension), I believe after they examined the LastPass extension and were rather unimpressed with its security practices.

I’m using Bitwarden on budgie / Firefox. Works great.

Thank you! I'll evaluate it

Not that it's the greatest solution, but 1Password does work on Linux using Wine.

Yeah, by no means am I an ambassador of them. For me, it was so-so vs bad really.

They don't have a 'horrible track record'. LastPass has always had some of the fastest response times to security issues. They've had certain breaches in the past, but nothing that has exposed any users' passwords.

I still use a pretty complex password algorithm:

I like not having my passwords tied to a device, private key I could lose, etc. With an algorithm, I can still avoid credential stuffing, since all my accounts use totally different secure passwords, but I can derive them without having to look them up.

I realize someone could figure out my algorithm, but they'd probably need several of my passwords and at that point you're talking about a targeted attack.

What do you do when you're asked to rotate your password every ninety days?

Most normal websites don't make you rotate passwords. When a site has a breach and forces me to change it, I do have an addition to my algorithm for that. I use Keepass to store passwords that violate my algorithm (sites that don't allow my special chars, or that say my password is too long, etc.)

I'm on my third iteration of password algorithms. I use my password manager to store which algorithm I'm using for which site and try to update old ones to new ones as I encounter/use them.

There aren't that many exceptions to my rules, so I can usually remember those exceptions if I use them frequently enough.

Machine accounts that require rotation get their own special secure password that I don't use anywhere else.

Not the parent, but I haven't been asked this in years. I do periodically change important passwords, but I can't recall being forced to.

Is this new behaviour? In the version of 1Password I have (6.8.8, Mac) it detects the website, but I have to click on the specific login using 1Password Mini to fill the fields. It's never done it automatically as far as I can tell.

It tends to be browsers which are gung-ho about automatically filling in login details.

Nope, I have used 1Password most of last year, maybe they changed it after the data harvesting attack from a few months ago, but for me, the tool was very aggressive in submitting data without me interacting with the website. At the time LastPass was the only major player with "click to launch" feature.

The only way I can think this would happen is if you clicked a URL from within 1Password, which would visit the site and then auto fill. Otherwise you have to press a hot key. That is literally how it has been for years with the only option to change being whether or not it tries to submit the login automatically after filling.

> data harvesting attack

Think I missed that, what happened? I don't enable 1Password autofill or any of its browser extensions, I just see it as additional attack vectors waiting to be compromised.

From your link:

> 1Password isn’t affected by this problem because it doesn’t include an automatic autofill feature.

Are you sure we’re talking about the same app? I’ve used 1Password for years, and it’s never autofilled for me. Maybe it was actually your browser’s built-in keyring?

I think they're confusing the 1Password browser extension.

1Password has a native app, which I use on both windows and osx, and I just don't install their browser extension for autofill features.

Though, given that I avoid autofill like the plague, I could easily be misunderstanding the issue too. I'm speaking of a subject I don't use, I don't think anyone should haha.

I use the browser extension. It does not autofill. I have to open the extension and then select the site before it will fill any form fields.

Sorry, I completely screwed up here. I think I am way overworked.

It's Dashlane that I was using, not 1Password.

After Dashlane I was using 1Password for a week but it was not for me, moved to Padlock and now with LastPass.

I have migrated to 1Pass and then from it to LastPass, thus the confusion.

I checked the history of my backups and somehow forgot about my migration from Dashlane, which was the initial tool that would do autofills. Sorry for the confusion, I should have checked that more thoroughly. A good sign for me that it is time for a walk.

Bitwarden has auto-fill disabled by default, and only enables it with a warning (“Use at your own risk”).

Good to know, the more alternatives the better.

The KeePassXC browser integration also does it the way you describe, where you choose a profile instead of having the form already filled in when the page loads.

Note, that's if you use autofill at all.

I use an installed 1Password app, and avoid browser autofill extensions like the plague. Browser extensions don't have a good track record I believe, regardless of company. I don't blame the companies, I blame browser extensions.

I see little benefit in autofill integration, I just click the button in my task bar, click copy, and paste. LastPass has been pretty sketchy in the past too, I don't trust them. I've been quite happy with 1Password, fwiw.

That's... simply not true?

I've been using 1password for many years, and that's not how 1password works for me. There might be a setting to enable that behaviour somewhere, but by default, it doesn't autofill without prompting. That's true for every version, OS, browser plugin, desktop app, mobile, etc.

Edit: I just saw your comment that it was actually Dashlane that autofilled! Nevermind then. :)

My 1password only autofills if I do ctrl+\, otherwise it does nothing.

I've never seen last password auto fill, I've always had to use cmd+\. What browser were you using?

FWIW Apple's Web browser Safari recently switched to this approach, both on iOS and macOS.

Absolutely. I myself don't trust closed source and for-profit on such a sensitive matter. It's a matter of time before you have to deal with some bullshit. I'm leaning towards bitwarden, seems very nice.

Their file format specs are open, and there are open source implementations of it. Sure - closed source isn't ideal - but this is as good as it gets. The 'open source' alternatives have a way worse security track record. I tried quite a few options - but always went back to 1pass...

I'll be checking out bitwarden for sure. It looks great. I'm ready to move away from Dashlane. While I haven't had any issues with it, I'd feel more comfortable having the data stored on my own servers. And the cost difference is pretty huge.

I switched maybe 3 weeks ago. Love it. Highly recommended.

I recently discovered Enpass password manager (a mostly free alternative to 1password, only the mobile app has a pro version) also integrates HIBP into its desktop app.

Especially considering 1Password is not technically supported on linux.

You are "uneasy" about something provided by Troy for free? Which other password management products have integrated HIBP into their product?

He is also sponsored by cloudflare.

It does sound like he is. On password managers - KeepassXC, open source.

As many have commented, this isn't a new tool for technologists.

The goal of Firefox Monitor is to bring this functionality to non-technical users, which requires a lot of user experience research to inform without scaring people away from using the internet.

I’m confident that this is a first step towards integrating it into Firefox itself.

1. Test Firefox Monitor on the web

2. Integrate it for all Firefox users

I think it will be a new tool for a lot of technologists too (i.e. myself)

One feature I wish HIBP had was support for sub-domain addressing [1] and plus addressing [2].

My main email address has the format 'example@fastmail.fm' and receives alerts from HIBP if found in a data breach, but all of the related subdomain-based email addresses do not (e.g. netflix@example.fastmail.fm, google@example.fastmail.fm etc.)

Based on the 1Password screenshots in the linked article it would appear that specific support for sub-domain/plus addressing may not be required?

However, Firefox Monitor looks like it has the same limitations as the HIBP website/API and makes the alerts somewhat less useful when using sub-domain/plus addressing.

[1] https://www.fastmail.com/help/receive/addressing.html

[2] https://haveibeenpwned.uservoice.com/forums/275398-general/s...

You can sign up to get notifications for an entire domain, meaning that you can get notifications for any email with the "example.fastmail.fm" domain.

See here: https://haveibeenpwned.com/DomainSearch

Thanks! I will give that a try.

I recently wrote a small tool to download the whole password database from HIBP and turn it into a Bloom filter that can be used from Golang or Python.

The tool also includes a webserver that lets you check for plaintext password matches (only recommended over a secure network) and SHA1 values:

The filter is about 1.7 GB in size with a 10e-6 false positive rate, so it can be used even on moderate hardware to check user passwords against the database (the entire filter must be loaded into memory currently, though it would be possible to use a memmapped file).
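The sizing arithmetic behind that comment, as an added example (not the commenter's tool): a Bloom filter keyed on SHA-1 password hashes, with the bit count and hash count derived from the target false-positive rate. The 500 million entry figure used in the size check is an assumption about the HIBP corpus size, and the leaked passwords are constructed.

```python
"""Bloom filter over SHA-1 password hashes, sized for a target false-positive
rate. Added example, not the tool described in the comment above."""
import hashlib
import math


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def optimal_parameters(n: int, p: float) -> tuple:
    """Bit count m and hash count k for n items at false-positive rate p.
    m = -n ln p / (ln 2)^2, k = (m / n) ln 2 (standard Bloom filter sizing)."""
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


def expected_size_bytes(n: int, p: float) -> int:
    """Memory the bit array needs; for ~500M hashes (assumed corpus size) at
    p = 1e-6 this comes out near the 1.7 GB quoted above."""
    m, _ = optimal_parameters(n, p)
    return (m + 7) // 8


class Sha1Bloom:
    def __init__(self, expected_items: int, fp_rate: float):
        self.m, self.k = optimal_parameters(expected_items, fp_rate)
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, sha1_hex_digest: str):
        # Kirsch-Mitzenmacher double hashing: the digest already is a strong
        # hash, so derive the k bit positions from two 64-bit halves of it
        # instead of running k separate hash functions.
        digest = bytes.fromhex(sha1_hex_digest)
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step avoids short cycles
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add_hash(self, sha1_hex_digest: str) -> None:
        for pos in self._positions(sha1_hex_digest):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def add_password(self, password: str) -> None:
        self.add_hash(sha1_hex(password))

    def might_contain_hash(self, sha1_hex_digest: str) -> bool:
        """False means definitely not in the set; True means probably in it."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(sha1_hex_digest))

    def might_contain_password(self, password: str) -> bool:
        return self.might_contain_hash(sha1_hex(password))


def build_demo_filter():
    """Constructed corpus: 1000 synthetic 'leaked' passwords, not real data."""
    leaked = [f"leaked-password-{i}" for i in range(1000)]
    bf = Sha1Bloom(expected_items=len(leaked), fp_rate=1e-6)
    for pw in leaked:
        bf.add_password(pw)
    return bf, leaked


def count_false_positives(bf: Sha1Bloom, never_added) -> int:
    """How many unseen candidates the filter wrongly reports as present."""
    return sum(1 for c in never_added if bf.might_contain_password(c))


if __name__ == "__main__":
    bf, leaked = build_demo_filter()
    print("bits:", bf.m, "hashes:", bf.k)
    print("known leaked password detected:", bf.might_contain_password(leaked[0]))
    print("false positives in 100 unseen:", count_false_positives(
        bf, [f"never-seen-{i}" for i in range(100)]))
    print("bytes for 500M hashes at p=1e-6:", expected_size_bytes(500_000_000, 1e-6))
```

Because the filter stores hashes rather than plaintexts, it can be fed the SHA-1 list directly and queried with an uppercase or lowercase digest alike.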

You don't need to download them from HIBP. You can freely download all major breach databases from databases.today. There really aren't many passwords not represented in those databases which are present in others, but for everything else you can just automatically grab dumpmon like Hunt does.

Also, try google dorking site:vk.com/doc and "@gmail.com"...there are many large password and email databases you can find that way which have not been publicized. This includes many which are not in HIBP. I've tried to call attention to this before but there isn't an active effort to crawl these.

Once you download, normalize and deduplicate the entire corpus of password databases, you can find matches in real time for e.g. signup requests.

Congratulations @troyhunt Your project's making a bigger difference around the world.

I'm worried that this will just train people to start blindly clicking through "pwned password" modal dialogs for CVVs and OTP/SMS 2FA codes, just like they did for the "Do you want to view only the webpage content that was delivered securely?" dialog in MSIE.

The wide public is not so interested in secured content really imo, but they will rarely ignore warnings about their passwords. The password is like a pin for your debit card. You don't mind people seeing your card (unsecured content), but you will not share your pin code (password).

Next time you are in a checkout line, pay attention to how few people make any attempt to prevent shoulder surfing their PIN. POS devices have gotten better with shielded keypads, but there are still many machines that make it somewhat difficult to obscure your PIN. The average person gives very little thought to security, or at the very least gives little thought to possible threat models.

> Have I Been Pwned

You are. HN sits behind Cloudflare. Your SSL connection terminates at Cloudflare to plaintext, and a new SSL connection to HN is created.

Your login and password, IP and User-Agent and who knows what else, is in clear view to Cloudflare - you've been pwned :))

That's such an amazing thing about them.

I know a few places that... would pretty much die for such a global "MITM" service, so I wonder if it's five corners financing it.

I need a browser extension (for Safari) to warn me if the site is behind Cloudflare. I'll pay money :) I'm kinda protected by using a VPN, so the IP is not my ISP IP. But the rest, plus browser fingerprinting, is busted.

Use this: www.cloudflare.com/ips/ and HTTP headers like CF-RAY

You could also just use the ASN of the network which is always cloudflare for CF ips.

That's not easy to retrieve from a browser extension without using an external service, right?

You're on, hired. Presentation with demo is at 4 July 10:00am GMT. Congrats :))

Same as with any other CDN, the load-balancer frontend of any cloud provider (e.g. if HIBP weren't behind Cloudflare, would you post the same about Azure, where its backend lives?), ...

I get why people are critical of SSL termination that talks to the backend over public channels unencrypted (which Cloudflare offers too), but for the HTTPS-to-HTTPS case they behave exactly like many other companies.

What is your point? Mine is - Cloudflare reads in plaintext all data you think is SSL 'protected' between me and the website.

That I find it weird that people appear to single out Cloudflare (e.g. asking for a Cloudflare-detection extension) when there's nothing materially different about them from many other companies serving large parts of the web. Traffic is protected between you and an agent the site you are visiting trusts, just like in nearly every other hosting scenario. You're almost by definition not "pwned" if your traffic is seen by someone who is supposed to see it, as long as they treat it appropriately.

> You're almost by definition not "pwned" if your traffic is seen by someone who is supposed to see it,

Well ... No one, repeat, no one is supposed to see my traffic except the site owner. I just don't buy the 'trusted' CDN provider idea. 'Treat it appropriately' - I'm past that.

Do you buy the idea of trusted hosting providers? Or does everyone need to own their hardware? Or are rented VMs ok? (where traffic isn't exposed by design, unlike with traditional hosting or ingress services by cloud providers, but could be accessed by the provider if it really wanted to)

Nothing is wrong about CNN terminating SSL on CNN CDN nodes, it is part of CNN's infrastructure. In house.

Cloudflare is bad because it terminates ~10% of global traffic. How would I know that my HN login/password is known to Cloudflare? Did you know?

> Nothing is wrong about CNN terminating SSL on CNN CDN nodes, it is part of CNN's infrastructure. In house.

But they don't, they use Fastly, at least that's where cnn.com points. Are they better than CF?

I did know that HN uses Cloudflare, yes, and if I distrusted Cloudflare specifically I'd maybe want something making sure I always know, but I kind of expect nowadays that sites use CDNs or cloud infrastructure and have no strong reason to distrust any of the many providers more than the others.

Leave Firefox alone, please. Pocket, HIBP, 1Password, Cloudflare ... Not cool. 1Password has a flawed sec rep [0], Cloudflare is pure MITM, stripping TLS between you and the webserver, the rest is just network and data leaks I haven't asked for.

For passwords best is KeepassXC, sync encrypted db via any file sharing.

[0] https://www.theregister.co.uk/2017/02/28/flaws_in_password_m...

Make sure to not do it automatically, but on user interaction (like new Safari password fills). Otherwise you leak usernames and tie them to browser sessions which can be fingerprinted.

I think this is addressed by the use of k-anonymity which is described in the section of the article titled “Enabling Anonymous Searches with k-Anonymity”.

This uses HIBP for the underlying dataset. I'm not sure what's added though. Convenient UX? They claim to only send anonymized data out, but HIBP already supports the underlying hash range queries -- that doesn't appear to be new here.

I suspect it'll warn you if any of the accounts you've saved in Firefox (username/password) have been compromised. 1Password already does this¹ but this is likely the Firefox implementation of it.

¹ - https://blog.agilebits.com/2018/02/22/finding-pwned-password...

The blog article on HIBP goes a bit into more technical detail:

"We're Baking Have I Been Pwned into Firefox and 1Password"

The main thing added here is a brand and some advertising, but that's not insignificant. Haveibeenpwned is a good service but it looks a whole lot like http://ismycreditcardstolen.com/ on first glance. If the Mozilla brand gets it to more people, that's a win.

In this case, convenience is huge.

This also has anonymized email lookup (using the same model as passwords) that is new.

It's interesting how HIBP considers mainstream dating sites sensitive on par with adult sites, while shady hacking related forums are fair game.

I always assumed this was to avoid outing people as gay, to avoid kids working out that their mother started dating again, or to avoid an Ashley Madison-type scenario. Those seem more dangerous than being found to have an account on dodgy-carderz.com.

Have you considered the amount of PII the dating site is likely to have on their average customer? Access to a dating profile is almost as good as Facebook access to perpetrate identity theft.

That's not what makes a breach "sensitive" for HIBP, it's about breaches that only can be checked if you authenticated your e-mail address or domain, so that not everyone can check if you've used the site.

To Mozilla devs, if I may. Try OpenBSD approach to security, like in https://www.openbsd.org/security.html

"Have I been Pwned" should require email verification.

The way it is now, you can do searches for people's emails and get info on the sites people have been using.

You realize they are only using data that is already publicly available right?

Troy has done great security work for the community at large. If you haven't seen it check out one of his other projects https://report-uri.com that aggregates your Content Security Policy reports for your site; a base security measure almost everyone should be utilizing for their sites these days.

What will happen when Have I Been Pwned gets Pwned?

Must be storing a lot of email addresses at this point.

It is storing leaks, so the data on the site is already public one way or another.

It also has emails of people who sign up to its 'alert me if this address is found in future leaks' service.

They are compromised anyway. They just will be compromised once more.

My problem with haveibeenpwned is that when you haven't been pwned, you've just handed them your mail address.

Is there anything to alleviate those concerns other than "trust us, we're not saving emails from queries"?

I think a lot of people have my email address. You don't hear people worrying about spam so much these days (other than people who have the time and inclination to run their own mail servers). So it would seem to be a small price to pay to keep tabs on your passwords.

k-Anonymity. In other words, "I have hashed my e-mail address, here's the beginning part of the hash: 0deadbeef0, tell me if you have anything matching that." "Yup, I have something that hashes to 0deadbeef0123456789abcd, associated with these breaches, and something else that hashes to 0deadbeef0abc1056886516, associated with those breaches." Plaintext is not exposed, and you're not even exposing the whole hash, so GL to anyone trying to find out which of the hashes (if any) is yours, let alone what the plaintext was.
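The exchange described above, run offline as an added example (not HIBP's code): the client sends only a hash prefix, the stand-in server returns every suffix under it in the SUFFIX:COUNT line format of the public Pwned Passwords range API, and the client matches locally. It uses the password flavour with the API's 5-character prefix; the corpus and the bucket padding are constructed.

```python
"""k-anonymity range query modelled on the HIBP Pwned Passwords API, run
entirely offline. Added example: RangeServer stands in for the real endpoint
and the corpus is constructed, not breach data."""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # the public API takes the first 5 hex chars of the SHA-1


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stores full hashes with breach counts. A request carries only a
    prefix; the reply is every suffix under it, so the server cannot tell
    which one the client actually wanted."""

    def __init__(self):
        self.by_prefix = defaultdict(dict)
        self.requests_seen = []  # everything an operator could log

    def add_hash(self, full_hash: str, count: int) -> None:
        full_hash = full_hash.upper()
        bucket = self.by_prefix[full_hash[:PREFIX_LEN]]
        bucket.setdefault(full_hash[PREFIX_LEN:], count)

    def add_password(self, plaintext: str, count: int) -> None:
        self.add_hash(sha1_hex(plaintext), count)

    def range(self, prefix: str) -> str:
        prefix = prefix.upper()
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 hex characters")
        self.requests_seen.append(prefix)
        bucket = self.by_prefix.get(prefix, {})
        return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def parse_range_response(text: str) -> dict:
    """Parse SUFFIX:COUNT lines into {suffix: count}."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        suffix, count = line.strip().split(":")
        result[suffix] = int(count)
    return result


def check_password(server: RangeServer, password: str) -> int:
    """Client side: only the prefix leaves the machine; the suffix match
    happens locally. Returns the breach count, 0 if unknown."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return parse_range_response(server.range(prefix)).get(suffix, 0)


def anonymity_set_size(server: RangeServer, password: str) -> int:
    """How many full hashes share the prefix the server saw: that is as far
    as the server can narrow down which hash the client was asking about."""
    prefix = sha1_hex(password)[:PREFIX_LEN]
    return len(parse_range_response(server.range(prefix)))


def build_demo_server(bucket_fill: int = 499) -> RangeServer:
    server = RangeServer()
    for pw, count in [("password123", 5), ("hunter2", 3), ("letmein", 12)]:
        server.add_password(pw, count)  # constructed sample, not real data
    # Pad password123's bucket with synthetic suffixes so it resembles a
    # live bucket, which holds hundreds of hashes per 5-char prefix.
    prefix = sha1_hex("password123")[:PREFIX_LEN]
    for i in range(bucket_fill):
        fake_suffix = hashlib.sha1(f"fill-{i}".encode()).hexdigest().upper()[PREFIX_LEN:]
        server.add_hash(prefix + fake_suffix, 1)
    return server


if __name__ == "__main__":
    srv = build_demo_server()
    print("password123 seen in breaches:", check_password(srv, "password123"))
    print("candidates the server saw for it:", anonymity_set_size(srv, "password123"))
    print("server log holds only prefixes:", srv.requests_seen)
```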

Seems like a good solution. I was looking for this on the official HIBP website, but it's not mentioned there.

Going public with this would probably be a good time to update the website.

Well, if you don't trust them, obviously just don't use it.

If you do half-trust them, if they're reasonable, they don't store the email addresses. They don't need to, for a simple search.

> just don't use it

But the post is about integrating it into the browser, isn't it?

Which is exactly why the service won't query the plaintext, or even a complete hash.

But how do I keep not using it?

The same way I don't use Pocket or the Edit Controls in Firefox, or Pivot Tables in Excel.

You don't click them :)

It's all about defaults, that's what matters most, as it'll be used by the majority of users. People will use whatever pops up or was put on the taskbar.

Agreed. However, for the average user, I think the risk posed by this new Firefox feature is smaller than the risk they're exposing themselves through ignorance.

Disagree. Respectfully :) Today we have age of free data harvest, 'land grab' by majors. Shining combination of your email, IP and user-agent as a default browser behaviour is just another leak.

Again: no-email-exposed-never-not-even-encrypted-or-hashed. So just an IP address and user agent; if that is a leak, I would recommend disconnecting from the network altogether.

"Have I been pwned" is just more friendly than "Was my password easy?". But the truth should be known!

Not only, since bad passwords aren't the only way passwords can leak, bad password storage practices on a hacked site do it too.

HIBP also includes leaks that didn't include recoverable passwords, but other personal data.

Well, truth. If the password were ejected from let's say "the random" website and you use the same one for all other ones you are kinda "pwned".

So will this feature only be available in the web-version of 1password and not in the stand-alone version? :(

The latest versions of 1Password (I’m on 7) have great HIBP integration. Really pleased with it so far.

It would also be cool to implement native email reader inside firefox and some kind of messenger.

Helps they have hundreds of employees to upvote the posts on HN too. I've been there :)

And apparently the downvotes!

What's unexplained are the content-less, conspiracy-theoretic, complaining, BS comments like the string of comments above this one.

It does feel like it. Businesses recognised social PR ages ago, I bet HN is no exception.

Mozilla has wasted a bunch of resources creating a pointless tool. Let me explain why!

Last year, they promised to create an add-on that triggered when you visited sites known to have been breached in the past, and let the user check if his password was included in the leaked data, via HIBP: https://www.bleepingcomputer.com/news/security/firefox-will-...

Now, they announced Firefox Monitor, which is nothing but a standalone website where you can check your email and see if it's been included in public breaches. This is the same functionality as the main HIBP website. If people want to check if their email was included in a breach, they'd just visit HIBP, not Firefox Monitor.

Why does this website exist in the first place? They took a good idea that used a proactive approach to alerting users of potentially leaked passwords and they've created a Firefox-branded HIBP clone website that very few people are gonna know about or even use.

Pointless use of resources, when they could have used them for something actually useless.

>> ...that very few people are gonna know about or even use

"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."

You're ignoring how most users need things in front of their face. Most users are not privacy or security "aware" in any manner. Putting it in the UI or actively promoting these services is beneficial to the common web user.

And if it fails, it's at least worth it to learn why it failed. Was the UI bad? Did it not promote the service in the right way? Did users not understand the purpose of the tool?

I think the juice is worth the squeeze.

1. Put it on the web first.

2. Get it working well with UI, UX, etc....

3. Then integrate it into the browser.

Seems like a totally logical flow to me.

But the browser is part of the UI/UX.

When Firefox warns you that you're (possibly) pwned when you browse to a website or try to log in, then you can't get around combining step 2 and 3.

Or when Firefox compares your password database with HIBP, you can't get around combining step 2 and 3.

Where in the official announcement did they say they're putting Monitor in the official UI?

Firefox Monitor is just a page on the official Mozilla website.

Where in the official announcement did they say that?

>Visitors to the Firefox Monitor website

>The site will offer recommendations

Now, the screenshot doesn't have a URL in the address bar, suggesting it might be a built-in special page. But it also has a generic "Page title" in the tab title, so it looks like a modified stock image rather than an actual UI screenshot.

The screenshot on Troy Hunt's blog does show "https://www.mozilla.org/firefoxmonitor", but it's otherwise the same screenshot with the same generic "Page title", so it's probably equally fake.

(I tried to look for the actual bugzilla bug for this for more info, but didn't find anything.)

https://bugzilla.mozilla.org/show_bug.cgi?id=1463301 describes the study that is being run to determine the best design for incorporating Firefox Monitor into the browser UI.

(Disclosure: Although I work at Mozilla, I have not worked on Firefox Monitor)

Thanks. So it looks like it is a website ( https://monitor.firefox.com/ ), and the browser will pop up a dialog that navigates users to it.

I mean, what wording confused this concept specifically?

And then everyone suffers through even more intrusions on their workflow because Johnny Newbie doesn't care.

So, you conclude that it is a pointless tool because people can consult the HIBP website directly. Meanwhile, Troy Hunt, the creator of the HIBP website himself, writes that this is a good idea.

Well, with respect, this is an undeniable win for Troy. I think that the parent comment was questioning how big a win it is for The Rest of Us.

The intentions are good, but yeah, it seems like a half-baked solution.

Why not integrate this tool directly into the browser UI? User goes to whatever website, input his login creds, Firefox reads the login email and sees if the email+url combo is in the HIBP database. If yes, a message will advise the user to change his password. End of story.

It reads like a press release. Praises for Troy, Troy praises 1Password and Cloudflare, great sell to naive Mozilla. Shareholders pat themselves on the backs. Champagne, sir?

And that's bad because? And Mozilla is "naive" because?

What's the angle? "Stick it to the Man", and stuff?

Security is hard. Adding 3rd party systems you don't control is not the way.

I use Firefox. Are you saying I'm now less safe? If I'm more safe but some other people don't like the solution then I guess they can configure or fork Firefox then we're all happy, right?

Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues. That could in theory make it less secure.

HIBP and 1Password aren't making FF more secure; chances are they're increasing attack surface in both directions (i.e. making compromise of 1Password more likely too).

> 1Password aren't making FF more secure

Did I miss any announcement about 1Password becoming part of FF, or Mozilla helping in any way with development of 1Password?

True on both. On first point, obvious areas they should focus are strong sandboxing of tabs and cookie cleaning by default.

On second point, why bother with some 3rd party? I trust mozilla, not its 'partners'

How do you know they are not? This sounds like the old "why are you not focusing on my pet peeve feature" entitlement.

>Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues. That could in theory make it less secure.

You stretched that argument to points that only Reed Richards could match...

The GP posited a stance, the parent refuted the _possibility_ of it, I was stating it was possible. Indeed, is it not a quite reasonable and logical possibility?

If the parent addressed the actuality of it, perhaps with some factual basis, ... (Like "when FF did X in past they still quashed Y bugs, introduced Z features" - I know number of bugs/whatever isn't the best metric, but something factual) ...

I wonder what the controlling minds of Firefox are trying to achieve as a long-term goal; they seem to take an opposite stance to the "do one thing well" philosophy.

This is FUD.

Can you explain what's incorrect in my post?

(FWIW it's not a position I hold, I've not looked at the situation properly yet.)

Sure, I'll take it point by point.

> Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues.

This is a logical fallacy. It's like saying: if we didn't spend money on the space program, we could feed Africa with that money. The problem here is that this is not a zero-sum game: the people that worked on this (e.g. Troy Hunt) wouldn't have had the skills or inclination to bring other enhancements to Firefox. Thus this is a net addition, and not to the detriment of other work.

> That could in theory make it less secure

So adding a feature that helps people be more secure against a specific threat (using bad passwords that have been broken) makes the product less secure? This makes no sense, but it's just put in there to spread Fear (FF is less secure because of added security features) and Doubt ("could in theory" ... meaning we don't know, but let's put this out there).

> HIBP and 1Password aren't making FF more secure,

I tend to evaluate security in the context of a threat model. HIBP and 1Password have very good track records of mitigating attacks on user passwords (by notifying people about password breaches and thus decreasing the value of a password breach, and by making it easy for the average user to manage complex passwords). As a result, Firefox users have better tools to manage password-based authentication, increasing their security.

> chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).

The evaluation of the "attack surface" here refers to the horizontal scale (how many actors of the same type see the interface) whereas the concept of reducing the "attack surface" refers to the vertical scale (how many types of communication the actors see). Reducing the horizontal scale is known as "security by obscurity" and it's a very bad idea to use it. A larger horizontal scale has no impact on the security, see ciphered communication: an encrypted message doesn't get less secure if more eyes see it, its security only depends on how well the encryption works.

Assuming that 1Password doesn't use "security by obscurity", increasing its footprint on the web will not decrease its security.

'This is FUD.' - this is FUD.

A much more honorable way to do this would have been to allow the search of a hash of your email rather than your actual email.

They do that, with the extra step of allowing k-anonymity (https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...)

That's... exactly what they're doing?

Double-checking source code @ haveibeenpwned.com. I see no javascript that hashes your email address before submission.

Sure, but that's not what the linked article is discussing as the basis for integration with Firefox.

Well the email k-anonymity is new that he added for this integration and Troy addresses why he’s not yet using it on HIBP in the article.
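The k-anonymity range check that the two comments above refer to (hash locally, send only a short hash prefix, match the returned suffixes on the client), written out with both sides of the exchange as an added Python example. This is not code from the thread, from HIBP or from Mozilla: it assumes the 5-hex-character SHA-1 prefix of the Pwned Passwords API for every secret type, the prefix length for the email variant is treated as a parameter, and the breach corpus is constructed for illustration, not real breach data.

```python
"""k-anonymity range lookup, both sides, run offline against a constructed corpus."""
import hashlib
from collections import defaultdict

# Pwned Passwords sends the first 5 hex chars of the SHA-1 digest.
# Assumption: the email variant uses the same scheme; treat the length as a parameter.
PREFIX_LEN = 5

# Constructed sample corpus (secret -> times seen in breaches). Made-up values,
# not real breach data. Email addresses must be normalised (e.g. lowercased)
# identically on both sides before hashing; this example assumes they already are.
CONSTRUCTED_CORPUS = {
    "password": 3,
    "letmein": 1,
    "alice@example.com": 2,
}


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1, the representation the range API uses."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus):
    """Server side: bucket full digests by prefix so a range query is a dict lookup."""
    index = defaultdict(dict)
    for secret, count in corpus.items():
        digest = sha1_hex(secret)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix: str):
    """Server side: answer one range query with 'SUFFIX:COUNT' lines.

    The server only ever learns the prefix, i.e. which bucket the caller is in,
    never the full digest and never the secret itself.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d upper-case hex chars" % PREFIX_LEN)
    bucket = index.get(prefix, {})
    return sorted(f"{suffix}:{count}" for suffix, count in bucket.items())


class RecordingClient:
    """Client side: hashes locally, sends only the prefix, matches suffixes locally.

    Every value handed to the server is recorded so a test can confirm that the
    full digest never leaves the client.
    """

    def __init__(self, query):
        self.query = query  # callable(prefix) -> list of 'SUFFIX:COUNT' lines
        self.sent = []

    def times_seen(self, secret: str) -> int:
        digest = sha1_hex(secret)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        self.sent.append(prefix)
        for line in self.query(prefix):
            got_suffix, count = line.split(":")
            if got_suffix == suffix:
                return int(count)
        return 0  # prefix bucket returned, but our suffix was not in it


def demo():
    """Run the protocol locally and return (results, prefixes that were sent)."""
    index = build_server_index(CONSTRUCTED_CORPUS)
    client = RecordingClient(lambda p: range_query(index, p))
    secrets = ["password", "correct horse battery staple", "alice@example.com"]
    return {s: client.times_seen(s) for s in secrets}, client.sent


if __name__ == "__main__":
    results, sent = demo()
    for secret, count in results.items():
        print(f"{secret!r}: seen {count} time(s)")
    print("sent to server:", sent)
```

The point the thread is circling is visible in `RecordingClient.sent`: the only thing that crosses the wire is a 5-character prefix, which (with a 40-character digest space) places the caller in one of about a million buckets rather than identifying the secret. The matching happens entirely on the client, which is why the server-side index can be public without weakening the check.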

What could possibly go wrong?

Shooting the messenger, that's what. People tend to confuse "X might have your password" and "Y tells me 'something X something password', therefore Y hacked me".

You had been pwned anyway.

Everything said that isn't politically correct is systematically downvoted here on «hacker» news. I am enjoying your very low knowledge and your smartphone attitude. LOL

You sure it's not you posting trite, basically irrelevant one-liners that's presenting a "smartphone attitude"?

Nothing is politically incorrect about your post, but it doesn't add to the discussion.

There is no discussion here, just marketing stuff.

Wow. How did you guess?

By answers not politically correct systematically downvoted...!

Was joking, man :))

Yeah. There is a flaw with voting stuff in HN, you have to keep yourself 'in party line' to get votes, or to keep yourself from being downed.

Excellent news, more than enough reason to switch. Now bake 1Password into Firefox.

Please, for heaven's sake, don't! Isn't it enough to have a binary blob for DRM? I don't want to have another binary blob in my Firefox. And especially one which takes all my passwords and sends them to some company's cloud. You can't know what happens with this data because all parts are proprietary. I can't trust a binary blob with all my passwords.

Not quite 1Password, but Mozilla is developing a cross-platform password manager, tentatively called "Lockbox", that will support Firefox, Android, iOS, and possibly a Chrome extension.

I hope they add support for self-hosted backends. It'd be great to have a self-hosted password manager developed by a company with an amazing security team.

This would be really amazing.

Instead of actually fixing authentication they are baking "has this password been exposed in plaintext" into the browsers.

What's the deal with WebAuthN? Such a basic functionality still not completed.

> Instead of actually fixing authentication they are baking "has this password been exposed in plaintext" into the browsers

“Perfect is the enemy of good” [1].

[1] https://en.m.wikipedia.org/wiki/Perfect_is_the_enemy_of_good

I'd argue there is no "good" auth at the moment, only "poor". And upgrade to authenticator-based "good enough" is much needed.

I thought Firefox supported Web Authentication API since Version 60, as much as a standard that isn't finished yet can be supported?

"Fixing." Don't ask me how many sites are still only supporting Basic Auth, in 2018 - I frequent several. How is FF ("they") supposed to fix that?

I don't recall any popular website using Basic Auth. FF must implement WebAuthN or whatever was last offered to fix auth. Have I Been Pwned brings nothing new to the table.

Well, that's the problem with browsers though: they need to support a slightly broader range of sites than just the currently popular ones; long tail and whatnot.

Now, I am all for actually secure auth, and support in browsers is the necessary first step; for "fixing auth", someone then needs to implement the other side of the equation, too (I do remember when OpenId+HW 2FA was supposed to have fixed this, a few years back).

As for "nothing new" - for the people of HN, perhaps. For the casual user, this is something radically new.

>I do remember when OpenId+HW 2FA was supposed to have fixed this

HW 2FA can never fix auth because it's hardware, and cannot scale. There are solutions out there; all that's left is to raise awareness to add it. Showing popular passwords will just move us to a new set of popular passwords and so on.
