Data Loss Prevention (DLP) , Governance & Risk Management , Incident & Breach Response

Mozilla and 1Password Integrate 'Have I Been Pwned' Feature

Expanded Audience For Breach Notification Tool Should Improve Web Security
Mozilla and 1Password Integrate 'Have I Been Pwned' Feature
By tying into Have I Been Pwned, sites can alert users if their email address and password have been seen in breaches. (Source: 1Password)

While awareness of data breaches outside the technology community may be rising, many people still have no idea if their email addresses or passwords have ever been compromised.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

Cue this long-term problem: Anyone who's unaware that their data may have been stolen may keep using the same password over and over again. They may also reuse it across different sites, thus putting their personal information and accounts at risk. And websites - even innocent ones - may find themselves left having to help clean up the mess when fraudsters wielding stolen or dumped username and password combinations begin trying to use them across hundreds or thousands of sites to see where they might work.

Troy Hunt

To help, Troy Hunt, an Australian security expert, created a free service called Have I Been Pwned that lets users see if their email address has appeared in a breach. Subscribers get notified directly - via email - if that email address appears in a new breach. Hunt's service has proved to be popular, with even some governments now getting on board (see Breach Alert Service: UK, Australian Governments Plug In).

Since Have I Been Pwned's launch five years ago, it's steadily grown and now counts more than 2 million subscribers. But that's just a tiny fraction of web users who might have been exposed to the risks of data breaches, Hunt says.

Now, new integrations with Mozilla's Firefox browser and the password management application 1Password, announced Tuesday, will expand the free service's reach.

Email Monitor

Mozilla is launching a tool called the Firefox Monitor. The monitor checks a person's email address against Have I Been Pwned's data set and alerts users if the address has been seen in a data breach. Hunt repository contains some 5 billion email records now, of which 3.1 billion addresses are unique.

Firefox Monitor isn't live yet, but this is what it may look like. (Source: Mozilla)

Mozilla will soon open a beta program for 250,000 users. The service will run from Mozilla's website, and may eventually be wrapped into the browser either natively or as an add-on.

The Mozilla integration will expose HIBP to an install base of hundreds of millions of people. "There's going to be all of these people who never knew about their exposure to data breaches that are now going to learn via a really trusted name," Hunt says.

Firefox Monitor expands on a step that Mozilla took last November. It alerted people when they visited a website that had been previously breached, Hunt says. That information, which includes a description of the breach, comes from Have I Been Pwnd's public API.

"People got really, really excited about that," Hunt says. "I was honestly shocked at how much positive feedback there was."

1Password's Watchtower

1Password is making the same move as Mozilla. It is integrating an email check against Have I Been Pwned within its Watchtower feature. That will first be available in the web version of 1Password and eventually in the client application.

In February, 1Password integrated a feature from Have I Been Pwned called Pwned Passwords. Pwned Passwords allows people to check if their password has appeared in a data breach.

1Password warns if a password has appeared in a breach. (Source: Troy Hunt)

Pwned Passwords contains a database of 500 million compromised passwords and alerts people if their particular password has appeared in a breach. The service now gets some 8 million queries a day, Hunt says.

Safe Hash Matching

But sending email addresses or passwords to another service across the web, if handled incorrectly, creates serious privacy and security risks. Hence this question: How do you send either an email address or a password across the web to Have I Been Pwned in a way that if it should be intercepted, it won't give an attacker any useful information?

The solution is a concept called k-anonymity, which Cloudflare and Hunt worked on when Pwned Passwords was launched. Hunt describes the system in detail in a blog post, but here's a simplified explanation: On the client side, an email address gets turned into a SHA-1 hash.

An example of how an email address is anonymously matched using k-anonymity. (Source: Troy Hunt)

Only the six characters of the hash then get sent to Have I Been Pwned's API, Hunt says. Because there are 3.1 billion unique email addresses in Hunt's repository, there are a number of matches - on average, around 175.

Then, Have I Been Pwned sends back the roughly 175 hashes that match, after which Firefox or 1Password determines which one matches the full hash it has.

"The joy of this model is that there's never anything sent to me which can - with any degree of confidence - identify what the email address is," Hunt says. "There's only enough information sent back to Mozilla or 1Password to kind of match the right address and give a response to the user, so they get full anonymity for their users."

Credential Stuffing Defense

Anything that helps alert individuals if their password has shown up in a data breach can help people to get better at not only dumping an at-risk password, but also picking strong passwords and using unique passwords for every different site on which they have an account. To help, many information security experts, including Hunt, recommend using some type of password management software.

Keeping an eye on breached passwords helps not only users but also websites. That's because if website A gets breached, if the user reused their credentials on websites B through Z, it's easy for attackers to take these stolen credentials and illegally log in - a practice known as credential stuffing (see Credential Stuffing Attacks: How to Combat Reused Passwords).

"This is where I'm a little bit sympathetic," Hunt tells Information Security Media Group. "This website B didn't necessarily do anything wrong, but now they've got to deal with the risk of ... an attacker logging in with a victim's credentials, and that's a really hard problem."

Executive Editor Mathew Schwartz also contributed to this article.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.