
Greater Visibility for Passwords matching "Have I Been Pwned"


DavidRa

This feature suggestion is twofold - reports and immediate visibility of Pwned Passwords.

 

I'd like to see the possibility of running a report that lists passwords that are in the Have I Been Pwned dataset. I've got 151 passwords just in my own personal Web Passwords list, let alone the hundreds of other passwords to systems, customer environments and other personal lists etc. It's not feasible for me to check them all (even if I can get access via the backup administrator account) - going one by one in the Edit Password screen is too slow.

Ideally the report can be run (say) monthly and show the number of times the password has been found this month as well as last month - highlighting changes and new entries, which would be a good indicator of the passwords most at risk.

 

For example, if you had a table like this:

[Attachment: PWS-Sample-Report-Table.png, a sample report table]

 

You could colour code rows, and allow the administrator to set specific thresholds, or even support different reports, for example:

  • Only include entries that have changed
  • Only include entries that have increased by more than X occurrences
  • Highlight entries with more than X occurrences
  • Send a report to each user with their own passwords that have been found

 

Since the API seems to be present (and I'm already checking new entries for matches to the list), it could even be added as a banner to the top of each password list or highlighted directly in the web UI - red lists have pwned passwords, for example, and red entries in lists are the pwned entries.


Hi David,

 

Thanks for your request. We did think about a report like this ourselves, but as some of our customers have thousands of passwords, I'm not sure the owner of the Have I Been Pwned web site API would appreciate this many hits to his API - times thousands of customers :)

 

We might contact him and ask anyway.

 

Regards

Click Studios


Thanks - do 1Password also have a report across all the thousands of passwords that can be stored?

 

We'd need to come up with an entire new code base for the local copy of the database, as no customer would want the Passwordstate SQL Database to be 40+ GB in size :) And then there is the constant refreshing of the DB as well, as more breaches continue to happen.

Regards

Click Studios


Yes - 1Password includes something they call Watchtower:

 

Quote

Built into 1Password, Watchtower looks out for your data so you don’t have to. With Have I Been Pwned integration, you’ll know as soon as any of your logins are compromised. It also lets you know about any old, weak and duplicate passwords you’ve used.

 

I don't necessarily have useful suggestions about storage and searching, though, or at least likely none you wouldn't already have considered.


Nah, most of those were already in the list; the current 10GB->40GB dataset only gained 20M new password hashes in 550M total.
 

Quote

As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.

 

That page you linked also includes a screenshot from 1Password I expect, showing the Pwned status of passwords against the list (right under that quote).


I'd second this request. If you read Troy's blog, he gets millions of requests through the API and has developed a very slick serverless platform to manage it: https://www.troyhunt.com/serverless-to-the-max-doing-big-things-for-small-dollars-with-cloudflare-workers-and-azure-functions/

 

He is also partnering with Cloudflare to help with the massive load; he designed the API for this very reason!

 

Passwordstate would only need to query this once then every list update.


Hi Paris,

 

Thanks, and we can look into this as soon as we've managed to find the time. We think this feature request is a report which can be run at any time, so could you please clarify for us what you mean by "once then every list update"? We're not exactly sure what you mean by this.

Thanks

Click Studios


Support - you're right. There's definitely a "report" request here, as that means the security admin can report on all passwords, not just those in shared lists.

 

But the other side of the coin is to be able to show end-users that a password that might previously have been "ok" has now been compromised. For example, I create a secure unique password for a site, let's say, "correct horse battery staple". Months after the password is created and stored successfully, Randall releases his comic, and thirty million people use it in various places. That password then is compromised somehow and added to HIBP. The user views their password list and now knows their password was potentially compromised and can take action as appropriate.

 

I can also see a use case to expand that notification into the browser extension - perhaps the icon can flash, or the extension can turn the password fields red, or show an alert that the password (not necessarily the site) is no longer secure.

 

I interpret the "once every update" to mean that passwords need only be re-evaluated across the board when Troy updates the downloadable lists and, simultaneously, the API results and versioning.

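A compact illustration of the two ideas in this thread, the per-list check against Pwned Passwords and the month-over-month report David asked for, as an added example that is not Passwordstate's or Click Studios' code. It assumes HIBP's range endpoint (GET https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1), which is why only a hash prefix ever leaves your server, and it substitutes a constructed response body for the network call so it runs offline.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed stand-in for the body HIBP returns for GET /range/5BAA6. The line
# format (SHA-1 suffix:count) is the real one; the counts and the two decoy
# suffixes are made up. The first suffix is the genuine SHA-1 tail of "password".
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0000000000000000000000000000000000A:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix sent to HIBP and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: breach_count}; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call: only the constructed 5BAA6 range is available offline."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def check_passwords(entries: Iterable[Tuple[str, str]],
                    fetch: Callable[[str], str] = offline_fetch) -> Dict[str, int]:
    """Return {entry_name: count} with one range fetch per distinct prefix.
    Only the prefix is sent, so neither the password nor its full hash leaves the host."""
    cache: Dict[str, Dict[str, int]] = {}
    found: Dict[str, int] = {}
    for name, password in entries:
        prefix, suffix = sha1_prefix_suffix(password)
        if prefix not in cache:
            cache[prefix] = parse_range(fetch(prefix))
        found[name] = cache[prefix].get(suffix, 0)
    return found

def monthly_report(last: Dict[str, int], this: Dict[str, int],
                   min_increase: int = 0) -> List[Tuple[str, int, int]]:
    """Rows (name, last_count, this_count) for entries newly found or risen by more than min_increase."""
    rows = [(n, last.get(n, 0), c) for n, c in this.items() if c - last.get(n, 0) > min_increase]
    return sorted(rows, key=lambda r: r[2] - r[1], reverse=True)
```

Swapping `offline_fetch` for a real HTTPS GET of the prefix gives a working batch check; the prefix cache is what keeps the request count at one per distinct prefix rather than one per password.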

Hi Guys,

 

We'll look into this a bit more as soon as we find some time. Also David, for Private Password Lists, only owners of the private lists would be able to run this themselves, as we cannot reveal any information stored in private lists.

I think we would also work on a point in time report, because the historic example you've given would be quite a bit of work to achieve, as records can be added and deleted from the system all the time.

 

Regards

Click Studios


Hi All,

 

Today we have released build 8600 of Passwordstate, which includes a few new haveibeenpwned features :) Here's a list:

 

1. New report which queries all shared Passwords in your system against the haveIbeenpwned database, and advises which ones to change

[Screenshot: 2019-02-04_14-02-37.png]

 

2. A new tool to check passwords against the online haveibeenpwned repository

[Screenshot: 2019-02-04_13-56-32.png]

 

3. Also a new icon on Password Lists to quickly check the current password against the online repository:

[Screenshot: 2019-02-04_13-45-47.png]

 

4. If you have this option unchecked on your Password List, and are using the haveibeenpwned online repository under Administration -> Bad Passwords, then the user will get a warning about the password being compromised before they click Save. It's up to the user if they want to Save or not:

[Screenshot: 2019-02-04_14-00-09.png]

[Screenshot: 2019-02-04_14-00-44.png]

 

5. You can run a Report at a Password List level to show which Passwords in that list have been compromised. This is handy for users who have Private Password Lists they want to check against.

[Screenshot: 2019-02-04_14-20-43.png]

 

 

We hope this helps!

 

Regards,

Support
