Have I Been Pwned has been helping users find out if their data was part of a data breach since 2013, and now the service will be integrated into new products from Mozilla and 1Password.
Troy Hunt, the security expert who created and runs the project, announced the new Have I Been Pwned integration and noted the partnership with Firefox will “significantly expand the audience that can be reached.”
“I’m really happy to see Firefox integrating with HIBP in this fashion, not just to get it in front of as many people as possible, but because I have a great deal of respect for their contributions to the technology community,” Hunt wrote in a blog post. “They’ve also been instrumental in helping define the model which HIBP uses to feed them data without Mozilla disclosing the email addresses being searched for.”
Both Mozilla’s new Firefox Monitor and 1Password Watchtower share a key feature: they use the Have I Been Pwned integration to let users search without disclosing their email addresses. Hunt said this privacy feature will work in a similar way to the k-anonymity model Have I Been Pwned already uses for password searches.
When searching for passwords, Have I Been Pwned matches on the first five characters of the password’s SHA-1 hash; in a data set of 500 million records, each such range returns 477 results on average. This avoids exposing too much information about the password being queried: the returned results may or may not include that password, but an attacker observing them cannot determine which password was queried. With email addresses, Hunt searches on the first six characters of the hash against the database of over 3 billion email addresses, but he added that this shouldn’t result in less secure searches.
“This number [of breached passwords] will grow significantly over time; more data breaches means more new email addresses means larger results in the range search. More importantly though, email addresses are far less predictable than passwords; as I mentioned earlier, if I was to spy on searches for Pwned Passwords, the prevalence of passwords in the system beginning with that hash can indicate the likelihood of what was searched by,” Hunt wrote. “But when we’re talking about email addresses, there’s no such indicator, certainly the number of breaches each has been exposed in divulges nothing in terms of which one is likely being searched for.”
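The range-search model described above, shown as an added example that is not code from Have I Been Pwned, Mozilla or 1Password. It simulates both sides in one process: the "server" holds only SHA-1 hashes and answers prefix queries, the client hashes locally, sends only the first five (passwords) or six (email addresses) hex characters, and matches the remaining suffix itself, so the full hash never leaves the client. The breach corpus is a handful of constructed sample values, not real breach data, and the `RangeServer`, `check_range` and `expected_range_size` names are this example's own; the last function reproduces the article's 477-results-per-range figure from the 500 million record count.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample corpus (not real breach data) standing in for the breached set.
SAMPLE_PASSWORDS = ["password", "letmein", "hunter2", "qwerty", "correct horse battery staple"]
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 of a UTF-8 string, the form used in HIBP range searches."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def expected_range_size(corpus_size: int, prefix_len: int) -> float:
    """Average number of hashes per range: corpus size over the 16**prefix_len possible prefixes."""
    return corpus_size / (16 ** prefix_len)


class RangeServer:
    """Simulated server side (hypothetical, in-process): stores only hashes, split by prefix."""

    def __init__(self, values: List[str], prefix_len: int) -> None:
        self.prefix_len = prefix_len
        self.index: Dict[str, List[str]] = {}
        for v in values:
            h = sha1_hex(v)
            self.index.setdefault(h[:prefix_len], []).append(h[prefix_len:])
        # What the server actually observes: only the prefixes, never a full hash or plaintext.
        self.queries_seen: List[str] = []

    def range_query(self, prefix: str) -> List[str]:
        """Return every suffix whose hash starts with `prefix` (the whole anonymity set)."""
        if len(prefix) != self.prefix_len:
            raise ValueError(f"prefix must be {self.prefix_len} hex characters")
        self.queries_seen.append(prefix)
        return sorted(self.index.get(prefix, []))


def check_range(server: RangeServer, value: str) -> Tuple[bool, int]:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns (found_in_breach_set, size_of_returned_range).
    """
    h = sha1_hex(value)
    prefix, suffix = h[: server.prefix_len], h[server.prefix_len :]
    suffixes = server.range_query(prefix)
    return suffix in suffixes, len(suffixes)


if __name__ == "__main__":
    # Password search: 5-character prefix, as the article describes.
    pw_server = RangeServer(SAMPLE_PASSWORDS, prefix_len=5)
    for candidate in ["password", "not-in-the-corpus"]:
        found, n = check_range(pw_server, candidate)
        print(f"password {candidate!r}: found={found}, range size={n}")

    # Email search: 6-character prefix, as used by the Firefox Monitor / Watchtower integration.
    email_server = RangeServer(SAMPLE_EMAILS, prefix_len=6)
    found, n = check_range(email_server, "alice@example.com")
    print(f"alice@example.com: found={found}, range size={n}")

    print("server saw only prefixes:", pw_server.queries_seen + email_server.queries_seen)
    print(f"expected range size, 500M records / 5-char prefix: "
          f"{expected_range_size(500_000_000, 5):.0f}")
```

With a five-entry corpus every range holds at most one hash, so the anonymity set is tiny; the privacy property comes from corpus size, which is why `expected_range_size(500_000_000, 5)` lands on roughly 477 while the server still sees nothing but a prefix in `queries_seen`.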
Have I Been Pwned integration
Mozilla has built Have I Been Pwned integration into its Firefox Monitor tool, which will begin as an invitation-only service. Mozilla plans to invite an initial group of 250,000 people to test the feature on the web beginning next week and do a wider release later on.
1Password will include Have I Been Pwned integration in its Watchtower tool as part of the Breach Report feature. The Breach Report will let users know where an account with a user’s email address may have been compromised; show a list of websites where an item saved in 1Password might have been compromised; and show a list of breaches where a 1Password item was found, but the user has already changed the compromised data.
Currently, 1Password Watchtower is only available on the web, but 1Password expects to eventually add the service to all of its apps.