by AdmiralAsshat 2709 days ago
The slightly annoying thing here is that I already use a password manager, so while the impact to me is minimal, I wish I knew which password specifically I have to rotate, instead of assuming that I need to rotate, like, all of them...

I'm not sure if you're a 1Password user (or whether your alternative supports similar functionality) but the former has a feature called Watchtower which then groups your compromised logins.
What we may need is the next step: a standardized way of changing passwords that would allow us to rotate them in bulk directly from the password manager.
You might be interested in this, from just over a month ago:

https://news.ycombinator.com/item?id=18618193

(Not affiliated with, just a happy user of) 1Password does a pretty good job at this, you can find all HIBP-passwords in a single location: https://support.1password.com/watchtower/
Why not use Pwned Passwords to check your passwords to see if any of them need to be rotated due to this breach or any other?
Seems really weird to advocate people reveal their passwords to a random untrusted 3rd party.

They do have an API that allows you to search for your password based on a truncated checksum, so you can find out if your password was leaked, without revealing the password.

The password itself is not sent. You can read about it here:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Which does upload your password, which I think is an unacceptable risk.

Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.

Not trying to be a pedant, but wouldn’t “[...]it’s far from clear[...]” be (more?) correct?

If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.

You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.

If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
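The range lookup described in this comment (and the "hash your exported passwords locally" idea upthread), as an added Python example that is not part of the thread or of Pwned Passwords itself: the client hashes locally, only the 5-character SHA-1 prefix would leave the machine, and the suffix comparison happens client-side. The server reply here is a constructed stand-in built from the real SHA-1 suffix of the string "password" with an invented count; `api.pwnedpasswords.com/range/` is the real endpoint the client would call, but this script never contacts it.

```python
import hashlib
from typing import Callable, Dict, Iterable, Tuple

# Real public endpoint of the range API; referenced for clarity, never contacted here.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix
    that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL the client would fetch: only the prefix appears in the request."""
    return RANGE_API + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines returned for one prefix into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 if absent)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the server. The second suffix is the real SHA-1 suffix
# of "password"; the counts and the other suffixes are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:7",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "ABCDEF0123456789ABCDEF0123456789ABC:2",
    ]),
}


def local_fetch(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes yield an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breached_entries(passwords: Iterable[str],
                     fetch_range: Callable[[str], str] = local_fetch) -> Dict[str, int]:
    """Bulk check for a password-manager export: only entries with a hit are returned."""
    hits = {}
    for pw in passwords:
        n = check_password(pw, fetch_range)
        if n:
            hits[pw] = n
    return hits
```

Swapping `local_fetch` for a function that performs the HTTP GET on `range_url(prefix)` turns this into a live check without changing what leaves the machine.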

So you are trusting the HTML/CSS and javascript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.

There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

Note the lack of https.

You are going to trust a page with that code with your important passwords?

Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.

Much like trusting curl https://whatever.com | sudo /bin/bash

Crazy.

How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?

Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.

Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs.

> He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Please don't make false assertions about what I was suggesting without any evidence.

Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.

I would certainly not put any live passwords into the webform.

Your replies in general have been combative and sought to push people into positions that you could argue against for internet points.

You could have made your points in a much more constructive and concise manner:

Pwned Passwords is a great data set, I would recommend against using the webform to check your password, instead download the hash file or utilize the extremely simple api. The webform is insecure because...

I just use a different email for each service, so I can identify leaks.