Firefox will check for compromised passwords using k-anonymization



    On Habr we have repeatedly mentioned the useful service Have I Been Pwned (HIBP), where you can safely check whether your password has leaked. People often reuse a single password, so one small leak from any site compromises all the others, including the hub of a person's "digital identity": the mailbox through which passwords on almost every service can be reset.

    Unfortunately, HIBP is little known to the general public. It is therefore very welcome that the Mozilla developers have decided to build it directly into the browser as the Firefox Monitor security tool.

    Firefox Monitor transforms the user's email address using k-anonymization and sends the result to HIBP for checking.



    In this case, k-anonymization means that the email address is hashed (SHA-1) and only the first six characters of the hash are sent; HIBP returns the hashes of all full addresses that match that prefix. Firefox Monitor then compares those hashes against the full address hash, which never leaves the Firefox service. For the mathematical basis of k-anonymity, see the article by Cloudflare, which in February 2018 implemented a similar scheme for the anonymous exchange of personal data.
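The range query described above, written out as an added example that is not Firefox Monitor's or HIBP's own code: the client hashes the address, sends only a six-character prefix, and compares the full hash locally against whatever the server returns. The breach list is a constructed stand-in for HIBP's database, and the server call is a local function rather than an HTTPS request.

```python
import hashlib

PREFIX_LEN = 6  # six hex characters of the SHA-1 hash, as described in the article


def sha1_hex(email: str) -> str:
    """Normalise the address and return its SHA-1 digest as uppercase hex."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for HIBP's database (not real data).
BREACHED_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]
BREACH_INDEX = {sha1_hex(e) for e in BREACHED_EMAILS}


def server_range_query(prefix: str) -> list:
    """Server side: given only a hash prefix, return every stored hash suffix
    that begins with it. The server never learns which full address was asked about."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be six uppercase hex characters")
    return sorted(h[PREFIX_LEN:] for h in BREACH_INDEX if h.startswith(prefix))


def client_is_breached(email: str) -> bool:
    """Client side: send the prefix only, then match the suffix locally.
    The full hash stays on the client."""
    full_hash = sha1_hex(email)
    prefix, suffix = full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]
    candidates = server_range_query(prefix)  # in reality an HTTPS call to the service
    return suffix in candidates


def anonymity_set_size(email: str) -> int:
    """How many stored hashes share this address's prefix: the 'k' in k-anonymity."""
    return len(server_range_query(sha1_hex(email)[:PREFIX_LEN]))
```

With this three-entry corpus the anonymity set is tiny, but against the 3.1 billion unique addresses the article cites, a six-hex-character prefix (16^6 ≈ 16.8 million buckets) covers on the order of 185 addresses on average, so the server cannot tell which of them was queried.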

    The developers note that the average user has hundreds of accounts on different websites, each requiring a password. At the same time, the number of breaches in which password databases leak is rising sharply. Passwords are often stored in hashed form, but attackers keep finding new, creative ways to crack them.

    To limit the damage from a leak, a person must quickly change the password on every other site where the same string is used, and above all on the mailbox, which becomes the main target, since the email address usually appears right in the password dump alongside the account and password. But to take such action, the person must first learn of the leak. That is why Firefox is adding a new security tool to the browser, which from next week will begin testing on a limited sample of about 250 thousand people. If the result is successful, the service will be made available to everyone.

    The first rumors that Mozilla was going to integrate HIBP into Firefox appeared last November, and the creator of the service, security specialist Troy Hunt, was quite surprised. And for good reason: it turned out that the talk was only about Breach Alerts, simple notifications the browser shows when the user lands on a compromised site. That is a different matter entirely, although even there Firefox obtained the list of compromised sites through the publicly available HIBP API.

    But in this case the hype the press raised over nothing played a positive role. Mozilla realized that a real check for cracked passwords would indeed be useful if everyone around was shouting about it. And now it has happened.

    So far, HIBP is integrated into Firefox in the simplest form: you can sign up for a notification of a password leak. If a leak occurs, the user is notified as soon as the password database reaches the underground hacker forums and falls into Troy Hunt's hands. Immediately afterwards, the user receives a message of the following form:



    In the case of the recent Ticketfly breach (in the screenshot), HIBP sent notifications to about 105,000 users out of a total of 2 million people subscribed to notifications. Two million is a drop in the ocean, since the HIBP password databases now hold 5.1 billion records and 3.1 billion unique email addresses. In other words, Troy Hunt can notify only 0.06% of potential victims.

    But once Firefox enters the game, the number of users will grow dramatically: the number of subscribers could increase by one or two orders of magnitude.

    In addition to Firefox, HIBP is now integrated into the web version of 1Password and is available through its Watchtower feature.
