
I think maybe you've mis-read me. I'm well aware of how HIBP does this.

But it doesn't matter what you or I can prove the site does or doesn't do with our passwords; my dad or aunt shouldn't type their passwords into random forms on the internet. Whether it tells them it's using k-anonymization or not.

You still wouldn't pop your dev tools open but then type your real password into a random form on the internet before you'd kicked the API-tires with some fakes.

Anyone who isn't prepared to kick the tires and hasn't established a trust relationship has no business doing it.
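The k-anonymization the comment refers to is HIBP's Pwned Passwords range query: the client hashes the password with SHA-1 and sends only the first five hex characters, then matches the remaining 35 locally against the returned suffixes. The example below is added here, not code from the thread or from HIBP; it reproduces that client-side logic offline against a constructed range response, so you can see exactly what leaves the browser (the prefix) and what never does (the password and the full hash).

```python
import hashlib

# Public HIBP range endpoint; only the 5-char prefix is ever appended to it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned by the range endpoint."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Return how often the password appears in the range response (0 = not
    found). The comparison happens locally; the API never sees the suffix."""
    _prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def request_url_for(password: str) -> str:
    """The only thing a k-anonymity client transmits: the prefix URL."""
    prefix, _suffix = hibp_prefix_suffix(password)
    return HIBP_RANGE_URL + prefix


# Constructed range response for prefix 5BAA6 (SHA-1("password") starts with
# it). The suffixes and counts here are made up for the demo, except that the
# first suffix is the genuine remainder of SHA-1("password").
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00A17D1A4B3C2A8B9C0D1E2F3A4B5C6D7E8:2
FFEE1122334455667788990011223344556:7
"""

if __name__ == "__main__":
    print(request_url_for("password"))            # .../range/5BAA6
    print(breach_count("password", CONSTRUCTED_RANGE_5BAA6))
    print(breach_count("correct horse battery", CONSTRUCTED_RANGE_5BAA6))
```

Note that the protocol only bounds what the API learns; a page's own JavaScript can still read the raw password from the form, which is why the comment above insists on testing a form with throwaway values before trusting it with a real one.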




And a knowledgeable developer would do that automatically. It's not a user's job to know to do this, and it's not a developer's job to train users to know this. You need security turned on by default, end of discussion.

Is HN a site with sensitive information? Not particularly, unless you put way too much faith in your karma. That doesn't make a default behavior of sending passwords over plaintext excusable. And despite most HN users knowing better, I guarantee there's plenty of password re-use here (hopefully re-use of the throw-away password that most people have, but that doesn't make the situation any more acceptable).


He has the "Pwned Password" search to allow you to narrow it down and he has a really good article that he links to explaining why despite its inconvenience.

If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.

At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice which is his primary occupation.

Too risky.


Totally agree. I'm actually surprised at how many people assume this was done with malicious intent.

There are still plenty of sites storing plaintext passwords. I doubt there's a data mining conspiracy there (although I bet you could make some interesting guesses about people based on their password choice). It's just a poor design that accomplishes its task in the simplest way possible.


You should definitely not be encouraging your users to give their private keys to js on other sites, that’s just as bad (or maybe worse) as encouraging them to reuse passwords.

It sounds like they're not using a service like HIBP to monitor compromised passwords and that they don't have good controls for logins from unusual locations, both of which are table stakes for a service like this.

The note about MFA being optional as well is concerning since that’s similarly a sign that they’re years behind even the banking industry, as an ostensible security vendor selling a password manager.

The most concerning part is that they “cannot rule out that the intruders also accessed customers’ saved passwords” — since the attacker didn’t breach their application, this suggests that they don’t have adequate logging. Every access to a saved password should be logged.


Passwords are not "real" secrets. Don't put real secrets into password managers.

No you don't need to do that. Just stop asking for a user's password. This way you're doing the exact opposite of what you should be doing: this is filtering the smart people out. Only naive users enter their password on a website that has just been created, exists for like five minutes, has a handful of jobs on it, and happened to make it to the HN homepage claiming to be a job site. I'd almost create a similar site, then post all passwords in a heavily hashed form so that users can check and confirm it's valid while not actually revealing their password.

Typing your passwords into a third-party's site is not a smart thing to do. At the very least it will be added to a rainbow table, instantly becoming less secure.

Oh my god, they really do that?

I trust you to be right, but that's so incredibly stupid it's hard to believe someone selling a password manager would do that!


I just wouldn't want to actively encourage anyone to enter their password in a webpage like that.

We need to train people to behave more securely.


Yes I know.

I think the excuses like "many sites don't do this" or "it's up to the users to secure passwords" are just that: excuses for poor security practices.


From the article:

"It goes without saying (although I say it anyway on that page), but don't enter a password you currently use into any third-party service like this! I don't explicitly log them and I'm a trustworthy guy but yeah, don't."

Safe: probably. Good practice: no.


"Now, one fine day somecrappysite.com gets hacked. The next time you visit, the web page has malicious code that sends your password in plaintext to someone. There go your Paypal funds, your Facebook account, your online life."

What an optimist! somecrappysite.com was probably storing your password in plaintext to begin with and it probably got pulled from the database long before you logged in again.

Having said that, this is an absolutely terrible solution for real-world usage because it inhibits people who are already security savvy from using better solutions like Stanford pwdhash or similar methods.


You should not trust anyone with your password.

The vast majority of people who share passwords between sites experience no repercussions from their choice.

More accurately, they have no awareness of the repercussions from their choice. Yet endlessly on HN we hear stories of mysterious iTunes access, Steam takeovers, even Amazon AWS account compromises. It is no big mystery when this happens given this common, grossly insecure behavior.

But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.

I absolutely agree, absolutely and completely, but think that the risk portion is hugely underestimated. Among people who should know better there is a tendency to under-estimate what is an enormous, worst-possible-exploit problem. No one ever talks about education. No one wastes time trying to help users enjoy better behavior.

Instead we argue about whether some site operated by an unknown number of people of unknown trustworthiness, on a platform that might have been exploited and owned by hacker groups for years, properly hashed our password after we passed the keys to all services through plaintext. It is insanity.


I think you misunderstood. The person entering bogus passwords is not a thief, but an otherwise trusted prankster. For example, a brother.

This is like giving someone a book you wrote to proofread, with your password unintentionally in the text. They use it to login and then tell you about it. Sure, they shouldn't have logged in, but it doesn't feel like it deserves criminal charges.

People trusting a third party for their passwords boggles my mind.

They are also encouraging people to type their password into random sites, which is IMO the worst aspect of this.