HaveIBeenPwned integration #2073

rugk · 2018-06-26T16:51:05Z

Firefox and another password manager are integrating HaveIBeenPwned (HIBP) https://haveibeenpwned.com/ into their products.

As such, I guess this would also be nice for KeePassXC. Actually, see how 1Password there does it, so just

For the privacy-side of things:

of course, optional (not sure whether enabled by default though, maybe just ask users with an obvious banner or so when they have not decided yet)
see the blog post on how the query is done in a private way; in short it works like this:

when searching HIBP for a password, the client SHA-1 hashes it then takes the first 5 characters and sends this to the API. In response, a collection of hashes is returned that match that prefix (477 on average).
I guess, one may only query a few passwords at the same time, not all of them together

The problem I see, which is described there is:

for some reasons, they "proxy" the official API there, but I guess this may not be an issue, because this is just to avoid the rate-limit, you can use the API from the client directly, but have 1.5s delay for each request

droidmonkey · 2018-06-26T19:40:50Z

This has been discussed AT LENGTH already in another issue. We are not going to integrate any of these services for reasons discussed.

rugk · 2018-06-26T19:57:00Z

Ah dupe of #551, sorry.

rugk · 2018-06-26T19:58:49Z

Oh well… no #551 is not really the same. It's rather a dupe of #1083.

droidmonkey closed this as completed Jun 26, 2018

rugk mentioned this issue Jun 26, 2018

Check passwords against hacked password databases [$300] #1083

Closed

droidmonkey mentioned this issue Jan 18, 2019

Add ability to show hashed password #2614

Closed

Comments