Have I Been Pwned Integration?


Re: Have I Been Pwned Integration?

Postby dbrilessem » Fri Jan 18, 2019 7:05 pm

jpenny84 Wrote:LastPass already uses a similar service that is integrated into their security challenge.

https://blog.lastpass.com/2018/11/prote ... pass.html/



It would be foolish to not integrate with pwned passwords too - the API is free and open and having access to more known "burned" credentials is never bad. Also I know for a fact that we have some passwords in our vault that are in pwned passwords (yes we're changing them) but I have yet to receive a notification from LastPass or anything related to PasswordPing and our passwords.

Plus PasswordPing doesn't seem to be using k-anonymity.
dbrilessem
 
Posts: 2
Joined: Fri Jan 18, 2019 6:57 pm

Re: Have I Been Pwned Integration?

Postby chrisf » Fri Jan 18, 2019 8:59 pm

jpenny84 Wrote:LastPass already uses a similar service that is integrated into their security challenge.

https://blog.lastpass.com/2018/11/prote ... pass.html/


I just went and tried it - took me a while to find it, it's hidden at the bottom of the Security Challenge.

It doesn't show you the breaches you're listed in, it sends an email to the email address. Not super useful when you have credentials across a bunch of emails in your vault. Oh, and it didn't list all the breaches my main email has been in.

Also, this isn't actually the feature we are asking for. We want LastPass integrated with the Pwned Passwords feature. Please tell me which passwords are breached, not which emails. The latter doesn't help me when I have 200+ sets of credentials against one email address.
chrisf
 
Posts: 1
Joined: Fri Jan 18, 2019 8:47 pm

Re: Have I Been Pwned Integration?

Postby kungfujoe » Fri Jan 18, 2019 9:09 pm

Symo85 Wrote:absolutely!...read the blog post as well, 1Password has the integration, and I'll be moving there if LastPass doesn't get the feature...security is the only reason we use LastPass, and knowing what's been breached is a key to security.


I'd love to see LastPass incorporate results from HIBP, too, but consider a few things before you jump ship.

- LastPass has a similar service that it pulls data from. I don't have any details on that service, but I do know that it has identified compromised accounts of mine that HIBP has not. LastPass isn't telling me anything about this new "Collection #1," though, which is concerning. The additional findings are a point in LastPass' favor, though, along with the point against LastPass for not having this new data (hopefully LastPass' source will incorporate "Collection #1" data soon, whether or not they add support for HIBP's API!)

- The reason HIBP points out 1Password's integration is because HIBP has partnered with 1Password. HIBP's owner makes it very clear that he was a fan of 1Password before this partnership, and that he was a paying subscriber before this partnership. However, that doesn't change the fact that HIBP is a paid advertiser for 1Password. So in essence, however "pure" the motivation for the partnership, Troy's encouragement to use 1Password is a paid advertisement.

Having said that, I'm going to be submitting a LastPass support ticket for this, too. If LastPass pulls from multiple sources, it'll be that much better.
kungfujoe
 
Posts: 11
Joined: Sun Apr 05, 2015 10:25 pm

Re: Have I Been Pwned Integration?

Postby dbrilessem » Fri Jan 18, 2019 9:34 pm

kungfujoe Wrote:
Symo85 Wrote:absolutely!...read the blog post as well, 1Password has the integration, and I'll be moving there if LastPass doesn't get the feature...security is the only reason we use LastPass, and knowing what's been breached is a key to security.


I'd love to see LastPass incorporate results from HIBP, too, but consider a few things before you jump ship.

- LastPass has a similar service that it pulls data from. I don't have any details on that service, but I do know that it has identified compromised accounts of mine that HIBP has not. LastPass isn't telling me anything about this new "Collection #1," though, which is concerning. The additional findings are a point in LastPass' favor, though, along with the point against LastPass for not having this new data (hopefully LastPass' source will incorporate "Collection #1" data soon, whether or not they add support for HIBP's API!)

- The reason HIBP points out 1Password's integration is because HIBP has partnered with 1Password. HIBP's owner makes it very clear that he was a fan of 1Password before this partnership, and that he was a paying subscriber before this partnership. However, that doesn't change the fact that HIBP is a paid advertiser for 1Password. So in essence, however "pure" the motivation for the partnership, Troy's encouragement to use 1Password is a paid advertisement.

Having said that, I'm going to be submitting a LastPass support ticket for this, too. If LastPass pulls from multiple sources, it'll be that much better.


Your last point is where I'm at. There is NO reason LastPass can't also pull from Pwned Passwords (1Password was doing it before they partnered with HIBP too). I'm not ready to jump from LastPass - for one, 1Password only supports TOTP 2FA, no U2F - but LastPass NOT utilizing an honest and free service that is also high quality is just silly.
dbrilessem
 
Posts: 2
Joined: Fri Jan 18, 2019 6:57 pm

Re: Have I Been Pwned Integration?

Postby FlyingHawk » Fri Jan 18, 2019 11:02 pm

kungfujoe Wrote:it has identified compromised accounts of mine that HIBP has not.

kungfujoe Wrote:The additional findings are a point in LastPass' favor

Not necessarily. I've noticed many false positives among sites LastPass marks as "compromised" and even among LastPass Sentry's results.

kungfujoe Wrote:hopefully LastPass' source will incorporate "Collection #1" data soon

That's not enough.
"Collection #1" is a combo list dump, meaning many entries there have unknown origins, just email/password pairs.
In this case, checking emails is useless, because an email may be associated with a hundred sites.
Checking passwords is what's needed, and LastPass doesn't provide any way to do that.
BTW, HIBP uses k-anonymity to check passwords, so it's quite secure.

kungfujoe Wrote:Troy's encouragement to use 1Password is a paid advertisement

Doesn't change the fact 1Password has integration with PwnedPasswords, allowing users to check against Collection #1 easily and securely.
But LastPass doesn't have anything similar, and support's reply indicates that they don't want to change their existing method.
I presume *this* is the main reason people are thinking of jumping ship, not Troy Hunt's recommendation.
FlyingHawk
 
Posts: 763
Joined: Wed Mar 18, 2015 12:04 pm
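FlyingHawk's point above, that Pwned Passwords checks the password itself and does so with k-anonymity, is worth seeing in code. The block below is an added example for this thread; it is not LastPass, 1Password or HIBP code. It assumes the HIBP range endpoint as publicly documented (RANGE_API), a constructed sample range response (SAMPLE_RANGE_5BAA6, whose counts and two of whose suffixes are made up) and a fake_fetch stand-in for the HTTP call, so it runs offline. Only the first five hex characters of the SHA-1 digest ever leave the client; the full hash is compared locally against the returned bucket, which is why a combo-list check can be done per password without handing the password, or even its hash, to the service.

```python
"""Pwned Passwords style k-anonymity check, runnable offline.

Added example for this thread; it is not LastPass, 1Password or HIBP code.
Assumed: the HIBP range endpoint RANGE_API (as publicly documented), a
constructed range response SAMPLE_RANGE_5BAA6, and a fake_fetch stand-in
for the HTTP call so the demo never touches the network.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # assumed endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into (5-char prefix, 35-char suffix).

    Only the prefix is ever sent; 5 hex chars = 20 bits, so the server learns
    nothing more than which of 2**20 buckets the hash falls into.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings, blank lines and zero-count padding entries
    (HIBP adds those when the client asks for response padding), so the
    lookup works the same with or without padding.
    """
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range_http(prefix: str) -> str:
    """Real lookup: GET RANGE_API + prefix. Not called by the offline demo."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the data set (0 = not seen).

    fetch_range is injected so the same logic runs against the live API
    (fetch_range_http) or the constructed sample below.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def audit_vault(entries: List[Tuple[str, str]],
                fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """Report which (site, password) entries are in the data set.

    This is the per-password check the thread asks for: it names the entry
    whose password is burned, not merely an email address that appears in
    some breach. Range responses are cached per prefix so a vault with many
    entries does not re-fetch the same bucket.
    """
    cache: Dict[str, Dict[str, int]] = {}
    hits: List[Tuple[str, int]] = []
    for site, password in entries:
        prefix, suffix = sha1_prefix_suffix(password)
        if prefix not in cache:
            cache[prefix] = parse_range(fetch_range(prefix))
        count = cache[prefix].get(suffix, 0)
        if count:
            hits.append((site, count))
    return hits


# Constructed sample: what a range response for prefix 5BAA6 looks like.
# The third suffix is the real SHA-1 tail of the string "password"; the
# counts and the other suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n"   # padding-style entry
)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_http (constructed data)."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    vault = [("example.com", "password"),
             ("example.org", "a long unique passphrase, never reused")]
    print(pwned_count("password", fake_fetch))   # 3730471 (constructed count)
    print(audit_vault(vault, fake_fetch))        # [('example.com', 3730471)]
```

To run it against the live service, pass fetch_range_http instead of fake_fetch; the per-prefix cache in audit_vault matters there, because a vault with hundreds of entries otherwise makes hundreds of requests. Note that this check says nothing about which site leaked the password, only that the password itself is burned, which is exactly what an email-based breach lookup cannot tell you for a combo list.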

Re: Have I Been Pwned Integration?

Postby ben2015 » Sat Jan 19, 2019 8:13 am

I was also a victim of the Collection #1 dump.

It's hard to know which passwords have been compromised in dumps of this type. However Troy Hunt mentioned that 1Password has integration with HaveIBeenPwned making it easy to tell.

I've been a faithful user of LastPass for a couple years now but HIBP integration is a massive advantage that 1Password has over LastPass.

I'd rather not switch from LastPass to 1Password (though they make it easy to) but if LastPass does not implement this feature soon I will feel forced to.
ben2015
 
Posts: 1
Joined: Sat Jan 19, 2019 8:01 am

Re: Have I Been Pwned Integration?

Postby kungfujoe » Sat Jan 19, 2019 10:02 am

FlyingHawk Wrote:1Password has integration with PwnedPasswords, allowing users to check against Collection #1 easily and securely.
But LastPass doesn't have anything similar,


LastPass uses data from PasswordPing, a similar service from a different provider.

I want to see LastPass incorporate *both* to add redundancy to our protection, and I've got a (Premium) ticket open to request that, but it's simply false to say that LastPass "doesn't have anything similar." I'm sure both HIBP and PasswordPing have advantages and disadvantages with respect to one another, and HIBP's advantages might make it an overall better service today (and that advantage might flip back to PP in a month), but to say they're not similar, when they both serve the exact same purpose, is not correct.
kungfujoe
 
Posts: 11
Joined: Sun Apr 05, 2015 10:25 pm

Re: Have I Been Pwned Integration?

Postby FlyingHawk » Sat Jan 19, 2019 1:01 pm

kungfujoe Wrote:
FlyingHawk Wrote:1Password has integration with PwnedPasswords, allowing users to check against Collection #1 easily and securely.
But LastPass doesn't have anything similar,


LastPass uses data from PasswordPing, a similar service from a different provider.

I want to see LastPass incorporate *both* to add redundancy to our protection, and I've got a (Premium) ticket open to request that, but it's simply false to say that LastPass "doesn't have anything similar." I'm sure both HIBP and PasswordPing have advantages and disadvantages with respect to one another, and HIBP's advantages might make it an overall better service today (and that advantage might flip back to PP in a month), but to say they're not similar, when they both serve the exact same purpose, is not correct.

Please understand exactly what these different services do and exactly what I said.
It is correct to say LastPass doesn't have anything similar to PwnedPasswords.
I did not say LastPass doesn't have anything similar to HIBP's email checking service.

Again, the key problem is that LastPass doesn't check your actual passwords. This is what PwnedPasswords does, and what 1Password has integrated.

LastPass has services to
    Check whether your emails appeared in a breach. This is what LastPass Sentry does.
    Check whether websites you use were implicated in a data breach. This is what they do to auto flag "compromised passwords" in the Security Challenge. It has a very high false positive rate, because it only checks the site URL, but not whether your data is actually in the breach.
LastPass does not have
    Anything similar to PwnedPasswords that can securely check if your passwords are in a breach or dump. But this is the only reliable method to know if you're in a combo list.
FlyingHawk
 
Posts: 763
Joined: Wed Mar 18, 2015 12:04 pm

Re: Have I Been Pwned Integration?

Postby kungfujoe » Sun Jan 20, 2019 1:19 pm

FlyingHawk Wrote:Again, the key problem is that LastPass doesn't check your actual passwords. This is what PwnedPasswords does, and what 1Password has integrated.


Are you certain about this? LastPass uses PasswordPing to check for compromised credentials (which can include any combination of passwords, user IDs, and websites), and PasswordPing does offer a service to check passwords against their list of compromised passwords. I'm not seeing anything in LastPass' explanation of their partnership that explicitly says whether they do or do not check passwords against PasswordPing's database. Can you point to something definitive that tells us that LastPass doesn't support this aspect of PasswordPing's service? It seems unlikely that they'd omit that, but it's certainly possible.
kungfujoe
 
Posts: 11
Joined: Sun Apr 05, 2015 10:25 pm

Re: Have I Been Pwned Integration?

Postby eschulma » Sun Jan 20, 2019 5:07 pm

I submitted a premium support ticket, and the response indicated I could check my email. Not the passwords.

PasswordPing does not use k-anonymity. Thus it would be somewhat irresponsible of LP to use them without explicit permission.
eschulma
 
Posts: 8
Joined: Wed Aug 31, 2016 10:22 pm
