Have I Been Pwned Integration?


Re: Have I Been Pwned Integration?

Postby DoTHERIGHTTHING » Tue Jun 11, 2019 4:00 pm

Add my vote.

This is worth swapping password managers over. I expected my search for integration to lead to a developer announcement about integration, not actual, ignorant responses from support about how it doesn't do what it does. Their database grows daily. The security challenge surely didn't pop up last time I got an email from HIBP about a breach, to a web site I had forgotten about. Never mind the major ones. Billions of records, searched by hash (not just Collection #1, but half a decade of breaches). He's hoping to notify partners of customer data in the future, so we would know, immediately, without a search, if we'd been breached. LastPass doesn't do that, either.

Looks like the competitor that has it integrated offers a family plan for less than half the cost of one of my LastPass subscriptions. Don't leave it worth the effort to swap for a feature that should already exist or be in the works.
DoTHERIGHTTHING
 
Posts: 1
Joined: Tue Jun 11, 2019 3:24 pm

Re: Have I Been Pwned Integration?

Postby volksinger » Wed Jun 12, 2019 2:50 am

I support this. I do it manually and integration would be great - at least as part of the Security Challenge.
volksinger
 
Posts: 2
Joined: Wed Jun 12, 2019 2:41 am

Re: Have I Been Pwned Integration?

Postby daveb63 » Mon Jul 08, 2019 12:28 am

Not a good idea to integrate with HIBP. HIBP APIs can't compare email and password, but only the password. If only the password is used, there will be a lot of false positives. There are other services such as 4iQ and VeriClouds that can do that.
daveb63
 
Posts: 2
Joined: Mon Jul 08, 2019 12:24 am

Re: Have I Been Pwned Integration?

Postby daveb63 » Mon Jul 08, 2019 12:49 am

One more time, integration with HIBP is not an optimal solution. HIBP's APIs can compare emails only, not emails and passwords. This will lead to many false positives. A better solution is to compare emails AND passwords. 4iQ and VeriClouds have APIs that can do that. We used VeriClouds as they had a more robust method for comparison of email and password - k-anonymity for email and no password needed to be submitted to their service, however their service still tells if it is compromised. (!?)
daveb63
 
Posts: 2
Joined: Mon Jul 08, 2019 12:24 am
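
The hash-prefix (k-anonymity) lookup the posts above refer to, in the form HIBP's Pwned Passwords range search uses (SHA-1, first five hex characters sent, suffixes compared locally). This is an added example, not part of the thread and not LastPass, HIBP or VeriClouds code; `RangeServer`, `breach_count` and the sample corpus are hypothetical and constructed so it runs offline.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical in-memory stand-in for the breach-corpus service."""

    def __init__(self, breached_counts):
        self.buckets = {}
        self.seen_queries = []  # everything the service learns from clients
        for secret, count in breached_counts.items():
            digest = sha1_hex(secret)
            bucket = self.buckets.setdefault(digest[:PREFIX_LEN], {})
            bucket[digest[PREFIX_LEN:]] = count

    def range_query(self, prefix: str) -> str:
        if len(prefix) != PREFIX_LEN or set(prefix) - set("0123456789ABCDEF"):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.seen_queries.append(prefix)
        bucket = self.buckets.get(prefix, {})
        return "\n".join(f"{sfx}:{n}" for sfx, n in sorted(bucket.items()))


def breach_count(server: RangeServer, secret: str) -> int:
    """Return how often `secret` appears in the corpus, comparing locally."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in server.range_query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample corpus (not real breach data).
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2}

if __name__ == "__main__":
    server = RangeServer(CONSTRUCTED_CORPUS)
    for pw in ("password", "x9!unlikely-vault-entry"):
        print(pw, "->", breach_count(server, pw))
    print("service saw only:", server.seen_queries)
```

The service only ever sees the five-character prefix, and the lookup is keyed on the password hash alone: a hit means the password appears in the corpus, not that it was paired with a particular email address.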
