add alert that site is on pwned list


add alert that site is on pwned list

Postby cjphillips162 » Thu Nov 30, 2017 10:45 am

It would be great to have lastpass alert and signal that a given site is on a known 'have I been pwned' list of some nature with a timestamp. This could then be assessed if our password at the moment is at risk and then trigger us the users to decide to update/change the password.
cjphillips162
 
Posts: 2
Joined: Thu Nov 30, 2017 10:43 am

Re: add alert that site is on pwned list

Postby jonat » Thu Nov 30, 2017 5:33 pm

This is already available when you run the Security Challenge. The LastPass server doesn't know what logins you have. You could also sign up with https://haveibeenpwned.com/ , which I have done.
jonat
 
Posts: 2063
Joined: Thu Dec 09, 2010 8:42 pm

Re: add alert that site is on pwned list

Postby cjphillips162 » Fri Dec 01, 2017 9:17 am

Thanks! Will check that out!
cjphillips162
 
Posts: 2
Joined: Thu Nov 30, 2017 10:43 am

Re: add alert that site is on pwned list

Postby ingod » Sun Feb 25, 2018 11:05 pm

Does this include the password list which has been released on 22 Feb? 1Password just announced that their users can check passwords against the new Pwned Passwords list. How about LastPass?
ingod
 
Posts: 1
Joined: Sun Feb 25, 2018 11:02 pm

Re: add alert that site is on pwned list

Postby jonat » Mon Feb 26, 2018 2:44 pm

At the moment, no, but it would not surprise me if LastPass added something similar. The current feature compares login usernames, not passwords.

I view the 1Password feature as a bit of a gimmick at the moment. You can check only one password at a time, and if you're following best practices, you have a different random password for each site so checking usernames is effective. I might see this as useful if you supply your own passwords rather than using generated ones.
jonat
 
Posts: 2063
Joined: Thu Dec 09, 2010 8:42 pm

Re: add alert that site is on pwned list

Postby rwzeitgeist » Thu Mar 01, 2018 5:32 pm

jonat wrote:
At the moment, no, but it would not surprise me if LastPass added something similar. The current feature compares login usernames, not passwords.

I view the 1Password feature as a bit of a gimmick at the moment.

The 1Password description of the pwned list lookup feature clearly describes the current version as "a proof of concept" implementation, created in a day. That's why they require a user to manually enable the feature using a magic key sequence. They also state, "In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day." (quoted from https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/)

Yes, I hope LastPass adds password checking to the existing email search of the list of pwned credentials. I also hope LastPass provides support to ensure long term availability of Troy Hunt's work to provide these important services.
rwzeitgeist
 
Posts: 1
Joined: Thu Mar 01, 2018 5:17 pm

1password and their endorsement of troy hunt

Postby boistordu » Sat Apr 07, 2018 10:40 am

Hi,

As you've maybe seen, the security expert troy hunt, the author of haveIbeenpowned.com, has endorsed 1password. And 1password has developed a partnership with him to be notified if your password has been breached, and all your passwords are being verified for that through his website.

You can do the same for lastpass and it would be great if we could have a feature, when we create a password, to see if it has been breached already, and the same thing for all of our already registered passwords.
You can freely develop something to access the API of his website and others have done it already....
So what are you waiting for? OR maybe logmein is not giving you enough financial resources to develop it yourself?
boistordu
 
Posts: 4
Joined: Sat Apr 07, 2018 8:06 am

Re: add alert that site is on pwned list

Postby tehfcae » Wed Apr 18, 2018 1:04 pm

Troy Hunt also maintains a list of pwned passwords (https://haveibeenpwned.com/Passwords); it would be nice for the LastPass app to check the passwords against that list. This would have to be done in app on clients to ensure passwords are not in cleartext at any point on LastPass infrastructure. There is an API which can query passwords which would make the development of the feature much quicker (https://haveibeenpwned.com/API/v2#Searc ... ByPassword). After a quick read some concerns would be:

The security issues with sending a password over the internet for a query - this is addressed by using HTTPS in the API as well as using only the SHA-1 hash of the password instead of sending the cleartext password across. (Passwords sent across the line would be hashed, then encrypted, making MITM attackers, even with full SSL inspection, unable to see cleartext passwords.) This still generates a risk of pass the hash; however, it would require full SSL inspection and the password would still need to be brute forced. That being said, if an attacker had full SSL inspection running and could see the SHA-1 hash, and the response that it is in the list, they would then have the hash and a dictionary which is known to contain the password, making it trivial to break. This can be mostly mitigated by only including that during password creation/changing; this would give the user the chance to choose a different password before the password is set. Keep in mind this is assuming an attacker who is in a position to do much, much, much greater damage, so this query should be the least of the worries, but this implementation would be good defense-in-depth practice.

The other concern is the rate limiting of one request every 1500 milliseconds (1.5 seconds) from a single IP address. This would be addressed again by doing it client side so each request would come from a unique IP. It would just need to set a timer on the request to ensure it isn't made too quickly. As people tend to take more than 1.5 seconds to think up and type a new password, I would not expect this to be a major issue. Additionally, to help ensure requests aren't made with every keystroke, the strength could be calculated only when a button is clicked. Doing this would also give the user the opportunity to choose to send the hash over the network.
tehfcae
 
Posts: 2
Joined: Wed Apr 18, 2018 12:31 pm

Re: add alert that site is on pwned list

Postby steve341 » Sat May 19, 2018 9:27 am

I think Troy has addressed your concerns, tehfcae:

1. The API method you are talking about has been deprecated. The replacement (https://haveibeenpwned.com/API/v2#Searc ... rdsByRange) is only sent the first 5 characters of the hash and returns all hashes that match relying on the client to find the right hash. This means that the password couldn't be obtained by either Troy or a MITM attack.

2. The password API isn't rate limited like other parts of the API (last line here: https://haveibeenpwned.com/API/v2#RateLimiting).
steve341
 
Posts: 1
Joined: Thu Mar 15, 2018 10:55 pm
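The two posts above (tehfcae's concern about shipping the full SHA-1 hash, and steve341's reply that the range API only receives the first 5 hex characters and leaves the match to the client) are easiest to follow with the client side written out. The block below is an added example, not LastPass, 1Password or Have I Been Pwned code: it hashes the password, sends only the 5-character prefix to a lookup function, and matches the remaining 35 characters locally, so neither the service nor anyone watching the connection learns more than one of about a million possible prefixes. The network call is replaced by a constructed in-memory responder with made-up counts, and the response line format `SUFFIX:COUNT` is an assumption about the service's output; a real client would issue an HTTPS GET for the prefix instead and feed the body to the same parser.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # the range API is sent only the first 5 hex chars of the SHA-1 (per the thread)
SUFFIX_LEN = 40 - PREFIX_LEN  # SHA-1 is 40 hex chars, so 35 stay on the client


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the list is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split the digest into the prefix that leaves the client and the suffix that never does."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}.

    Assumed format: one 'SUFFIX:COUNT' entry per line, CRLF or LF separated.
    Malformed lines are skipped rather than trusted, since the body comes off the wire.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != SUFFIX_LEN or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the list (0 if absent).

    Only the prefix is handed to fetch_range; the suffix comparison happens here,
    which is the k-anonymity property steve341's post describes.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed sample responder, standing in for the HTTPS request ---
# Constructed data: these passwords are "listed" with made-up counts; anything else is absent.
_CONSTRUCTED_LIST = {"password": 1234, "letmein": 56}


def constructed_fetch(prefix: str) -> str:
    """Return every constructed entry whose SHA-1 starts with prefix, plus filler suffixes
    so the bucket looks like a real one (many unrelated suffixes, not just the caller's)."""
    lines = []
    for pw, n in _CONSTRUCTED_LIST.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * SUFFIX_LEN + ":1")   # constructed filler
    lines.append("F" * SUFFIX_LEN + ":7")   # constructed filler
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "letmein", "correct horse battery staple"):
        n = pwned_count(pw, constructed_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in list'}")
```

The parser only keeps well-formed 35-character suffixes, so a truncated or tampered response degrades to "not found" rather than to a false match; a client that wants to fail closed on a bad body can instead raise when `parse_range_response` returns an empty dict, since a real bucket is never empty.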

Re: add alert that site is on pwned list

Postby alangant » Mon Jun 25, 2018 7:34 pm

Add me to the list requesting automatic checking of the haveibeenpwned list when creating passwords in lastpass. I am a longtime lastpass customer, and haveibeenpwned has real value.
Thanks,
Alan Gant
alangant
 
Posts: 15
Joined: Wed Oct 14, 2009 12:51 pm
