I have a common name Gmail account. The password is rather complex and I would be surprised if it leaks as only I and Google know it. However, I would get reports that it’s on the dark web with blanked out password values. So I never knew if it was actually compromised or just something else.
They would also report when some random site that used my Gmail address as user id was on the darknet that I don’t care about. I don’t care if my fidofido account is leaked. I never use it and if I did, then I would reset.
I think if the data were useful Google would have kept this up.
I bet they keep tracking though, just keep the reports internal.
Tangential, but I found 'Have I Been Pwned' useless too because you can't enter your email and find leaked passwords associated with the address; instead you have to enter each password (and repeat for every password you want to check).
I know there's an explanation that the raw password is not being sent and instead being hashed locally and only part of the hash is sent. But I don't know how to verify that and it feels wild to type passwords into a random website. (if anyone knows how to verify HIBP does only what it says it does [rather than blindly trust and hope for the best], would love to read more about it)
Almost everyone interested in checking for password leaks knows how to generate SHA256 of a string. And those who don't shouldn't put their passwords on the internet.
Or even better, generate hashes for all passwords in the database, package these hashes together with a simple search script and let people download it. That way, you are not sending any information anywhere, and no one can exploit the passwords, because a hash is a one-way function.
Then again, that download could be really large. I admit I have no idea how much storage that would take. But it's just text, so easily compressible. And with some smart indexing, it should be possible to keep most of it compressed and only unpack a relatively small portion to find a complete match.
Then again, I have virtually no background in cryptography, could be something horribly wrong with this.
Though perhaps there could be a service where you enter an email address and it sends an email to that address containing the passwords. That would be a slightly more complicated server to set up though.
I recall HIBP documents their hashing protocol so that it should be possible to have a non-web client you can trust more.
I don't know how to verify what the website does, but I think that in a few minutes I'll be able to put together a CURL call that does what we're hoping the website does.
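The k-anonymity scheme the two comments above refer to, as an added example that is not from any commenter in this thread and not HIBP's own code: Pwned Passwords hashes with SHA-1 (not SHA-256) and only the first 5 hex characters of the digest leave the machine; the server returns every suffix in that range and the match is made locally. The endpoint and "SUFFIX:COUNT" response format are HIBP's documented range API; the sample range body and its counts are constructed so the demo runs offline.

```python
"""Pwned Passwords k-anonymity check: hash locally, transmit a 5-char prefix only."""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix sent, 35-char suffix kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(suffix: str, range_body: str) -> int:
    """Scan a range response ("HEXSUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 when the suffix is absent from the range."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """The only network call; `prefix` is the sole password-derived data sent."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """End-to-end check; `fetch` is injectable so the logic can be verified offline."""
    prefix, suffix = split_sha1(password)
    return match_suffix(suffix, fetch(prefix))


# Constructed sample range body (NOT real HIBP data): two made-up suffixes plus the
# genuine suffix of SHA-1("password") with a made-up count, so the offline run matches.
SAMPLE_RANGE = "\n".join([
    "0000A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "FFFF0123456789ABCDEF0123456789ABCDEF012:5",
])

if __name__ == "__main__":
    # Offline demonstration; swap the lambda for the default fetch_range to go live.
    print(pwned_count("password", fetch=lambda prefix: SAMPLE_RANGE))
```

Auditing the scheme comes down to confirming that `fetch` receives nothing but the 5-character prefix, which a local client like this makes trivially inspectable.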
The worst part is, it was an email address I hadn't used in about 10 years, and they wouldn't let me take it out of the report.
What are the common two-letter first or last names?
Alternatives: haveibeenpwned.com (free), 1Password Watchtower, Bitwarden breach reports.
The harder part isn't knowing about breaches—it's actually rotating passwords afterward. Most people know they should but don't because it's tedious.
Automated rotation tools are emerging but need careful security architecture (local-only, zero-knowledge) to avoid creating new attack vectors.
Such a product must be crafted to mitigate its own abuse, as well as the original problem.
I remember email and phone being the major ones. A kind of improved haveibeenpwned.
Translation: We don’t actually want to keep spending time, money, and resources on this.
This is one where I don't blame them for killing it because "it" wasn't really even a product -- it was just a very basic, not useful at all, report.