Gravity Blog


Passwords and Our Data

My preferred browser, Mozilla's Firefox, released a new product recently called Firefox Monitor. Usually I don't go for these branded value-add things, but as I wasn't sure what this was, I did a bit of research.

It seems that Mozilla has partnered with Troy Hunt, creator and curator of Have I Been Pwned (HIBP) and Pwned Passwords, to add their functionality into Firefox's realm. Which is a great thing for everyone.

In case you're in the 99% of people who don't know what HIBP does, it's simple. They collect the leaked and published account breaches that would-be hackers use, and provide them as a searchable database for people like us. If you sign up with them, or now Firefox Monitor, they will actually alert you when your account turns up in a breach, as soon as they become aware of it. Meaning you can act as soon as possible and change that password.

Which of course then leads us more firmly into the topic of passwords.

The other part of the aforementioned is Pwned Passwords. What this does is give you a safe way to check your password(s) against the massive list of passwords collected from these breaches.

If your first reaction is to say:

... Wait, you want me to type my awesome password into some random site?

... then I salute you. Complacency is the mother of breached...ness :)

That said, I have written two implementations of the Pwned Passwords API, and can safely say that at least those two, presumably the original and probably the new Firefox implementation, will be as safe as one might hope. The password never leaves the browser page you're on. It's all done within the page, and the whole password is never sent to the foreign server. (Technically, the page hashes the password locally, sends only the first few characters of that hash, and gets back a list of hash suffixes that share those characters; the browser then checks for a match on its own, so the server never learns which one, if any, you were looking for.)

TL;DR - It gives you the number of times an entered password has been seen in the breaches collected. If you enter the word "password", you'll see it comes up millions of times.
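To make the exchange above concrete, here is the client side of it in Python as an added example (not code from this post, from Mozilla, or from Troy Hunt's services): hash locally, send only the hash prefix, match the suffix locally. The range endpoint URL is the real Pwned Passwords one; the range response, its counts and the offline fetcher are constructed for the demo.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; everything else here is an added example.
PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5  # the API keys ranges by the first 5 hex chars of the SHA-1

def hash_password(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding rows carry count 0."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """How often the password appears, without sending it (or its full hash) anywhere."""
    full_hash = hash_password(password)
    prefix, suffix = full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]
    counts = parse_range_response(fetch_range(prefix))  # only the prefix goes over the wire
    return counts.get(suffix, 0)  # the actual match happens locally

def fetch_range_live(prefix: str) -> str:
    """Live fetcher (not used in the offline demo). Add-Padding hides the true range size."""
    req = urllib.request.Request(PWNED_RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the response to /range/5BAA6 (the prefix of SHA-1("password")).
# The counts are made up for the demo; the last row imitates a padding entry (count 0).
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00BCAF2D3F8F9C1E23A1B2C3D4E5F60718A:2\r\n"
    "FFFF0000111122223333444455556666777:0\r\n"
)

def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher: serves the constructed range for 5BAA6, an empty range otherwise."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    print("password:", breach_count("password", fake_fetch_range))
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; the password itself still never leaves the machine.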

1Password (a cloud/browser password manager) has also got in on the action, and will be offering the same account/password checking service in real time.