LinuxQuestions.org
Old 02-13-2019, 07:51 AM   #1
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: macOS, Slackware
Posts: 807

Rep: Reputation: 282
Google Password Checkup and Firefox Monitor


In line with the well-known Have I Been Pwned service, the browsers themselves want to be in.
So what do you think about the recent Google Password Checkup and Firefox Monitor?
Have you installed the Google extension and/or subscribed to the Mozilla service?
Do you worry about your credentials' privacy when analyzed by Google/Firefox despite what both companies claim about their service security?
 
Old 02-13-2019, 09:41 AM   #2
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 868

Rep: Reputation: Disabled
Personally, I would never install any addon that has anything to do with credentials, or subscribe with a service that validates them, simply because they are transmitted to the service so it can "check" them.

My passwords reside in a local database and only leave the database to be copied and pasted into a site I am logging into. I don't need a service to tell me whether my passwords are secure or whether they have been compromised because all my credentials are long, random values and I don't even know what they are.

Up to you, but keep in mind that all browser addons can read all data that is transmitted through the browser.
 
Old 02-13-2019, 10:29 AM   #3
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: macOS, Slackware
Posts: 807

Original Poster
Rep: Reputation: 282
Quote:
Originally Posted by sevendogsbsd
I don't need a service to tell me whether my passwords are secure or whether they have been compromised because all my credentials are long, random values and I don't even know what they are.
Thanks for your feedback.
However, it is not because your passwords are all "long and random values" that they cannot be compromised. They can hardly be guessed, right, but they can still be compromised.
So unlike you, I like to know when my passwords are compromised and someone can access my account, pretend to be me and so on...

Last edited by l0f4r0; 02-13-2019 at 11:12 AM.
 
Old 02-13-2019, 10:38 AM   #4
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 868

Rep: Reputation: Disabled
Understood and correct, anything can be compromised. I just don't like passing my creds to a service to check. I think "I have been p0wned" just checks your email address, which is fine. I am uber paranoid though and never use any addons or plugins in the browser. That's what I get for being a paranoid security guy...
 
Old 02-13-2019, 05:09 PM   #5
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,443

Rep: Reputation: 1703
Quote:
Originally Posted by sevendogsbsd
I just don't like passing my creds to a service to check. I think "I have been p0wned" just checks your email address, which is fine.
It allows checking passwords as well: https://haveibeenpwned.com/Passwords

There is a clever scheme to keep your password secret: https://www.troyhunt.com/ive-just-la...yandkanonymity

Quote:
imagine if you wanted to check whether the password "P@ssw0rd" exists in the data set. [...] The SHA-1 hash of that string is "21BD12DC183F740EE76F27B78EB39C8AD972A757" so what we're going to do is take just the first 5 characters, in this case that means "21BD1". That gets sent to the Pwned Passwords API and it responds with 475 hash suffixes
Google's password checker has a similar explanation. The Firefox Monitor service queries the haveibeenpwned database, again using the same anonymizing technique. Although it seems they use it for emails only, I see no mention of passwords.

Quote:
Originally Posted by sevendogsbsd
keep in mind that all browser addons can read all data that is transmitted through the browser.
The browser can already read all data it transmits, so if you trust Google enough to use Chrome, or Mozilla enough to use Firefox, it seems to me that you may as well trust these additional services.
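
The range-query scheme quoted in post #5, as an added example that is not part of the thread or of the service's own code: the client sends only the 5-character SHA-1 prefix and matches the remaining 35 characters locally. `ToyRangeServer`, its data and all counts are assumptions constructed for this sketch; the `SUFFIX:COUNT` line format follows the Pwned Passwords range response.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

class ToyRangeServer:
    """Hypothetical in-memory stand-in for the range service (assumption)."""
    def __init__(self, hash_counts):
        self.buckets = {}
        self.seen = []  # everything this server ever learns from a client
        for digest, count in hash_counts.items():
            self.buckets.setdefault(digest[:5], []).append((digest[5:], count))

    def range(self, prefix: str) -> str:
        # The server cannot tell which suffix in the bucket the client holds.
        self.seen.append(prefix)
        rows = sorted(self.buckets.get(prefix.upper(), []))
        return "\n".join(f"{suffix}:{count}" for suffix, count in rows)

def pwned_count(password: str, server) -> int:
    """Client side: query by prefix, then compare suffixes locally."""
    prefix, suffix = split_hash(password)
    for line in server.range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # suffix not in the returned bucket

def constructed_server():
    """Constructed data: one real hash plus made-up hashes around it."""
    real = sha1_hex("P@ssw0rd")
    return ToyRangeServer({
        real: 1234,                  # count is made up
        real[:5] + "A" * 35: 7,      # decoy sharing the prefix, not a real hash
        real[:5] + "B" * 35: 2,      # decoy sharing the prefix, not a real hash
        sha1_hex("letmein"): 99,     # falls into a different bucket
    })

if __name__ == "__main__":
    server = constructed_server()
    print(pwned_count("P@ssw0rd", server))
    print(pwned_count("not in the constructed set", server))
    print(server.seen)  # only 5-character prefixes ever reached the server
```
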
 
Old 02-24-2019, 05:19 AM   #6
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: macOS, Slackware
Posts: 807

Original Poster
Rep: Reputation: 282
Quote:
Originally Posted by ntubski
It allows checking passwords as well: https://haveibeenpwned.com/Passwords
Thanks, I was unaware of this password checking service

Quote:
Originally Posted by ntubski
There is a clever scheme to keep your password secret: https://www.troyhunt.com/ive-just-la...yandkanonymity
Google's password checker has a similar explanation.
Yes, but I don't know why, I remain sceptical about using an add-on that deals with every piece of credentials I use even if it's supposed to be secure enough...
It's one thing to query or subscribe to Have I Been Pwned (HIBP) but that's another kettle of fish to deal with passwords directly and to do it systematically during each login, especially if Google is behind the scenes... Maybe I'm paranoid like sevendogsbsd regarding this aspect ^^

Quote:
Originally Posted by ntubski
The Firefox Monitor service queries the haveibeenpwned database, again using the same anonymizing technique. Although it seems they use it for emails only, I see no mention of passwords.
Yes you're right. Actually Google Password Checkup and Firefox Monitor are quite different. It seems that Firefox Monitor is just an HIBP clone. For the time being, I'm not sure I see why I would use this service as is, considering I'm already an HIBP subscriber.
 
Old 02-24-2019, 08:58 PM   #7
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,443

Rep: Reputation: 1703
Quote:
Originally Posted by l0f4r0
Actually Google Password Checkup and Firefox Monitor are quite different. It seems that Firefox Monitor is just an HIBP clone. For the time being, I'm not sure I see why I would use this service as is, considering I'm already an HIBP subscriber.
Yeah, from what I can tell, Google has their own database, whereas the Firefox thing is just an alternate interface to HIBP. At least for now, it looks like Firefox Monitor doesn't give any benefit over subscribing to HIBP directly.
 