undefined | Better HN

0 pointssliken7y ago0 comments

He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Which does upload your password, which I think is an unacceptable risk.

0 comments

Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.

brennebeck7y ago

Not trying to be a pedant, but wouldn’t “[...]it’s far from clear[...]” be (more?) correct?

If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.

npongratz7y ago

I completely agree. Maybe this was the mental model:

    far from unclear           unclear      clear   far from unclear
          ^                                               ^
          |                                               |
          -------------------------------------------------

slikenOP7y ago

Heh, sure, "far from clear" is what I meant to say.

It would take substantial time, expertise, and effort to audit that single web page. Even then any of the numerous pieces could change at any time.

So the risk is high, especially for something you are putting trusted passwords into.

rincebrain7y ago

You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.

If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

slikenOP7y ago

So you are trusting the HTML/CSS and javscript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.

There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

Note the lack of https.

You are going to trust a page with that code with your important passwords?

Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.

Much like trusting curl https://whatever.com | sudo /bin/bash

Crazy.

romellem7y ago

If you are that distrusting, then do the SHA1 conversion yourself. It isn't that complicated:

  sha1=$(echo -n 'happy123' | tr -d '\n' | openssl sha1)
  result=$(curl https://api.pwnedpasswords.com/range/${sha1:0:5} 
    2>/dev/null | grep $(echo ${sha1:5:35} | tr '[:lower:]' '[:upper:]'))
  echo "Count: ${result#*:}"

With that, I can see that the password 'happy123' has been "pwn'd" 70,617 times.

rincebrain7y ago

So your claim has gone from "it uploads the password to the server" to "you trust unverified Javascript".

No, I don't have any particular reason to trust it.

I was just pointing out that the claim you made was inaccurate.

1 more reply

clort7y ago

How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?

Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.

Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..

shkkmo7y ago

> He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Please don't make false assertions about what I was suggesting without any evidence.

Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.

I would certainly not put any live passwords into the webform.

j / k navigate · click thread line to collapse

0 comments

slikenOP7y ago

Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

brennebeck7y ago

Not trying to be a pedant, but wouldn’t “[...]it’s far from clear[...]” be (more?) correct?

If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.

npongratz7y ago

I completely agree. Maybe this was the mental model:

    far from unclear           unclear      clear   far from unclear
          ^                                               ^
          |                                               |
          -------------------------------------------------

slikenOP7y ago

Heh, sure, "far from clear" is what I meant to say.

It would take substantial time, expertise, and effort to audit that single web page. Even then any of the numerous pieces could change at any time.

So the risk is high, especially for something you are putting trusted passwords into.

rincebrain7y ago

You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

slikenOP7y ago

So you are trusting the HTML/CSS and javscript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.

There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

Note the lack of https.

You are going to trust a page with that code with your important passwords?

Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.

Much like trusting curl https://whatever.com | sudo /bin/bash

Crazy.

romellem7y ago

If you are that distrusting, then do the SHA1 conversion yourself. It isn't that complicated:

  sha1=$(echo -n 'happy123' | tr -d '\n' | openssl sha1)
  result=$(curl https://api.pwnedpasswords.com/range/${sha1:0:5} 
    2>/dev/null | grep $(echo ${sha1:5:35} | tr '[:lower:]' '[:upper:]'))
  echo "Count: ${result#*:}"

With that, I can see that the password 'happy123' has been "pwn'd" 70,617 times.

rincebrain7y ago

So your claim has gone from "it uploads the password to the server" to "you trust unverified Javascript".

No, I don't have any particular reason to trust it.

I was just pointing out that the claim you made was inaccurate.

1 more reply

clort7y ago

Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..

shkkmo7y ago

> He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Please don't make false assertions about what I was suggesting without any evidence.

I would certainly not put any live passwords into the webform.

j / k navigate · click thread line to collapse