Data breach checks on individual logins

Today many websites get hacked and passwords get stolen.
1Password and LastPass offer a breach check.
They check for each entry in the database if the website of the entry was had a breach.
If yes, they check if the modification date of the password (not the modification date of the entry) is newer than the breach date of the website.
If the user did not change the password since the breach happened, the password managers alert the user.

I suggested the breach check last year to the KeePass forums and an other user implemented such a plugin.
It is called “HaveIBeenPwned” and the GitHub page (containing the source code) can be found here:

The plugin downloads the list of breaches from “Have I Been Pwned” https://haveibeenpwned.com/
KeePass has no timestamp when the password was changed, but the programmer managed to find the password modification date via comparing the history of the passwords (he can see when the password was changed).
All passwords that are not changed after a breach are shown in a list.

You should also implement sich a breach check.
If a website was hacked and the user did not change the password after the breach, you should actively ask the user to change his password.

This requires that you store the date when the password was last changed:
https://community.bitwarden.com/t/vault-item-modification-history/179

We have a breach report from HIBP available in the web vault

1 Like

I know that feature, but it just checks if my email address is affected (at least I think so).
I think this feature does not check if I have changed the password after the breach.
Or does it?

So when a website gets hacked 1 year ago and I changed the password 2 years ago, I get an alert.
But when I changed the password last months, then everything is OK.

Many HIBP records come without estimated ‘breach date’. I haven’t played with API too much, but a date when it was uploaded to HIBP is not a date of the breach (stating the obvious) and for certain breaches more accurate date is known.

I would not trust a date, from HIBP or any other date. Anyone can lie about date, companies to avoid embarassment, hackers can lie to trick users. Bulk-breaches have a lot of various sources, so it would be impossible to reliably alert users.

I think this date is better than no breach check.
And it is better to change the password than to risk a data loss.

Troy (author of HIBP) has a new API for checking if a specific password has been compromised. There is a way to hash a portion of the pass and send it to the service without giving up the password that you are testing. Not completely clear on the details, but this blog post by Troy lays it all out. Something to look into.

1 Like

@cywest This is available in the next version of our apps.

7 Likes

Maybe I am missing something obvious, but I am not seeing this in either the Web Vault or the Mac Desktop app.

Seems like it could be a useful check.

The browser plugin has a button next to each password to check if it’s known to be compromised.
Edit:
It’s also in the Win and MacOS desktop apps and the web vault.
Only place I don’t see it is IOS app.

2 Likes

Recently, Mozilla also started its new free service Firefox Monitor allowing users to check if their email or other details are being breached by third parties. this service seems really helpful and also offers to generate notifications to selected users who enroll with the service by signing it up. for more details, check the news here.
Firefox Monitor Data Breach Service Launched

2 Likes

Will this feature be implemented?

If I check my email address in the Data Breach Report the I get 8 results.
All of them have a Breach Occurred date like this:


But how is this information helpful for users?
I have to open every entry (8 entries) manually in Bitwarden and check if I have changed the password after the breach date.
And if I run this report again, I still get the 8 results.

What If I get 9 results?
Then I have to check each entry manually again?
Or write down what entries are OK (also manual action required).

Make it more user friendly
I KeePass I use the “Have I Been Pwned” plugin.
This plugin compares the modification date of the password of each entry and compares this password change date with the information provided by “Have I Been Pwned”.

In KeePass I get zero results (because I changed the passwords after the breach dates).
If I deactivate the checkbox “Only check entries that have not changed since the brach” then I get 10 results.

image

The reason for this is that I have checked “By Site/Service” and here all entries are listed (also with other email addresses, like my work email or my old email address).
Bitwarden does not report any matches for these alternate email addresses (because Bitwarden checks by “Username/Email Address”.

Here you see the results of the breach check “By Site/Service” in KeePass:

You see that there are multiple values in the field “Username” (at some services I have the email address, at some I have just a shot username).
And you see the columns “Password Changed” and “Breach Date”

@kspearrin Please tell me if I should send you additional data/information.

2 Likes

Chrome password manager has a feature that alerts you every time you login using a potentially compromised password/account. While Bitwarden has a feature like this its buried in the menu and not as effective. Some sort of notification would be better at alerting people that there password might be compromised from a known breach & they should change their password.

Please consider adding a notification to the browser extensions that alerts/notifies users with a popup/etc to change their password when they login using that password.

3 Likes

Now (2 1/2 years later) I come back to this suggestion.
Here I have a question.

I receive newsletters from HIBP (Have I Been PWND) when there is a new breach.
I receive them via Microsoft PowerApps and Flow (not from HIBP directly).
These newsletters inform me when a specific service gets hacked (data breach).

Here an example:

Most of these websites I don’t have, but I decided to receive the newsletters to get informed about a breach for any service that I am using.

In my first posting I suggested that Bitwarden checks for breached services too.
So when for example StarTribune has a data breach, then I get informed by the KeePass plugin because I have the URL in my entries.
This plugin warns me no matter what email address I am using.

Meantime much happened in Bitwarden and many new features were implemented.
I am not a security expert, but IMHO I think that this report (Check by Breached Accounts) would be still very useful.
Or am I completely wrong?

Edit:
The benefit of this solution is that this report also considers the password change date.
When a breach happened 2 years ago and I already changed the password, then everything is OK.
When a breach happened 2 years ago and I did not yet change the password, then I am in real trouble.

4 Likes