Hi All,
So Bitwarden currently relies on HaveIBeenPwned for breach alerts, while other password managers use additional dark-web intelligence sources to catch more leaks.
Is HIBP alone sufficient (I guess that is the crux of the question), or should Bitwarden go beyond it and add more advanced (but still privacy-preserving) dark-web monitoring—maybe as a premium feature?
Thanks for collecting this info. I would imagine that implementing something like this would require a price increase for the paid subscriptions (and be unavailable for free subscriptions). For example, Enzoic might charge Bitwarden $1 per report for a single vault that has 200 passwords. It seems that HIBP does not cap the total number of searches, but instead sets a rate limit (searches per minute) depending on the subscription price.
If I were running a business that was contemplating using one of these services, I would want to see convincing quantitative data proving that the “dark-web intelligence” service actually finds a significantly greater number of breached passwords than does HIBP.
Based on people’s descriptions before, it seems that some dark web monitoring services, like Google’s, tend to be more sensitive than HIBP. Google’s may not report details of the leak, including the source, making it difficult to determine what the source/extent of the breach is, possibly raising anxiety and provoking unnecessary responses.
Although I don’t know the worth of dark web monitoring services, I note that:
Websites commonly notify members of data breaches (if known).
Massive data scraping and data collation are frequently reported to HIBP.
Infostealer breach reports are delayed, even for specialized services like HudsonRock’s.
Nowadays, in many cases, you may be more likely to suffer account attacks because of infostealer breaches before they show up in the infostealer reports.
Website breaches and data scraping/collation are inevitable, so you can mitigate by using unique passwords and email aliases everywhere. For infostealers, you can use every measure you can to resist getting compromised in the first place.
Out of curiosity, I just briefly “researched” this one… and I am a bit confused about the validity of that: first, they only seem to offer that for “business accounts” (see here) – and there, you always get directed to the dedicated NordStellar site. I’m not quite sure, but it seems to me that it isn’t integrated into NordPass, but is a dedicated service for “business users”…
I didn’t check the other services on that list…
(and if anyone knows more on NordPass/NordStellar, please correct me if my short “research” is erroneous)
That actually makes a lot of sense from a business-model standpoint. If the gain in detection is only marginal compared to the cost, it’s not really worth it—especially when HIBP already handles bulk checking.
@Neuron5569 also makes a great point here: “it can be hard to determine the exact source or scope of a breach, which can raise anxiety and trigger unnecessary responses.”