Data Breach Sources

Hey,
how does the “This password is part of an exposed data breach” functionality work?
I read about an API call from the client extension to https://haveibeenpwned.com; however, when I check the flagged password against the website, it comes back clean.

Are there other sources?

regards

Hi @abcyb Welcome to the forum!

Which browser are you using? Browsers also have these warnings - possibly it is from the browser and not the extension?

It’s a little hard to find in the code because it’s named powned, but here is a link to the trusted function which calls the API: passbolt_browser_extension/pownedService.js at 22a0bb9992303676a17d4c3c6bb1929d27d76ce1 · passbolt/passbolt_browser_extension · GitHub

A simple call is being made with the string of the password which was entered.

Hello!

Indeed, as mentioned by @garrett, we are using the API https://api.pwnedpasswords.com/. Is it the same one you are using to check on your side when it comes back clean?

Thanks in advance.

I am using Chrome, but I am not using the integrated Google Password Manager (which has this functionality AFAIK). I deactivated all extensions in Chrome except Passbolt and can still see the warning.

@antony
I checked with Have I Been Pwned: Pwned Passwords
The password that is flagged in passbolt comes back clean on the website.

@abcyb is the password length short? Passbolt may assume it’s part of a breach if it’s short, even though it is not listed as breached by pwnedpasswords.

1 Like

Here’s what it looks like on a fresh Chrome install if it’s coming from Chrome:
image

@remy
It looks like this could be the case; I just tested with some random passwords. We usually do 25+ characters, so I never encountered this issue before :slight_smile:

ghdlakd → “Data Breach” Very weak (entropy: 32.9 bits)
ghdlakd1 → “safe” Very weak (entropy: 41.4 bits)
Same for whatever randomized character I use instead of the “1”.
So, everything above 8 characters seems to be “okay”, everything below is a “data breach”.

I really appreciate this feature, but it should just say “your password is sh$t” instead of telling me that it is part of a data breach, ’cause that is a bit of another level of “sh$t” :slight_smile:

Well, our customer has to change their passwords anyway, so not much loss. But it does lead to false assumptions.

1 Like
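To make the two behaviours discussed in this thread concrete (the lookup against https://api.pwnedpasswords.com/ mentioned by @garrett and @antony, and the short-password case that @abcyb observed being reported as a “data breach” without the password ever being listed there), here is an added, stand-alone Python example. It is not Passbolt’s code: the `MIN_LENGTH_FOR_API` threshold of 8 is an assumption inferred from the 7-versus-8 character observation above, the entropy estimate (`length * log2(alphabet size)`) is an assumption that happens to reproduce the 32.9 and 41.4 bit values quoted, and the “corpus” the fake fetch answers from is constructed, not real breach data. The only thing taken from the real service is the shape of its k-anonymity range endpoint (`GET /range/<first 5 hex chars of SHA-1>` returning `SUFFIX:COUNT` lines), which means the full password hash never leaves the client.

```python
"""Offline model of the breach check discussed in the thread.

Decision order (assumed, mirroring the observation in the thread):
  1. passwords shorter than MIN_LENGTH_FOR_API get a local verdict and
     no network call is made at all;
  2. everything else is checked with the Pwned Passwords range API in its
     k-anonymity form: only the first 5 hex chars of SHA-1(password) are sent.
The HTTPS call is replaced by a constructed response so this runs offline.
"""
import hashlib
import math
import string

MIN_LENGTH_FOR_API = 8  # assumption: 7-char passwords were flagged, 8-char ones were not
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real service) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how often the password appears in the corpus (0 when the suffix is absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def charset_entropy_bits(password):
    """Assumed estimator: length * log2(size of the union of character classes used)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 32  # assumed size of the "other" class
    return len(password) * math.log2(size) if size else 0.0


def assess(password, fetch_range):
    """Combine the local short-password rule with the k-anonymity lookup."""
    if len(password) < MIN_LENGTH_FOR_API:
        # No API call: wording follows the suggestion at the end of the thread.
        return {"status": "too_short", "count": None,
                "message": "too short for testing against data breaches"}
    count = breach_count(password, fetch_range)
    if count:
        return {"status": "breached", "count": count,
                "message": "This password is part of an exposed data breach"}
    return {"status": "not_found", "count": 0, "message": "safe"}


# Constructed stand-in corpus, not real breach data.
CONSTRUCTED_CORPUS = {"password12345": 3861493, "letmein2024": 17}


def constructed_fetch_range(prefix):
    """Fake of an HTTPS GET on PWNED_RANGE_URL: answers only from CONSTRUCTED_CORPUS."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":1")  # decoy entry so a range is never empty
    return "\r\n".join(lines)


def fetch_range_live(prefix):
    """Real lookup (not exercised here): same contract as constructed_fetch_range."""
    from urllib.request import Request, urlopen
    req = Request(PWNED_RANGE_URL.format(prefix=prefix),
                  headers={"User-Agent": "example-breach-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("ghdlakd", "ghdlakd1", "password12345"):
        verdict = assess(pw, constructed_fetch_range)
        print(f"{pw!r}: {verdict['message']} (entropy: {charset_entropy_bits(pw):.1f} bits)")
```

Swapping `constructed_fetch_range` for `fetch_range_live` turns this into a real check; the rest of the logic is unchanged, which is the point of keeping the fetch behind a function argument. The local short-password branch is what produces a “breach” verdict for a password the website itself reports clean, so a client that takes this shortcut should say so in its message rather than claim a breach it never looked up.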

This is good feedback thank you @abcyb

1 Like

If I remember correctly it was designed like this to avoid hammering the pwnd API. We could change the message, like “your password is part of dictionary” instead.

2 Likes

Though that may not be the case.

Maybe: “too short for testing against data breaches”

4 Likes