Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Have i been pwned? #1251

Open Ashymashy opened 2 years ago

Ashymashy commented 2 years ago

Is your feature request related to a problem? Please describe. No

Hello, I would like to suggest having "have i been pwned" integration or a plugin for it, like the "bitwarden vault health report". It would be so much more useful than having to try every single email or password on the site to find out if they have been in a breach or not, so I would be so thankful if the devs consider it as an option (I know the app doesn't have internet permission, that's why I said maybe have it as a plugin).

Thanks

kraoli commented 2 years ago

I'm happy to be convinced by good arguments. But "have i been pwned" does mainly help if you do not use a password manager, doesn't it? With a password manager you have a different pw for every service.

And if you like, there is already a subscribe function on the web site.

I'm also not sure if I want to check all of my accounts and passwords against an online database. Metadata generation? What happens when "have i been pwned" is hacked at some point or sold? I can see some benefit when watching your email account. But for passwords, it's possible that it's a collision with other users. How do you know that it's not a false positive for you? Isn't it partly https://en.wikipedia.org/wiki/Security_theater to rely on such services?

Not having internet permissions adds a lot more benefits than enabling these checks, in my opinion.

Ashymashy commented 2 years ago

But “have i been pwned” does mainly help if you do not use a password manager, doesn't it?

Well, the service is for security- and privacy-conscious people whether they use a password manager or not. But so many of the big password managers, like Bitwarden with "the bitwarden vault health report", and even email aliasing services like SimpleLogin do it to ensure that emails and passwords aren't just exposed out there for someone to use.

With a password manager you have a different pw for every service.

And that's why it's hard to check every single email and password, let alone credit cards, identity theft... So something like a password manager can become super time-saving and convenient to check these values automatically or manually.

And if you like, there is already a subscribe function on the web site.

It's super limited: it only notifies you if the email that you entered to get notified is breached, let alone passwords...

I'm also not sure if I want to check all of my accounts and passwords against an online database. Metadata generation? What happens when "have i been pwned" is hacked at some point or sold? I can see some benefit when watching your email account. But for passwords, it's possible that it's a collision with other users. How do you know that it's not a false positive for you? Isn't it partly https://en.wikipedia.org/wiki/Security_theater to rely on such services?

Firstly, "haveibeenpwned.com" is open-source, and I'm sure it hashes everything you enter so it can't be traced back to you or exposed. Also, the database of breached content is already there, so it doesn't matter whether you use it or not if it gets hacked. Also, I think a false positive that makes you change a password that might be compromised or be in a dictionary for an attacker to use is so much better than getting your account hacked just because the site you were using didn't notify you about your data getting exposed in a breach. Also, if someone's password is exactly like your password and your account hasn't been breached but that person's account has, then your password is already in the hacker's dictionary, so even if your password is a collision with other users you're still in danger of getting your account hacked.

Not having internet permissions adds a lot more benefits than enabling these checks, in my opinion.

I understand this, and that's why I'm suggesting for it to be a plugin, add-on or whatever you like, so people that want to keep KeePassDX offline can still have it that way.

Also, I don't think implementing it is going to be too hard because haveibeenpwned.com has their API and open-source password managers like Bitwarden already have the code open to the public, so I would be thankful if people working on KeePassDX think about this a little bit.

Also, I would like to suggest that you check out this video from Computerphile on how "have i been pwned?" processes passwords: https://youtu.be/hhUb5iknVJs

Thanks
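The hashing the linked video describes is the Pwned Passwords k-anonymity range lookup: only the first 5 hex characters of the SHA-1 of the password are sent, and the service answers with every known hash suffix under that prefix. The following is an added example of the client side of that lookup (not code from this issue or from KeePassDX); the HTTPS call is replaced by a constructed response so it runs offline, and `offline_fetch` and the count values are assumptions for illustration.

```python
import hashlib

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# (one "HASH_SUFFIX:COUNT" line per leaked hash sharing that prefix). Counts are
# made up; only the first suffix is the real remainder of SHA-1("password").
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000001:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password and split the hex digest the way the range API expects:
    the first 5 hex chars leave the device, the remaining 35 stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table, ignoring malformed lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the response body for a 5-char prefix;
    neither the password nor its full hash is ever passed to it."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Constructed stand-in for the HTTPS call so the example runs without network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r} seen {breach_count(pw, offline_fetch)} times")
```

The suffix comparison happens locally, which is the property that lets a vault check passwords without handing them to the service.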

J-Jamet commented 2 years ago

Also, I don't think implementing it is going to be too hard because haveibeenpwned.com has their API and open-source password managers like Bitwarden already have the code open to the public, so I would be thankful if people working on KeePassDX think about this a little bit.

I haven't thought about it more than that; I just saw your messages. It can be a good addition, but we have to do it right. The facts:

It's good that it's not difficult in your eyes; personally, I never commit to the difficulty of an implementation without even studying it. Feel free to put technical information to advance the subject.

Ashymashy commented 2 years ago

It's good that it's not difficult in your eyes; personally, I never commit to the difficulty of an implementation without even studying it. Feel free to put technical information to advance the subject.

Excuse my audacity; I didn't mean that I'm some kind of overlord code master that sees this as easy. I just meant that from what I have seen from you this shouldn't be as cumbersome as it looks, but still, excuse my bad wording on this.

Regards

J-Jamet commented 2 years ago

No problem, but I prefer to put things in context: just because a project is open source doesn't mean it's easy to implement. That's why I encourage everyone to get technically involved in the things they want to see emerge. This helps foster the notion of building in the collective mind, rather than fostering the spirit of consumption.

strider72 commented 1 year ago

Two thoughts:

  1. On Internet access alone this warrants a separate side app. Open data format allows for this.

  2. Maybe it's better to simply track web sites that are known to have been hacked. Is there a database of known breaches that could be compared against the URL and last modification date of the password? If it's been hacked since you last changed your password, flag that.
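An added example (not from this thread or from KeePassDX) of the check strider72 sketches, as a side app could run it over entries already read from the KeePass file. The breach list, the vault entries and the names `KNOWN_BREACHES`, `VAULT_ENTRIES`, `breach_for_host` and `flag_entries` are constructed for illustration; it also handles the entry whose password-change date is unknown by flagging it rather than silently passing it.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed breach list: domain -> date the breach happened. A real side app
# would load this from a published breach feed; these values are invented.
KNOWN_BREACHES = {
    "example-shop.test": date(2023, 3, 10),
    "forum.example.net": date(2021, 8, 1),
}

# Constructed vault entries: (title, URL, date the password was last changed).
# None stands for an entry whose change date the side app could not determine.
VAULT_ENTRIES = [
    ("Shop", "https://www.example-shop.test/login", date(2022, 12, 5)),
    ("Forum", "https://forum.example.net/", date(2022, 1, 15)),
    ("Mail", "https://mail.example.org/", date(2020, 6, 30)),
    ("Old shop", "https://example-shop.test/account", None),
]


def breach_for_host(host: str):
    """Match a URL host against the breach list, walking up parent domains so
    'www.example-shop.test' is covered by an entry for 'example-shop.test'.
    Returns (matched_domain, breach_date) or None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_BREACHES:
            return candidate, KNOWN_BREACHES[candidate]
    return None


def flag_entries(entries):
    """Return (title, domain, reason) for every entry whose password may predate
    a known breach of the site it is used on."""
    flagged = []
    for title, url, changed in entries:
        hit = breach_for_host(urlsplit(url).hostname or "")
        if hit is None:
            continue
        domain, breached_on = hit
        if changed is None:
            flagged.append((title, domain, "password change date unknown"))
        elif changed <= breached_on:
            flagged.append((title, domain, f"password not changed since breach on {breached_on}"))
    return flagged


if __name__ == "__main__":
    for title, domain, reason in flag_entries(VAULT_ENTRIES):
        print(f"{title}: {domain}: {reason}")
```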