andrew-schofield / keepass2-haveibeenpwned

Simple Have I Been Pwned checker for KeePass
MIT License

Would like a little extra information #13

Closed jeff9315 closed 7 years ago

jeff9315 commented 7 years ago

I was wondering if you could provide a little more information / documentation.

For example, I assume you're checking the URL field against the known breaches. However, I don't know whether you're checking the notes field and custom string fields to identify other URLs. In my case, I use the keepasshttp plugin which uses a custom string field to store urls in which would be very useful. I also sometimes add other urls in the notes field.

Also, when checking if a particular account has been hacked, how do you construct the account name? Is it just the userid or userid@domain name (and again, where would that domain name come from)? Do you look for email addresses within the Notes field and custom string fields?

All of that would be REALLY helpful to know.

Thanks ... Jeff

jeff9315 commented 7 years ago

Actually, it doesn't appear that any of my specific accounts are being checked. I have a KeePass entry for docusign.com that has a username something like myusername@gmail.com. myusername@gmail.com shows up on the Have I Been Pwned website as having been pwned in the River City Media Spam list, but it's not reported in this plugin. So, maybe it's only looking to see if the domain names have been hacked, which is a disappointment.

What would be REALLY useful is to identify ALL the ACCOUNTS that have been pwned and which entries those usernames show up in.

Thanks ... Jeff

andrew-schofield commented 7 years ago

At the moment all the plugin does is check the domain of the URL field for each entry and assumes that if you have an account on that site then you have been pwned (with some additional checks to see if the password was last changed before or after the breach date). It does not check the username field for breaches as per the assumption above (you have an account that was created or modified before the breach therefore it is likely it was pwned).

My initial use case didn't include checking usernames independently of domains as I only cared about which entries needed password changes, not which entries had usernames that had been pwned elsewhere. If this would be useful I can probably add some functionality to provide this.

I'm not sure I understand your point about URLs stored in different fields of the entry. Surely they all have the same base domain (even the keepasshttp data), unless you are recording additional URLs which share the same username/password combo?

jeff9315 commented 7 years ago

I get your point about all of them having the same base URL. I was thinking that some have one base for the main pages and a different company does their account maintenance. For example, http://www.neighborhoodstorage.com contains the pages for "information" while account login and maintenance is at https://www.smdservers.net. But this type of edge case is probably not worth the effort.

My rationale for checking usernames is that once a domain is pwned, we need to check to see if that username was used at any other websites/domains that were NOT pwned. Then, we could change the info at those other websites.

andrew-schofield commented 7 years ago

My rationale for checking usernames is that once a domain is pwned, we need to check to see if that username was used at any other websites/domains that were NOT pwned. Then, we could change the info at those other websites.

This is surely only an issue if you are sharing credentials between sites, otherwise what would you be changing of any consequence on the other sites?

jeff9315 commented 7 years ago

Email addresses are often shared. Which leads to more spamming. Questions and answers may be shared. It's just another way to make sure that if something gets pwned I look at any other sites that may end up compromised.

On Mon, Apr 3, 2017 at 6:56 AM Andrew Schofield notifications@github.com wrote:

My rationale for checking usernames is that once a domain is pwned, we need to check to see if that username was used at any other websites/domains that were NOT pwned. Then, we could change the info at those other websites.

This is surely only an issue if you are sharing credentials between sites, otherwise what would you be changing of any consequence on the other sites?


andrew-schofield commented 7 years ago

I would hazard a guess that the majority of users use the same email address for all their keepass entries, so this kind of check would result in every entry being flagged when in reality only a small subset have actually been compromised. Question and answer sharing is a valid point, although it does depend on what data was released in the breach (I'm not sure I can get hold of that information anyway).

andrew-schofield commented 7 years ago

Added username checking functionality in version 1.1.0 (c9af2bb275ae902958dd9f8f91da7d336eb1fb9b)
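An added illustration of the two checks discussed in this thread (the per-entry domain check with the breach-date comparison described above, and the username check whose trade-off is discussed just before the 1.1.0 note). This is example code written for this page, not the plugin's own implementation; the breach records and vault entries are constructed sample data shaped like HIBP breach fields, and the "www." stripping is an assumption about how the URL domain is derived.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed sample breaches, shaped like HIBP breach records (Name, Domain,
# BreachDate, DataClasses). Sample values only, not live Have I Been Pwned data.
BREACHES = [
    {"Name": "ShopExample", "Domain": "shop.example", "BreachDate": "2016-05-01",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ForumExample", "Domain": "forum.example", "BreachDate": "2015-11-20",
     "DataClasses": ["Email addresses", "Security questions and answers"]},
]
# Constructed account-level data: which breaches each email address was found in.
ACCOUNT_BREACHES = {"me@example.com": ["ShopExample"]}

@dataclass
class Entry:
    title: str
    url: str
    username: str
    password_changed: date  # last time the entry's password was modified

def entry_domain(url: str) -> str:
    """Host of the URL field with any leading 'www.' removed (assumed normalisation)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def domain_findings(entry: Entry, breaches=BREACHES) -> list:
    """Flag the entry when its URL's domain was breached and the password was
    last changed on or before the breach date (i.e. not rotated since)."""
    found = []
    for b in breaches:
        breached_on = date.fromisoformat(b["BreachDate"])
        if entry_domain(entry.url) == b["Domain"] and entry.password_changed <= breached_on:
            found.append((entry.title, b["Name"]))
    return found

def username_findings(entries, accounts=ACCOUNT_BREACHES) -> list:
    """Flag every entry whose username appears in a breach, regardless of site.
    Shows the trade-off from the thread: one shared email flags all entries."""
    return [(e.title, b) for e in entries for b in accounts.get(e.username, [])]

VAULT = [  # constructed sample vault
    Entry("Shop", "https://www.shop.example/login", "me@example.com", date(2016, 1, 10)),
    Entry("Forum", "https://forum.example", "me@example.com", date(2017, 2, 1)),
    Entry("Bank", "https://bank.example", "me@example.com", date(2016, 3, 3)),
]
```

Running the domain check over `VAULT` flags only "Shop" (its password predates the breach; "Forum" was rotated after its breach), while the username check flags all three entries because they share one email address.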