keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

HIBP - Check User Names against Breaches and Pastes #4299

Closed OLLI-S closed 1 year ago

OLLI-S commented 4 years ago

Summary

Check if usernames in the KeePassXC database are affected by breaches and pastes.

Details

This issue is a follow up of Check passwords against hacked password databases #1083

In the past (before I switched to KeePassXC and became a huge fan of it) I used KeePass and also the HaveIBeenPwned Plugin for KeePass (https://github.com/andrew-schofield/keepass2-haveibeenpwned).

The HaveIBeenPwned Plugin for KeePass allows checking for breaches based on username:

[image]

If I run this report in the HaveIBeenPwned Plugin for KeePass then I get the following message:

[image]

It seems like the HaveIBeenPwned Plugin has no API key and that the check for usernames is not possible without an API key.

In Bitwarden I have the "Data Breach Report" where I enter a username/email address and get the results shown:

[image]

The problem is that I have to enter all my usernames manually. It would be more comfortable if KeePassXC gathers all unique usernames in my database and checks them against the HIBP database. One click for the user instead of many clicks and having to enter all usernames manually.

What the results mean

The user might be confused about the results and not know what they mean. Assuming the results window is similar to the health reports window, you should show in the column "Recommendations" (the column "Reason" that has been renamed) what the user should do next. Like "Username name@domain.de is breached / made public". And there should be a column showing the breached service (like Adobe, Dropbox, etc.).

wolframroesler commented 4 years ago

To use this feature, KeePassXC users would have to purchase an API key from HIBP (which is currently at US$ 3.50 per month, according to https://haveibeenpwned.com/API/Key). Even then, queries to the API are restricted to one every 1.5 seconds (according to https://haveibeenpwned.com/API/v3#RateLimiting).

Given these restrictions, how big is the expected user base for this feature? IOW, how many users of KeePassXC do we expect to buy an API key?
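The constraints wolframroesler lists (a paid API key and one query every 1.5 seconds) are what any client doing this check would have to build around. The following Python sketch is an added example, not code from KeePassXC, the KeePass plugin or HIBP: it dedupes the usernames from a vault export, spaces requests to the stated interval, and handles the 404 (account not found) and 429 (rate limited) responses of the HIBP v3 `breachedaccount` endpoint. The entry list, the breach names and the fake transport are constructed sample data so it runs offline; the endpoint path, the `hibp-api-key` and `user-agent` request headers and the status codes are as the public HIBP v3 API documentation describes them.

```python
"""Check unique vault usernames against HIBP with client-side rate limiting.

Added example (not KeePassXC, keepass2-haveibeenpwned or HIBP code).
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# HIBP v3 endpoint as publicly documented; a key is mandatory for this call.
HIBP_ENDPOINT = "https://haveibeenpwned.com/api/v3/breachedaccount/"
MIN_INTERVAL = 1.5  # seconds between queries, the limit discussed in the thread

# A transport maps a URL to (HTTP status, response body); swapping it lets the
# same logic run against the real API or against constructed test data.
Transport = Callable[[str], Tuple[int, str]]

# Constructed sample vault entries (not real accounts).
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"title": "Adobe", "username": "name@example.com"},
    {"title": "Dropbox", "username": "Name@Example.com"},  # same account, other case
    {"title": "Forum", "username": "OLLI-S"},
    {"title": "Old site", "username": ""},                 # no username: skipped
    {"title": "Shop", "username": "retry@example.com"},     # first query gets a 429
]


def unique_usernames(entries: List[Dict[str, str]]) -> List[str]:
    """Collect usernames once each (case-insensitive), keeping first spelling."""
    seen, result = set(), []
    for entry in entries:
        name = (entry.get("username") or "").strip()
        if not name or name.lower() in seen:
            continue
        seen.add(name.lower())
        result.append(name)
    return result


def http_transport(api_key: str, user_agent: str = "vault-hibp-example") -> Transport:
    """Real transport: HIBP v3 requires both hibp-api-key and user-agent headers."""
    def fetch(url: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:  # 404 and 429 arrive this way
            return err.code, err.read().decode("utf-8", errors="replace")
    return fetch


def check_account(account: str, fetch: Transport,
                  sleep: Callable[[float], None] = time.sleep,
                  max_retries: int = 2) -> List[str]:
    """Return the sorted breach names for one account ([] when HIBP says 404)."""
    url = HIBP_ENDPOINT + urllib.parse.quote(account, safe="")
    for attempt in range(max_retries + 1):
        status, body = fetch(url)
        if status == 200:
            # Default (truncated) response is a list of {"Name": ...} objects.
            return sorted(breach["Name"] for breach in json.loads(body))
        if status == 404:
            return []
        if status == 429 and attempt < max_retries:
            # The real API also sends a retry-after header; a fuller client
            # should honour it instead of this fixed back-off.
            sleep(MIN_INTERVAL * 2)
            continue
        raise RuntimeError(f"HIBP returned HTTP {status} for {account!r}")


def check_all(entries: List[Dict[str, str]], fetch: Transport,
              min_interval: float = MIN_INTERVAL,
              sleep: Callable[[float], None] = time.sleep) -> Dict[str, List[str]]:
    """Query every unique username, never faster than one request per interval."""
    report: Dict[str, List[str]] = {}
    last_sent = None
    for account in unique_usernames(entries):
        if last_sent is not None:
            remaining = min_interval - (time.monotonic() - last_sent)
            if remaining > 0:
                sleep(remaining)
        last_sent = time.monotonic()
        report[account] = check_account(account, fetch, sleep=sleep)
    return report


def make_fake_transport() -> Transport:
    """Constructed offline stand-in for HIBP: fixed breaches plus one 429."""
    breaches = {"name@example.com": ["Dropbox", "Adobe"],
                "retry@example.com": ["ExampleBreach"]}
    throttled_once, calls = set(), []

    def fetch(url: str) -> Tuple[int, str]:
        account = urllib.parse.unquote(url[len(HIBP_ENDPOINT):]).lower()
        calls.append(account)
        if account == "retry@example.com" and account not in throttled_once:
            throttled_once.add(account)
            return 429, ""
        if account in breaches:
            return 200, json.dumps([{"Name": n} for n in breaches[account]])
        return 404, ""
    fetch.calls = calls  # type: ignore[attr-defined]  # lets callers inspect traffic
    return fetch


if __name__ == "__main__":
    # Offline demonstration; replace make_fake_transport() with
    # http_transport("<your HIBP API key>") to query the real service.
    for name, hits in check_all(SAMPLE_ENTRIES, make_fake_transport()).items():
        print(f"{name}: {', '.join(hits) if hits else 'no breach found'}")
```

The report keeps each breach name alongside the username, which is the extra column OLLI-S asks for above; the dedupe step is what turns "many clicks" into one pass, and the interval check is what keeps a vault of a few hundred accounts from tripping the rate limit.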

OLLI-S commented 4 years ago

Alternatively you could gather a list of all unique usernames and show them in a list where users can copy them (one by one) and check them manually on the HIBP website. But on the HIBP website you can only search for email addresses, not for usernames.

Maybe you ask the HIBP guys if they support this project and they offer a universal license where you pay a certain one-time fee and get the API key forever. Maybe you get it cheaper if they see that you are open-source and not commercial.

droidmonkey commented 4 years ago

My guess would be near zero people will actually use this once they hit the paywall. There is no way HIBP is going to give out "special" API keys to any random person using KeePassXC.

OLLI-S commented 4 years ago

I think we have to think about the following question: What benefits does the check of usernames bring in comparison to the results of the other checks? But I must admit that I am not a security expert, so my thought might be completely wrong.

When I check by site/service, then I get a list of sites that are hacked and where I have to change my password (because the hack is after the password change).

When I check by password, then I get a list of passwords that are breached and that I should change immediately (because they are known).

When I check by username (like you see above in the screenshot of Bitwarden) I get nearly the same results (8 results) that I get with the check by site/service in KeePass (10 results if I deactivate "Only check entries that have not changed since the breach"). The reason is that I searched for my old email address, but for some sites I have used my current email address and at some sites I have used an alias like "OLLI-S", and in KeePassXC I have not stored any email address. So the check by site/service is in my eyes much better because it is independent from the username, and I think it will give me the same results as a check by username when I check all my usernames in KeePassXC. So in my eyes the check by site/service covers the check by username.

The check by username shows me just two entries that are not found in the check by site/service:

So, does the check by username really bring me more or better results than the other two checks? Is the check by username really needed?

wolframroesler commented 4 years ago

Maybe you ask the HIBP guys if they support this project and they offer a universal license where you pay a certain one-time fee and get the API key forever.

That question is already answered on https://haveibeenpwned.com/FAQs:

Can I please have an API key for free because [reasons]? No.

I assume that applies to one-time payment also.

droidmonkey commented 1 year ago

We won't be integrating this feature, thank you

aetonsi commented 1 year ago

Hi @droidmonkey, may I ask then, what can we do to check user names for breaches (aside from the original KeePass with said extension)?

droidmonkey commented 1 year ago

I guess? It won't be in KeePassXC unless someone air drops a fantastic pr.

rugk commented 1 year ago

So you are not opposed to the feature, but just have no resources to implement it, fair enough. Maybe mark this issue with "help wanted" then?