Built on the haveibeenpwned.com online service, the PassProtect extension automatically checks whether your passwords appear in past data leaks, while preserving the confidentiality of the password being checked.
Are the passwords you use really secure? Are they not already circulating among hackers? The question arises because, in recent years, the credentials of billions of user accounts have been siphoned from insecure databases to be resold under the counter, including on the darknet.
For the past few months, security researcher Troy Hunt has offered an online service on his website, www.haveibeenpwned.com, that tells you whether your password has been compromised, based on a list of 500 million passwords from past data leaks. It is nice, but not very practical for everyday use. The software vendor Okta has now developed PassProtect, an open source Chrome extension that performs the same check automatically. Whenever you enter a password, it checks whether it is in Troy Hunt’s database. If so, it displays an alert.
As for the verification procedure, there is no need to worry. Your passwords are never sent as is, neither to Okta nor to Troy Hunt. The extension computes a SHA-1 fingerprint of the password and sends only the first five characters of that fingerprint to the haveibeenpwned.com server. The underlying API responds with a list of matching fingerprints. The final check is then done on the client side. This principle, called “k-anonymity”, preserves the confidentiality of this highly sensitive data.
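The exchange described above, as an added example that is not PassProtect's or haveibeenpwned.com's own code: the client hashes the password, sends only the five-character prefix, and compares the remaining 35 characters locally. The `SUFFIX:COUNT` response format, the function names and the in-memory stand-in for the server are assumptions made for illustration, and the leak list is constructed.

```python
import hashlib

def split_fingerprint(password):
    """Return (prefix, suffix): first 5 hex chars of the SHA-1, and the other 35."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines (assumed response format) into a dict."""
    hits = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            hits[suffix.upper()] = int(count)
    return hits

def check_password(password, fetch_range):
    """Return how often the password appears in the leak list (0 = not found)."""
    prefix, suffix = split_fingerprint(password)
    body = fetch_range(prefix)               # only these 5 characters leave the client
    return parse_range(body).get(suffix, 0)  # the final comparison stays local

def make_fake_server(leaked):
    """Constructed stand-in for the server: answers a 5-char prefix with its bucket."""
    buckets = {}
    for pw, count in leaked.items():
        prefix, suffix = split_fingerprint(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen = []                                # everything the server learns per query
    def fetch_range(prefix):
        seen.append(prefix)
        decoys = ["0" * 35 + ":1", "F" * 35 + ":7"]  # constructed bucket neighbours
        return "\r\n".join(buckets.get(prefix, []) + decoys)
    return fetch_range, seen

if __name__ == "__main__":
    fetch, seen = make_fake_server({"password": 3, "letmein": 2})  # constructed leak list
    for candidate in ("password", "a long unleaked passphrase 91"):
        print(candidate, "->", check_password(candidate, fetch))
    print("server saw only:", seen)
```

The server returns the same bucket for every password whose fingerprint shares the prefix, so it cannot tell which entry, if any, the client was looking for.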
Those who are not convinced, and who have a hacker's soul, can also download the 500 million hashed passwords directly from the website and check them locally by hand.
Okta is not the only one to use this verification service. As Troy Hunt points out in a blog post, it has also been implemented in the 1Password password manager, the EVE gaming platform and the Kogan online retail website. Now you have no excuse for using a bad password.
Download: PassProtect for Chrome