How does Lockwise know same password I use website breached?
Where does Firefox store this encrypted list of breached passwords? I get nervous when I read this paragraph below. I stay away from storing anything on the cloud; only on my computer do I want passwords stored. Actually, I have Lockwise disabled for now, only because I have to enter the master password every time I want to view a site's password. I like the old way where I enter the master password once and can view all site passwords and manage them better. Other than that Lockwise looks fine, and I thought about reverting to it, but this breached password checking raised a red flag. I know I can turn it off.
Starting in Firefox version 76, Firefox will also check to see if you’ve reused any of these potentially vulnerable passwords with other logins you’ve saved to Lockwise. The browser does this by creating an encrypted list of your breached passwords, then checking it against all saved passwords. Firefox does not keep logs of your plaintext passwords or know them.
From Jer
All replies (3)
To clarify, Firefox doesn't actually know your password, nor does it send it anywhere in a way that people will be able to read it.
The Firefox Monitor service uses information gathered and shared by a service called Have I Been Pwned (HIBP). That service monitors lists of breached websites and lists that become publicly shared among hackers and other malicious actors. The HIBP service allows Firefox to search a list of hashed information (emails, passwords, etc).
When a computer hashes something, it converts the regular text into a unique collection of characters. Every time you hash the same text, it will produce the same collection of characters. This can be used to compare information without actually seeing what the information is.
For example, when you create an account on a website, that website doesn't store your actual password in their system. Instead, the password is hashed and the hash is what gets saved on the website's server. Then, when you try to log in, the password you enter gets hashed and then that hash is compared to what's stored on the website's server. If the two hashes match, then the password is correct. If not, it means the password is incorrect.
The Firefox Monitor does something similar. It will hash your email address or your password. But for extra security, it doesn't send that entire hash to the HIBP service. Instead it does something called an anonymized range query. That means that Firefox sends only the first 6 characters of the hash to the HIBP service and the service gives Firefox a list of all the hashes that start with the same 6 characters. Firefox then takes that list and compares your hash to see if it matches one on the list.
The technique is described in more detail in the Scanning for breached accounts with k-Anonymity post on the Mozilla Blog from June 2018 when the Firefox Monitor service was introduced.
The Mozilla Monitor - Frequently asked questions document also has some additional information about the Firefox Monitor service.
Getting the notification that your password or email address has been breached or matches a piece of information in a breach poses little security risk because you should change your password if you get this notification anyway. Since the breaches on the HIBP service are already known breaches, that information has already fallen into the wrong hands, so it's not safe to use anymore.
Hopefully I've answered your question and clarified the service for you.
Thanks, that sounds pretty secure. Wonder what hash function they use; some say MD5 and SHA-1 can be reversed, but who really knows. Besides, they only use the first 6 characters as you stated.
It appears that the HIBP service does indeed use SHA-1. While that is not as secure as other hashing algorithms, you are correct in your assumption that it's not as much of a risk since only the first 5 characters (previously 6) are actually sent. (Apparently it's changed since that blog post was first written. It's only the first 5 characters that are used now.)
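The anonymized range query described in the first answer, with the 5-character SHA-1 prefix mentioned in the last reply, as an added example that is not code from Firefox or HIBP. The `FakeRangeService` class stands in for the remote service and is built from a constructed breach set so the whole thing runs offline; it also records what the service actually learns, which is only the prefix.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased as the HIBP range data is."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str, prefix_len: int = 5):
    """Split a hash into the part sent (prefix) and the part kept local (suffix)."""
    return full_hash[:prefix_len], full_hash[prefix_len:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (the range-query response shape) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range) -> int:
    """Return how often the password appears in breaches (0 = not found).

    fetch_range(prefix) is any callable returning the range response text;
    only the 5-character prefix ever leaves this function.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


class FakeRangeService:
    """Stand-in for the remote service (constructed for this example).

    Holds hashes of a small breach set and answers with every suffix that
    shares the requested prefix, exactly as a k-anonymity range query does.
    """

    def __init__(self, breached: dict):
        self.db = {sha1_hex(pw): n for pw, n in breached.items()}
        self.prefixes_seen = []  # everything the service learns about the query

    def fetch_range(self, prefix: str) -> str:
        self.prefixes_seen.append(prefix)
        return "\n".join(f"{h[len(prefix):]}:{n}"
                         for h, n in self.db.items() if h.startswith(prefix))
```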