Breached passwords alert about server HOT 11 CLOSED

Could we potentially have a button inside each login details page, allowing to check that login (both email & password) against HIBP? This should be within their terms

EDIT: I see that it's included in the windows desktop program by clicking the checkmark next to the obfuscated password. This would be useful for the web vault as well, and also for the username (if username is an email)

from server.

Seconded for checking individual username/emails, as I often use the '+string' feature of gmail (and some others) to filter my email logins and protect against spam/breaches.

from server.

@Kesmy We comments back here: https://twitter.com/bitwarden_app/status/1085883055682666496

from server.

We could likely introduce some similar features using the HIBP API. https://haveibeenpwned.com/API/v2

from server.

Breach report added to web vault.

from server.

@kspearrin Unless I am misunderstanding the "Good News, Nothing Found!" mssage, the current implementation seems to only check the bitwarden login email against HIBO. Thats just saving you from going to the HIBO site. Why don't you sweep all the stored sites in the vault, find emails and then provide a checkbox based interface where you ask which of those emails you would like to check and then check each one?

from server.

@gkrawiec That's correct. The report is really just there to make people aware of HIBP.

Automatically checking every unique email in your vault against HIBP database would be a violation of their API terms since that would result in an excessive amount API calls to their system.

from server.

thanks for the info. Didnt know that.

from server.

Yea, their API only allows to check 1 email at a time, so we'd have to spam them.

from server.

@kspearrin OBO the people in this Twitter thread, including Troy Hunt himself, HIBP has no issue with this usage.

from server.

Excellent, I caught the wrong thread end in that conversation, so missed the official account's reply.

from server.