Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate password checkup into Brave #12001

Open
diracdeltas opened this issue Oct 5, 2020 · 5 comments
Open

Integrate password checkup into Brave #12001

diracdeltas opened this issue Oct 5, 2020 · 5 comments
Labels
enhancement OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. security

Comments

@diracdeltas
Copy link
Member

diracdeltas commented Oct 5, 2020

chrome://settings/security has a feature (on by default IIRC) that warns if your credentials have been exposed in a breach:

Screen Shot 2020-10-05 at 10 50 00 AM

we should look into enabling this in Brave. the Chrome implementation sends a hash of your username and password to Google every time you login, which we probably want to avoid. https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html

@diracdeltas
Copy link
Member Author

here is one option that doesn't require any calls to google:

  1. host the breached passwords database from https://haveibeenpwned.com/Passwords on https://passwords.brave.com (or a similar domain owned by brave)
  2. implement the partial-hash search feature from https://haveibeenpwned.com/API/v3#PwnedPasswords on passwords.brave.com
  3. when a user enables the Password Checkup feature, Brave downloads the hash prefix list
  4. when a user logs in, their password is hashed, and the first 5 characters are checked against the local hash prefix list.
  5. if there is a match in the local hash prefix list, send a request to passwords.brave.com for the full list of hashes which matches the hash prefix
  6. check the full password hash against the list of full hashes matching the prefix
  7. if there is a match, warn them

this is conceptually very similar to safebrowsing

@fmarier
Copy link
Member

fmarier commented Oct 5, 2020

I agree that we should implement that in Brave. The Chrome feature requires connecting the browser to a Google Account.

  1. if there is a match in the local hash prefix list, send a request to passwords.brave.com for the full list of hashes which matches the hash prefix

That step could use Cloudflare Spectrum for extra IP-address privacy.

@fmarier
Copy link
Member

fmarier commented Jan 19, 2021

Here's the code we'd likely have to replace in Chromium to switch to a different password check service: https://source.chromium.org/chromium/chromium/src/+/master:components/password_manager/core/browser/leak_detection/;bpv=1;bpt=0

@fmarier fmarier added the priority/P3 The next thing for us to work on. It'll ride the trains. label Jan 19, 2021
@fmarier
Copy link
Member

fmarier commented Jan 25, 2021

Edge also uses homomorphic encryption to talk to the equivalent Microsoft service: https://www.microsoft.com/en-us/research/blog/password-monitor-safeguarding-passwords-in-microsoft-edge/

@fmarier
Copy link
Member

fmarier commented May 20, 2021

Chrome now also makes it easy for users to automatically update compromised passwords: https://blog.google/products/chrome/automated-password-changes

It uses this new API: https://w3c.github.io/webappsec-change-password-url/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. security
Projects
None yet
Development

No branches or pull requests

2 participants