Eugen Rochko

Okay, anyone have ideas how you could practically scan the Mastodon database for accounts using breached e-mail/password combinations, to send warnings?

The haveibeenpwned.com API requires buying an API key for $3.50 per month, plus since Mastodon (of course) irreversibly hashes passwords with bcrypt that sort of task becomes non-trivial.

marius

@Gargron checking hashes for current users is a lost cause in my opinion. Warn them about emails maximum.

You should check the passwords at creation time only for future users. ;)

Ben Zanin

@Gargron have you asked the Mozilla folks about the work they're doing in that space? They may have some ideas for you.

Chris [list of seasonal emoji]

@Gargron

Maybe keep the timestamp of the last login and if more than (e.g.) two months send a warning email the next time someone logs in?

Or suspend the account and require the user click a link on an email to reactivate.


@Gargron Including passwords seems overkill. Mozilla has a similar service to alert for email addresses in breached services. Maybe they have an API.

Tykayn

@Gargron A simple way to do this could be to check for old popular domains, like caramail.com, aol.com, hotmail.com, yahoo.com, msn.com and so on. In those jurassic times, people never had incentives to build strong passwords, and since then they have not been warned about how insecure it is to use the same 6 alphanumerics on all their accounts.

So for some domains, a warning is always welcome :D

Alex

@Gargron
What can happen if you do not do such a scan?

jal

@Gargron I don't think it's necessary. You could send a direct message to all users 1 time a week warning them to check their emails in monitor.firefox.com or haveibeenpwned.com

Karen C

@Gargron Bypass their database altogether: When someone signs up, before hashing the password simply go the email/username/password combination on all the sites haveibeenpwned covers. It's the perfect plan, and there is no way it could possibly go wrong.

Jack Allnutt

@Gargron I think the best you can do is to check when a user changes their password. Or maybe after X logins the password is checked against HIBP.

That's the only time you have the plaintext password.
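The check described in the post above, at the one moment the plaintext is available, can be done without sending the password anywhere: the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}, a separate, keyless endpoint from the breach-search API the original post mentions) takes only a 5-character hash prefix and returns every matching 35-character suffix with its breach count, so the match happens locally. The Ruby below is an added example, not Mastodon's code; it never contacts the service, and the range body (including the counts) is constructed inline.

```ruby
require 'digest'

# k-anonymity check against a Pwned Passwords range response.
# Only the first PREFIX_LEN hex characters of the SHA-1 hash would be sent to
# the server; the suffix stays local and is matched against the returned list.
PREFIX_LEN = 5

# Split the uppercase SHA-1 hex of the password into [prefix_sent, suffix_kept].
def hibp_split(password)
  sha1 = Digest::SHA1.hexdigest(password).upcase
  [sha1[0, PREFIX_LEN], sha1[PREFIX_LEN..]]
end

# Parse a range response body ("SUFFIX:COUNT" per line) into { suffix => count }.
def parse_range(body)
  body.each_line.with_object({}) do |line, acc|
    suffix, count = line.strip.split(':', 2)
    next if suffix.nil? || suffix.empty?
    acc[suffix.upcase] = count.to_i
  end
end

# Number of times the password appeared in the range data (0 if absent).
def pwned_count(password, range_body)
  _prefix, suffix = hibp_split(password)
  parse_range(range_body).fetch(suffix, 0)
end

# Decision hook for a password-change or sign-up form: reject any password
# seen at least `threshold` times. In production `range_body` would be the
# response of GET /range/<prefix> for the prefix returned by hibp_split.
def acceptable_new_password?(password, range_body, threshold: 1)
  pwned_count(password, range_body) < threshold
end

# Constructed range body (not real API output): the first line is the real
# SHA-1 suffix of "password"; the counts and the other suffixes are made up.
CONSTRUCTED_RANGE = <<~BODY
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
  0000011D9E6E5F1A4C0A1F4B6B2C0E9E2F1:2
  FFFFF0A0B1C2D3E4F5A6B7C8D9E0F1A2B3C:1
BODY

if __FILE__ == $PROGRAM_NAME
  prefix, = hibp_split('password')
  puts "would request range #{prefix}"
  puts "acceptable? #{acceptable_new_password?('password', CONSTRUCTED_RANGE)}"
end
```

The hash never leaves the process and the prefix alone identifies a range of several hundred candidates, so the service learns nothing usable about the specific password; the fetch for the prefix is the only network step a real implementation needs to add.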

Ruffy

@Gargron 1) Find password lists on the web (e.g. https://github.com/danielmiessler/SecLists)
2) hash those with bcrypt
3) compare them to the hashes in your db
4) ???
5) profit

Jon Knapp 🐻🏴‍☠️🄯

@Gargron Unfortunately I think most of these strats won't work, because Devise salts passwords by default and you'd have to hash every password for every user =\

Can someone confirm this?
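The objection above is correct for any salted hash, and it is what defeats the wordlist scan proposed a few posts earlier: with a random per-user salt there is no single hash of "password" to compare the whole table against, so a scan has to redo the work for every user. The added Ruby example below (not Mastodon's or Devise's code) demonstrates this with PBKDF2-HMAC-SHA256 from the standard library standing in for bcrypt, which is not in the standard library; the per-user-salt property it shows holds for bcrypt in the same way. User records and the wordlist sizes are constructed.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random per-user salt.
# (Iteration count kept small so the example runs quickly.)
ITERATIONS = 1_000
KEY_LEN = 32

def salted_hash(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Create a user record the way a salted scheme stores it: salt + hash, no plaintext.
def create_user(name, password)
  salt = SecureRandom.random_bytes(16)
  { name: name, salt: salt, hash: salted_hash(password, salt) }
end

# Normal login verification: rehash with the user's own salt and compare.
def verify(user, password)
  salted_hash(password, user[:salt]) == user[:hash]
end

# What a precomputed list offers: one hash per candidate, computed with some
# fixed salt. Count how many stored hashes it matches. Because every user has
# a different salt, this is 0 even when users do have that password.
def precomputed_matches(users, candidate)
  list_salt = SecureRandom.random_bytes(16) # whatever salt the list used
  digest = salted_hash(candidate, list_salt)
  users.count { |u| u[:hash] == digest }
end

# Hash operations a scan needs. Without a per-user salt one hash per word
# serves every user; with one, every word must be rehashed for every user.
def scan_cost(wordlist_size, user_count, per_user_salt: true)
  per_user_salt ? wordlist_size * user_count : wordlist_size
end

# Constructed records: two users share a password, yet their hashes differ.
USERS = [
  create_user('alice', 'password'),
  create_user('bob', 'password'),
  create_user('carol', 'correct horse battery staple')
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "alice and bob hashes equal? #{USERS[0][:hash] == USERS[1][:hash]}"
  puts "precomputed matches for 'password': #{precomputed_matches(USERS, 'password')}"
  puts "ops for 14M words x 1M users: #{scan_cost(14_000_000, 1_000_000)}"
end
```

Because each bcrypt call is deliberately slow, the per-user multiplication is what turns the scan from a lookup into an infeasible amount of work for any realistic user count, which is why the practical moment to check is when the plaintext is present (sign-up, login, password change) rather than over the stored hashes.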

Wo

@Gargron ideally it's impossible w/o the full dataset. Also even if you trust such services, not every user may want you to send password related data to 3rd party APIs.
