1

People are naturally skeptical when they hear about the HaveIBeenPwned pwned passwords search, because who would in their right mind enter their password into a random website? And sure, HIBP uses k-anonymity to make sure they don't know your password, but if you're not familiar with how hashing algorithms work and how the k-anonymity model works, that just sounds like a bunch of technobabble from Doctor Who that you probably can't trust.

How can I best explain "the k-anonymity model as used by HIBP doesn't expose your passwords, so it is safe to enter your password on this site" to a layman?

Nzall
    What does skepticism about *"... enter their password into a random website ..."* have to do with k-anonymity? No matter if k-anonymity is used or not the user is still providing the password to a potentially untrusted site. The k-anonymity is only relevant if the API is used and the user is not providing the actual password - in which case it is actually reasonably easy to understand what is happening based on how the API is constructed. – Steffen Ullrich Sep 10 '20 at 10:40
  • @SteffenUllrich Because the HIBP website uses a version of the k-anonymity model where they hash your password with SHA1 and only send through the first 5 bytes. It's that model that I'm hoping to explain. – Nzall Sep 10 '20 at 11:16
  • 2
    So you are expecting a "layman" to analyze the source code of the site in order to understand that they are not providing the actual password to the site? Because only if the user can be sure about this it makes sense to talk about the k-anonymity part. – Steffen Ullrich Sep 10 '20 at 11:18
  • @SteffenUllrich No, I want to explain the concept of hashing a password, taking the first 5 bytes, sending those to the API and then getting an answer back consisting of a couple hundred entries, and how this helps keep your passwords secret from everyone except you, and I want to explain this to someone who has no idea what any of the terms like hashing etc means. – Nzall Sep 10 '20 at 11:21
  • 1
    I understand what you want to explain but I don't see the value of the explanation to the user regarding *"who would in their right mind enter their password into a random website"* - and thus essentially question the value of what you want to provide and the usefulness of your question. The user still sees that they have to enter their plain and full password to an untrusted site and all the explanation about k-anonymity will not change this. And again, if the user uses the API instead of entering their plain password the concept of k-anonymity is much more obvious already. – Steffen Ullrich Sep 10 '20 at 11:42
  • @SteffenUllrich The entire idea behind this question is being able to explain to a user "why is it safe to enter your password into this website as opposed to all the other websites"? I'll update the question to clarify that. – Nzall Sep 10 '20 at 11:53
  • If what you want to explain is the "first part of the password hash" bit, then you can simply focus on that. You need to explain hashing to a layperson. You can ignore the "k-anonymity" stuff. – schroeder Sep 10 '20 at 12:03
  • 4
    @Nzall: *"The entire idea behind this question is being able to explain to a user "why is it safe to enter your password into this website as opposed to all the other websites"?"* - exactly. But explaining k-anonymity will only help once the "layman" can be confident that k-anonymity is used in the first place. But this is not visible without analyzing the source code of the site which one cannot expect from a layman. Even if you manage to explain k-anonymity it remains *"enter their password into a random website"* for the layman. – Steffen Ullrich Sep 10 '20 at 12:12
  • 3
    @Nzall: Or in other words: at worst you train users to enter their password into random sites because these claim to use k-anonymity. – Steffen Ullrich Sep 10 '20 at 12:16
  • Does this answer your question? [Is it safe to give my email address to a service like haveibeenpwned in light of the publication of "Collection #1"?](https://security.stackexchange.com/questions/201654/is-it-safe-to-give-my-email-address-to-a-service-like-haveibeenpwned-in-light-of) – Conor Mancone Sep 10 '20 at 12:51
  • 3
    Granted, my suggested duplicate doesn't answer "how to explain k-anonymity". However that isn't really your question. Your question is, "How do I convince laymen that HIBP is safe?", and the answers in the linked duplicate give accurate answers to that question. – Conor Mancone Sep 10 '20 at 12:52

1 Answer

4

You should not try to convince anyone that they should enter their password on haveibeenpwned.com, because the explanation would just be "Troy Hunt can be trusted!", and that's very hard to justify. Then somebody might start wondering: "Ok, since Troy Hunt can be trusted, who else can be trusted? Microsoft? Google? Zuckerberg? My bank? Walmart? The guy from the repair shop, oh he's always so nice to me?". Also, even if Troy Hunt was the most honest person on earth, can't he make mistakes? Can't he be attacked, and his systems be compromised?

So I would suggest using the API, which doesn't require sending your password.

https://api.pwnedpasswords.com/range/{first 5 hash chars}

Then you need to explain to your layman friends that hash functions (or more precisely, secure hash functions) are not invertible unless you use brute force. So the point they have to understand is that secureHash('password') produces a random string, and by knowing one character of the string it isn't possible to predict the next one (or the previous one). They can compute the hash using tools present on their machines by default, like sha1sum or the equivalent for Microsoft (certUtil, maybe?). So by sending the first 5 characters of your hash to that API, they are not giving out much information about their password.

As for the email addresses, giving them to Troy Hunt or anybody else is not a big problem. A good spam filter will protect them from most threats anyway (and if they use Gmail or Hotmail/Microsoft they are already protected by a good spam filter). Their email address is probably already in some database of leaked data anyway, or it might end up there soon, unexpectedly, and there's no way for them to avoid it (because it depends on somebody else's security practices).

That said, if you want to convince a "layman", your mileage may vary. Most people only believe what they want to believe. Some might believe you, but that doesn't mean they truly have understood what you explained. Security is a complex subject.

reed
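The range lookup described in the question and in the answer above, as an added example (not code from the answer, nor HIBP's own client code): SHA-1 the password, send only the first 5 hex characters of the digest, and compare the returned suffixes on the local machine. The sample response body, its counts and the neighbouring suffixes are constructed; only `fetch_range` contacts the real endpoint quoted in the answer, and it is only called when the file is run directly.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint from the answer
PREFIX_LEN = 5  # 5 hex chars = 20 bits; the remaining 35 chars never leave the machine


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the prefix
    that is sent and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def fetch_range(prefix: str) -> str:
    """Real lookup: ask for every known hash sharing this prefix. Only the
    prefix is on the wire, so the server cannot tell which one we care about."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Each response line is 'SUFFIX:COUNT'; build a suffix -> count table."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix.upper()] = int(count)
    return table


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password was seen in the corpus (0 = never).
    The suffix comparison happens here, on the client, never on the server."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample bucket (not real API output) for the prefix of "password":
# its genuine suffix with a made-up count, plus two made-up neighbours.
SAMPLE_PREFIX, SAMPLE_SUFFIX = split_hash("password")
SAMPLE_BODY = "\r\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:7",   # constructed neighbour
    f"{SAMPLE_SUFFIX}:42",                      # constructed count
    "FEDCBA9876543210FEDCBA9876543210FED:1",   # constructed neighbour
])


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range: answers only for the sample bucket."""
    return SAMPLE_BODY if prefix == SAMPLE_PREFIX else ""


if __name__ == "__main__":
    print("offline:", check_password("password", fetch=fake_fetch))
    print("live:", check_password("password"))  # real lookup, sends 5 chars only
```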