Ask HN: Chrome says I have 83 compromised passwords. How do I fix this?

29 points by gtm1260 ↗ HN
I know, use a password manager, etc. which is great advice moving forward. But how do I clear this backlog of accounts for absolutely random websites I haven't accessed in years!

Is there any software or automation tool that can do this?

69 comments

[ 2.9 ms ] story [ 139 ms ] thread
As far as I know, this will have to be a manual process of enumerating all your accounts, and changing the password for each one using their own reset password mechanism.

I did this when I first started using a password manager and the couple of hours that I put in years ago have paid off over and over again with peace of mind and better security practices.

Does anyone have a recommendation for a good and secure and preferably free password manager?
(comment deleted)
KeePassXC
Bitwarden if you want a cloud service

KeePass or KeePassXC if you want to control your own data and use something like Syncthing to sync

There is vaultwarden which is self hosted version of bitwarden.
Yep! I run it myself and it works fantastic.

And my contingency plan if I can no longer self host, is export from one of my devices and import into the cloud version of Bitwarden. I don't see myself needing to do that, but you never know.

I keep it simple too. Just keep the json export on an offline encrypted USB stick.

If something happens I’ll use my eyeballs until I figure something else out.

KeePassXC and combine it with cloud storage and you have a semi-self-hosted or host it on a storage attached to a network you can VPN in to and you have fully self-hosted password manager accessible from anywhere.
This - and combine it with key+paraphrase, keep the key local to your devices and your keepass file in the cloud. I've used this setup for years backed by a webdav share on multiple platforms. It's incredibly robust especially synchronizing changes
KeepassXC + syncthing if you don't use iOS.

Nextcloud works well if you do use iOS.

No need for a VPN with either.

Depending on the ecosystem you live in, your browser’s or your OS’ password managers are the most straightforward to use. I switched to Safari on Mac because I was tired of subpar experience with all the password managers and now my phone is able to store and recall all of my passwords. Super simple to use.
for a team who have shared password folders, I've not found a better solution than LastPass
The built in Mac/Safari one works great and works with Windows too via the iCloud app and browser extension.
Password safe on windows and android. I like better than keepass. In theory you can transfer between them but i always lost datawhen doing that.
1password. Not free but absolutely worth the money.
You have better alternatives: bitwarden for those looking for a cloud solution, keepassXC who prefer to keep the data under their own control. Plus, they are both free/libre.
I always had issues with KeepassXC. mostly as a concept, I'm not sure if it made sense, but since we're talking about it, how do you cope with the concept that if you lose your phone with the database on it, an attacker can just keep a perpetual copy of your passwords free to brute force and do whatever they wanted? I can revoke access to things with cloud services or self-hosted services, but with all the database in the hand of an attacker he can try to break it indefinitely and undisturbed.. I think KeepassXC for this reason is the worst among cloud hosted and self-hosted solutions
AFAIK, the filesystem is encrypted on any modern device. An attacker would have to first break into the device and then break into the password database. And if they can break into the device it is game over already.

Also, the attacker would have to be really motivated to brute force into it, and if it happened that my phone got stolen and I was worried about your scenario, I'd be just rotating all the high-value passwords I have, which is something that I think can be done quickly.

I've tried Bitwarden, pass, and KeepassXC in the past. 1password is by far the most polished. If you consider how big the problem space is (interoperating with every possible broken website out there), support for TouchID/Apple Watch unlock, etc I think I'll take it over having access to the source I will never read.
It's not about what you reading it, it's about ensuring that someone else can do it.

Anyway, I hate to be Cassandra, I just lost count of how many stories I heard of people regretting taking "convenience over freedom" with critical software.

> It's not about what you reading it, it's about ensuring that someone else can do it.

I fully agree with you on this one. However being free/libre doesn't mean that that "someone" will actually fix your problem. I've been a software developer/hacker/OSS enthusiast for close to two decades, but I'm mighty tired of 1. software that's impossible for me to fix myself, 2. its authors who don't care enough about my problem.

I've had one minor issue with 1password and I was blown away with how good their support was. They followed very good OpSec while not appearing intimidating to what they didn't know wasn't a non-technical user, they solved the problem on the spot, and they gave me a few months free to compensate for the inconvenience. At the same time, I've currently lost track of how many random Github issues I'm subscribed to, with some going on unsolved for years.

Being free/libre is just one dimension, orthogonal to other qualities software might have. These other qualities include simplicity/hackability, cost, usability, convenience, support, security, accessibility, respect for your time, ethical/mindful design, and many others. It's OK to choose your own trade-offs.

> I just lost count of how many stories I heard of people regretting taking "convenience over freedom" with critical software.

All online vaults remain available offline; the client allows a full export, including in plain old CSV. Bitwarden has builtin import functionality; or I can write a few lines of code and put it in pass. Worst case scenario, 1password going fully evil and pushing a silent client update to lock me out? I go offline, restore the app+vault from a backup, and export. It very firmly fits into the category of "problems I can fix myself".

> 2. its authors who don't care enough about my problem.

Have you offered to pay them anything? At least a good fraction of what you pay to the proprietary alternative?

Fair point. I feel like adequately funding free software development is a larger unsolved problem, that's a bit beyond the scope of a forum thread.

Anecdotally, I like what the developer of Blink Shell[0] has done. The app is 100% free software[1] under GPL3, so you can easily build it yourself with XCode, upload to your phone, and use as usual from there, which isn't a big hurdle for the target audience. But I bought it. At the time IIRC it costed 20 bucks on the App Store. I bought it because it was incredibly frictionless to pay the money (Apple is good at that), and it felt good to support the developer of a tool I liked and used.

So it leaves me wondering, where are the big obstacles. All other things being equal, I will choose a free/libre solution, but we know things are far from equal.

[0]: https://blink.sh [1]: https://github.com/blinksh/blink

Surprised this one hasn't been pointed out yet; "Passman" which is part of nextcloud and has plugins for all major browsers.

open source, encrypted-while-at-rest and a cloud service allowing you to use it from all your machines and even while traveling on public machines.

1pass is my choice because I pay for it. I also like KeePassXC, but the problem I have with the free things is there aren’t quite as many features and development can just stop at any time. KeePassXC for example got started because KeePass devs just abandoned the project effectively. By fewer features I mean like iOS and android apps (though I know KeePassXC has unofficial apps not managed by them).

I just have used 1Pass for a while, maybe 5-6 years, it’s seamless with apps across everything and lots of support and because I pay for it I know there’s a business behind it which for me feels more stable with respect to longer term support.

I might be an heretic but I use the one from Microsoft!

My password are available everywhere on Android via the Authenticator app and on any browser that have the Microsoft autofill extension on whatever OS I happen to be currently using.

I have a 1Password account provided by my employer but I don't want to tie access to my password to my employment. Also I don't like that 1Passowrd required to enter a really long key to enroll a new device. And I figured that I might use the MS account I created for Windows 10 for something usefull.

As far ass I know there are no equivalent way of using the Chrome password manager outside of Chrome and Android.

1Password for me. Not free, but worth every cent. Very robust, super polished interface, cloud sync, native client for all platforms (including Linux), robust for use across family members (and you can specify which vaults you want to share with whom), well integrated with iOS/Android.
I did this last year. It wasn't so much "a couple hours" so much as it was "all free time for three months then dealing with the mental equivalent of getting off a treadmill after an hour".

It's worth it, but it isn't for the faint of heart.

(comment deleted)
Quite a lot are probably services you don't use anymore, and that don't have up-to-date payment methods. In which case you can just write them off.
You probably don't want your identity taken on them either - that might open up some attack surfaces. Best advice is just take the hit and change the passwords for everything.
In addition to changing passwords (one unique and complex password per site), now is a great time to simply delete accounts that you no longer use.
Not all sites offer that, especially smaller ones. I've had to deal with this before, and even emailing every contact email I could find doesn't help. I ended up changing the passphrases of all the other services instead.
When I started using a password manager I did this: change repeating passwords, and delete info on sites I don't use any more. JustDeleteMe [0] has a good list of account deletion methods and links for different pages.

[0] https://justdeleteme.xyz/index.html

Sadly that's either obscure or unavailable for majority of sites.

(similarly and a major peeve - vast majority of signup verification emails do not have a "no this is NOT me that signed up, delete this email" option! My email gets misused a lot in some countries where my name is common and I have no easy recourse to deny it)

I include them as a task in my weekly "digital chores" and I'm left with 63 Compromised website as of today. But I'm down to "zero" on Weak, and Vulnerable Passwords. Btw, most of them can just be deleted -- old websites, changed business, etc.
You could just not care if the password for some random forum is known.
Consider yourself lucky. Mine says 357. Every once in a while I go in and update a few of them at a time.
83 _different_ passwords?.. that seems high. You may want to more closely inspect extensions or plugins you may have installed on your browser and see if you aren't running some form of key logger or cred stealer..
Separately, it's possible that they've duplicated multiple passwords across (sub-)domains or URLs -- I believe both Chrome and Firefox match on a URL prefix or glob-style pattern, so it's easy to end up with duplicates across `login.bank.com` and `www.login.bank.com`.
Yeah, I'd be throwing out all of my shit.
My guess as to the root cause of this is self chosen / non random passwords that appear in hibp password lists. ‘Password1234%’ etc
Not 83 different passwords, 83 sites with the same, compromised password. I know, I know, horrible security, but I do believe its what the majority of people do!
If you mean to clear the backlog inside the browser, you can manage your passwords in chrome://settings/passwords. Or you can clear them, all at once, via chrome://settings/clearBrowserData
Prioritize the ones that can do the most harm / cause the most loss and get off of HN and change them now.
Absolutely this - pick out the top 5 or something. Don't be overwhelmed by 83, just identify the highest impacts.
For most random websites, it would probably be better to close your account.

As you are using Chrome, you already have a password manager.

Also, since chrome is warning you about these passwords, it obviously knows your passwords - so you are already using its password manager.

Moving forward, utilise the "generate password" functionality.

How did HN end up to be a Stack Overflow for the computer illiterate?
For the same reason people have been posting ads offering hacking services here.

Misunderstandings and hopium, mostly.

Do all of these commercial products that flag compromised passwords get their data from the same source of truth (HaveIBeenPwned)?
Don’t. Worry about the ones that matter. If some random forums have a crappy password, whatever. If your credit card, bank, Amazon, or sometime other website with financial info has a leaked password, fix those.

You can fix the others lazily, when/if you access them next.

> I know, use a password manager

If chrome knows about your passwords being pwned, you are using a password manager. Just let it pick the passwords in the future. Look at the list, and change / close a couple accounts a day/week and you'll be done eventually. Prioritize to change important accounts first.

I don't really care about passwords for forum websites.

You want strong passwords for any website that retains credit card information.

And super strong passwords for Google, email, bank and credit cards. These are all in my head and looong.

If your phone gets simjacked, you most definitely do not want to allow Google password recovery by text to "your" phone number.

(comment deleted)