
If the passwords are leaked after the user creates their account with your service, you can't go back and re-check their password against HIBP (unless you're inexplicably storing your passwords as plain text or SHA-1). Using HIBP is a partial solution, but not sufficient to prevent a leak like this.

Mandatory 2FA is sufficient, but not very user-friendly.



You can check against HIBP on login the same as you check on password reset. If the password is compromised on HIBP, force 2FA and a password reset.

Ideally MFA should be based on the account's / session's risk and not be mandatory.
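What the login-time check above looks like in practice, as an added example that is not part of this thread or of any 23andMe code. It uses the HIBP Pwned Passwords range API (https://api.pwnedpasswords.com/range/{first 5 hex chars of the SHA-1}), which returns the remaining 35-character suffixes for that prefix with a breach count, so the full hash never leaves the server doing the check. The sample range response, the `fetch_range_offline` helper and the `login_decision` policy function are constructed for this example; only `fetch_range_live` talks to the real endpoint, and it is not called by the offline demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1.

    HIBP's k-anonymity model: only the prefix is sent to the API."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    When the request carries 'Add-Padding: true', HIBP pads the response
    with fake suffixes whose count is 0; those are dropped here."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times this exact password appears in HIBP (0 if absent)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def login_decision(password: str, fetch_range: Callable[[str], str],
                   threshold: int = 1) -> str:
    """Policy hook to run right after the normal password verification succeeds.

    'require_mfa_and_reset' : password is known-breached; step up to 2FA and
                              force a reset before the session is useful.
    'allow'                 : not in HIBP.
    'allow_unchecked'       : HIBP unreachable; fail open so a third-party
                              outage does not lock every user out (log it)."""
    try:
        count = pwned_count(password, fetch_range)
    except Exception:  # network error, timeout, bad response
        return "allow_unchecked"
    return "require_mfa_and_reset" if count >= threshold else "allow"


def fetch_range_live(prefix: str) -> str:
    """Real HIBP range lookup (not used by the offline demo below)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true",
                 "User-Agent": "hibp-login-check-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA61E4...). Counts and the other suffixes are made up for the demo;
# the last entry mimics a padding line with count 0.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0123456789ABCDEF0123456789ABCDEF012:0\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed sample."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", login_decision(pw, fetch_range_offline))
```

Because the check needs the plaintext password, it can only run at the moments the user presents it (login, password change, reset); it cannot be replayed against a stored bcrypt/argon2 hash, and it does nothing for an account that never logs in, which is the limitation the reply below raises.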


That's another step in the right direction, but 23andMe is the kind of service that people create an account for and then don't use for years at a time. Still not a complete solution.

And I agree that mandatory 2FA isn't a good answer either. As someone who uses long, random passwords on all websites, I like to be able to choose whether to add 2FA on top.


It's a mitigation. If 23andme can't show that they at least mitigated the problem then they're going to find themselves in hot water.


> Using HIBP is a partial solution, but not sufficient to prevent a leak like this.

I didn't say it was sufficient to prevent this. I said it was another tool that would have mitigated some of this (and which presumably 23&Me did not implement).



