1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online

Friday February 23, 2018 5:23 AM PST by Mitchel Broussard
Password management app 1Password this week got a new feature on the web, and developer AgileBits described it as a way for users to check and make sure that their passwords aren't "pwned passwords," or passwords that have been leaked online. While the launch is web-only right now, AgileBits said it will be coming to 1Password apps in the future.

1Password's new feature integrates with a newly updated service by Troy Hunt -- who previously created a breach notification service called Have I Been Pwned -- and securely and privately checks your passwords against more than 500 million passwords collected from various breaches.

This way, users can further ensure that their passwords saved within 1Password are as secure as possible, and if Hunt's new service surfaces a warning about compromised data, they can change to a new one without leaving 1Password.


Pwned Passwords originally launched as a feature within Have I Been Pwned last August, but Hunt has now updated it to version two and greatly expanded the amount of passwords indexed, originally starting with 320 million. For 1Password's integration, which is still just a proof of concept as of now, AgileBits said the feature is available today to everyone with a 1Password membership, and shared the following steps:
- Sign in to your account on 1Password.com.

- Click Open Vault to view the items in a vault, then click an item to see its details.

- Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.

- Click the Check Password button that appears next to your password.
Once you click "Check Password," 1Password will communicate with Hunt's service of indexed passwords, letting you know if yours exists in his database. As AgileBits pointed out, "If your password is found, it doesn't necessarily mean that your account was breached. Someone else could have been using the same password." Still, the company encouraged immediate action for any user who sees a confirmation of a password matching to Hunt's service.


In the announcement, AgileBits ensured that this communication with Pwned Passwords keeps user passwords "private and secure" because they are "never sent to us or his service." Hunt's service never receives the full password, and only requires the first five characters of each password hash. The developer stated, "we would never add it to 1Password unless it was private and secure."
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
Hunt goes into more detail about Pwned Passwords in his own announcement post about the update to the service. AgileBits confirmed that it will be adding Pwned Passwords to its own security breach warning feature, called Watchtower, within 1Password apps "in future releases."

Tags: 1Password, AgileBits
77 comments


Top Rated Comments

(View all)
Avatar
Christoffee
11 months ago
Sometimes an idea is so obvious and fabulous I’m at a loss as to why it’s not been done before. I guess it’s only obvious once it’s obvious.
Rating: 10 Votes
Avatar
wfrancis
11 months ago

It's a great program. I recommend it to everyone.


WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.
Rating: 9 Votes
Avatar
AGKyle
11 months ago

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.


We never removed the option to purchase a standalone license. As linked by others in this thread. It's also available via the Mac App Store app, feel free to check the available in-app purchases for proof of that.

Is it being kept up to date along with the subscription version?
Same question stands for the windows version


There is no difference between our standalone version of the app and the subscription version in terms of downloads. They're the same identical app. Bug fixes, improvements, and new features are added all the time. Some of those features may only be available for our subscription customers as they piggy back on features that are only possible due to our servers on the subscription side. But where possible we add features for both standalone customers and subscription customers.

SHA-1 is a worthless hash. There are rainbow tables for every possible entry. This service seems like it's a breach waiting to happen.


You missed the important bit. Your password is hashed.

Then we take the first 5 characters of the hash and send that over.

The Have I Been Pwned server takes these first 5 characters, compares to the database, finds all hashed passwords that match the first 5 characters and send those back to the client (1Password) which then checks the returned hashes to see if a match is made.

Your fully hashed password is never sent to the server, only the first 5 characters. Troy Hunt, the creator of Have I Been Pwned has stated that pretty much every 5 character prefix hash has ~500 results, and it's entirely possible that password isn't even in the results and is safe. So it really doesn't help much at all, combined with the fact no username or URL is sent.
Rating: 8 Votes
Avatar
Eidorian
11 months ago
It's a great program. I recommend it to everyone.
Rating: 7 Votes
Avatar
BigMcGuire
11 months ago
I had the grandfathered? app purchase from years and years ago and I never felt forced or even coerced by Agilebits to upgrade. I got the 1Password Family Teams plan recently - because I wanted to. Never once was I forced or more than a few times encouraged to get the Teams / subscription plan - this is something VERY FEW companies do. Most companies blast in your face: "UPGRADE NOW" every time you open the app. Because Agile bits didn't do this was a huge factor in my decision to upgrade. I will go out of my way to not upgrade when companies "force" or overly coerce.

So up until recently I was using the iCloud standalone app and want to voice my opinion that I was never forced or even slightly encouraged to upgrade via the application.
Rating: 7 Votes
Avatar
unsaltedrhino
11 months ago

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.


I use it very happily without subscription. Am considering subscription for features such as this.
Rating: 6 Votes
Avatar
justiny
11 months ago

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.


I disagree. When a developer continues to improve and enhance a high-quality application (specifically in the field of information security where threats evolve daily), I don’t mind them getting paid along the way.
Rating: 6 Votes
Avatar
horsebattery
11 months ago

Uh oh. Now you’ve undoubtedly summoned the Kyle guy from AgileBits to come and AstroTurf the f out of the thread by telling us how much value there is in buying a 1Password subscription, and that it was needed because their customers were too dumb to know whether to buy the Mac or Windows version and how that was the bane of their tech support’s existence.

That's quite an exaggeration - why make this claim when one can easily look up the old threads? I've seen many of his comments and most have been quite helpful in clearing up misconceptions/FUD. There's already one in this thread falsely claiming that users are forced into the subscription model and having to repurchase this "over and over again"
Rating: 5 Votes
Avatar
BasicGreatGuy
11 months ago

I really hate 1Password, they're too political.


They are a software company not part of any government agency. I have never seen Agilebits make any political statements much less try and force others to believe the same.

In my opinion, they make an excellent program and I like the new feature. If anyone is too political right now, it’s you for injecting politics into a non political story. Save it for the PSRI forum.
Rating: 5 Votes
Avatar
AGKyle
11 months ago

Oops. I actually just went through his profile and didn’t immediately see him commenting about the customers having no idea which to buy. (Sorry Kyle). Apparently I was thinking of Ben? I just know the tone of their employees comments on MR and Reddit ('https://www.reddit.com/r/apple/comments/5wikvk/agilebits_blog_introducing_1password_66_for_mac/deaop94/') have completely jaded me towards a company I used to love.


https://forums.macrumors.com/threads/1password-introduces-2-99-month-plan-for-individuals-with-6-months-free-at-sign-up-updated.1986181/page-2#post-23198372

https://forums.macrumors.com/threads/1password-introduces-2-99-month-plan-for-individuals-with-6-months-free-at-sign-up-updated.1986181/page-7#post-23199525


To be clear here. Every one of my responses is meant to inform. I fully stand behind you making your own decision. But the least I can do is explain our reasoning when possible so you understand why we did something. You don't have to agree with it, but at least you'll understand our thought process. I'm aware that some people will never agree with our decisions and I won't pretend that anything I can say will actually change that. But when presented with the option of providing someone with actual information vs blowing smoke, I'll choose the giving you actual information. For better or worse I'm not going to lie to someone to make them happy or earn their purchase.
Rating: 5 Votes
[ Read All Comments ]