Finding compromised passwords with 1Password

Finding compromised passwords with 1Password

Jeff Shiner by Jeff Shiner on

1Password integrates with Pwned Passwords, a feature of Have I Been Pwned that allows you to check if your passwords have been leaked on the Internet.

Contents

In early 2018, Troy Hunt launched Pwned Passwords, a service that lets you see if your passwords have been leaked online. His database now has more than 500 million passwords that have been collected from various website breaches. Many of these credentials will have also been published or sold by attackers on the dark web.

Checking your passwords against this list helps keep you protected, and integration with Watchtower means you can automatically and securely check for compromised passwords and logins with 1Password.

Watchtower protects against security breaches

Watchtower alerts you to any password breaches or other security problems on the websites you have saved in 1Password. It’s included with every 1Password subscription. It’s updated whenever any security breaches are reported, so you are alerted immediately and can change your passwords right away.

“Greater vault flexibility and a more robust Watchtower are more about managing your passwords and other information. Both features make it easier than ever to organize your sensitive data and evaluate the safety of the passwords you create. It’s a combination that makes auditing the security of your passwords and managing things like shared passwords easier than ever and worth another look if you haven’t tried that aspect of 1Password in a while.”

A Redesigned 1Password 7 for Mac Enhances Watchtower and Adds Flexibility to Vaults, App Login Support, and More, John Voorhees, MacStories.

Avoid password breaches, stay safe and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent out into the vast reaches of the internet, it’s known, and I can’t use it anymore. It’s the same reason that correct horse battery staple was a strong password until this comic came out.

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password. I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!

How Pwned Password works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure: all Watchtower checks happen on your local device.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match, then we know this password is known and should be changed.

Troy offers a detailed write-up of how this works in his Pwned Password v2 announcement. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this stuff as fascinating as I do.

A thank you to Troy Hunt

Image of Troy Hunt

Troy Hunt is a respected member of the security community. He’s best known for Have I Been Pwned? – a service that lets you see if your email address has been caught in a data breach. He spends a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database.

The internet is a safer place thanks to Troy, which is why we are so proud to have partnered with him and Have I Been Pwned to protect you against these breaches. I’ll close with some words from Troy’s post about the announcement: “Working with 1Password was the obvious choice for a number of reasons, the most obvious being my long-standing history with them. This is a product I already endorsed, and from the perspective of my own authenticity, that was very important.”

Jeff Shiner

Give 1Password a spin

Sign up to see how 1Password helps you find compromised accounts so you can change affected passwords and stay safe online. It’s completely free for 14 days.
Try 1Password free

Jeff Shiner

CEO

Jeff Shiner - CEO Jeff Shiner - CEO

Tweet about this post