Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password with SHA-1, which produces a 40-character hexadecimal digest. Sending that full hash to the server would give away too much: SHA-1 is fast to compute, so anyone holding the hash could test guesses against it offline and recover a weak or reused password. Instead, Troy’s new service only requires the first five characters of the 40-character hash. Five hex characters identify one of 16^5 = 1,048,576 buckets, so the prefix tells the server only that your password is one of the enormous number whose hashes fall into that bucket.

To complete the process, the server sends back every hash in its database that starts with those same five characters (with about 500 million hashes spread over roughly a million prefixes, that is a few hundred candidates per request), each as its remaining 35 characters together with a count of how many times it appeared in breaches. 1Password then compares this list locally to see if it contains the remainder of your password’s hash. If there is a match, that password is known and should be changed. Match or not, the server learns nothing beyond which bucket your hash falls into, and it cannot tell from the request which of the candidates, if any, was yours.

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.
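The full round trip, as an added example that is not part of the original post or of 1Password’s code. It implements the client side of the range lookup described above in Python, run against a constructed, in-memory stand-in for the server: the only thing that crosses the client/server boundary is the five-character prefix, and the match is decided locally. The `FakeRangeServer` class and its corpus are hypothetical and constructed for this example; the real endpoint (`https://api.pwnedpasswords.com/range/{prefix}`) appears in `live_fetch_range` but is never called here, so the code runs offline.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Real v2 endpoint: GET /range/<5 hex chars> returns "SUFFIX:COUNT" lines.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password and split the 40-char uppercase hex digest into the
    5-char prefix (the only part sent to the server) and the 35-char suffix
    (which stays on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the server's response into {suffix: breach_count}.
    Each line is '<35 hex chars>:<count>'; line endings may be CRLF."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        matches[suffix.upper()] = int(count)
    return matches


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus
    (0 = not found). The server only ever sees the 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    candidates = parse_range_response(fetch_range(prefix))
    return candidates.get(suffix, 0)  # the comparison happens locally


def live_fetch_range(prefix: str) -> str:
    """Fetch a real range from the Pwned Passwords API (not used offline)."""
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- Constructed stand-in for the server (hypothetical; not Troy's data) ----
FAKE_BREACH_CORPUS = {  # password -> made-up occurrence count
    "password": 1000,
    "123456": 5000,
    "letmein": 40,
    "correct horse battery staple": 2,
}


class FakeRangeServer:
    """Buckets a corpus by SHA-1 prefix and records what it was asked for,
    to show that the server learns nothing but 5-char prefixes."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.buckets: Dict[str, list] = defaultdict(list)
        self.prefixes_seen: list = []
        for pw, count in corpus.items():
            prefix, suffix = sha1_prefix_suffix(pw)
            self.buckets[prefix].append(f"{suffix}:{count}")

    def fetch_range(self, prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("client must send exactly 5 hex characters")
        self.prefixes_seen.append(prefix)
        # The real service returns several hundred suffixes per prefix;
        # this stand-in only knows the constructed corpus above.
        return "\r\n".join(self.buckets.get(prefix, []))


if __name__ == "__main__":
    server = FakeRangeServer(FAKE_BREACH_CORPUS)
    for pw in ("password", "correct horse battery staple", "k4#Qp9vL!zR2mT7w"):
        print(f"{pw!r}: seen {check_password(pw, server.fetch_range)} times")
    print("server saw only:", server.prefixes_seen)
```

Swapping `server.fetch_range` for `live_fetch_range` turns this into a real check; nothing else changes, which is the point of the k-anonymity design.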

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s best known for his Have I Been Pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

79 replies
    • Dave Teare says:

      Thanks for the feedback, J.R!

      You’re right, this would make a great addition to Watchtower. Being able to see all your pwned passwords at a glance would be awesome and it’s exactly where we’re headed.

      Our current implementation is performing the checks one by one at the moment simply because of time. Troy announced this new service just 27 hours ago and we had no prior knowledge about it. We loved what we saw and we’ve been scrambling ever since to add it to 1Password.

      As Jeff mentions in the post this is a proof of concept and we’ll be building on it over time. Keep an eye out for upcoming announcements on this – I think you’ll enjoy what you see. 🙂

      Thanks again for letting us know this is something you’re looking forward to. Knowing that adds fuel to our fire! 🔥

      Take care,


    • Jeffrey Goldberg says:

      Let me add to what Dave said and point out that we want to develop a better understanding of how we should best present matches to people. The meaning of a match can be subtle, and not what people expect. See my other comment for gory details about that.

    • Carl Walsh says:

      Agreed, this feature is a really great idea, but you should definitely let me scan the 200 items in my vault. I already found that one of my older gmail account passwords was compromised — time to change it!

    • Kate Sebald says:

      Hey Carl! I’m glad you are enjoying it and already fixing up pwned passwords to boot! Way to go! 😊 As a few of us have mentioned before, we do want to flesh this out into a full-fledged feature. Since we wanted to get this proof of concept ready quickly and keep its impact on Troy’s service to a minimum, sticking with one-by-one was the best way to accomplish both of these tasks, but making checking everything much less tedious is certainly on the wish list for The Real Deal.

      Still, if you’re up for a few clicks now and again, I’d definitely encourage you to keep at it now. Even fixing up one or two pwned passwords is a huge improvement and you’ll get through them all before you know it fixing up a few a day. There’s no rule saying you have to fix all of them at once, after all. Personally, I’ve been trying to check a few each time I sign on to This way I can gradually make my way through them without wearing out my mouse button (and my sanity) in a single go. 👍

    • Temptin says:

      Hey Dave Teare, etc – keep this in mind: Troy released all of the SHA1 password hashes as a ~9 GB torrent (see his blog post). It would be trivial to put that in a database and do a query for all entries LIKE "1BD3F%" to get all matches yourselves. You could download that and host the password quality checker service on That way you don’t hammer Troy’s “free server”, and you can ensure the privacy is truly maximal. ;-)

    • Kate Sebald says:

      Hey Temptin! First off, thanks for sharing your ideas! This is definitely a challenge we’ll need to overcome before we can bring this feature to the apps, so thoughts are always welcome. 😊 I’ll leave the technical details to those better qualified, but one concern with this method comes with updates to the database. We’d need to update on our end every time Troy adds anything on his end. We’d need to make sure we’d be able to make those updates while keeping any downtime to a minimum and preferably with as little delay between Troy’s update and ours as possible. Pitfalls aside, this would be a lovely way to deal with potential hammering of Troy’s server, if it’s feasible with how the system is set up right now (and it may be – I just don’t know enough to say for sure whether that’s the case). It’s definitely something where we want to get creative, so thanks again for sharing and keep the ideas coming if you’ve got ’em.💕

    • Temptin says:

      Oh and to speed up the database, instead of a stupid LIKE-query (I am stupid), you could just put the first 5 digits in a separate database column, and create a MySQL INDEX on that column. That way lookups for all rows that have the given 5-character prefix is gonna be ultra fast via some binary tree search magic in the SQL engine. :-)

  1. Larry Nolan says:

    I agree with J.R. But I also want to give a cheer to Tony for the service and AgileBits for working to embed it into 1Password!

    • Dave Teare says:

      I agree! With both you and J.R. on how great this would be in Watchtower and about how great Troy is! 🙂

      Take care, 😘


  2. Mikel Manitius says:

    This is cool and the implementation is indeed impressive.

    However, I’ve been following best practices for years and auto generating unique (to me) random passwords for each account using 1Password. Just knowing that somewhere out there exists another instance of my randomly generated password does not seem all that useful without additional context.

    Since the checking method is currently manual, it would be more helpful if I could just select my top accounts (perhaps the ones tagged “financial”) and just have Watchtower check those in the future.

    Perhaps a discussion on entropy and the likelihood that my 16 character randomly generated password could also be randomly generated by someone else could help put this in perspective.

    • Dave Teare says:

      Thank you, Mikel! I’m happy to hear you enjoyed what we’ve been working on for the last 24 hours. 🙂

      It’s also great to hear that you’ve been following best practices for years and using generated passwords. Given that you’re using 16 character random passwords the chance of someone else using the same password is incredibly low.

      What the actual chance of that happening is such an incredibly interesting question I couldn’t resist taking a stab at the math. Assuming you’re using 16 character passwords for all your sites and using a mix of uppercase and lowercase letters your available universe of generated passwords would be 62^16 ~= 4.7 x 10^28.

      If we assume every person on earth generated 100 passwords using the exact same attributes that you used, there would be 7 x 10^11 passwords created that you could potentially collide with. If I’m doing my math right, that gives a (7 x 10^11) / (4.7 x 10^28) chance of a collision, or 1.4 x 10^-15 percent chance. That feels like pretty good odds to me! You’re more likely to win the lottery a few hundred times. 🙂

      I’m going to ask Jeff Goldberg to jump in here and check my math but given how amazing exponential growth is, I don’t think you have anything to be worried about.

      With all that said, you’re right, Watchtower needs to learn this new trick and make it easier for you to find passwords that appear in Troy’s database.

      Take care and have yourself a wonderful night! Hopefully I’ve given you some good things to dream about. 🙂🛌💤


    • Dave Teare says:

      As I think about this more, the chance is higher than a simple division between the two universe sizes. You’re actually choosing one from the universe of generated passwords (62^16 ~= 4.7 x 10^28), which gives a 1/(4.7 x 10^28) chance of a collision for that one password. Then you repeat this 700 billion times (one hundred passwords for every one of the seven billion people on earth), and you need to sum that up. I believe that works out to be substantially higher than the number I proposed above, but I don’t remember enough about my university probability course to calculate it. Even so, given the massive universe size we’re dealing with, I still think you’re more likely to win the lottery multiple times, even without taking into consideration that not everyone in the world is using 1Password. At least not yet anyway. 🙂

      I have my 🍿ready for when Goldberg comes in and finishes the math for us. He’s a wizard at this stuff. Stay tuned and be sure to have some popcorn ready! 👀🙂


    • Rob Yoder says:

      Hi, Mikel.

      You’re right about Watchtower. We definitely have ideas about how to make this a more useful addition to 1Password in the future. But since Troy announced this yesterday, we mostly just wanted to try it out and share it with everyone before it got too bogged down with future goals and ideal design considerations.

      Jeff partially addresses your unique password scenario in his comment below. As to a discussion of how likely it is for someone else to have generated the same random password as you at different levels of entropy, that’s a bit harder to quantify.

      Of course if you know the entropy value then you know the probability of someone generating the same password as you at any given point in time. For example, a 16-character alphanumeric random password has about 95 bits of entropy, which means there’s about a 1 in 47,700,000,000,000,000,000,000,000,000 (62^16) chance that I would randomly generate that password in one shot if I start with the same parameters.

      But let’s say that there are 7,000,000,000 people in the world and each of them has 1000 online accounts and uses a different 16-character alphanumeric password for each one. Now the odds are up to about 1 in 6,810,000,000,000,000 that someone in the world has the same password as you. Obviously, that’s a horrible estimate for many reasons, and the odds are much lower than that, but you can see how unlikely it is.

      So if you have a randomly generated alphanumeric password over 10 characters that shows up as pwned, it is almost certain that it was your account. It also most likely indicates that the password was stolen without repeatedly guessing. Perhaps it was stored in an online database in plain text or it was intercepted in some other way, so it would be interesting to note what the password was used for and determine how the theft might have happened.

    • Jeffrey Goldberg says:

      I consider this question a birthday present, although paradoxically it is nowhere near my birthday.

      The short answer is that the chances of a collision are astronomically small. (Does “astronomically small” make sense? “Atomically small”?). Dave’s answer is (pretty much) correct. Given the assumptions he makes, the chance that one of your 16 character generated passwords would collide with someone else’s is on the order of 10⁻¹⁷. (My calculation came up differently than Dave’s, but what’s a few hundred billion among friends.)

      But now suppose that we asked a different question. The question we did ask was (correctly) about the chances that a given one of your passwords would collide with some other password generated that way. But suppose we were to ask instead: among all of the 700 billion passwords generated that way, what are the chances that somewhere there is some pair that collide?

      In this revised question (which really isn’t relevant to the situation) we are not looking at a particular password and seeing if there is another match, we are looking for any matches at all with any password. This is like taking a room full of, say 25 people, and asking what the chances are that there is some pair of people in the room with the same birthday. Most people (who haven’t encountered this before) will suspect that the chances of a birthday collision is pretty small, but it turns out to be greater than 1/2.

      Among the 700 billion passwords generated as 16 letters and digits, there is about a 1 in 200,000 chance of there being a collision. Somewhere among those 700 billion there is a small, but not astronomically small, chance that there is a collision. But, of course, the chances that your particular password will be involved in a collision remains astronomically small.
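The two questions in this thread worked through in code, as an added example that is not from the original post or from any of the commenters. It uses the thread’s assumptions: a 62-character alphabet, 16-character passwords, and seven billion people each generating 100 passwords. `p_specific_password_duplicated` is the chance that one particular password is matched by any of the others (the ~10^-17 Dave and Jeff arrive at); `p_any_pair_collides` is the birthday-bound chance that some pair among all of them collides (Jeff’s roughly 1 in 200,000). The function names are the example’s own.

```python
import math

ALPHABET_SIZE = 62          # a-z, A-Z, 0-9
PASSWORD_LENGTH = 16
PEOPLE = 7_000_000_000
PER_PERSON = 100


def universe_size(alphabet: int = ALPHABET_SIZE, length: int = PASSWORD_LENGTH) -> int:
    """Number of distinct passwords the generator can produce (exact integer)."""
    return alphabet ** length


def entropy_bits(alphabet: int = ALPHABET_SIZE, length: int = PASSWORD_LENGTH) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def p_specific_password_duplicated(n_others: int, universe: int) -> float:
    """Probability that at least one of n_others independently generated passwords
    equals one fixed password: 1 - (1 - 1/N)^n, which is ~ n/N when n << N.
    Computed via log1p/expm1 so the tiny value is not lost to rounding."""
    return -math.expm1(n_others * math.log1p(-1.0 / universe))


def p_any_pair_collides(n: int, universe: int) -> float:
    """Birthday bound: probability that some pair among n generated passwords
    is identical, 1 - exp(-n(n-1)/(2N)). Note it grows with n^2, not n."""
    return -math.expm1(-(n * (n - 1)) / (2.0 * universe))


def one_in(p: float) -> float:
    """Express a probability as '1 in X' for readability."""
    return 1.0 / p


def summarize(people: int = PEOPLE, per_person: int = PER_PERSON) -> dict:
    """Collect the numbers the thread argues about for the given population."""
    n = people * per_person
    N = universe_size()
    return {
        "universe": N,
        "entropy_bits": entropy_bits(),
        "total_generated": n,
        "p_yours_duplicated": p_specific_password_duplicated(n, N),
        "p_any_collision": p_any_pair_collides(n, N),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"universe: {s['universe']:.3e} ({s['entropy_bits']:.1f} bits)")
    print(f"chance one of YOUR passwords is duplicated: 1 in {one_in(s['p_yours_duplicated']):.3e}")
    print(f"chance ANY pair collides (birthday bound): 1 in {one_in(s['p_any_collision']):,.0f}")
```

The gap between the two answers is the whole birthday paradox: the first probability scales with n, the second with n squared, so going from "your password" to "any password" multiplies the odds by roughly n/2 = 3.5 x 10^11.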

    • Temptin says:

      There’s a much easier way to check your math:

      I entered a random 16-character pass (aA123457gd343432) with upper, lower and digits.

      It gives me:

      There are 62 possible glyphs per character. (a-z A-Z 0-9)
      Counting all passwords from 1 to 16 characters long with those glyphs, there are a total possibility of 48,453,916,488,902,607,769,120,106,730 different passwords (that’s 4.85 x 10^28).

      So no, I don’t think someone is going to get the same password as you. ;-)

      Bonus: Assuming someone is able to run a cracker that tries one hundred trillion guesses per second, it would take 1.54 hundred thousand centuries to find your 16-character password. (Most fast “enthusiastic hacker” level cracking software these days runs at perhaps 1600 million guesses per second assuming a couple of GPUs or FPGAs cracking all at once).

      You’re. Safe.

  3. Jeffrey Goldberg says:

    I’d like to follow up by trying to answer a remarkably tricky question that some people will be asking (and everyone else should be asking): What does it mean if my password, P, for service S is on the list?

    Quick overview

    1. P is not on the list. Yay! That is good news.
    2. P is on the list, and P isn’t very strong. No need to panic. It is probably not your account that has been compromised, but you should change P along with other weak passwords because they are weak.
    3. P is on the list and P is very strong. Change the password immediately. It is likely that your account credentials have been compromised.

    Now for the longer explanation

    Case 1: P is not in HIBP dataset

    First, let’s take the simple case. If your password, P, is not in the HIBP data, that is good news. It is both “good” and “news”. Finding that P is not on the list tells you good things about P. You can be more confident in P than you were before checking.

    Case 2: P is in HIBP dataset and P isn’t strong

    If you find that P is on the list, it definitely isn’t good, but may not be news. If P is weak (or created by a human) it is likely that lots of other people use the same password. People are not very good at being random, especially when they are trying to be random. And so P might be on the list because it appeared in a password breach that didn’t involve your account on service S.

    This odd case comes about because the HIBP list is so large. Any password that is likely to have ever been used by more than a tiny handful of people on the planet can easily end up on such a large list. So there is a fair chance that the instance of the password that ended up on the list isn’t from your use of it.

    But you should change P because it is weak. Use our Strong Password Generator to create a strong and unique password for that service. You should be doing this for weak passwords anyway, and so P’s appearance on the list doesn’t really give you much new information. But if it helps you notice some of your weaker passwords and encourages you to change them to strong, randomly generated ones that is definitely a good thing.

    You should be changing your weaker passwords as a matter of course, but if you are like most people, you will have plenty of them left over from the days before you started to use 1Password’s Strong Password Generator. Spend some time each week improving on these. It may be too daunting of a task to do all at once, but even fixing one or two weak passwords at a time will improve your security.

    Case 3: P is in HIBP and P is very strong

    Change your password for the service on which you use P immediately!

    This is bad news. It is both bad and news. And you should change your password for the service, S, you use it for immediately. A strong randomly generated password is very unlikely to be used by anyone else. So if P is strong and random and found in HIBP, then it almost certainly comes from a breach involving your account on S (assuming you only use it on S).

    Now because P is strong, it is unlikely to have been cracked, but it could have been captured in other ways (transmission over HTTP instead of HTTPS, stored as plaintext by S, or something else). But it does indicate bad news.

    Matters of degree.

    I’ve been using words like “strong” and “weak” and “unlikely” and “likely” without specifying what counts as what. And I’m going to continue to remain vague. There are no easy measures of these and there are no magical cut-offs separating those categories, and so understanding what it means to find a password you use on the HIBP list is also a matter of degree. Life (and security) doesn’t give us absolutes.

    Chief Defender Against the Dark Arts @ AgileBits

    • Shiner says:

      I am sorry to hear that it is not working for you. I must admit that I’ve not had a chance to give the latest macOS High Sierra beta a try, so I can’t be sure if it is something specific to that version. I’ll see if anyone on my team is using that version and find out if they run into the same problem. Does it flicker for you when you enter the magic keyboard sequence, or when trying to view the password menu options?

  4. Gerard Robert says:

    I have 1P 6.8.6 on my iMac and my MB Pro, both running the latest version of High Sierra and I cannot get past step 2: Click Open Vault to view the items in a vault, then click an item to see its details. Feel like a bit of an ass asking how to do this, but there it is.

    • Shiner says:

      For now the Check Password feature is limited to the 1Password web client, and is not yet in the 1Password apps. When I saw Troy’s post, I wanted to make this feature available as soon as possible and this was simply the quickest way to do so.

      We plan on adding this feature to Watchtower in the 1Password client apps, like 1Password for Mac as we move forward. In fact, once this is in the client apps we should be able to take it further than we do today, showing all of your pwned passwords in a single view. That will make it even more convenient, and I can’t wait until we get there.

      If you have a membership and want to give it a try today, you can start by signing in to your account on using your favourite browser. Once there, you should see your vaults on the Home page and be able to click on one to open and view your items.

      Keep an eye on our blog for upcoming announcements as we roll this out further.

  5. Tim O says:

    AgileGents/Ladies – This is absolutely fantastic work. Thanks for rolling it out when/how you did. You continue to impress with your dedication to security. The service you are providing is now that much more useful than when I started just a couple of months ago. Makes it an even easier sell with friends/family. Thanks again!

    • Shiner says:

      Thank you Tim!

      I have to admit that the last 24 hours was a bit of a whirlwind, but it was as fun to build as it was exciting to see it working.

      We are always looking for ways to keep you more secure and make 1Password better. Troy’s new service was a great example of a way to do so, and one we couldn’t pass up. Hopefully in a few months you’ll be able to look back again and see that we’ve made 1Password even more useful than it is today. 😀

    • Shiner says:


      I am tempted to leave it at just that as I thought it would be fun to match yours.😆

      But, you’ve been such an amazing supporter of ours over the years that I can’t bring myself to answer with just 7 characters. Thank you for all your help and support over all these years. 🧡

    • Shiner says:

      Thanks Ricky,

      Watchtower has a number of useful security tools to help keep your passwords safe. Checking for duplicate passwords is perhaps the most important of those tools. If each account has a different password, it means that a breach of one account can’t put your other accounts at risk.

      While the Check Password feature is limited to the 1Password web client for now, we are planning on adding it to Watchtower and our 1Password apps in the future. I hope you’ll give both Watchtower and our new Check Password feature a try!

  6. David says:

    Love your work – very impressive. However, I’m a little bit wary of attempting to calculate the probability of password collisions purely on the math associated with the password itself. The thing is that the two colliding passwords in this case are generated by (possibly the same) software, so it seems to me that it’s at least as much about the quality of the randomness in the generator as it is about the eventual result. If the generator is deterministic enough, we’ll have collisions with a much higher frequency than for those generated with a truly random generator. So: how good is the randomness of the 1Password generator?

    • Jeffrey Goldberg says:

      Well spotted, David! All of what we’ve said depends on the quality of the random number generator.

      All of the math assumes that the generated passwords are uniformly distributed among the set of all possible generated passwords (of same length and constraints). That is why we use a cryptographically appropriate RNG for these and take care (such as addressing the modulo bias) to get a uniform distribution.

      All modern operating systems provide good means for applications to get random bytes that are suitable for cryptographic purposes. This wasn’t always the case, but now it is fairly easy to do things right. It is still possible to accidentally use the wrong random number generator, but we have a development policy of using cryptographically secure random number generators everywhere, even where they aren’t necessary. This reduces the opportunity to make a programming error of picking the wrong one as we only ever use the right one. In fact this was a “quiz” question for our developers during some recent training.

      What RNG should our developers use?
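Modulo bias and the rejection-sampling fix Jeff mentions, as an added example that is not 1Password’s generator code. It takes one byte from the operating system’s cryptographic RNG (`os.urandom`) and maps it onto a 62-character alphabet two ways: the naive `byte % 62`, whose exact distribution over the 256 possible byte values is shown to be skewed, and rejection sampling, which discards the 8 byte values that would cause the skew. Python’s `secrets.choice` does the latter internally; the function names here are the example’s own.

```python
import os
import secrets
from collections import Counter
from typing import Callable

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 62 symbols


def csprng_byte() -> int:
    """One byte from the OS cryptographic RNG (never the `random` module)."""
    return os.urandom(1)[0]


def naive_index(byte: int, n: int = len(ALPHABET)) -> int:
    """The tempting but biased mapping: 256 is not a multiple of 62."""
    return byte % n


def naive_distribution(n: int = len(ALPHABET)) -> Counter:
    """Exact frequency of each index when every byte value is equally likely.
    For n=62: 256 = 4*62 + 8, so indices 0..7 occur 5 times in 256 and
    indices 8..61 only 4 times; 'a'..'h' are 25% more likely than the rest."""
    return Counter(naive_index(b, n) for b in range(256))


def unbiased_index(n: int = len(ALPHABET), randbyte: Callable[[], int] = csprng_byte) -> int:
    """Rejection sampling: accept only bytes below the largest multiple of n
    that fits in 256 (248 for n=62), so every index is exactly equally likely."""
    limit = 256 - (256 % n)
    while True:
        b = randbyte()
        if b < limit:
            return b % n
        # otherwise reject and draw again (8 of 256 draws for n=62)


def rejection_distribution(n: int = len(ALPHABET)) -> Counter:
    """Exact frequency of each index over the accepted byte values: uniform."""
    limit = 256 - (256 % n)
    return Counter(b % n for b in range(limit))


def generate_password(length: int = 16, alphabet: str = ALPHABET,
                      randbyte: Callable[[], int] = csprng_byte) -> str:
    """Uniform random password built from CSPRNG bytes with rejection sampling."""
    return "".join(alphabet[unbiased_index(len(alphabet), randbyte)] for _ in range(length))


def generate_password_stdlib(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Same result via the standard library; secrets.choice rejects internally."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    skew = naive_distribution()
    print("naive byte % 62: index 0 ->", skew[0], "/256, index 61 ->", skew[61], "/256")
    print("rejection sampling: every index ->", set(rejection_distribution().values()), "/248")
    print("password:", generate_password())
```

The skew looks small, but it is exactly the kind of non-uniformity that invalidates the 62^16 arithmetic above: an attacker who knows a generator favours certain characters can order guesses accordingly, and two generators with the same defect collide more often than the idealized math predicts.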

  7. Judith Wilson-Pates says:

    I seem to be having the same problem as Diane Ross. I logged into my 1P account from Safari 11.03 on my iMac, which is running OS X 10.13.3. At step 3, when I enter the magic keyboard combo the concealed password becomes revealed. But “Check Password” and the other options don’t appear. I’d really like to use this feature, as I just got a warning yesterday about a compromised username and password from a publication to which I subscribe.

    • Shiner says:

      Hi Judith,

      How odd. I am also on 10.13.3, using Safari 11.0.3 and am not running into any trouble. You may want to check that the magic keyboard sequence Shift-Control-Option-C is being entered correctly. We might have made that sequence a bit too difficult in our attempts to find one that wouldn’t be entered randomly, or overwrite common shortcuts. I had trouble entering it myself the first few tries. 😬

      I’d love to figure out what is happening and am going to send you an email directly to request more detailed information and see if we can figure out why it is not working.

      However, given that you already received a warning about a compromised account, I would recommend changing the password to that account straight away.

  8. Peter says:

    I appreciate that you wouldn’t implement anything unless it was private and secure.

    But given the quick deployment of this feature, can you speak to your QA process to ensure that it is not introducing any unexpected vulnerabilities?

    Thank you.

    • Shiner says:

      Hi Peter, excellent question!

      When I read through Troy’s post, and in particular the “Cloudflare, Privacy and k-Anonymity” section, I realized that we should be able to integrate this into 1Password while keeping your passwords secure. This led to a flurry of activity over the next 24 hours with the final result being the live POC you saw today. I’ll take you through some of the more important steps that we took in those 24 hours.

      The first step was to have a POC of the POC.😁 Could we, in our local development environment, call out to Troy’s service passing only the first 5 characters of the hash, get the list of pwned hashes, and determine if your password was known or not? Our crack development team of Rob and Rick got this done in no time flat.

      Knowing that the POC was feasible, we set out to determine if it was something we should do. I reached out to Jeffrey Goldberg, our Defender Against the Dark Arts and security lead, to ensure the concept was safe. We submitted the code changes of our actual implementation so that it could be code reviewed and approved by our team, and we started testing the POC locally.

      In parallel, we started getting the blog post ready so we could share this with everyone when done. Getting a blog post ready is a surprisingly large amount of work. I created the first draft of the post myself, but then quickly involved others to turn my gobbledygook into readable English.😆 Our designers started to work on the artwork that helps tremendously in getting some of the tougher concepts across. (I am truly amazed at the skill of our design team.)

      One additional privacy concern we considered was how to release this feature. Because this feature integrates with Troy’s service, we wanted to make sure people using this knew that a non-1Password service was involved. We aren’t sending enough information to put any passwords at risk, but our approach has always erred on the side of over-communication. This led to our magic (and perhaps confusing) key sequence to unlock the POC. This character sequence makes sure that a person who is using 1Password doesn’t see the Check Password button without first reading the post and understanding its purpose, and how it works.

      With the concept approved, the code reviewed and the post underway, we released this POC to our formal test environment. We have well over 1000 automated tests, as well as our human testing that is performed there. We built a special release where the only change was this POC and that allowed us to test and release this quicker than we normally might.

      It was certainly a busy 24 hours to get this feature live, and most of the above happened in parallel to get this done, but we did so carefully and had a great time doing so. I have to admit that I work with a great team of folks here, and am pretty proud of what they were able to accomplish.

      To be honest, there was never much risk from a security perspective, as all we were really sending was the first 5 characters of the hash of the password. That is not to say that all our testing efforts weren’t required, but rather that the risk itself was showing an incorrect result. Even so, this would have been pretty bad as a false positive could cause a lot of people to worry needlessly.

      Thanks again for your question. I love that you were curious about our process and never stop challenging us on security! :)

    • Kate Sebald says:

      I’m glad to hear it, Thomas, and thanks for your words of support! We’ve had a few suggestions in the past to integrate the previous iteration of haveibeenpwned into 1Password, so I was bouncing in my chair a bit when Jeff told us it was going to happen. This is only a proof of concept for now, so I’m excited to see how it will evolve in the future. 😊

  9. Kent McPherson says:

    I have the latest version on my iMac (6.8.7) but I cannot get the Check Password option to come up. I press Shift-Ctrl-Option-C but the Check Password option never shows up. What am I doing wrong?

    • Kate Sebald says:

      Hey Kent! As Jeff mentioned in this comment this feature is only available on right now. We were just entirely too excited about the possibilities here to wait to share it with y’all until we were able to get it into the apps. Adding it to was a great way to make sure as many folks as possible could give it a try right away since it’s available across operating systems. Like Jeff said, though, we do want to bring this to client apps down the line, but adding a new feature to 4 different apps (5, including 1Password X), takes quite a bit longer than the just over 24 hours we had given ourselves to build this, so it will be something to look forward to down the road. 😊

  10. Shawn Starbird
    Shawn Starbird says:

    This is an amazing first step! Can’t wait to see what you do with this.

    Also, I’m sure you’re thinking of it, but it would be great if we had a way that showed duplicate passwords highlighted. For instance, you use P@ssw0rd on and on Google. Highlight that, even if it’s not part of a breach.

    Thanks again!

    • Kate Sebald
      Kate Sebald says:

      Hey Shawn! I’m glad you’re excited about this first step. Jeff and team were pretty sneaky about putting this together, so I was as amazed as you when we started working on this post and am really looking forward to seeing what’s next myself.

      As for duplicate passwords, that’s actually already part of Security Audit, which is available already in 1Password for Mac and will be coming to 1Password for Windows in a future update. If you’ve got a Mac in your 1Password ecosystem, expand Security Audit in the sidebar of the main app, then click Duplicate Passwords for a list of those pesky dupes. While you’re there, you can seize the opportunity to sign in to those sites and change those passwords to nice, unique, generated passwords, too. If you don’t see Security Audit right away, mouse over the empty space at the bottom of the sidebar and you should see it pop up with a Show button nearby to keep it visible. Give it a try, if you’d like, and let me know if you have any questions. 😊

  11. Renaud
    Renaud says:

    You’ve been incredibly quick on this one – congrats !!

    Just thinking that Troy would probably be most grateful if in the long run, you hosted your own copy of the list for your app to use. His API will be hit quite hard otherwise and in his blog post he mentioned how he was trying to keep costs down. On the other hand, it seems like Cloudflare is helping him out for free, but I guess it’s also better for you not to rely on external services too much !

    • Kate Sebald
      Kate Sebald says:

      Thank you so much, Renaud! It was quite a hectic day (and then some) for the team putting this together for sure. When I saw Troy’s announcement, I was considering how best to handle the requests to integrate his service I thought were likely to pop up, and before I knew it Jeff was talking about a blog post to announce it had already been done. I gave it a try in our test environment and was completely blown away. Jeff and team deserve a truly epic slow clap for putting this all together so quickly. 👏

      The team definitely had potential strain on Troy’s infrastructure in mind when they were building this out. It’s one reason this is done one-by-one right now. We didn’t want Troy to fall victim to the internet security equivalent of the Slashdot effect (or the “reddit hug of death” in the vernacular of my generation). As this feature evolves, we’ll definitely have to be mindful of how future changes will affect Troy and consider alternatives to the current implementation as needed. After all, Troy’s efforts are helping way more than just 1Password users and we definitely want him to continue thriving. 😊

  12. Jason Kratz
    Jason Kratz says:

    Think it needs to be made clear (because it wasn’t to me) that you only need to hit the magic key combo once (per session? I know I don’t have to do it for every login I select while in a session). I read someone mentioning that the buttons were flickering, which is what happened to me because I was holding down the keys while trying to click the buttons.

    • Kate Sebald
      Kate Sebald says:

      Hey Jason! I actually fell victim to the exact same thing. When I was first trying this out, I was running back and forth between my Mac and my PC because I couldn’t get it to work. Turned out it was one of those problems that exists between keyboard and chair (y’know, me) and my repeated magic combo spamming was the problem. Definitely something to keep in mind as this proof of concept grows into a full-fledged feature. Thanks for the feedback! 😊

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hello Ed. You are right to be wary of online password strength or checking services. But we would not have introduced or used this service if it posed a risk.

      Through the magic of mathematics, all of this password checking happens

      1. without us learning anything about your password
      2. without HIBP learning your password
      3. without anyone listening into the connection learning your password.

      It’s not just that they don’t learn your password; they don’t learn anything that would allow them to figure out your password.

      We don’t know your password

      As for keeping things private from us (1), all of the encryption and decryption happens only on your machine with secrets derived from your Master Password. Although you can view your 1Password data in a web browser, it is actually running in a web client on your machine. Our servers never see your decrypted data.

      A good place to start to learn more about 1Password’s security is at That will introduce things, and point you to more detail for whatever depth you would like to dig into this.

      So you are running 1Password on your computer (in your web browser). Your password is only decrypted on your computer and it is your computer that is talking to Have I Been Pwned (HIBP).

      HIBP can’t learn your password

      This leads us to point (2). How can your computer talk to HIBP to do this kind of lookup without revealing your password to HIBP?

      The details are briefly discussed in our article, and there is more detail in Troy Hunt’s announcement, but it works something like this. Suppose your password is “2B||!2BTitQ”; the SHA1 hash of that is “3bcb4b9aa6842c658606b405eb1200551610557b”. One of the things about these cryptographic hash functions is that if your password were even slightly different, you would have a completely different hash.

      But sending the full hash to HIBP wouldn’t be secure, because people can use the hash to test guesses at your password. Instead, what gets sent is just the very first part of the hash. It would be “3bcb4”. That just isn’t enough information to engage in password cracking (testing guesses against hashes). So 1Password (operating on your machine in your web browser) only sends that short piece of the hash.

      That will probably match many full hashes stored by HIBP, and it is that list of hashes that HIBP sends back to you (to 1Password running on your machine). So now 1Password on your computer has a list of hashes that begin with “3bcb4” from HIBP. 1Password will then see if any of those are “3bcb4b9aa6842c658606b405eb1200551610557b”. If any of them are, 1Password can let you know that your password is in the HIBP dataset.

      One really clever thing about this is that HIBP doesn’t even learn whether there was a match. This is because the final computation and check is performed within 1Password running on your machine.

      An eavesdropper can’t learn your password

      Finally, anyone able to break the TLS connection between your machine and HIBP, and so able to listen in to your network communication (point 3), gains no more information than HIBP learns. So such an eavesdropper doesn’t learn anything either.

      Anyway, I hope that this helps to reassure you that this service is safe.

  13. Ameno Osman
    Ameno Osman says:

    Hot damn! Now I never need to convince someone that their password is whack. This is a kick-ass feature and I can’t wait to see it make its way to all the other 1Password clients!!

    • Kate Sebald
      Kate Sebald says:

      Hey Ameno! Humans can be stubborn so some may still require a bit of convincing, but I’m glad this can serve as a handy tool to argue your point. I hope you’re able to use it to great effect to convince folks that their passwords need a little love. In the meantime, I’ll be right there with you impatiently waiting for this to put in an appearance in my Windows app. 😊

    • Kate Sebald
      Kate Sebald says:

      Hey Joshua! Just so you know off the bat, this is only available on right now, not in any of the desktop apps. We were so excited to share this, we couldn’t wait until we were able to update all of the apps. Sign in to your account in your browser and to give it a try. 👍

      Still, this keyboard combination shouldn’t be crashing your Windows app. I tried it myself, just to double check, and wasn’t able to get the app to crash. We’d like to take a look to see why you’re experiencing this. Could you generate a diagnostics report from the PC where you’re experiencing this crash and send it over to so we can investigate? This way we can figure out what’s causing it and get it fixed up for you. Thanks! 😊
