Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
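The exchange described above, written out as an added Python example (this is not 1Password's or Troy Hunt's code). The breached corpus and the `MockRangeServer` class are constructed for the demo so it runs offline; the only things the mock shares with the real range endpoint are the 5-character prefix query and the `SUFFIX:COUNT` line format of the response.

```python
import hashlib

# Constructed breach corpus for this offline demo. It stands in for the
# ~500 million leaked SHA-1 hashes held by the real service; none of these
# values come from that data.
CONSTRUCTED_BREACHED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "correct horse battery staple",
]


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password as an uppercase 40-character hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class MockRangeServer:
    """Stand-in for the Pwned Passwords range endpoint (constructed for the demo).

    It stores full hashes but only ever receives a 5-character prefix, so the
    most it can learn is that the caller's hash lies somewhere in a bucket of
    16**35 possible values.
    """

    def __init__(self, breached_passwords):
        self.by_prefix = {}
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            self.by_prefix.setdefault(digest[:5], []).append(digest[5:])
        self.requests_seen = []  # everything the server could log about callers

    def range(self, prefix: str) -> str:
        """Return every stored suffix under `prefix`, one 'SUFFIX:COUNT' per line.

        The count is fixed at 1 in this constructed corpus; the real endpoint
        reports how many times each hash was seen in breaches.
        """
        if len(prefix) != 5:
            raise ValueError("range queries take exactly 5 hex characters")
        self.requests_seen.append(prefix)
        return "\n".join(f"{s}:1" for s in sorted(self.by_prefix.get(prefix, [])))


def is_pwned(password: str, server: MockRangeServer) -> bool:
    """Client side: hash locally, send only the prefix, compare the suffix at home."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    returned = {line.split(":")[0] for line in server.range(prefix).splitlines() if line}
    return suffix in returned  # the full-hash comparison never leaves the client


if __name__ == "__main__":
    srv = MockRangeServer(CONSTRUCTED_BREACHED_PASSWORDS)
    for candidate in ["password", "Tr0ub4dor&3-constructed"]:
        print(candidate, "->", "pwned" if is_pwned(candidate, srv) else "not found")
    print("server only ever saw these prefixes:", srv.requests_seen)
```

Note what `requests_seen` contains after a run: five hex characters per lookup and nothing else. That is the whole privacy argument, and it holds whether the corpus has five hashes or five hundred million.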

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

88 replies
    • Dave Teare says:

      Thanks for the feedback, J.R!

      You’re right, this would make a great addition to Watchtower. Being able to see all your pwned passwords at a glance would be awesome and it’s exactly where we’re headed.

      Our current implementation is performing the checks one by one at the moment simply because of time. Troy announced this new service just 27 hours ago and we had no prior knowledge about it. We loved what we saw and we’ve been scrambling ever since to add it to 1Password.

      As Jeff mentions in the post this is a proof of concept and we’ll be building on it over time. Keep an eye out for upcoming announcements on this – I think you’ll enjoy what you see. 🙂

      Thanks again for letting us know this is something you’re looking forward to. Knowing that adds fuel to our fire! 🔥

      Take care,

      ++dave;

    • Jeffrey Goldberg says:

      Let me add to what Dave said and point out that we want to develop a better understanding of how we should best present matches to people. The meaning of a match can be subtle, and not what people expect. See my other comment for gory details about that.

    • Carl Walsh says:

      Agreed, this feature is a really great idea, but you should definitely let me scan the 200 items in my vault. I already found that one of my older gmail account passwords was compromised — time to change it!

    • Kate Sebald says:

      Hey Carl! I’m glad you are enjoying it and already fixing up pwned passwords to boot! Way to go! 😊 As a few of us have mentioned before, we do want to flesh this out into a full-fledged feature. Since we wanted to get this proof of concept ready quickly and keep its impact on Troy’s service to a minimum, sticking with one-by-one was the best way to accomplish both of these tasks, but making checking everything much less tedious is certainly on the wish list for The Real Deal.

      Still, if you’re up for a few clicks now and again, I’d definitely encourage you to keep at it now. Even fixing up one or two pwned passwords is a huge improvement and you’ll get through them all before you know it fixing up a few a day. There’s no rule saying you have to fix all of them at once, after all. Personally, I’ve been trying to check a few each time I sign on to 1Password.com. This way I can gradually make my way through them without wearing out my mouse button (and my sanity) in a single go. 👍

    • Temptin says:

      Hey Dave Teare, etc – keep this in mind: Troy released all of the SHA1 password hashes as a ~9 GB torrent (see his blog post). It would be trivial to put that in a database and do a query for all entries LIKE "1BD3F%" to get all matches yourselves. You could download that and host the password quality checker service on 1Password.com. That way you don’t hammer Troy’s “free server”, and you can ensure the privacy is truly maximal. ;-)

    • Kate Sebald says:

      Hey Temptin! First off, thanks for sharing your ideas! This is definitely a challenge we’ll need to overcome before we can bring this feature to the apps, so thoughts are always welcome. 😊 I’ll leave the technical details to those better qualified, but one concern with this method comes with updates to the database. We’d need to update on our end every time Troy adds anything on his end. We’d need to make sure we’d be able to make those updates while keeping any downtime to a minimum and preferably with as little delay between Troy’s update and ours as possible. Pitfalls aside, this would be a lovely way to deal with potential hammering of Troy’s server, if it’s feasible with how the system is set up right now (and it may be – I just don’t know enough to say for sure whether that’s the case). It’s definitely something where we want to get creative, so thanks again for sharing and keep the ideas coming if you’ve got ’em.💕

    • Temptin says:

      Oh and to speed up the database, instead of a stupid LIKE-query (I am stupid), you could just put the first 5 digits in a separate database column, and create a MySQL INDEX on that column. That way lookups for all rows that have the given 5-character prefix is gonna be ultra fast via some binary tree search magic in the SQL engine. :-)
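The self-hosted variant Temptin sketches in these two comments (load the published hash file, keep the first five hex characters in their own column, index that column), as an added example in Python with SQLite. This is not 1Password's code and nothing here is from Troy Hunt's data: the hash lines are constructed from made-up passwords, and the table and index names are my own choice. The lines use the same `HASH:COUNT` shape as the downloadable file.

```python
import hashlib
import sqlite3


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for lines of the downloadable hash file ('SHA1HASH:COUNT').
# The passwords and counts are made up for the demo.
CONSTRUCTED_HASH_LINES = [
    f"{sha1_hex(pw)}:{seen}"
    for pw, seen in [("password", 3), ("123456", 5), ("letmein", 1), ("hunter2", 2)]
]


def open_prefix_db() -> sqlite3.Connection:
    """Create the table with the k-anonymity bucket key (prefix) as its own column."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE pwned ("
        "  prefix TEXT NOT NULL,"    # first 5 hex characters, what the client sends
        "  suffix TEXT NOT NULL,"    # remaining 35 hex characters, what the server returns
        "  count  INTEGER NOT NULL)"  # how often the hash appeared in breaches
    )
    # With this index a 'WHERE prefix = ?' lookup is a B-tree search rather than a
    # scan of every row; listing suffix as well makes it a covering index, so the
    # range query never has to touch the table itself.
    con.execute("CREATE INDEX idx_pwned_prefix ON pwned(prefix, suffix)")
    return con


def import_hash_lines(con: sqlite3.Connection, lines) -> int:
    """Parse 'HASH:COUNT' lines into (prefix, suffix, count) rows; returns rows inserted."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        digest = digest.upper()
        if len(digest) != 40:
            raise ValueError(f"bad hash line: {line!r}")
        int(digest, 16)  # raises ValueError if the digest is not hex
        rows.append((digest[:5], digest[5:], int(count or 1)))
    con.executemany("INSERT INTO pwned(prefix, suffix, count) VALUES (?, ?, ?)", rows)
    con.commit()
    return len(rows)


def range_lookup(con: sqlite3.Connection, prefix: str):
    """Server side of a range query: every (suffix, count) stored under a 5-char prefix."""
    prefix = prefix.upper()
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return con.execute(
        "SELECT suffix, count FROM pwned WHERE prefix = ? ORDER BY suffix", (prefix,)
    ).fetchall()


def lookup_plan(con: sqlite3.Connection) -> str:
    """SQLite's own description of how it runs the range query; it should name the index."""
    rows = con.execute(
        "EXPLAIN QUERY PLAN SELECT suffix, count FROM pwned WHERE prefix = ?", ("00000",)
    ).fetchall()
    return " ".join(str(r[-1]) for r in rows)


if __name__ == "__main__":
    con = open_prefix_db()
    print("imported", import_hash_lines(con, CONSTRUCTED_HASH_LINES), "rows")
    print("range 5BAA6 ->", range_lookup(con, "5BAA6"))
    print("plan:", lookup_plan(con))
```

The `EXPLAIN QUERY PLAN` output is the check a practitioner would want before loading a multi-gigabyte file: if the plan says the lookup scans the table rather than using the index, the prefix column or its index is wrong and every range request will be slow.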

    • eric p says:

      How do you check a password cause pretty sure that’s not how services I use are set up? If you check my password how do you keep it safe? Anyway I want the companies directly from the company as its own service to tell me if my site has been penned by device I.d that would be the only way your service was legitimate!! I find it Illegitimate your way!! Thanks for your explanation in advance!! Do I leave my email at the bottom? 💯

    • Kate Sebald says:

      Hello Eric! Those are great questions! We keep your password safe by not sending it anywhere at all. Instead, what we do is hash your password. That means, we transform your password using math into a bunch of gibberish. On the other side, Troy Hunt’s service uses the same math to transform the compromised passwords. This math only works one way, so the formula can’t be used to transform the hash back into your password. Because we and Troy use the same formula to hash your passwords, we can compare the hashes, rather than the passwords themselves, and determine if there’s a match. This means no actual passwords are sent anywhere, but we can still tell if your password is part of the Pwned Passwords database.

      As for checking this against our own database, we didn’t see any reason to do that. Troy Hunt is a respected security researcher and has been running his free Pwned Passwords service for years. He has our utmost respect and admiration, and that of the security community at large, and we’d not be able to create a better database than what he’s already built. If anything, having his service as a part of this system increases the legitimacy of this feature and ensures it’s the absolute best it can be. 🙂

  1. Larry Nolan says:

    I agree with J.R. But I also want to give a cheer to Troy for the service and AgileBits for working to embed it into 1Password!

    • Dave Teare says:

      I agree! With both you and J.R. on how great this would be in Watchtower and about how great Troy is! 🙂

      Take care, 😘

      ++dave;

  2. Mikel Manitius says:

    This is cool and the implementation is indeed impressive.

    However, I’ve been following best practices for years and auto generating unique (to me) random passwords for each account using 1Password. Just knowing that somewhere out there exists another instance of my randomly generated password does not seem all that useful without additional context.

    Since the checking method is currently manual, it would be more helpful if I could just select my top accounts (perhaps the ones tagged “financial”) and just have Watchtower check those in the future.

    Perhaps a discussion on entropy and the likelihood that my 16 character randomly generated password could also be randomly generated by someone else could help put this in perspective.

    • Dave Teare says:

      Thank you, Mikel! I’m happy to hear you enjoyed what we’ve been working on for the last 24 hours. 🙂

      It’s also great to hear that you’ve been following best practices for years and using generated passwords. Given that you’re using 16 character random passwords the chance of someone else using the same password is incredibly low.

      What the actual chance of that happening is such an incredibly interesting question I couldn’t resist taking a stab at the math. Assuming you’re using 16 character passwords for all your sites and using a mix of uppercase and lowercase letters your available universe of generated passwords would be 62^16 ~= 4.7 x 10^28.

      If we assume every person on earth generated 100 passwords using the exact same attributes that you used, there would be 7 x 10^11 passwords created that you could potentially collide with. If I’m doing my math right, that gives a (7 x 10^11) / (4.7 x 10^28) chance of a collision, or 1.4 x 10^-15 percent chance. That feels like pretty good odds to me! You’re more likely to win the lottery a few hundred times. 🙂

      I’m going to ask Jeff Goldberg to jump in here and check my math but given how amazing exponential growth is, I don’t think you have anything to be worried about.

      With all that said, you’re right, Watchtower needs to learn this new trick and make it easier for you to find passwords that appear in Troy’s database.

      Take care and have yourself a wonderful night! Hopefully I’ve given you some good things to dream about. 🙂🛌💤

      ++dave;

    • Dave Teare says:

      As I think about this more, the chance is higher than a simple division between the two universe sizes. You’re actually choosing one from the universe of generated passwords (62^16 ~= 4.7 x 10^28), which gives a 1/(4.7 x 10^28) chance of a collision for that one password. Then you repeat this 700 billion times (one hundred passwords for every one of the seven billion people on earth), and you need to sum that up. I believe that works out to be substantially higher than the number I proposed above, but I don’t remember enough about my university probability course to calculate it. Even so, given the massive universe size we’re dealing with, I still think you’re more likely to win the lottery multiple times, even without taking into consideration that not everyone in the world is using 1Password. At least not yet anyway. 🙂

      I have my 🍿ready for when Goldberg comes in and finishes the math for us. He’s a wizard at this stuff. Stay tuned and be sure to have some popcorn ready! 👀🙂

      ++dave;

    • Rob Yoder says:

      Hi, Mikel.

      You’re right about Watchtower. We definitely have ideas about how to make this a more useful addition to 1Password in the future. But since Troy announced this yesterday, we mostly just wanted to try it out and share it with everyone before it got too bogged down with future goals and ideal design considerations.

      Jeff partially addresses your unique password scenario in his comment below. As to a discussion of how likely it is for someone else to have generated the random password as you at different levels of entropy, that’s a bit harder to quantify.

      Of course if you know the entropy value then you know the probability of someone generating the same password as you at any given point in time. For example, a 16-character alphanumeric random password has about 95 bits of entropy, which means there’s about a 1 in 47,700,000,000,000,000,000,000,000,000 (62^16) chance that I would randomly generate that password in one shot if I start with the same parameters.

      But let’s say that there are 7,000,000,000 people in the world and each of them has 1000 online accounts and uses a different 16-character alphanumeric passwords for each one. Now the odds are up to about 1 in 6,810,000,000,000,000 that someone in the world has the same password as you. Obviously, that’s a horrible estimate for many reasons, and the odds are much lower than that, but you can see how unlikely it is.

      So if you have a randomly generated alphanumeric password over 10 characters that shows up as pwned, it is almost certain that it was your account. It also most likely indicates that the password was stolen without repeatedly guessing. Perhaps it was stored in an online database in plain text or it was intercepted in some other way, so it would be interesting to note what the password was used for and determine how the theft might have happened.

    • Jeffrey Goldberg says:

      I consider this question a birthday present, although paradoxically it is nowhere near my birthday.

      The short answer is that the chances of a collision are astronomically small. (Does “astronomically small” make sense? “Atomically small”?). Dave’s answer is (pretty much) correct. Given the assumptions he makes, the chance that one of your 16 character generated passwords would collide with someone else’s is on the order of 10⁻¹⁷. (My calculation came up differently than Dave’s, but what’s a few hundred billion among friends.)

      But now suppose that we asked a different question. The question we did ask was (correctly) about the chances that a given one of your passwords would collide with some other password generated that way. But suppose we were to ask about the chances that among all of the 700 billion passwords generated that way, there is some pair that collide.

      In this revised question (which really isn’t relevant to the situation) we are not looking at a particular password and seeing if there is another match, we are looking for any matches at all with any password. This is like taking a room full of, say 25 people, and asking what the chances are that there is some pair of people in the room with the same birthday. Most people (who haven’t encountered this before) will suspect that the chances of a birthday collision is pretty small, but it turns out to be greater than 1/2.

      Among the 700 billion passwords generated as 16 letters and digits, there is about a 1 in 200,000 chance of there being a collision. Somewhere among those 700 billion there is a small, but not astronomically small, chance that there is a collision. But, of course, the chances that your particular password will be involved in a collision remains astronomically small.

    • Temptin says:

      There’s a much easier way to check your math: https://www.grc.com/haystack.htm

      I entered a random 16-character pass (aA123457gd343432) with upper, lower and digits.

      It gives me:

      There are 62 possible glyphs per character. (a-z A-Z 0-9)
      Counting all passwords from 1 to 16 characters long with those glyphs, there are a total possibility of 48,453,916,488,902,607,769,120,106,730 different passwords (that’s 4.85 x 10^28).

      So no, I don’t think someone is going to get the same password as you. ;-)

      Bonus: Assuming someone is able to run a cracker that tries one hundred trillion guesses per second, it would take 1.54 hundred thousand centuries to find your 16-character password. (Most fast “enthusiastic hacker” level cracking software these days runs at perhaps 1600 million guesses per second assuming a couple of GPUs or FPGAs cracking all at once).

      You’re. Safe.
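The numbers in Dave's, Rob's, Jeffrey's and Temptin's comments above, recomputed as an added Python example (not part of the original thread). It uses the thread's own assumptions: a 62-character alphabet, 16-character passwords, 7 billion people with 100 (or 1000) passwords each, and a 10^14 guesses-per-second cracker. The birthday-problem formula is the standard 1 - exp(-n(n-1)/2N) approximation, which is my choice of method, not Jeffrey's.

```python
import math

ALPHABET_SIZE = 62                      # a-z, A-Z, 0-9
LENGTH = 16
UNIVERSE = ALPHABET_SIZE ** LENGTH      # exact integer 62^16, about 4.77 x 10^28


def targeted_collision_probability(other_passwords: int, universe: int = UNIVERSE) -> float:
    """Chance that ONE specific random password equals any of `other_passwords`
    independently generated ones. The exact value is 1 - (1 - 1/N)^n; for n << N
    it agrees with the plain division n/N to every digit a float can hold."""
    return other_passwords / universe


def any_collision_probability(n: int, universe: int = UNIVERSE) -> float:
    """Birthday problem: chance that SOME pair among n random passwords collides.
    Uses 1 - exp(-n(n-1)/(2N)); expm1 keeps precision when the result is tiny."""
    return -math.expm1(-(n * (n - 1)) / (2 * universe))


def total_passwords_up_to(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Size of the 'haystack': every password of length 1..length, as an exact
    integer geometric sum a + a^2 + ... + a^length."""
    return (alphabet_size ** (length + 1) - alphabet_size) // (alphabet_size - 1)


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock centuries to try every password in `space` at a given guess rate."""
    seconds = space / guesses_per_second
    return seconds / (365.25 * 24 * 3600) / 100


if __name__ == "__main__":
    hundred_each = 7_000_000_000 * 100          # Dave's and Jeffrey's scenario
    thousand_each = 7_000_000_000 * 1000        # Rob's scenario
    print(f"one password vs {hundred_each:.0e} others: {targeted_collision_probability(hundred_each):.2e}")
    print(f"one password vs {thousand_each:.0e} others: 1 in {1 / targeted_collision_probability(thousand_each):,.0f}")
    print(f"any pair among {hundred_each:.0e}: 1 in {1 / any_collision_probability(hundred_each):,.0f}")
    haystack = total_passwords_up_to(LENGTH)
    print(f"haystack size: {haystack:,}")
    print(f"centuries at 1e14 guesses/s: {centuries_to_exhaust(haystack, 1e14):.3g}")
```

The distinction Jeffrey draws is visible in the two results: the targeted probability scales with n, the any-pair probability with n², which is why the second is about eleven orders of magnitude larger while still being small.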

  3. Jeffrey Goldberg says:

    I’d like to follow up by trying to answer a remarkably tricky question that some people will be asking (and everyone else should be asking): What does it mean if my password, P, for service S is on the list?

    Quick overview

    1. P is not on the list. Yay! That is good news.
    2. P is on the list, and P isn’t very strong. No need to panic. It is probably not your account that has been compromised, but you should change P along with other weak passwords because they are weak.
    3. P is on the list and P is very strong. Change the password immediately. It is likely that your account credentials have been compromised.

    Now for the longer explanation

    Case 1: P is not in HIBP dataset

    First, let’s take the simple case. If your password, P, is not in the HIBP data, that is good news. It is both “good” and “news”. Finding that P is not on the list tells you good things about P. You can be more confident in P than you were before checking.

    Case 2: P is in HIBP dataset and P isn’t strong

    If you find that P is on the list, it definitely isn’t good, but may not be news. If P is weak (or created by a human) it is likely that lots of other people use the same password. People are not very good at being random, especially when they are trying to be random. And so P might be on the list because it appeared in a password breach that didn’t involve your account on service S.

    This odd case comes about because the HIBP list is so large. Any password that is likely to have ever been used by more than a tiny handful of people on the planet can easily end up on such a large list. So there is a fair chance that the instance of the password that ended up on the list isn’t from your use of it.

    But you should change P because it is weak. Use our Strong Password Generator to create a strong and unique password for that Service. You should be doing this for weak passwords anyway, and so P’s appearance on the list doesn’t really give you much new information. But if it helps you notice some of your weaker passwords and encourages you to change them to strong, randomly generated ones that is definitely a good thing.

    You should be changing your weaker passwords as a matter of course, but if you are like most people, you will have plenty of them left over from the days before you started to use 1Password’s Strong Password Generator. Spend some time each week improving on these. It may be too daunting of a task to do all at once, but even fixing one or two weak passwords at a time will improve your security.

    Case 3: P is in HIBP and P is very strong

    Change your password for the service on which you use P immediately!

    This is bad news. It is both bad and news. And you should change your password for the service, S, you use it for immediately. A strong randomly generated password is very unlikely to be used by anyone else. So if P is strong and random and found in HIBP, then it almost certainly comes from a breach involving your account on S (assuming you only use it on S).

    Now because P is strong, it is unlikely to have been cracked, but it could have been captured in other ways (transmission over HTTP instead of HTTPS, stored as plaintext by S, or something else). But it does indicate bad news.

    Matters of degree.

    I’ve been using words like “strong” and “weak” and “unlikely” and “likely” without specifying what counts as what. And I’m going to continue to remain vague. There are no easy measures of these and there are no magical cut-offs separating those categories, and so understanding what it means to find a password you use on the HIBP list is also a matter of degree. Life (and security) doesn’t give us absolutes.

    -j
    Chief Defender Against the Dark Arts @ AgileBits

    • Shiner says:

      I am sorry to hear that it is not working for you. I must admit that I’ve not had a chance to give the latest macOS High Sierra beta at try, so I can’t be sure if it is something specific to that version. I’ll see if anyone on my team is using that version and find out if they run into the same problem. Does it flicker for you when you enter the magic keyboard sequence, or when trying to view the password menu options?

  4. Gerard Robert says:

    I have 1P 6.8.6 on my iMac and my MB Pro, both running the latest version of High Sierra and I cannot get past step 2: Click Open Vault to view the items in a vault, then click an item to see its details. Feel like a bit of an ass asking how to do this, but there it is.

    • Shiner says:

      For now the Check Password feature is limited to the 1Password web client, and is not yet in the 1Password apps. When I saw Troy’s post, I wanted to make this feature available as soon as possible and this was simply the quickest way to do so.

      We plan on adding this feature to Watchtower in the 1Password client apps, like 1Password for Mac as we move forward. In fact, once this is in the client apps we should be able to take it further than we do today, showing all of your pwned passwords in a single view. That will make it even more convenient, and I can’t wait until we get there.

      If you have a 1Password.com membership and want to give it a try today, you can start by signing in to your account on 1Password.com using your favourite browser. Once there, you should see your vaults on the Home page and be able to click on one to open and view your items.

      Keep an eye on our blog for upcoming announcements as we roll this out further.

  5. Tim O says:

    AgileGents/Ladies – This is absolutely fantastic work. Thanks for rolling it out when/how you did. You continue to impress with your dedication to security. The service you are providing is now that much more useful than when I started just a couple of months ago. Makes it an even easier sell with friends/family. Thanks again!

    • Shiner says:

      Thank you Tim!

      I have to admit that the last 24 hours was a bit of a whirlwind, but it was as fun to build as it was exciting to see it working.

      We are always looking for ways to keep you more secure and make 1Password better. Troy’s new service was a great example of a way to do so, and one we couldn’t pass up. Hopefully in a few months you’ll be able to look back again and see that we’ve made 1Password even more useful than it is today. 😀

    • Shiner says:

      Grazie!

      I am tempted to leave it at just that as I thought it would be fun to match yours.😆

      But, you’ve been such an amazing supporter of ours over the years that I can’t bring myself to answer with just 7 characters. Thank you for all your help and support over all these years. 🧡

    • Shiner says:

      Thanks Ricky,

      Watchtower has a number of useful security tools to help keep your passwords safe. Checking for duplicate passwords is perhaps the most important of those tools. If each account has a different password, it means that a breach of one account can’t put your other accounts at risk.

      While the Check Password feature is limited to the 1Password web client for now, we are planning on adding it to Watchtower and our 1Password apps in the future. I hope you’ll give both Watchtower and our new Check Password feature a try!

  6. David says:

    Love your work – very impressive. However, I’m a little bit wary of attempting to calculate the probability of password collisions purely on the math associated with the password itself. The thing is that the two colliding passwords in this case are generated by (possibly the same) software, so it seems to me that it’s at least as much about the quality of the randomness in the generator as it is about the eventual result. If the generator is deterministic enough, we’ll have collisions with a much higher frequency than for those generated with a truly random generator. So: how good is the randomness of the 1Password generator?

    • Jeffrey Goldberg says:

      Well spotted, David! All of what we’ve said depends on the quality of the random number generator.

      All of the math assumes that the generated passwords are uniformly distributed among the set of all possible generated passwords (of same length and constraints). That is why we use a cryptographically appropriate RNG for these and take care (such as addressing the modulo bias) to get a uniform distribution.

      All modern operating systems provide good means for applications to get random bytes that are suitable for cryptographic purposes. This wasn’t always the case, but now it is fairly easy to do things right. It is still possible to accidentally use the wrong random number generator, but we have a development policy of using cryptographically secure random number generators everywhere, even where they aren’t necessary. This reduces the opportunity to make a programming error of picking the wrong one as we only ever use the right one. In fact this was a “quiz” question for our developers during some recent training.

      What RNG should our developers use?
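The two points in Jeffrey's reply, a cryptographically secure source of randomness and uniform selection without modulo bias, as an added Python example. This is not 1Password's generator; it is my own illustration using the standard library's `secrets` module, and the 62-character alphabet matches the one used in the probability discussion above.

```python
import secrets
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 62 symbols


def biased_index(byte: int, n: int) -> int:
    """The WRONG way to map a random byte onto n symbols. 256 is not a multiple of
    62, so values 0..7 are produced by five byte values each and 8..61 by only
    four: the first eight symbols are 25% more likely than the rest."""
    return byte % n


def unbiased_index(n: int, draw=lambda: secrets.randbits(8)) -> int:
    """Rejection sampling: throw away bytes from the incomplete top bucket, so
    every accepted value maps onto 0..n-1 with exactly the same probability.
    `draw` defaults to the OS-backed CSPRNG behind `secrets`."""
    limit = 256 - (256 % n)      # largest multiple of n that fits in a byte (248 for 62)
    while True:
        b = draw()
        if b < limit:
            return b % n


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet` using the unbiased index."""
    return "".join(alphabet[unbiased_index(len(alphabet))] for _ in range(length))


def modulo_bias_histogram(n: int = 62) -> Counter:
    """Exhaustive count of how byte % n spreads the 256 byte values: exposes the bias."""
    return Counter(biased_index(b, n) for b in range(256))


def accepted_histogram(n: int = 62) -> Counter:
    """Same count restricted to the bytes rejection sampling accepts: perfectly flat."""
    limit = 256 - (256 % n)
    return Counter(b % n for b in range(limit))


if __name__ == "__main__":
    biased = modulo_bias_histogram()
    print("byte % 62 :", "index 0 ->", biased[0], "hits, index 61 ->", biased[61], "hits")
    flat = accepted_histogram()
    print("rejection :", "every index ->", set(flat.values()), "hits")
    print("sample password:", generate_password())
```

`secrets.choice(ALPHABET)` does the same rejection sampling internally and is the call to use in practice; the explicit version is here so the bias, and its removal, can be counted rather than taken on faith. The histograms are exhaustive over all 256 byte values, so the check is deterministic even though the generator itself is not.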
