Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.
We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:
What’s even more fun than watching this video is giving it a try yourself. 🙂
Checking your passwords
This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:
- Sign in to your account on 1Password.com.
- Click Open Vault to view the items in a vault, then click an item to see its details.
- Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
- Click the Check Password button that appears next to your password.
Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.
In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.
As cool as this new feature is, we would never add it to 1Password unless it was private and secure.
Keep your passwords private and secure
Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂
Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.
I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.
Hopefully you’re as intrigued about how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!
How it works
Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.
To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match, the password is known to have been leaked and should be changed.
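The three steps above, written out as an added Python example (this is not 1Password’s code, nor Troy Hunt’s): hash locally with SHA-1, send only the five-character prefix, and compare the returned bucket against the full hash on the client. The live endpoint URL is an assumption taken from the Pwned Passwords v2 API rather than from this post, and the server’s response is replaced by a constructed bucket so the example runs offline; the breach counts in it are made up. The last function goes slightly beyond the text by quantifying the privacy property: with 500 million hashes spread over 16^5 prefixes, each bucket holds a few hundred candidates, which is what keeps the server from learning which one is yours.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Assumption: the v2 range endpoint as documented by Troy Hunt; the post
# itself never names the URL.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
PREFIX_LEN = 5  # only these five hex characters ever leave the client


def sha1_hex(password: str) -> str:
    """Step 1: hash the password locally; 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Step 2: the 5-char prefix is sent; the 35-char suffix stays local."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' per line (CRLF or LF)."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Step 3: fetch the bucket for the prefix, then compare the full suffix
    locally. Returns how often the hash was seen in breaches, 0 if never."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Fetcher for the real service (needs network; not used in the demo)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as r:
        return r.read().decode("utf-8")


# Constructed stand-in for the server: a fake bucket for prefix 5BAA6.
# The second suffix completes SHA-1("password"); all counts are made up.
CONSTRUCTED_BUCKETS = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "DE8B0A6C8E2E9A2F0D6B3F0D9B1E1C2D3E4:12",
    ]),
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline fetcher: unknown prefixes get an empty bucket."""
    return CONSTRUCTED_BUCKETS.get(prefix, "")


def bucket_size_estimate(total_hashes: int = 500_000_000) -> float:
    """Average candidates per 5-hex-char bucket: the k in k-anonymity."""
    return total_hashes / 16 ** PREFIX_LEN


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, constructed_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in bucket'}")
    print(f"~{bucket_size_estimate():.0f} hashes per bucket on average")
```

Swapping `constructed_fetch_range` for `live_fetch_range` queries the real service; the point to notice is that `pwned_count` never hands the full digest, let alone the password, to the fetcher.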
Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.
Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎
A thank you to Troy Hunt
Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.
Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.
Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂