Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match, the password is known to be leaked and should be changed.

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.
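A worked version of the flow described above, added here as an illustration and not 1Password's or Troy Hunt's own code: hash the password with SHA-1, send only the 5-character prefix, and compare the returned suffixes locally. The range service is replaced by a constructed in-memory stand-in so the example runs offline; the live endpoint URL in the comment is not taken from this page.

```python
import hashlib
from typing import Callable, Dict, List

PREFIX_LEN = 5  # only the first 5 hex characters of the 40-character SHA-1 ever leave the machine


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str):
    """Split a 40-char hash into the 5-char prefix that is sent and the 35-char suffix that is not."""
    return hex_digest[:PREFIX_LEN], hex_digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the dataset (0 = not found).
    fetch_range receives only the prefix; the full hash is compared locally, so
    neither the service nor an eavesdropper learns the password or the result."""
    prefix, suffix = split_hash(sha1_hex(password))
    candidates = parse_range_response(fetch_range(prefix))
    return candidates.get(suffix, 0)


def fake_range_service(leaked: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the range endpoint: answers a prefix query with the
    suffixes (and breach counts) of every leaked password whose hash starts with it."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        p, s = split_hash(sha1_hex(pw))
        by_prefix.setdefault(p, []).append(f"{s}:{count}")

    def fetch(prefix: str) -> str:
        # A real client would instead HTTP GET https://api.pwnedpasswords.com/range/<prefix>
        # (endpoint not named on this page) and return the response body unchanged.
        return "\r\n".join(by_prefix.get(prefix.upper(), []))

    return fetch


if __name__ == "__main__":
    # Constructed sample dataset with made-up breach counts.
    service = fake_range_service({"password": 3_000_000, "letmein": 250_000})
    for candidate in ("password", "correct horse battery staple"):
        n = check_password(candidate, service)
        print(candidate, "-> pwned" if n else "-> not in dataset", n)
```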

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

92 replies
  1. Judith Wilson-Pates
    Judith Wilson-Pates says:

    I seem to be having the same problem as Diane Ross. I logged into my 1P account from Safari 11.03 on my iMac, which is running OS X 10.13.3. At step 3, when I enter the magic keyboard combo the concealed password becomes revealed. But “Check Password” and the other options don’t appear. I’d really like to use this feature, as I just got a warning yesterday about a compromised username and password from a publication to which I subscribe.

    • Shiner
      Shiner says:

      Hi Judith,

      How odd. I am also on 10.13.3, using Safari 11.0.3 and am not running into any trouble. You may want to check that the magic keyboard sequence Shift-Control-Option-C is being entered correctly. We might have made that sequence a bit too difficult in our attempts to find one that wouldn’t be entered randomly, or overwrite common shortcuts. I had trouble entering it myself the first few tries. 😬

      I’d love to figure out what is happening and am going to send you an email directly to request more detailed information and see if we can figure out why it is not working.

      However, given that you already received a warning about a compromised account, I would recommend changing the password to that account straight away.

  2. Peter
    Peter says:

    I appreciate that you wouldn’t implement anything unless it was private and secure.

    But given the quick deployment of this feature, can you speak to your QA process to ensure that it is not introducing any unexpected vulnerabilities?

    Thank you.

    • Shiner
      Shiner says:

      Hi Peter, excellent question!

      When I read through Troy’s post, and in particular the “Cloudflare, Privacy and k-Anonymity” section, I realized that we should be able to integrate this into 1Password while keeping your passwords secure. This led to a flurry of activity over the next 24 hours with the final result being the live POC you saw today. I’ll take you through some of the more important steps that we took in those 24 hours.

      The first step was to have a POC of the POC. 😁 Could we, in our local development environment, call out to Troy’s service passing only the first 5 characters of the hash, get the list of pwned hashes, and determine if your password was known or not? Our crack development team of Rob and Rick got this done in no time flat.

      Knowing that the POC was feasible, we set out to determine if it was something we should do. I reached out to Jeffrey Goldberg, our Defender Against the Dark Arts and security lead, to ensure the concept was safe. We submitted the code changes of our actual implementation so that it could be code reviewed and approved by our team, and we started testing the POC locally.

      In parallel, we started getting the blog post ready so we could share this with everyone when done. Getting a blog post ready is a surprisingly large amount of work. I created the first draft of the post myself, but then quickly involved others to turn my gobbledygook into readable English. 😆 Our designers started to work on the artwork that helps tremendously in getting some of the tougher concepts across. (I am truly amazed at the skill of our design team.)

      One additional privacy concern we considered was how to release this feature. Because this feature integrates with Troy’s service, we wanted to make sure people using this knew that a non-1Password service was involved. We aren’t sending enough information to put any passwords at risk, but our approach has always erred on the side of over-communication. This led to our magic (and perhaps confusing) key sequence to unlock the POC. This character sequence makes sure that a person who is using 1Password doesn’t see the Check Password button without first reading the post and understanding its purpose, and how it works.

      With the concept approved, the code reviewed and the post underway, we released this POC to our formal test environment. We have well over 1000 automated tests, as well as our human testing that is performed there. We built a special release where the only change was this POC and that allowed us to test and release this quicker than we normally might.

      It was certainly a busy 24 hours to get this feature live, and most of the above happened in parallel to get this done, but we did so carefully and had a great time doing so. I have to admit that I work with a great team of folks here, and am pretty proud of what they were able to accomplish.

      To be honest, there was never much risk from a security perspective, as all we were really sending was the first 5 characters of the hash of the password. That is not to say that all our testing efforts weren’t required, but rather that the risk itself was showing an incorrect result. Even so, this would have been pretty bad as a false positive could cause a lot of people to worry needlessly.

      Thanks again for your question. I love that you were curious about our process and never stop challenging us on security! :)

    • Kate Sebald
      Kate Sebald says:

      I’m glad to hear it, Thomas, and thanks for your words of support! We’ve had a few suggestions in the past to integrate the previous iteration of haveibeenpwned into 1Password, so I was bouncing in my chair a bit when Jeff told us it was going to happen. This is only a proof of concept for now, so I’m excited to see how it will evolve in the future. 😊

  3. Kent McPherson
    Kent McPherson says:

    I have the latest version on my iMac (6.8.7) but I cannot get the Check Password option to come up. I press Shift-Ctrl-Option-C but the Check Password option never shows up. What am I doing wrong?

    • Kate Sebald
      Kate Sebald says:

      Hey Kent! As Jeff mentioned in this comment this feature is only available on right now. We were just entirely too excited about the possibilities here to wait to share it with y’all until we were able to get it into the apps. Adding it to was a great way to make sure as many folks as possible could give it a try right away since it’s available across operating systems. Like Jeff said, though, we do want to bring this to client apps down the line, but adding a new feature to 4 different apps (5, including 1Password X), takes quite a bit longer than the just over 24 hours we had given ourselves to build this, so it will be something to look forward to down the road. 😊

  4. Shawn Starbird
    Shawn Starbird says:

    This is an amazing first step! Can’t wait to see what you do with this.

    Also, I’m sure you’re thinking of it, but it would be great if we had a way that showed duplicate passwords highlighted. For instance, you use P@ssw0rd on and on Google. Highlight that, even if not part of a breach.

    Thanks again!

    • Kate Sebald
      Kate Sebald says:

      Hey Shawn! I’m glad you’re excited about this first step. Jeff and team were pretty sneaky about putting this together, so I was as amazed as you when we started working on this post and am really looking forward to seeing what’s next myself.

      As for duplicate passwords, that’s actually already part of Security Audit, which is available already in 1Password for Mac and will be coming to 1Password for Windows in a future update. If you’ve got a Mac in your 1Password ecosystem, expand Security Audit in the sidebar of the main app, then click Duplicate Passwords for a list of those pesky dupes. While you’re there, you can seize the opportunity to sign in to those sites and change those passwords to nice, unique, generated passwords, too. If you don’t see Security Audit right away, mouse over the empty space at the bottom of the sidebar and you should see it pop up with a Show button nearby to keep it visible. Give it a try, if you’d like, and let me know if you have any questions. 😊

  5. Renaud
    Renaud says:

    You’ve been incredibly quick on this one – congrats!!

    Just thinking that Troy would probably be most grateful if in the long run, you hosted your own copy of the list for your app to use. His API will be hit quite hard otherwise and in his blog post he mentioned how he was trying to keep costs down. On the other hand, it seems like Cloudflare is helping him out for free, but I guess it’s also better for you not to rely on external services too much !

    • Kate Sebald
      Kate Sebald says:

      Thank you so much, Renaud! It was quite a hectic day (and then some) for the team putting this together for sure. When I saw Troy’s announcement, I was considering how best to handle the requests to integrate his service I thought were likely to pop up, and before I knew it Jeff was talking about a blog post to announce it had already been done. I gave it a try in our test environment and was completely blown away. Jeff and team deserve a truly epic slow clap for putting this all together so quickly. 👏

      The team definitely had potential strain on Troy’s infrastructure in mind when they were building this out. It’s one reason this is done one-by-one right now. We didn’t want Troy to fall victim to the internet security equivalent of the Slashdot effect (or the “reddit hug of death” in the vernacular of my generation). As this feature evolves, we’ll definitely have to be mindful of how future changes will affect Troy and consider alternatives to the current implementation as needed. After all, Troy’s efforts are helping way more than just 1Password users and we definitely want him to continue thriving. 😊

  6. Jason Kratz
    Jason Kratz says:

    Think it needs to be made clear (because it wasn’t to me) that you only need to hit the magic key combo once (per session? I know I don’t have to do it for every login I select while in a session). I read someone mentioning that the buttons were flickering, which is what happened to me because I was holding down the keys while trying to click the buttons.

    • Kate Sebald
      Kate Sebald says:

      Hey Jason! I actually fell victim to the exact same thing. When I was first trying this out, I was running back and forth between my Mac and my PC because I couldn’t get it to work. Turned out it was one of those problems that exists between keyboard and chair (y’know, me) and my repeated magic combo spamming was the problem. Definitely something to keep in mind as this proof of concept grows into a full-fledged feature. Thanks for the feedback! 😊

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hello Ed. You are right to be wary of online password strength or checking services. But we would not have introduced or used this service if it posed a risk.

      Through the magic of mathematics, all of this password checking happens

      1. without us learning anything about your password
      2. without HIBP learning your password
      3. without anyone listening into the connection learning your password.

      It’s not just that they don’t learn your password; they don’t learn anything that would allow them to figure out your password.

      We don’t know your password

      As for keeping things private from us (1), all of the encryption and decryption happens only on your machine with secrets derived from your Master Password. Although you can view your 1Password data in a web browser, it is actually running in a web client on your machine. Our servers never see your decrypted data.

      A good place to start to learn more about 1Password’s security is at That will introduce things, and point you to more detail for whatever depth you would like to dig into this.

      So you are running 1Password on your computer (in your web browser). Your password is only decrypted on your computer and it is your computer that is talking to Have I Been Pwned (HIBP).

      HIBP can’t learn your password

      This leads us to point (2). How can your computer talk to HIBP to do this kind of lookup without revealing your password to HIBP?

      The details are briefly discussed in our article, and there is more detail in Troy Hunt’s announcement, but it works something like this. Suppose your password is “2B||!2BTitQ”; the SHA1 hash of that is “3bcb4b9aa6842c658606b405eb1200551610557b”. One of the things about these cryptographic hash functions is that if your password were even slightly different, you would have a completely different hash.

      But sending the full hash to HIBP wouldn’t be secure, because people can use the hash to test guesses at your password. Instead what gets sent is just the very first part of the hash. It would be “3bcb4”. That just isn’t enough information to engage in password cracking (testing guesses against hashes). So 1Password (operating on your machine in your web browser) only sends that short piece of the hash.

      That will probably match many full hashes stored by HIBP, and it is that list of hashes that HIBP sends back to you (to 1Password running on your machine). So now 1Password on your computer has a list of hashes that begin with “3bcb4” from HIBP. 1Password will then see if any of those are “3bcb4b9aa6842c658606b405eb1200551610557b”. If any of them are, 1Password can let you know that your password is in the HIBP dataset.

      One really clever thing about this is that HIBP doesn’t even learn whether there was a match. This is because the final computation and check is performed within 1Password running on your machine.

      An eavesdropper can’t learn your password

      Finally, anyone able to break the TLS connection between your machine and HIBP, and so able to listen in to your network communication (point 3), gains no more information than HIBP learns. So such an eavesdropper doesn’t learn anything either.

      Anyway, I hope that this helps to reassure you that this service is safe.

  7. Ameno Osman
    Ameno Osman says:

    Hot damn! Now I never need to convince someone that their password is whack. This is a kick-ass feature and I can’t wait to see it make its way to all the other 1Password clients!!

    • Kate Sebald
      Kate Sebald says:

      Hey Ameno! Humans can be stubborn so some may still require a bit of convincing, but I’m glad this can serve as a handy tool to argue your point. I hope you’re able to use it to great effect to convince folks that their passwords need a little love. In the meantime, I’ll be right there with you impatiently waiting for this to put in an appearance in my Windows app. 😊

    • Kate Sebald
      Kate Sebald says:

      Hey Joshua! Just so you know off the bat, this is only available on right now, not in any of the desktop apps. We were so excited to share this, we couldn’t wait until we were able to update all of the apps. Sign in to your account in your browser to give it a try. 👍

      Still, this keyboard combination shouldn’t be crashing your Windows app. I tried it myself, just to double check, and wasn’t able to get the app to crash. We’d like to take a look to see why you’re experiencing this. Could you generate a diagnostics report from the PC where you’re experiencing this crash and send it over to so we can investigate? This way we can figure out what’s causing it and get it fixed up for you. Thanks! 😊
