Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hexadecimal hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally, on your device, to see if it contains the full hash of your password. If there is a match, then we know this password is known and should be changed.
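The exchange described above, as an added example that is not 1Password’s code: a simulated server that only ever sees a 5-character prefix, and a client that hashes locally, sends the prefix, and matches the remaining 35 characters itself. The breach corpus, counts, and the `SUFFIX:COUNT` line format are constructed for this example; the live service is not called.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the breach database. Only the "server" side
# holds this; the real service stores hundreds of millions of SHA-1
# hashes with a count of how often each one appeared in breaches.
_LEAKED = {"password": 3_000_000, "qwerty123": 120_000, "letmein": 50_000}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase 40-character hex SHA-1 digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Simulated server: receives ONLY a 5-character prefix and returns
    every known hash that shares it as 'SUFFIX:COUNT' lines (constructed
    format for this example). It never sees a full hash."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("range query must be exactly 5 uppercase hex chars")
    lines = []
    for pw, count in _LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {35-char suffix: breach count}."""
    found: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        found[suffix.upper()] = int(count) if count.isdigit() else 0
    return found


def check_password(password: str,
                   fetch: Callable[[str], str] = range_response) -> int:
    """Return how many times the password appears in the breach data (0 if
    not found). Only the 5-character prefix is handed to `fetch`; the
    suffix comparison happens locally, so the full hash never leaves."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        hits = check_password(candidate)
        verdict = f"pwned ({hits} times)" if hits else "not in the list"
        print(f"{candidate!r}: {verdict}")
```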

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

  1. MM says:

    Pen and Paper, unhackable 2018 onwards forever.
    Never share – never lose, use only safe-side* of the internet and you are good to go even without anti-virus (on Windows 10).

    • Kate Sebald says:

      I was actually a (partial) pen and paper gal for a long time before I used 1Password. Stuff that didn’t matter to me was saved by my browser and the stuff I was worried about went on a piece of paper locked in my desk. It worked for a time, but for me, it’s a genuine miracle I never lost that paper. Plus, I never wanted to travel with it since the risk of my losing something only increases in an unfamiliar environment and the idea of hotel staff stumbling on it was just horrifying. I thankfully never needed to access those accounts while I was out of town, but I did worry it could happen every time I left that paper behind.

      With 1Password, my passwords are safely encrypted, accessible wherever I need them, and now I can check them against Troy’s awesome service to boot. I’m happy to have tossed out that piece of paper for good. Everyone has their own methods, though, and so long as you’re using strong, unique and random passwords for every site, I’d say you’re doing just fine. For folks like me who need something a little more, I’m glad 1Password is here to help. 😊

  2. Matthias Otto says:

    This is fantastic! Can’t wait to use this!

    I am thinking this further and am wondering whether you would consider tying this into the Password Strength indicator itself. The idea behind this is: even a super long and complex PW is “Weak” if it’s known.

    • Kate Sebald says:

      Hey Matthias! I’m glad you’re excited about trying it out! I was a bit over-excited myself and was mashing buttons a bit too quickly for the poor web app to keep up. 😳 This is only a proof of concept, so there are definitely a lot of different things we could do with it. You’re absolutely right that a known password is a weak password and it would be neat if the password strength calculator could take that into account, but I can’t say for sure that would be doable. Still, we definitely want to expand on this proof of concept and there are numerous paths forward. Now that the flurry of building it is over, it’s time to sit back and consider where we want to take it next. Its destiny is a blank slate for now, so thanks for the ideas and keep ’em coming! 😊

  3. Ahmet says:

    Thank you SO VERY MUCH for doing this! When I heard Troy has launched this list, my mind immediately went off to 1Password, to write some script or something to check which of my passwords are compromised (I have a lot due to reuse!)

    Could there be a way of asynchronously running this check in the background for ALL my saved passwords? I’m not at all worried about randomly-generated passwords, I trust the randomness. However, I have A LOT of non-random passwords I have from pre-1Password era that I want to know whether I should change or not.

    So I’d really appreciate it if you can check it for all the saved passwords without requiring me to click 500 times (maybe even a nice warning icon next to it would be awesome!)

    • Kate Sebald says:

      Hey Ahmet! Thank you for sharing your excitement! Seriously, it makes us giddy to see all of the geeked out comments here. We love what we do and seeing y’all just as excited about this as we are is next-level awesome. I’ve been smiling the whole time I’ve been answering comments today. 💖

      Since this was something we put together in just over 24 hours and we didn’t want to overwhelm Troy with the requests we’re sending to him, it’s one-by-one for the moment, but we do want to flesh this proof of concept out into a full-fledged feature. There will definitely be changes, improvements and evolutions in the future. Don’t wait on us, though! Random passwords are always better, even if your non-random password isn’t pwned. Next time you’re signing into one of those sites where your password isn’t random, go ahead and change it. Leveling up your security with extra randomness is always a good choice, whether your password is pwned or not. 😊

  4. Eddie says:

    Thank you AgileBits team for showing such grace and patience in answering all questions and concerns. Dave you’ve really built a great team! I’ve been a long time user and promoter of 1Password because of your stance on privacy and security. Thank you!

    Q: Would it be possible at all to enable access to this POC for a mobile web browser (say, like Safari on an iPhone), if 1Password is installed on that device (obviously there’s no way of entering the key combo on a mobile device)?

    • Kate Sebald says:

      Hey Eddie! Thank you so much for sharing the love! I can only speak for myself (but I’d bet others would agree) it’s been an absolute joy to answer y’all’s questions here. One of the coolest parts of my job is getting to geek out about a new feature like this with our customers. It’s awesome to build something we’re excited about, but when y’all are as excited as we are that’s when we truly know we nailed it. It really is just about the best feeling out there. 😁💖

      That’s a great question about mobile browsers. Given that using this proof of concept does result in a part of a hash of your password being sent to a third party, we wanted to make it really hard to turn on accidentally, and I think we’ve left mobile browsers out of the loop in the process of accomplishing that. Perhaps if you have a device with an external keyboard? Since you’ve been waiting over the weekend for a reply, I didn’t want to leave you hanging (especially since I was a bit of a late riser today, d’oh!), but I’ll ask around and see if anyone has given this a try and knows of a way to get things working on mobile. I suspect an external keyboard would be the only way, but I work with some fairly brilliant folks so it’s always a good idea to ask. 😊

  5. Craig says:

    I read about Troy Hunt’s updates just yesterday and was wondering if 1Password would be using it, including the use of the ‘k-anonymity’ feature. Sadly to say, my pessimistic mind kicked in — I just expected that it’d never happen, or that it’d be 6 months away at the earliest.

    Then of all things, I find out 1Password is not only onto the ‘k-anonymity’ lookup facility, but it’s already implemented online as a proof of concept! Yay!

    I hope this will make it to the desktop/mobile apps rather soon!

    Keep up the good work guys!

    • Craig says:

      …As a follow up.
      I don’t use Watchtower, I hope this feature can run independently to it. If it were part of Watchtower, I wouldn’t use it and would need to check my passwords manually against Troy’s api.
      (I have very limited bandwidth and can’t be randomly downloading lists of stuff).

    • Kate Sebald says:

      Hey Craig! Glad we ended up defying the pessimism and thanks so much for your kind words! Really, this was just the right recipe to get us excited. It’s a way to help our customers identify and address potential holes in their online security and it came nicely pre-packaged with an interesting logistical problem in how to securely check passwords against the database. If there’s one thing we nerds love, it’s a good puzzle. Add in the fact that the puzzle had already been solved in such an ingenious fashion and it was quite obvious we needed to join the party here. 🎉🎈

      While we do want this to come to the desktop apps, it hasn’t been decided just yet whether it will be something that can be enabled independently of Watchtower or fully tied to the Watchtower service. Related to your concern about bandwidth, though, finding an exact match for your password securely depends on downloading a list of partial matches to your local device right now, so it’s likely expending some bandwidth will be needed. The list for a single password isn’t likely too taxing on your bandwidth, but if we do end up having all or batches of your passwords checked at once, that might be a bit more bandwidth-hungry, and perhaps costly depending on just how restricted you are on that front.

      That said, one thing we were already concerned about is that, no matter how clever Troy and Cloudflare were about ensuring your password can’t be discovered, we don’t want to be sending even part of your password anywhere without your explicit consent. This is why we didn’t make this an always-visible feature and instead designed it so you’d never use it unless you had read this post and knew what you were getting into. This is something we’ll still need to consider when this becomes a full-fledged feature, so I’d wager you’ll certainly have the option to disable it as needed. Plus, I’ll be sure to pass along your concerns to the team so they can keep them in mind when designing the final product. 😊

    • Kate Sebald says:

      Hey Werner! This was our reaction exactly when we heard about Troy’s new update. That we were able to make it part of 1Password is just the icing on the cake. I’m glad you’re enjoying it and thank you so much for taking the time to share. 😊

  6. Jeff Laing says:

    I know you said only on but I can’t seem to get it to work on my site?
    Does it work for Teams/Families yet?

    • Kate Sebald says:

      It should work no matter your account type. I just tested using my Family account, just to be absolutely sure, and all was well. One thing I ran into when I first tested this was that I was a bit impatient and mashed the key combo a bit too quickly, which kept turning the button on then off again. You only need to press it once and you’ll be able to check the passwords for each of your items, so if you’re trying it again when you switch items or trying again before the button pops up, you may be turning it off again unsuspectingly. If neither of those potential snags is getting you, let me know what browser you’re using. There’s always a chance there’s one having trouble that we haven’t seen just yet. 😊

  7. Stephen says:

    It looks like this feature is only available if you use a account and let the service have access to the passwords in your vault. That does not fit my security comfort level. I use a vault I do not share with 1Password-the-service.

    Will you be pushing out a software update that includes this feature in 1Password-the-client? That would be very welcome!

    • Kate Sebald says:

      As you mention in your second comment, we are planning to bring this feature to the client applications, but there’s still a lot of thinking and designing to do there and we can’t say at this point what form it will take for sure. For what it’s worth, though, we never have access to the passwords in your vault when you choose a 1Password membership. Everything is encrypted locally before being sent to our servers and only you have the keys to unlock that data (your Master Password and Secret Key). All that we ever have is a blob of meaningless gibberish that can only be transformed into useful data with those very keys stored only on your devices and in your head. Your passwords are yours and yours alone. 😊

  8. Rick says:

    This idea seems promising, but ONLY if it is opt-in, moment in time and available on a pw by pw basis if desired. I still do not want it as an automatic initiated feature. Also, just what we now need, i.e. a SINGLE pw database that all hackers can now target saving them lots of effort. Does anyone remember what just happened with Equifax?

    • Kate Sebald says:

      Hey Rick! Like Watchtower, this would be something that you can disable whatever form it takes. We’re not about to send even partial hashes of your passwords somewhere else without your explicit consent. That’s one reason we made it so hard to enable in the first place. We didn’t want to risk anyone turning it on accidentally without knowing exactly what that button does and how it does it. 👍

      As for the database itself, these are sadly common without any help from Troy. Troy didn’t create this list from scratch, he compiled them from existing lists already released as a result of breaches over the years. They were already out in the wild and accessible to the bad guys. What Troy has done is make these lists more easily accessible to us, rather than just the bad guys, so that we can be proactive about changing our passwords rather than waiting for the hackers to try to get at our accounts. I, for one, am glad to have this tool at my disposal. 😊

    • Jeffrey Goldberg says:

      Hi Rick, we never want to transmit even a tiny fraction of information about a hash of any of your passwords without your permission. We might provide tools to make this easy for people who want to, occasionally, check all of their passwords. But as you said, this is the kind of thing that should be opt-in.

      I also would like to clear up a potential misunderstanding. This is a database of already revealed passwords, culled from sources that have already been available to researchers (and certainly criminals). The work that Troy Hunt has put into developing this has been to remove information from the breach data he collected. In particular there are no usernames in the database.

      I hope that this helps put your mind at ease about what we are (and aren’t) doing with this.

  9. Mike P. says:

    Can’t wait for this to be incorporated into the Mac & iOS apps, so I can check my passwords in private vaults. Very nice work :)
    Also – thank you @Jeffrey Goldberg for the great explanations.

    • Kate Sebald says:

      Glad to hear you’re excited, Mike! We’re definitely looking forward to doing more with Pwned Passwords down the road.

      I’m also thankful for Jeffrey every day. I swear he can explain the most difficult concepts even to those of us who may have a bit less (ok, usually a lot less) technical knowledge than he does and I’ve learned so much from every little chat I’ve had with him. I’d be lost without his sage insights and always love reading his replies to y’all so I can learn a thing or two along the way. I’ll be sure to pass along your kind words if he doesn’t pop in and see them first. 😊

    • Kate Sebald says:

      Thanks, Cabexas! It is both awesome and still live. I just double-checked myself to be sure. In case you’re running into the same thing, I was just thrown off by forgetting I needed to mouse over the password in order to display the various actions associated with that password, so for a few minutes I thought it was down. Make sure you’re pressing the magic keyboard combo only once, mouse over the password for the item you’re viewing, and you should see the option to check it still there. Give it another quick try and if you’re still not seeing the option, let me know what browser you’re trying it out in and I’ll take a peek. 😊

  10. Robert says:

    I like the sound of the feature. In a similar vein, have you ever considered creating a feature that would automatically go out and change one’s passwords anytime a vulnerability alert was triggered? To be honest, although I think Watchtower is a great idea, I never use it because I get so many red Vulnerability alerts that I can’t keep up with them all. It would be much more useful if 1PW could offer two options: Option 1: Go out and change them automatically and report back to me. Option 2: Show me a list with checkboxes of all the websites with alerts and I could check the ones to change and 1PW would just go out and change after I’ve directed it to. These options would be better than requiring me to do them all one-by-one as, in my case, that’s not working.

    • Kate Sebald says:

      Hey Robert! We have considered automatic password changing at times, but we’ve continued to feel the security and privacy trade-offs are too great. I could give my own explanation here, but I think my teammate, Brenty, put it perfectly in his comment replying to just this sort of question on our support forum. The thread, as a whole, is a great discussion about this feature and touches on many of the concerns we have with implementing it. I think you’ll find it enlightening. 🙂

      One point I’d like to touch on in more detail, though, is reliability. Password change forms are not consistent between sites at all and they are constantly changing to boot. If we were to offer automatic password changes, we’d need to be very diligent about getting these forms right and keeping them up-to-date. Otherwise, folks using this feature could end up locked out of their accounts.

      To give some context, consider how many sites you have filled on just fine with 1Password for months, maybe even years, and one day you head to that website and press Command – \ expecting to be logged in like always. Lo and behold, nothing happens. This number may be higher or lower depending on how many online accounts you have, but I spend a good chunk of my time helping the extensions team with filling issues and I’d wager I pass on at least one new filling problem a day and frequently more. When your Login doesn’t fill properly, that’s frustrating, but not an emergency. You can copy and paste for a bit and we can take the time to fix things up.

      If the same were to happen with a change form, you’d be in much more trouble (and understandably furious with us for screwing it up). In all likelihood, you also wouldn’t be the only person with a password to change on this site. The longer it took us to resolve the problem and push an update, the more people would find themselves locked out of an account. 😱

      Related to the topic of reliability, I’d wager many of those Watchtower alerts you have are for smaller sites. If we were to offer this feature, it wouldn’t be feasible for us to keep up with every single password change form that exists. The internet is just too darned big, and unless every single form were fully standardized or our computing power reaches a point where it’s sufficient to automate checking each and every site on a daily basis, it’s just impossible for us to offer this feature both universally and reliably. At best, we’d manage a handful of popular sites and even doing that reliably and efficiently comes with concerns of its own.

      To be honest, although I think Watchtower is a great idea, I never use it because I get so many red Vulnerability alerts that I can’t keep up with them all.

      Although you’re going to give me a heart attack by saying this and I desperately want to give you an easy path to securing these accounts, it’s just not feasible for us right now. It’s something we’ll continue to consider as technology advances, but definitely not something in the foreseeable future for 1Password. Instead, though, I’ll offer my own advice for password changes, developed as part of my experience changing HUNDREDS of my easy to guess and remember passwords to strong ones when I first started using 1Password.

      First, set some goals. Pick a number of passwords you want to change per day. Next, pick a time during your day when you will grit your teeth and change those passwords. Finally, go sit down and do it. You don’t need to get through all of them in one sitting, but commit to changing 2 or 3 passwords with Watchtower alerts per day and before you know it, those alerts will all be gone. Plus, each time you change even one of those passwords, you’re doing a world of good for your online security overall. 🎉

      Changing all of my passwords was super tedious, so I also devised a reward for myself. I had my eye on a video game (Diablo 3, for the curious) and told myself that once I had no passwords left in the weak passwords category of Security Audit, I got to go out and buy it, no matter the cost. Normally, I’d have (not so) patiently waited for it to go on sale for no more than $20. $60 for a game I’m going to play for a few months at best, then lose interest in, has always struck me as ridiculous and I’ve made efforts to exercise a degree of self-control. But! I changed hundreds of passwords and it was the worst ever, so I deserved a treat. Hopefully you can find one to motivate you as well. 😊
