Watchtower: we shall fight on the breaches

1Password’s Watchtower service has been helping users identify accounts that have been affected by breaches for years. Today we’re proud to announce an enhancement to how 1Password finds and identifies breached accounts.

1Password can now use Have I Been Pwned to find accounts that have been compromised based on the email address associated with the account. It can even do this without needing to share your email address with anybody.

Before we dive in to learn about the details, take a look at the awesome work Matt and Jasper did to bring this to life.

Breach Report

There’s actually a fair amount to unpack here, and it’s difficult to see detail on a video, so let’s break down the breach report in screenshot form.

Breach Report

The Breach Report is split into three sections.

The topmost section lists websites where an account with your email address has been identified as compromised, but for which you have no information stored in 1Password.

That’s amazingly powerful: 1Password can help you identify breaches that affect you even though you never added the account to 1Password. In this case, you’re going to want to generate a strong, unique password for that website, and while you’re at it you should consider adding it to 1Password.

If it’s a website for which you have no interest in having an account, you should delete the account as opposed to ignoring it. Accounts often hold additional data, such as a mailing address or a phone number. You should be protecting that private information, and thanks to excellent pieces of legislation like the GDPR most websites have a way to request permanent deletion of your data.

The second section lists breached websites for which you’ve got an item in 1Password, but 1Password suspects that password to be compromised. You’ll definitely want to create a new password for that website.

The last section lists breaches for which you’ve got an item in 1Password, but you’ve already updated the password so there’s nothing more to do.

How Does It Work?

The Breach Report is based on a new service from Have I Been Pwned that lets 1Password query for compromised accounts by email address. 1Password can do this without sharing the email address with Have I Been Pwned, because the new service works much like the Pwned Passwords service and uses the same k-anonymity model: 1Password learns which breaches affect you, while Have I Been Pwned never receives the sensitive information itself. Let’s take a look at how that works…

Have I Been Pwned has a database with over 5 billion compromised accounts obtained from the various data breaches around the internet over the last few years. This database contains the email address associated with the account as well as a SHA-1 hash of the password that was compromised. The new service allows 1Password to look up entries in that database based on the email address.

Email Hash Illustration

In order to perform a lookup, 1Password takes the email address associated with your account, and hashes that using SHA-1. Sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your email address. Just like the Pwned Passwords service, this new service only requires the first few characters of the hash, six to be precise.

As with Pwned Passwords, the rest of the process is completed within 1Password itself. Have I Been Pwned sends 1Password a list of possible matches that share the hash prefix it received, and 1Password completes the search locally by looking for an exact match against the full hash created in the first step.
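The following Python models the lookup just described: the client hashes the address locally, sends only the six-character prefix, and finishes the exact match itself against the returned set. It is an added example, not 1Password’s or Have I Been Pwned’s code; the breach database, the addresses and the breach names are constructed stand-ins.

```python
import hashlib

# Added example modelled on the post's description; not 1Password's or HIBP's code.
PREFIX_LEN = 6  # the post: only the first six hex characters of the SHA-1 leave the client
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1 of the address, normalised (trimmed, lower-cased) so
    'Alice@Example.com' and 'alice@example.com' hash identically."""
    return hashlib.sha1(text.strip().lower().encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the HIBP breached-account database: full SHA-1 -> breach names.
BREACH_DB = {
    sha1_hex("alice@example.com"): ["Adobe", "ExampleForum"],
    sha1_hex("bob@example.org"): ["Adobe"],
}

# Everything the simulated server ever receives, so a caller can confirm that
# no full hash (and no address) ever leaves the client.
SERVER_LOG = []


def server_range_query(prefix: str) -> dict:
    """Server side (simulated range endpoint): returns suffix -> breach names for every
    record whose hash starts with `prefix`. Any address in that bucket is an equally
    plausible query, so the server learns only that the client asked about one of them."""
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    SERVER_LOG.append(prefix)
    return {h[PREFIX_LEN:]: b for h, b in BREACH_DB.items() if h.startswith(prefix)}


def lookup_email(email: str) -> list:
    """Client side: hash locally, send only the prefix, then finish the exact match
    locally against the returned suffixes. Returns breach names for a hit, [] otherwise."""
    full = sha1_hex(email)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    candidates = server_range_query(prefix)
    return candidates.get(suffix, [])


def expected_bucket_size(total_records: int) -> float:
    """Average number of records sharing one prefix, i.e. the anonymity set the server
    sees. With the post's 5 billion records and 16**6 buckets this is about 298."""
    return total_records / 16 ** PREFIX_LEN


if __name__ == "__main__":
    print(lookup_email("alice@example.com"))     # ['Adobe', 'ExampleForum']
    print(round(expected_bucket_size(5_000_000_000), 2))  # 298.02
```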

Bringing You More Info On Compromised Logins

When viewing items in the Compromised Logins section of Watchtower, you may notice that some of them have a slightly different banner at the top and include a “More Info” link.

Watchtower Notification Banner

Clicking it will bring up a panel with some information about the breach, letting you know what information in that account was made available.

Breach Info

This was made possible with the additional breach information that is provided by Have I Been Pwned.

Run, don’t walk, to change the password associated with this Login. And also change the password for any other Login item you might have that happens to share that password (you’re using strong unique passwords everywhere, right?).

Taking Watchtower Further

Have I Been Pwned allows us to push Watchtower further and do more to keep you safe online. The k-anonymity model used in both this service as well as Pwned Passwords ensures that your privacy is respected, which is incredibly important to us. We’re thrilled to be one of the first services using Have I Been Pwned in this way.

You can try it today by using Watchtower on 1Password.com, and we’re looking forward to bringing this feature to all of our apps.

Thank you Troy for building an excellent service that makes this feature possible.

Rick Fillion 1Password.com Lead

17 replies
  1. Joris
    Joris says:

    Great feature! But your advice seems to contradict itself: “If it’s a website for which you have no interest in having an account, you should delete the account as opposed to ignore it.” However, every next time you run the breach report, you will be reminded of the account by 1Password, with no way to hide it, so you will have to ignore it.

    Reply
    • Rick Fillion
      Rick Fillion says:

      You’re right, Joris. It’d be nice for us to add the ability to say that a breach has been taken care of such that we shouldn’t warn you about it again.

      Rick

  2. Daniel Cohen
    Daniel Cohen says:

    I have more than one email address. It looks as though this service only checks the address associated with the 1PW account. It would be good if we could enter another address and have that checked.

    Of course you wouldn’t want it to be possible to check an arbitrary address, but if an address is used in some login then one should be able to check for it.

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi Daniel,

      Like you I’ve got multiple email addresses. I’ve got an @agilebits.com address and a @1password.com address for work. I’m hoping that we can build a feature that allows adding more email addresses to be checked. It would require that you verify that you do in fact have control of that email address. I’d love to see it scan my vault to find the various email addresses I use for my accounts and propose those.

      There’s a lot more that we can do with this, and we’re just getting started.

      Rick

    • Rick Fillion
      Rick Fillion says:

      I just thought I’d elaborate on my answer here as it’s probably not immediately obvious to people why we would require that an email address be verified as being under your control before we return you results for it.

      If you go to haveibeenpwned.com you can enter any email address at all and see breaches associated with that email address. Based on that, it’d be a legitimate question to ask why 1Password should need to do extra validation? 1Password needs to do extra validation because what is shown at haveibeenpwned.com is actually only a subset of the data available. If you use their email service they’ll send you a complete list which should contain all of the breaches shown on their website and others. The others, not shown on the website, are generally considered “sensitive” breaches. No one’s going to judge me differently because I had an account involved in a breach with Adobe. Other websites are much more sensitive (I’m sure you can use your imagination to come up with an example), and so Have I Been Pwned does the responsible thing and avoids giving that information unless the email address has been verified. 1Password will present the full list of breaches to you as the owner of that email address.

      Rick

  3. Michael
    Michael says:

    Love this feature and all of the continued development on 1Password. My only question has to do with parity between Watchtower on the 1Password.com website vs. the 1Password application. Can you explain the differences between Watchtower on 1Password.com and the thick applications (MacOS/Windows)? Also, I have two specific questions:

    1) My understanding was that 1Password sends a partial hash of a password to haveibeenpwned and then receives full hashes of all possible matches (maybe a couple of hundred). It then checks the full hash against the possible matches to see if there is a match, and this search is done locally. In Watchtower on 1Password.com, how is the “local” comparison done?

    2) Does the 1Password thick application (MacOS/Windows) also check email addresses or is it limited to just passwords at this time?

    Thanks!

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi Michael,

      Thanks! Let me try to answer these for you…

      Your understanding of how it works seems to be correct. The “local” comparison is done exactly the same on 1Password.com as it would be in our other apps. 1Password.com is not a traditional website and when you go to the sign-in page it downloads the entirety of the 1Password.com webapp as a large Javascript file. From then on, the 1Password.com webapp behaves just as locally as other apps would, except that it lives within a sandbox of your browser.

      For the time being, this new email address search feature is limited to 1Password.com and not available in our other apps. It’s something we’d love to bring to the other apps, but that’s going to take a bit of time.

      Rick

  4. Graeme
    Graeme says:

    Couple of things – this doesn’t appear to be available in my 1Password.com account – is there a delay in rolling out across all customers/regions? I have a family a/c.

    Secondly, I own and use 100s of email addresses (459 “masked” addresses to be precise) in addition to my “regular” address. Already looking forward to when 1P can check each of them.

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi Graeme,

      This should be available to all 1Password.com accounts when using the webapp. You’ll need to go into your Personal/Private vault, and it should be available within Watchtower there.

      I’m looking forward to when we can check more email addresses too.

      Rick

  5. michael
    michael says:

    This is an awesome feature, and I wasn’t aware of the report available from 1Password.com. I ran the report and came up in the QuinStreet.com breach. Unfortunately, I can’t really address it because it looks like QuinStreet was a “maker of performance marketing products” that hosted forums for 28 separate sites (https://security.preston.ie/compromised-data-dates-of-birth-email-addresses-ip-addresses-passwords-usernames-website-466ef7913fc7). It doesn’t look like I can create a login item (and change the password) for this one to get it to no longer show up in the breach report.

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi Michael,

      In some cases a reported breach isn’t something that we can action upon as you’ve discovered. It would be nice for us to have a button to say something along the lines of “I acknowledge this breach, but there’s nothing I can do, so please hide it going forward” so that you’re not left with an item for which you can’t do anything.

      Rick

  6. Berrang
    Berrang says:

    @Rick
    Very good addition.
    I’d like to see an option to have my roughly 10 email addresses included in a future version. Those that are already in 1Password.
    Thank you

    Thomas

    Reply
  7. JB
    JB says:

    @Rick: Just wanted to support your idea “I’d love to see it scan my vault to find the various email addresses I use for my accounts and propose those”. I, too, use lots of addresses. Equally important to me is having that feature in the local apps.

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi @JB,

      I too think it’s important that this feature come to local apps. 1Password for Mac is where I do the vast majority of my direct interaction with 1Password, and that’s where I’d like to use this feature as well. It’s generally easier and faster for us to prototype this kind of feature on our webapp so that’s where we started with it. I’m hopeful that all of our apps will gain this feature.

      I want to make something clear though… this feature is not likely to ever come to standalone/local vaults in our apps, and is likely to require a 1Password account in order to function. Only verified email addresses are allowed to be queried on HIBP and right now the only verified email addresses (i.e. an email address that we’ve proven you control) we have are the ones associated with a 1Password account. I want to make it possible to verify additional email addresses, but we still need to attach the verified email addresses to some kind of account that would represent you.

      Rick

  8. Jonathan Courtois
    Jonathan Courtois says:

    Hi,

    Thanks for the feature, it’s great.

    Just one question: some websites use a PIN code, which is usually 4 or 6 digits (not very secure, but nothing I can do). The new system marks them all as breached, probably because there are so few combinations that, among over 5 billion passwords, someone has used it?

    What can I do?

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hello Jonathan! First off, high five for looking into your Watchtower alerts and working to get them sorted out. ✋ We actually do our best to exclude PINs from Watchtower alerts, but we can only do so much without making invalid assumptions. If the item does not have a website saved and the password is all digits and 6 or fewer characters, it is considered a PIN code and should be excluded, but if you do have a website saved for the item, it will be flagged. In a way, it’s useful to know that password is vulnerable, even if you can’t do anything about it. It can let you know to keep a particularly close eye on activity on that site and, if you’re feeling adventurous, maybe even reach out to the company and encourage them to allow better passwords. 🙂 That said, this is just one case in which you may not be able to resolve a Watchtower alert, and we understand these things happen. We’re thinking about ways to allow you to exclude certain items from Watchtower in these cases and may consider adding some options to address this down the road. 👍

      I’m sorry I don’t have a way to get Watchtower to stop nagging you, but I’m glad to hear you’re enjoying Watchtower all the same and hope those sites allow you to use some better passwords soon. 😊
