1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online

Discussion in 'Mac Blog Discussion' started by MacRumors, Feb 23, 2018.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Password management app 1Password this week got a new feature on the web, and developer AgileBits described it as a way for users to check and make sure that their passwords aren't "pwned passwords," or passwords that have been leaked online. While the launch is web-only right now, AgileBits said it will be coming to 1Password apps in the future.

    1Password's new feature integrates with a newly updated service by Troy Hunt -- who previously created a breach notification service called Have I Been Pwned -- and securely and privately checks your passwords against more than 500 million passwords collected from various breaches.

    This way, users can further ensure that their passwords saved within 1Password are as secure as possible, and if Hunt's new service surfaces a warning about compromised data, they can change to a new one without leaving 1Password.


    Pwned Passwords originally launched as a feature within Have I Been Pwned last August, but Hunt has now updated it to version two and greatly expanded the number of passwords indexed, originally starting with 320 million. For 1Password's integration, which is still just a proof of concept as of now, AgileBits said the feature is available today to everyone with a 1Password membership, and shared the following steps:
    Once you click "Check Password," 1Password will communicate with Hunt's service of indexed passwords, letting you know if yours exists in his database. As AgileBits pointed out, "If your password is found, it doesn't necessarily mean that your account was breached. Someone else could have been using the same password." Still, the company encouraged immediate action for any user who sees a confirmation of a password matching to Hunt's service.

    In the announcement, AgileBits assured users that this communication with Pwned Passwords keeps user passwords "private and secure" because they are "never sent to us or his service." Hunt's service never receives the full password, and only requires the first five characters of each password hash. The developer stated, "we would never add it to 1Password unless it was private and secure."
    Hunt goes into more detail about Pwned Passwords in his own announcement post about the update to the service. AgileBits confirmed that it will be adding Pwned Passwords to its own security breach warning feature, called Watchtower, within 1Password apps "in future releases."

    Article Link: 1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online
  2. Christoffee macrumors 6502


    Jul 26, 2012
    Sometimes an idea is so obvious and fabulous I’m at a loss as to why it’s not been done before. I guess it’s only obvious once it’s obvious.
  3. Kajje macrumors 6502a


    Dec 6, 2012
    This is important. Your very unique special password you use is, even without your username, worth a lot converted into its hash. It can be added to rainbow tables for future 'decryption' (sic)
  4. Eidorian macrumors Penryn


    Mar 23, 2005
    It's a great program. I recommend it to everyone.
  5. casperghst42 macrumors member

    Jan 11, 2006
    I really like 1password, and have been using it for years, but SHA-1 is not really super secure.
  6. wfrancis macrumors newbie

    Sep 13, 2016
    San Francisco/Paris
    WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.
  7. unsaltedrhino macrumors member


    May 3, 2006
    Madrid, Spain
    I use it very happily without subscription. Am considering subscription for features such as this.
  8. manu chao macrumors 603

    Jul 30, 2003
    Forced? You can still buy standalone versions:
  9. jjduru macrumors member

    Apr 3, 2015
    Is it being kept up to date along with the subscription version?
    Same question stands for the Windows version.
  10. now i see it macrumors 68040

    Jan 2, 2002
    SHA-1 is a worthless hash. There are rainbow tables for every possible entry. This service seems like it's a breach waiting to happen.
  11. horsebattery, Feb 23, 2018
    Last edited: Feb 23, 2018

    horsebattery macrumors 6502

    Sep 24, 2013
    There's no difference in terms of minor version updates. There would be, however, if AgileBits decides to release a paid major version upgrade.

    How does releasing a portion of the hash lead to a security breach exactly? It's not as if 1Password is continuously transmitting different portions of the entire hash and allowing an attacker to reconstruct a password that way.
  12. ck2875 macrumors 6502a


    Mar 25, 2009
    Mac is same version as subscription, it just doesn’t give you access to the 1Password website. Windows version is now subscription only, I believe.
  13. whyamihere macrumors 6502


    Jun 30, 2008
    Now that's smart and the proper way to handle it.
    -Hashing the password to start is just plain obvious and a no-brainer
    -Sending the first 5 characters seems like it would cause a lot of false positives
    -But then getting back the full hash possibilities and comparing locally is perfect.
  14. BigMcGuire Contributor


    Jan 10, 2012
    Very cool. I bought 1Password back in the day before they were subscription - used it a lot. I had LastPass for work (paid for by the company I worked for) but kept 1Password as my primary pw db.

    Finally decided to go subscription - my wife, 2 of my sisters, and my brother all get to use 1Password for $60/year. We can't see each other's passwords but if we wanted to share a password it is SUPER easy to do so with the shared collection. The nice thing is, with the subscription I can use it on my work computer (Windows) as well.

    I like this company and am happy to see it being active now that it has gone subscription (important to keep users happy).

    I try to use the pw generator for most new accounts but I know I have a handful (or more) of accounts from back in the day that used that 1 password I used everywhere for less important stuff (yes yes, very bad, I know - I tried to find all of them and change them).

    Edit: Just logged in and I don't see this yet on my passwords.
  15. JosephAW, Feb 23, 2018
    Last edited: Feb 23, 2018

    JosephAW macrumors 68020


    May 14, 2012
    I don't trust storing passwords in the cloud for anyone, Apple iCloud, 1Password or others. Everything is locally encrypted in iTunes. Even a partial password hash is a red flag, and some of us use personal algorithms & formulas and don't want to reveal any starting protocols. This could be a flytrap from the "dark web" to gather information. Sorry but no thanks.
  16. horsebattery macrumors 6502

    Sep 24, 2013
    That's quite an exaggeration - why make this claim when one can easily look up the old threads? I've seen many of his comments and most have been quite helpful in clearing up misconceptions/FUD. There's already one in this thread falsely claiming that users are forced into the subscription model and having to repurchase this "over and over again"
  17. JRobinsonJr macrumors 6502a

    Aug 20, 2015
    Arlington, Texas

    You have to use the 'double secret keypress combination' to make it visible!
  18. RightMACatU macrumors 65816


    Jul 12, 2012
    Great feature 1P! Those not liking this, just use the 2 feet rule: turn around, use your two feet and walk away :D
    As always conversation moves to subscription vs non-subscription models but hey, just ignore those.
  19. BigMcGuire Contributor


    Jan 10, 2012
    Wow. I haven't had my coffee yet. Thank you. Somehow my brain glossed over that.

    Edit: Ahaha, the tiny password I've used since the mid 90s (and have since stopped using a LONG time ago but used to use on all my accounts before I was smart) --- wasn't found. Would have guessed otherwise.
  20. ck2875, Feb 23, 2018
    Last edited: Feb 23, 2018

    ck2875 macrumors 6502a


    Mar 25, 2009
    Oops. I actually just went through his profile and didn’t immediately see him commenting about the customers having no idea which to buy. (Sorry Kyle). Apparently I was thinking of Ben? I just know the tone of their employees comments on MR and Reddit have completely jaded me towards a company I used to love.


  21. horsebattery macrumors 6502

    Sep 24, 2013
    I didn't realize there's a second employee that posts here - that's good to know. Personally I tend to give customer-facing folks quite a bit of slack given the nature of their work; the "forced subscription" comments never cease, for instance.

    Agilebits is fantastic when it comes to maintaining updates for their iOS/macOS clients so I haven't had a reason to dislike them - yet.
  22. justiny Contributor


    Jul 28, 2008
    Fairfield, NJ
    I disagree. When a developer continues to improve and enhance a high-quality application (specifically in the field of information security where threats evolve daily), I don’t mind them getting paid along the way.
  23. MacBH928 macrumors 68040


    May 17, 2008
    I am just waiting to hear there was a bug that made this insecure in the future.
    --- Post Merged, Feb 23, 2018 ---
    It's OK to get paid over again, just not in a subscription model where you have an online account. Maybe an app that locks down every 1 or 2 years if not repurchased. Putting things in the cloud is not a good idea. There are breaches all over the place.
  24. AGKyle macrumors 6502a

    Jun 10, 2012
    We never removed the option to purchase a standalone license. As linked by others in this thread. It's also available via the Mac App Store app, feel free to check the available in-app purchases for proof of that.

    There is no difference between our standalone version of the app and the subscription version in terms of downloads. They're the same identical app. Bug fixes, improvements, and new features are added all the time. Some of those features may only be available for our subscription customers as they piggyback on features that are only possible due to our servers on the subscription side. But where possible we add features for both standalone customers and subscription customers.

    You missed the important bit. Your password is hashed.

    Then we take the first 5 characters of the hash and send that over.

    The Have I Been Pwned server takes these first 5 characters, compares to the database, finds all hashed passwords that match the first 5 characters and sends those back to the client (1Password) which then checks the returned hashes to see if a match is made.

    Your fully hashed password is never sent to the server, only the first 5 characters. Troy Hunt, the creator of Have I Been Pwned, has stated that pretty much every 5 character prefix hash has ~500 results, and it's entirely possible that password isn't even in the results and is safe. So it really doesn't help much at all, combined with the fact no username or URL is sent.
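The exchange described in the article (the "first five characters of each password hash" part) and spelled out step by step in AGKyle's post above, as an added example written for this page; it is not code from the original thread, from AgileBits or from Have I Been Pwned. The leaked-password corpus and its breach counts are constructed for the demo and stand in for Hunt's database, and `range_query` plays the server. `live_range_query` points at the real Pwned Passwords v2 `range` endpoint but is never called here, so the whole thing runs offline.

```python
"""k-anonymity range lookup in the style of Pwned Passwords v2.

Client side: SHA-1 the candidate password locally, send ONLY the first five
hex characters of the digest, then compare the returned suffixes locally.
Server side (simulated here): return every stored hash suffix that shares
that five-character prefix, together with its breach count.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for the breach corpus (password -> occurrence count).
# Sample values for the demo, not real counts from Have I Been Pwned.
LEAKED_CORPUS: Dict[str, int] = {
    "password": 3_303_003,
    "123456": 20_760_336,
    "letmein": 110_000,
    "qwerty": 3_599_486,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the key format the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server-side index: 5-char prefix -> {35-char suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_query(prefix: str, index: Dict[str, Dict[str, int]]) -> str:
    """Simulated /range/{prefix} handler: one 'SUFFIX:COUNT' line per match.

    The server only ever sees these five characters, so it cannot tell which
    (if any) of the entries it returns the client was actually asking about.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 hex characters")
    matches = index.get(prefix, {})
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(matches.items()))


def live_range_query(prefix: str) -> str:
    """Real Pwned Passwords v2 endpoint; not called by the offline demo."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, range_fn: Callable[[str], str]) -> int:
    """Client side. Returns the breach count for the password (0 = not found).

    Only `prefix` leaves the device. `suffix` is compared locally against
    every returned line, so other passwords that happen to share the same
    five-character prefix are filtered out here, not reported as hits.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_fn(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        got_suffix, _, count = line.partition(":")
        if got_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_index(LEAKED_CORPUS)
    offline = lambda p: range_query(p, index)
    for candidate in ("password", "correct horse battery staple"):
        hits = check_password(candidate, offline)
        verdict = f"seen {hits} times in breaches" if hits else "not in corpus"
        print(f"{candidate!r}: sent prefix {sha1_hex(candidate)[:5]} only -> {verdict}")
```

Two things worth noting about the design. The prefix collisions whyamihere worried about are the whole point rather than a false-positive problem: the server answers with every suffix under that prefix and the client discards all but an exact match, so a hit is only ever reported for the full 40-character digest. And SHA-1 is used here purely as a lookup key for a public corpus of already-leaked passwords, not as the protection on a stored credential, so its known collision weaknesses do not change what the server learns from the five characters it receives.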
  25. manu chao macrumors 603

    Jul 30, 2003
    It just got an update to version 6.8.7. And I'd say it gets an update roughly in the order of every two months.
