1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online

[MacRumors]

Password management app 1Password this week got a new feature on the web, and developer AgileBits described it as a way for users to check and make sure that their passwords aren't "pwned passwords," or passwords that have been leaked online. While the launch is web-only right now, AgileBits said it will be coming to 1Password apps in the future.

1Password's new feature integrates with a newly updated service by Troy Hunt -- who previously created a breach notification service called Have I Been Pwned -- and securely and privately checks your passwords against more than 500 million passwords collected from various breaches.

This way, users can further ensure that their passwords saved within 1Password are as secure as possible, and if Hunt's new service surfaces a warning about compromised data, they can change to a new one without leaving 1Password.

Pwned Passwords originally launched as a feature within Have I Been Pwned last August, but Hunt has now updated it to version two and greatly expanded the amount of passwords indexed, originally starting with 320 million. For 1Password's integration, which is still just a proof of concept as of now, AgileBits said the feature is available today to everyone with a 1Password membership, and shared the following steps:

- Sign in to your account on 1Password.com.

- Click Open Vault to view the items in a vault, then click an item to see its details.

- Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.

- Click the Check Password button that appears next to your password.

Once you click "Check Password," 1Password will communicate with Hunt's service of indexed passwords, letting you know if yours exists in his database. As AgileBits pointed out, "If your password is found, it doesn't necessarily mean that your account was breached. Someone else could have been using the same password." Still, the company encouraged immediate action for any user who sees a confirmation of a password matching to Hunt's service.

In the announcement, AgileBits ensured that this communication with Pwned Passwords keeps user passwords "private and secure" because they are "never sent to us or his service." Hunt's service never receives the full password, and only requires the first five characters of each password hash. The developer stated, "we would never add it to 1Password unless it was private and secure."

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy's new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Hunt goes into more detail about Pwned Passwords in his own announcement post about the update to the service. AgileBits confirmed that it will be adding Pwned Passwords to its own security breach warning feature, called Watchtower, within 1Password apps "in future releases."

Article Link: 1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online

 

[Christoffee]

Sometimes an idea is so obvious and fabulous I’m at a loss as to why it’s not been done before. I guess it’s only obvious once it’s obvious.

 

[Kajje]

...never receives the full password, and only requires the first five characters of each password hash...

This is important. Your very unique special password you use is, even without your username, worth a lot converted into its hash. It can be added to rainbow tables for future 'decryption' (sic)

 

[Eidorian]

It's a great program. I recommend it to everyone.

 

[casperghst42]

I really like 1password, and have been using it for years, but SHA-1 is not really super secure.

 

[wfrancis]

It's a great program. I recommend it to everyone.

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.

 

[unsaltedrhino]

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.

I use it very happily without subscription. Am considering subscription for features such as this.

 

[manu chao]

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.

Forced? You can still buy standalone versions:
https://agilebits.com/store

 

[jjduru]

Forced? You can still buy standalone versions:
https://agilebits.com/store

Is it being kept up to date along with the subscription version?
Same question stands for the windows version

 

[now i see it]

SHA-1 is a worthless hash. There are rainbow tables for every possible entry. This service seems like it's a breach waiting to happen.

 

[horsebattery]

Is it being kept up to date along with the subscription version?
Same question stands for the windows version

There's no difference in terms of minor version updates. There would, however, if AgileBits decides to release a paid major version upgrade.

SHA-1 is a worthless hash. There are rainbow tables for every possible entry. This service seems like it's a breach waiting to happen.

How does releasing a portion of the hash lead to a security breach exactly? It's not as if 1Password is continuously transmitting different portions of the entire hash and allowing an attacker to reconstruct a password that way.

 

[ck2875]

Is it being kept up to date along with the subscription version?
Same question stands for the windows version

Mac is same version as subscription, it just doesn’t give you access to the 1Password website. Windows version is now subscription only, I believe.

 

[whyamihere]

Now that's smart and the proper way to handle it.
-Hashing the password to start is just plain obvious and a no-brainer
-Sending the first 5 characters seems like it would cause a lot of false positives
-But then getting back the full hash possibilities and comparing locally is perfect.

 

[BigMcGuire]

Very cool. I bought 1Password back in the day before they were subscription - used it a lot. I had LastPass for work (paid for by the company I worked for) but kept 1Password as my primary pw db.

Finally decided to go subscription - my wife, 2 of my sisters sister, and my brother all get to use 1Password for $60/year. We can't see each other's passwords but if we wanted to share a password it is SUPER easy to do so with the shared collection. The nice thing is, with the subscription I can use it on my work computer (Windows) as well.

I like this company and am happy to see it being active now that it has gone subscription (important to keep users happy).

I try to use the pw generator for most new accounts but I know I have a handful (or more) of accounts from back in the day that used that 1 password I used everywhere for less important stuff (yes yes, very bad, I know - I tried to find all of them and change them).

Edit: Just logged in and I don't see this yet on my passwords.

 

[JosephAW]

I don't trust storing passwords in the cloud for anyone, Apple iCloud, 1Password or others. Everything is locally encrypted in iTunes. Even partial passwords hash is a red flag and some of us use personal algorithms & formulas and don't want to reveal any starting protocols. This could be a flytrap from the "dark web" to gather information. Sorry but no thanks.

 

[horsebattery]

Uh oh. Now you’ve undoubtedly summoned the Kyle guy from AgileBits to come and AstroTurf the f out of the thread by telling us how much value there is in buying a 1Password subscription, and that it was needed because their customers were too dumb to know whether to buy the Mac or Windows version and how that was the bane of their tech support’s existence.

That's quite an exaggeration - why make this claim when one can easily look up the old threads? I've seen many of his comments and most have been quite helpful in clearing up misconceptions/FUD. There's already one in this thread falsely claiming that users are forced into the subscription model and having to repurchase this "over and over again"

 

[JRobinsonJr]

Very cool. I bought 1Password back in the day before they were subscription - used it a lot. I had LastPass for work (paid for by the company I worked for) but kept 1Password as my primary pw db.

Finally decided to go subscription - my wife, 2 of my sisters sister, and my brother all get to use 1Password for $60/year. We can't see each other's passwords but if we wanted to share a password it is SUPER easy to do so with the shared collection. The nice thing is, with the subscription I can use it on my work computer (Windows) as well.

I like this company and am happy to see it being active now that it has gone subscription (important to keep users happy).

I try to use the pw generator for most new accounts but I know I have a handful (or more) of accounts from back in the day that used that 1 password I used everywhere for less important stuff (yes yes, very bad, I know - I tried to find all of them and change them).

Edit: Just logged in and I don't see this yet on my passwords.

You have to use the 'double secret keypress combination' to make it visible!

 

[RightMACatU]

Great feature 1P! Those not liking this, just use the 2 feet rule: turn around, use your two feet and walk away
As always conversation moves to subscription vs non-subscription models but hey, just ignore those.

 

[BigMcGuire]

You have to use the 'double secret keypress combination' to make it visible!

Wow. I haven't had my coffee yet. Thank you. Somehow my brain glossed over that.

Edit: Ahaha, the tiny password I've used since the mid 90s (and have since stopped using a LONG time ago but used to use on all my accounts before I was smart) --- wasn't found. Would have guessed otherwise.

 

[ck2875]

That's quite an exaggeration - why make this claim when one can easily look up the old threads?

Oops. I actually just went through his profile and didn’t immediately see him commenting about the customers having no idea which to buy. (Sorry Kyle). Apparently I was thinking of Ben? I just know the tone of their employees comments on MR and Reddit have completely jaded me towards a company I used to love.


https://forums.macrumors.com/thread...-sign-up-updated.1986181/page-2#post-23198372

https://forums.macrumors.com/thread...-sign-up-updated.1986181/page-7#post-23199525

 

[horsebattery]

Oops. I actually just went through his profile and didn’t immediately see him commenting about the customers having no idea which to buy. (Sorry Kyle). Apparently I was thinking of Ben? I just know the tone of their employees comments on MR and Reddit have completely jaded me towards a company I used to love.


https://forums.macrumors.com/thread...-sign-up-updated.1986181/page-2#post-23198372

https://forums.macrumors.com/thread...-sign-up-updated.1986181/page-7#post-23199525

I didn't realize there's a second employee that posts here - that's good to know. Personally I tend to give customer-facing folks quite a bit of slack given the nature of their work; the "forced subscription" comments never cease, for instance.

Agilebits is fantastic when it comes to maintaining updates for their iOS/MacOS clients so I haven't had a reason to dislike them - yet.

 

[justiny]

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.

I disagree. When a developer continues to improve and enhance a high-quality application (specifically in the field of information security where threats evolve daily), I don’t mind them getting paid along the way.

 

[MacBH928]

I am just waiting to hear there was a bug that made this unsecure in the future
[doublepost=1519401531][/doublepost]

I disagree. When a developer continues to improve and enhance a high-quality application (specifically in the field of information security where threats evolve daily), I don’t mind them getting paid along the way.

its ok to get paid over again, just not in subscription model where you have online account. Maybe an app that locks down every 1 or 2 years if not repurchased. Putting things in the cloud is not a good idea. There are breaches all over the place

 

[AGKyle]

WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.

We never removed the option to purchase a standalone license. As linked by others in this thread. It's also available via the Mac App Store app, feel free to check the available in-app purchases for proof of that.

Is it being kept up to date along with the subscription version?
Same question stands for the windows version

There is no difference between our standalone version of the app and the subscription version in terms of downloads. They're the same identical app. Bug fixes, improvements, and new features are added all the time. Some of those features may only be available for our subscription customers as they piggy back on features that are only possible due to our servers on the subscription side. But where possible we add features for both standalone customers and subscription customers.

SHA-1 is a worthless hash. There are rainbow tables for every possible entry. This service seems like it's a breach waiting to happen.

You missed the important bit. Your password is hashed.

Then we take the first 5 characters of the hash and send that over.

The Have I Been Pwned server takes these first 5 characters, compares to the database, finds all hashed passwords that match the first 5 characters and send those back to the client (1Password) which then checks the returned hashes to see if a match is made.

Your fully hashed password is never sent to the server, only the first 5 characters. Troy Hunt, the creator of Have I Been Pwned has stated that pretty much every 5 character prefix hash has ~500 results, and it's entirely possible that password isn't even in the results and is safe. So it really doesn't help much at all, combined with the fact no username or URL is sent.

 

[manu chao]

Is it being kept up to date along with the subscription version?
Same question stands for the windows version

It just got an update to version 6.8.7. And I'd say it gets an update roughly in the order of every two months.