1Password: How to check if your password has been compromised and leaked
1Password has incorporated security expert Troy Hunt's new Pwned Passwords database into its service.
Popular password management service 1Password has unveiled a cool new feature that allows users to check whether their password has been compromised in a data breach and leaked online. The proof-of-concept feature released this week is an integration of security expert Troy Hunt's new Pwned Passwords service that lets users check if their passwords have already been stolen.
Hunt announced the new Pwned Passwords service on Thursday (22 February), which features a database of over 500 million passwords that have been leaked in previous data breaches.
"Checking your own passwords against this list is immensely valuable," AgileBits, the company behind 1Password, said within a day of Hunt's announcement. "We loved Troy's new service so much that we couldn't help but create a proof of concept that integrates it with 1Password."
AgileBits notes that using the feature to check your password is safe and secure. The company hashes passwords using the SHA-1 hashing algorithm and sends the first five characters of the 40-character hash to Hunt's service.
Hunt's server then sends back a list of leaked password hashes that begin with those five characters. 1Password then compares the list locally to see if there is a match.
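The hash-prefix exchange described above, as an added example that is not AgileBits' or Hunt's own code: only the 5-character SHA-1 prefix leaves the client, and the returned range is compared locally. The range response body below is a constructed sample in the SUFFIX:COUNT line format, with made-up counts.

```python
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per leaked hash
    that shares the queried prefix. Blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password_locally(password: str, range_body: str) -> int:
    """Return how many times the password's full hash appears in the
    range fetched for its prefix, or 0 if the suffix is absent.
    The service never sees the suffix or the password itself."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# The suffixes other than the real one, and all counts, are made up.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
1E5B6BBF6D1E3FA9E5C4F3D3D4E0A1B2C3D:2
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(f"sent to service: {prefix}")           # only 5 hex chars go out
    hits = check_password_locally("password", SAMPLE_RANGE_RESPONSE)
    print(f"matches in leaked set: {hits}")
```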
They also note that if a person's password does match one in the database, it may not necessarily mean that it was part of a data breach. Rather, it could mean someone else is using the same password. Either way, the company recommends users change their passwords in this case.
AgileBits' "Chief Defender Against the Dark Arts" and security head Jeffrey Goldberg explains: "If you find that [your password] is on the list, it definitely isn't good, but may not be news. If [your password] is weak (or created by a human) it is likely that lots of other people use the same password. People are not very good at being random, especially when they are trying to be random.
"Any password that is likely to have ever been used by more than a tiny handful of people on the planet can easily end up on such a large list. So there is a fair chance that the instance of the password that ended up on the list isn't from your use of it."
However, he does advise users to change their password to a stronger one if it does show up on the list.
Users with a 1Password membership can already check out the tool to see if their password has been leaked so far:
- Sign in to your 1Password account
- Click on Open Vault and select one of your credentials
- For Mac users, press and hold Shift-Control-Option-C. For Windows users, press and hold Shift+Ctrl+Alt+C to unlock the proof-of-concept feature.
- Click on the "Check Password" button that pops up next to your password to check the integrity of your credentials
"For now the Check Password feature is limited to the 1Password web client, and is not yet in the 1Password apps," AgileBits CEO Jeffrey Shiner wrote in a comment on their blog post. "When I saw Troy's post, I wanted to make this feature available as soon as possible and this was simply the quickest way to do so.
"We plan on adding this feature to Watchtower in the 1Password client apps, like 1Password for Mac as we move forward. In fact, once this is in the client apps we should be able to take it further than we do today, showing all of your pwned passwords in a single view."
Hunt has already taken to Twitter to praise AgileBits for their new offering.
Hunt has made the Pwned Passwords database and API freely available for download via his "Have I been pwned?" website for other services to build upon and incorporate the useful feature. He has also named a few services that have already incorporated the "first generation of Pwned Passwords" in a blog post.
"My hope is that they inspire others to build on top of this data set and ultimately, make a positive difference to web security for everyone," he wrote. "All those models are free, unrestricted and don't even require attribution if you don't want to provide it, just take what's there and go do good things with it."