1Password Can Find Your Pwned Passwords: Find Out How

Screenshot from 1Password

AgileBits has announced a tremendously important feature for 1Password subscriptions: the ability to see if your passwords are pwned passwords. It’s technically just a proof of concept now, but AgileBits said it was working on deeper implementation within 1Password. Here’s what you need to know about it.

Troy Hunt’s Pwned Passwords V2

Pwned is geek slang for something that has been compromised—it’s been owned, as it were, which was typoed as pwned, and thus was a concept born. With a myriad of data breaches out there, hundreds of millions of logins have been pwned by the bad guys, and those passwords are being peddled and used by miscreants the world over.

Enter Troy Hunt, a good guy if there ever was one. Among his many security-related projects is Pwned Passwords V2. It’s an accessible database of all the compromised logins Mr. Hunt has been able to gather from the dark corners of the interwebs.

This database is accessible via an API, and AgileBits has built a proof of concept mechanism for checking your passwords against that database. And it’s pretty awesome.

Finding Pwned Passwords With 1Password

To use this proof of concept, you’ll need to log in to your 1Password membership online—it’s not available within the app yet. Here’s a how-to video from AgileBits:

In written form, here’s how AgileBits described the process:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Screenshot from 1Password

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

Remember, this is a proof of concept. Troy Hunt launched his service yesterday, and mad props to AgileBits for getting this out so fast.

This Won’t Expose Your Passwords

Here’s the genius bit, and it’s a combination of Troy Hunt’s service and AgileBits’ implementation. Your password isn’t being sent anywhere. Instead, your password is hashed, and then the first five characters of that hash are sent by 1Password to Pwned Passwords V2.

The service then sends every known password that matches those first five characters. It’s 1Password itself that then compares your full password to all those pwned passwords. Your password is being accessed from your own vault and sent nowhere, and then compared to known compromised passwords.

As long as you act on the results and change any needed passwords, the world becomes a slightly more secure place! How cool is that?

More Is Coming

AgileBits hasn’t offered a timetable, but in its blog post, the company said a more comprehensive implementation is coming to the 1Password app’s Watchtower feature. There were hints that would include the ability to check all your passwords at once, rather than having to do them one at a time.

So hats off to AgileBits and Troy Hunt—go forth and be mindful of your online security!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.