1Password bolts on a ‘pwned password’ check

Password management service 1Password has a neat new feature that lets users check whether a password they’re thinking of using has already been breached. At which point it will suggest they pick another.

This is in addition to the more usual password strength indicator bar that tries to encourage web users to improve their security practices. The pwnage check builds on that by further reducing the risk of password reuse because it’s verifying if the specific password has appeared in a number of known data breaches.

Here’s a video of the new feature in action:

To power the feature, 1Password is leaning on Pnwed Passwords, a service launched by Troy Hunt last summer, and updated this month with a chunk more password data. It now contains around half a billion downloadable passwords, harvested by Hunt from various online dumps resulting from all sorts of different data breaches. The passwords in the database have been hashed by Hunt with SHA-1.

Hunt is best known for creating the Have I Been Pwned? breach notification service. And indeed it was through running that free online check, which lets people sign up to be informed if/when their email address surfaces in a data breach, that the idea for Pwned Passwords came about — as he says one of the most common reactions to people being informed their email had been found in a breach was to ask if they could also check whether their password had been breached.

Thing is, knowing your data has been found among millions of breached credentials, which you’re told includes emails and passwords, but not knowing exactly what was compromised in your case can feel frustrating. Although changing your password is always the sensible thing to do in such a situation.

And while Hunt has always resisted calls to make breached plain text passwords searchable (for obvious security and privacy reasons), the size of modern data breaches — which can almost routinely involve multi-millions of users these days — has demonstrably ramped up pressure on Have I Been Pwned? to also offer some sort of check for pwned passwords too.

Although, to be clear, Hunt’s Pwned Passwords service is not intended for people to check their actual passwords. Because no one should be typing actual passwords into another third party service, even one run by a such a demonstrably good guy.

(Hunt himself makes this point, writing: “[D]on’t enter a password you currently use into any third-party service like this! I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should be using any more.”)

But he’s has done something much more useful and interesting than simply providing an amusing way to find out that “password” has been used as a password more than 3.3 million times in this database. Or that “123456” has been used over 20.7M times. (Which can itself provide a handy ‘security 101’ lesson if you need to help, for example, a less tech-savvy relative get up to speed on password risks.)

Because Hunt has made the pwned passwords downloadable and queryable via an API — in a way that does not entail the sharing of full passwords with third parties.

And this is what 1Password is using to power its new pwnage check.

Cloudflare gets some credit here too. After Hunt created the password database, he says he was contacted by a Cloudflare developer, Junade Ali, who wanted to make use of the database to improve password security but also wanted to incorporate an anonymity model to enable validation of leaked passwords without risking passwords being leaked in the process.

Ali has blogged here about the approach he took, using a mathematical property called k-anonymity — and both Hunt and 1Password are using this method to enable password checks against Pwned Passwords that don’t share the full hash of the password being checked (which would be a bad idea because it could create a breach risk).

“[O]ur approach adds an additional layer of security by utilising a mathematical property known as k-Anonymity and applying it to password hashes in the form of range queries,” writes Ali. “As such, the Pwned Passwords API service never gains enough information about a non-breached password hash to be able to breach it later.”

Only the first five characters of the 40 character hash of the password to be validated are sent to the server hosting the password database, which then returns a list of leaked password hashes that contain the same five initial characters. After that it’s just a trivial local comparison between the hashed password and the list to see whether or not there’s a match.

Of course even if there is no match found during a pwnage check it does not absolutely guarantee the password you want to use hasn’t been breached or compromised in some way. But it’s at very least a way of weeding out passwords that absolutely have been breached — and nudging users away from reusing insecure credentials. A horrible practice which, er, has sometimes even caught out some very techie people.

1Password says the password check service is available now to everyone with a 1Password membership. To check their passwords users need to sign into their account on 1Password.com, then click “Open Vault” to view their items and then click an item to see its details.

After that it says they need to enter keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept, and then they can click the new “Check Password” button which appears next to the password.

Hunt has flagged a number of other services which have also incorporated the “first generation of Pwned Passwords” on his blog, including some which will entirely block password reuse, adding: “My hope is that they inspire others to build on top of this data set and ultimately, make a positive difference to web security for everyone.”

To be clear, he’s made the Pwned Passwords database and API freely available. Further burnishing his good guy credentials.

“All those models are free, unrestricted and don’t even require attribution if you don’t want to provide it, just take what’s there and go do good things with it,” he adds.