1Password bolts on a ‘pwned password’ check


Password management service 1Password has a neat new feature that lets users check whether a password they’re thinking of using has already been breached. At which point it will suggest they pick another.

This is in addition to the more usual password strength indicator bar that tries to encourage web users to improve their security practices. The pwnage check builds on that by further reducing the risk of password reuse because it’s verifying if the specific password has appeared in a number of known data breaches.

Here’s a video of the new feature in action:

[embedded content]

To power the feature, 1Password is leaning on Pwned Passwords, a service launched by Troy Hunt last summer and updated this month with a chunk more password data. It now contains around half a billion downloadable passwords, harvested by Hunt from various online dumps resulting from all sorts of different data breaches. The passwords in the database have been hashed by Hunt with SHA-1.

Hunt is best known for creating the Have I Been Pwned? breach notification service. And indeed it was through running that free online check, which lets people sign up to be informed if/when their email address surfaces in a data breach, that the idea for Pwned Passwords came about — as he says one of the most common reactions to people being informed their email had been found in a breach was to ask if they could also check whether their password had been breached.

Thing is, knowing your data has been found among millions of breached credentials, which you’re told includes emails and passwords, but not knowing exactly what was compromised in your case can feel frustrating. Although changing your password is always the sensible thing to do in such a situation.

And while Hunt has always resisted calls to make breached plain text passwords searchable (for obvious security and privacy reasons), the size of modern data breaches — which can almost routinely involve multi-millions of users these days — has demonstrably ramped up pressure on Have I Been Pwned? to also offer some sort of check for pwned passwords too.

Although, to be clear, Hunt’s Pwned Passwords service is not intended for people to check their actual passwords. Because no one should be typing actual passwords into another third-party service, even one run by such a demonstrably good guy.

(Hunt himself makes this point, writing: “[D]on’t enter a password you currently use into any third-party service like this! I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should be using any more.”)

But he has done something much more useful and interesting than simply providing an amusing way to find out that “password” has been used as a password more than 3.3 million times in this database. Or that “123456” has been used over 20.7M times. (Which can itself provide a handy ‘security 101’ lesson if you need to help, for example, a less tech-savvy relative get up to speed on password risks.)

Because Hunt has made the pwned passwords downloadable and queryable via an API — in a way that does not entail the sharing of full passwords with third parties.

And this is what 1Password is using to power its new pwnage check.

Cloudflare gets some credit here too. After Hunt created the password database, he says he was contacted by a Cloudflare developer, Junade Ali, who wanted to make use of the database to improve password security but also wanted to incorporate an anonymity model to enable validation of leaked passwords without risking passwords being leaked in the process.

Ali has blogged here about the approach he took, using a mathematical property called k-anonymity — and both Hunt and 1Password are using this method to enable password checks against Pwned Passwords that don’t share the full hash of the password being checked (which would be a bad idea because it could create a breach risk).

“[O]ur approach adds an additional layer of security by utilising a mathematical property known as k-Anonymity and applying it to password hashes in the form of range queries,” writes Ali. “As such, the Pwned Passwords API service never gains enough information about a non-breached password hash to be able to breach it later.”

Only the first five characters of the 40-character SHA-1 hash of the password to be validated are sent to the server hosting the password database, which then returns a list of leaked password hashes that begin with the same five characters. After that it’s just a trivial local comparison between the full hashed password and the returned list to see whether or not there’s a match; neither the password nor its full hash ever leaves the client.
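A small offline model of the range query described above, written for this article as an added example rather than code from 1Password or Hunt’s service: the hash is SHA-1 as the article states, while the breach counts and the one-line-per-suffix response format are constructed stand-ins. The server object records every prefix it receives so you can confirm that only five characters ever reach it.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample of "breached" passwords with made-up breach counts.
# It stands in for the half-billion-entry Pwned Passwords corpus; the
# counts are not the service's real figures.
CONSTRUCTED_BREACHED_PASSWORDS: Dict[str, int] = {
    "password": 42,
    "123456": 7,
    "letmein": 1,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as 40 upper-case hex characters, the form the
    article says Hunt stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-character digest into the 5-character prefix that is sent
    to the server and the 35-character suffix that stays on the client."""
    if len(full_hash) != 40 or not set(full_hash) <= HEX_DIGITS:
        raise ValueError("expected a 40-character upper-case SHA-1 hex digest")
    return full_hash[:5], full_hash[5:]


class RangeServer:
    """Server side of the range query (constructed stand-in). Stores hashes
    indexed by prefix and records every prefix it is asked about, so a test
    can confirm that no full hash ever reaches it."""

    def __init__(self, breached: Dict[str, int]) -> None:
        self._index: Dict[str, List[str]] = {}
        self.prefixes_seen: List[str] = []
        for pwd, count in breached.items():
            prefix, suffix = split_hash(sha1_hex(pwd))
            self._index.setdefault(prefix, []).append(f"{suffix}:{count}")

    def range_query(self, prefix: str) -> str:
        """Answer a lookup for one prefix: one '<suffix>:<count>' line per
        stored hash that starts with it. All the server learns is the prefix."""
        if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be exactly 5 hex characters")
        self.prefixes_seen.append(prefix)
        return "\r\n".join(self._index.get(prefix, []))


def check_password(password: str, query: Callable[[str], str]) -> int:
    """Client side. Returns the breach count for the password, or 0 when its
    suffix is absent from the returned range. The comparison happens locally,
    so the plaintext and the full hash never leave this function."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in query(prefix).splitlines():
        candidate, sep, count = line.partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def demo() -> Dict[str, int]:
    """Run the check for a few candidate passwords against the sample corpus."""
    server = RangeServer(CONSTRUCTED_BREACHED_PASSWORDS)
    results = {pwd: check_password(pwd, server.range_query)
               for pwd in ("password", "123456", "correct horse battery staple")}
    # The server only ever learned 5-character prefixes, never a full hash.
    assert all(len(p) == 5 for p in server.prefixes_seen)
    return results


if __name__ == "__main__":
    for pwd, count in demo().items():
        verdict = f"seen {count} time(s) in breaches" if count else "not found"
        print(f"{pwd!r}: {verdict}")
```

As the article notes, a count of 0 here only means the password is absent from this corpus, not that it has never been compromised.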

Of course even if there is no match found during a pwnage check it does not absolutely guarantee the password you want to use hasn’t been breached or compromised in some way. But it’s at very least a way of weeding out passwords that absolutely have been breached — and nudging users away from reusing insecure credentials. A horrible practice which, er, has sometimes even caught out some very techie people.

1Password says the password check service is available now to everyone with a 1Password membership. To check their passwords users need to sign into their account on 1Password.com, then click “Open Vault” to view their items and then click an item to see its details.

After that it says they need to enter the keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept, and then they can click the new “Check Password” button which appears next to the password.

Hunt has flagged a number of other services which have also incorporated the “first generation of Pwned Passwords” on his blog, including some which will entirely block password reuse, adding: “My hope is that they inspire others to build on top of this data set and ultimately, make a positive difference to web security for everyone.”

To be clear, he’s made the Pwned Passwords database and API freely available. Further burnishing his good guy credentials.

“All those models are free, unrestricted and don’t even require attribution if you don’t want to provide it, just take what’s there and go do good things with it,” he adds.

Featured Image: Laurence Dutton/Getty Images

Momo buys Tantan, China’s Tinder, for $600M as Chinese social networks consolidate


WeChat is far and away the biggest messaging platform in China at the moment, and that is helping to drive a push among the smaller players to get together for better scale. Today, Momo, the Chinese location-based social networking app that has more recently made a big push into dating services and is traded on Nasdaq with a market cap of around $6 billion, announced that it has acquired Tantan, China’s top dating app, for $600.9 million in an all-cash deal.

It’s not clear how that price compares to Tantan’s pre-exit valuation: it had never disclosed the number. Overall, Tantan had raised $120 million, including a $70 million round last year from a mix of strategic and financial investors. Its backers included DST Global, Kleiner Perkins, video social network YY, Genesis Capital, SAIF China, Zhongwei, DCM and Bertelsmann.

We’d actually heard rumors of this acquisition recently, so it’s not coming as a complete surprise.

WeChat has in a way written the playbook in China for how to leverage a popular social platform to move into other services and it seems that would-be competitors are following suit. Other notable moves and exits in recent years have included Alibaba buying Youku Tudou and also investing heavily in WeChat competitor Weibo; selfie-making app Meitu going public and Meituan Dianping making a move into transportation. For its part, Momo had been moving into streaming services but with government pressure over the content of these services, going to its dating roots may have felt like a safer bet for now.

And the deal will indeed give Momo a big boost in its own dating business. Tantan said that it has enabled 5 billion matches since launching in 2015. (As a point of comparison, Tinder — one of the leading dating apps in the West — says that it has enabled at least 8 billion matches since its launch in 2012.)

This does not signal a shift for Momo into dating exclusively (sorry for the pun), but to double down on one of the more successful ways that it’s diversified its business.

“Our core position will continue to center on social networking and this acquisition enriches our product line in the social space,” said Yan Tang, chairman and CEO of Momo, in a statement. “We will continue to invest and incubate more sub-brands to serve the social and entertainment needs of different demographics. Tantan has become widely recognized within a short period of three years since its inception, which is largely attributable to the outstanding performance of its talented team. We also respect Tantan’s product strategy that focuses on the customer experience of female users. After the acquisition, the Tantan team will continue to operate the mobile apps under the Tantan brand with our full support.”

Indeed, you can see this as similar to the strategy taken by IAC, which operates a number of dating apps alongside Tinder, such as Match.com and OKCupid.

For Tantan, the deal will give the company not just a funding boost but potentially some economies of scale in its developer backend and other areas of its business. “Momo and Tantan have their own strengths in their respective markets and among targeted customers,” said Yu Wang, chairman and CEO of Tantan, in his own statement. “The acquisition is a critical strategic upgrade to cover a greater range of user demographics and needs, and build up a larger social networking market through complementary businesses and strategic synergy. We are very confident in our future development.”

Additional reporting by Jon Russell (not this Jon Russell).

Trump says violent video games ‘shape’ young minds

Image: screenshot from Call of Duty (image copyright Activision)

President Trump has vowed to "do something" about the violence in games and films watched by younger people.

In a meeting at the White House on school safety, President Trump said the violence played a role in shaping the way people saw the world.

The meeting was held the week after a school shooting in Florida in which 17 people died.

Some experts disputed the link between games and violence, saying research showed no connection between the two.

'Desensitised people'

In comments made during the meeting, President Trump condemned the violence in video games saying: "We have to do something about maybe what they are seeing and how they are seeing it.

"I'm hearing more and more people say the level of violence on video games is really shaping young people's thoughts," he said.

Mr Trump also spoke about violence in films and the ease with which young people can see films in which "killing is involved".

Despite hinting at action on violence in video games and movies, President Trump did not go into detail about what would be done.

The president's comments came soon after those of Kentucky's governor who said violent games "celebrated death".

Last week, Kentucky Governor Matt Bevin, reacting to the Florida shooting, also singled out video games as an influence on the way younger people viewed the world.

Many games "celebrate the slaughter of people", said Mr Bevin.

He added: "They have desensitised people to the value of human life, to the dignity of women, to the dignity of human decency. We're reaping what we've sown here."

Image (copyright EPA): The White House meeting involved survivors of the Florida shooting

'Noise and bluster'

In response Ethan Gach, a reporter at video games news site Kotaku, said video games were often blamed in the wake of mass shootings in the US.

"It's a familiar scapegoat many of us have been hearing for decades, one which often acts like a smokescreen to deflect responsibility away from the Second Amendment and lax gun laws."

John Walker, from games news site Rock Paper Shotgun, told the BBC that it was "disheartening" to hear politicians link video game violence to real world events when research has consistently shown no link.

He said: "The reason this matters, the reason why blaming games for such terrible tragedies against all reasonable proof is so horrifically serious, is it distracts us from identifying and addressing the real causes.

"Statements such as Trump's are easy, lazy get-outs, noise and bluster to keep people in a position of responsibility from actually doing the difficult, complex, long-term things that might actually help," said Mr Walker.

Samsung saves Opera Max browser app from the deadpool


Opera Max lives on after Samsung acquired the mobile browser to save it from oblivion.

The browser was one of the first data-friendly mobile browsers and it later added privacy-focused settings, including safeguards against insecure WiFi connections and a VPN. The popular app clocked up more than 500,000 installs, but that didn’t stop parent company Opera — which is owned by a consortium of Chinese firms — from announcing its closure last year.

“Opera has now decided to discontinue Opera Max. The product had a substantially different value proposition than our browser products, and represented a different focus for Opera,” it wrote at the time. “We, therefore, focus on our browsers and other upcoming services.”

Step forward Samsung, which said today that it has picked up the service and turned it into ‘Samsung Max’ — as first spotted by VentureBeat.

Screenshots of Samsung Max for Android

Opera Max users will get an update that brings them over to the now-Samsung-owned version, while other users can get their hands on the Android app or check the Galaxy Apps store. Bad news, though: it’ll only be available on Samsung phones rather than all Android devices, as had previously been the case.

In addition, Samsung plans to preload the app on its devices in a number of emerging markets: Argentina, Brazil, Indonesia, Mexico, Nigeria, South Africa, Thailand and Vietnam.

“At Samsung, we’ve been committed to creating inclusive data saving and privacy protection services for all our devices. Because of this, we are now introducing Samsung Max to our mid-range devices as an exclusive and unique service that sets Samsung devices apart from the rest of the smartphone market,” Seounghoon Oh, VP of Samsung R&D Institute India, said in a statement.

It’s unclear how much Samsung paid for the service, if anything at all, but you’d imagine it wasn’t a lot since it was destined for closure.

BT told to share poles for fibre broadband

Image: home with telegraph pole (image copyright Getty Images)

BT must make it easier for rival internet providers to use its telegraph poles, telecoms regulator Ofcom says.

Ofcom has published a list of new measures to make it cheaper for companies to install ultrafast full fibre broadband infrastructure.

Connecting homes directly to the fibre network delivers much faster internet speeds than copper cables.

Rivals Talk Talk and Hyperoptic welcomed the announcement. BT said it was "considering the implications".

What are the new measures?

Ofcom says full fibre internet is currently available to 3% of UK homes and offices. It hopes to see 6 million buildings connected by 2020.

It said BT must make it easier for rivals to install fibre on its telegraph poles and in its underground tunnels.

It wants a clearer map of where there is capacity on the telegraph poles and in the tunnels for rivals to do so.

Ofcom suggested streets could be connected to full fibre in "hours" rather than days, as companies would no longer have to dig up roads to lay fibre.

It estimated that sharing infrastructure would halve the cost of connecting a home to full fibre - from £500 to £250.

Additionally, BT will be banned from reducing its wholesale prices in areas where rival networks are starting to lay infrastructure.

Openreach, which maintains most of the UK's telephone lines, will be ordered to repair faulty infrastructure and clear the way for competitors to access its tunnels.

"Openreach must ensure there is space on its telegraph poles for extra fibre cables connecting homes to a competitor's network," Ofcom said in a statement.

How have BT and Openreach reacted?

BT said it had "noted" the publication of Ofcom's proposals.

In a statement, it said the changes would have an "adverse financial impact on Openreach's revenue and profit" in the region of £80m to £120m.

Addressing the restriction on varying its wholesale prices, BT said it was "considering the implications for full and fair competition".

Openreach said Ofcom's statement gave the company "certainty on their approach".

But it said it had already been letting rival companies use its telegraph poles and tunnels.

"Our ducts and poles have been open since 2011 and we have been sharing a digital map of this network for more than a year," it said in a statement.

It added that telecoms firms needed to "be certain they can secure a return on their investment" if a nationwide rollout of full fibre was to be realised.

How have telecoms companies reacted?

Talk Talk said the announcement was "good for consumers, competition and investment". Hyperoptic said the move would strengthen the business case for investment in full fibre networks.

"This will ultimately create a better digital future for the UK, not just serve the interests of BT retail," said Hyperoptic chief executive Dana Tobak.

Consumer magazine Which? said the changes needed to be made more quickly.

"Consumers are crying out for better broadband... steps to ensure more investment in this vital service can't come soon enough," said spokeswoman Alex Neill.

The trouble knowing how much screen time is ‘OK’

Image (copyright Getty Images): A boy looks at a tablet. A Unicef review of research found digital technology can benefit some children

Concerns about the harm caused by "too much" screen time - particularly when it is spent on social media - are widespread. But working out what a "healthy" amount might be is far from easy.

Headlines rarely soothe nerves.

Apple's Tim Cook recently said he would not want his nephew on a social network, while child health experts wrote to Facebook warning excessive use of digital devices and social media "is harmful to children and teens".

There are many other such examples.

Some negative experiences on social media - like bullying, or becoming worried about how your appearance compares to others - can and do affect some children and young people.

However, this does not mean that technology use in general is harmful and it is difficult to make claims about how it will affect different people.

Indeed, some studies suggest that using social media can bring benefits, or have no effect on wellbeing at all.

An inquiry into the impact of social media and screen use on young people's health was announced this week by UK MPs, who hope to separate "understandable concerns from the hard evidence".

For now, anyone thinking about how much time using screens and social media is "OK" will ultimately have to make a personal judgement.


Consider the picture painted by a Unicef review of existing research into the effects of digital technology on children's psychological wellbeing, including happiness, mental health and social life.

Rather than stating that social media was harmful, it suggested a more complex effect.

The Unicef report highlighted a 2017 study by my colleagues at the University of Oxford that examined 120,000 UK 15-year-olds.

Among those teenagers who were the lightest users, it was found that increasing the time spent using technology was linked to improved wellbeing - possibly because it was important for keeping up friendships.

In contrast, among the heaviest users of technology, any increase in time was linked to lower levels of wellbeing.

The researchers suggested that for those teens, technology use might get in the way of taking part in other important activities.

The point at which the use of technology flips from having a positive effect to a negative effect was different for each category at which the researchers looked.

For example, more than two hours of smartphone use on a weekday, and more than four hours on a weekend day, was linked to lower wellbeing.

This effect, however, was small and only predicted 1% of a teenager's wellbeing.

The researchers suggested that the positive effect of regularly eating breakfast, or getting a proper night's sleep, was three times stronger.

Overall, the Unicef study suggested that some screen time could be good for children's mental wellbeing.

"Digital technology seems to be beneficial for children's social relationships," it said. The impact on physical activity levels, however, was "inconclusive".


Similar trends for technology's effects on wellbeing were found in a subsequent study among large numbers of teenagers in the US.

However, the researchers warned that social media and technology use negatively affects teenage wellbeing.

The findings made headlines.

One of the authors, professor of psychology Jean Twenge, suggested "excessive" use of devices was the problem.

But again, the effects were small, with the positive effects of exercise being more significant.

In contrast to the authors of the Oxford study, Dr Twenge recommends less screen time for children.

"Half an hour, an hour a day, that seemed to be the sweet spot for teen mental health in terms of electronic devices," she said.

A broader look at evidence provided by some other high quality studies again suggests the story is not clear-cut.

An early study in 2013 looked at how the television and video game habits of 11,000 UK five-year-olds affected them two years later.

It is one of few studies actually tracing the effects of technology over time.

It suggested that, compared with children who watched one hour of television or less on a weekday, a small increase in conduct problems was seen among those who watched more than three hours each day.

Playing electronic games, however, was not seen as leading to a greater risk of hyperactivity, or friendship or emotional problems.

Image (copyright Getty Images): Parents will need to use their own judgement on how much screen time is "OK"

So how much time should we, or our children, spend looking at screens?

It is difficult to be precise as different people spend time online in such different ways.

For example, someone enjoying their time chatting with friends is using social media very differently to someone worrying about their own life as they flick through contacts' photos.

It appears to be the case that much of the debate about social media oversimplifies the reality.

A useful comparison might be with sugar.

Broadly speaking, people agree that excessive amounts of sugar can be bad for your health.

But the effect it might have can depend on many factors, from the type of sugar - fruit, or refined; to the person - athlete, or diabetic; and the amount - one gram, or many.

We would not readily trust anyone who claims to predict how someone is affected by consuming one gram of sugar.

The same could be said for social media usage: the outcomes depend on so many factors that only very crude predictions are possible.

Research about social media can sometimes help us navigate the debate, but concrete evidence does not yet exist.

This situation could improve significantly as more research is conducted in the coming years.

But for now, we will need to rely on our own judgements to decide about just how much time we - and our children - spend on social media.

About this piece

This analysis piece was commissioned by the BBC from an expert working for an outside organisation.

Amy Orben is researching the effects of social media on human relationships at the University of Oxford. Follow her @OrbenAmy

Edited by Duncan Walker