1Password bolts on a ‘pwned password’ check


Password management service 1Password has a neat new feature that lets users check whether a password they’re thinking of using has already been breached. At which point it will suggest they pick another.

This is in addition to the more usual password strength indicator bar that tries to encourage web users to improve their security practices. The pwnage check builds on that by further reducing the risk of password reuse because it’s verifying if the specific password has appeared in a number of known data breaches.

Here’s a video of the new feature in action:

[embedded content]

To power the feature, 1Password is leaning on Pwned Passwords, a service launched by Troy Hunt last summer, and updated this month with a chunk more password data. It now contains around half a billion downloadable passwords, harvested by Hunt from various online dumps resulting from all sorts of different data breaches. The passwords in the database are stored as SHA-1 hashes rather than in plain text, each with a count of how many times it appeared in the source breaches.

Hunt is best known for creating the Have I Been Pwned? breach notification service. And indeed it was through running that free online check, which lets people sign up to be informed if/when their email address surfaces in a data breach, that the idea for Pwned Passwords came about — as he says one of the most common reactions to people being informed their email had been found in a breach was to ask if they could also check whether their password had been breached.

Thing is, knowing your data has been found among millions of breached credentials, which you’re told includes emails and passwords, but not knowing exactly what was compromised in your case can feel frustrating. Although changing your password is always the sensible thing to do in such a situation.

And while Hunt has always resisted calls to make breached plain text passwords searchable (for obvious security and privacy reasons), the size of modern data breaches — which can almost routinely involve multi-millions of users these days — has demonstrably ramped up pressure on Have I Been Pwned? to also offer some sort of check for pwned passwords too.

Although, to be clear, Hunt’s Pwned Passwords web form is not intended for people to check the passwords they actually use. Because no one should be typing a live password into a third-party service, even one run by such a demonstrably good guy.

(Hunt himself makes this point, writing: “[D]on’t enter a password you currently use into any third-party service like this! I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should be using any more.”)

But he has done something much more useful and interesting than simply providing an amusing way to find out that “password” has been used as a password more than 3.3 million times in this database. Or that “123456” has been used over 20.7M times. (Which can itself provide a handy ‘security 101’ lesson if you need to help, for example, a less tech-savvy relative get up to speed on password risks.)

Because Hunt has made the pwned passwords downloadable and queryable via an API — in a way that does not entail the sharing of full passwords with third parties.

And this is what 1Password is using to power its new pwnage check.

Cloudflare gets some credit here too. After Hunt created the password database, he says he was contacted by a Cloudflare developer, Junade Ali, who wanted to make use of the database to improve password security but also wanted to incorporate an anonymity model to enable validation of leaked passwords without risking passwords being leaked in the process.

Ali has blogged here about the approach he took, using a mathematical property called k-anonymity — and both Hunt and 1Password are using this method to enable password checks against Pwned Passwords that don’t share the full hash of the password being checked (which would be a bad idea because it could create a breach risk).

“[O]ur approach adds an additional layer of security by utilising a mathematical property known as k-Anonymity and applying it to password hashes in the form of range queries,” writes Ali. “As such, the Pwned Passwords API service never gains enough information about a non-breached password hash to be able to breach it later.”

Only the first five hex characters of the 40-character SHA-1 hash of the password being validated are sent to the server hosting the database. The server answers with the remaining 35 characters (and the breach count) of every stored hash that begins with those five characters: with half a billion hashes spread over 16^5 possible prefixes, that is a few hundred candidates per query. After that it’s just a trivial local comparison between the client’s own hash suffix and the returned list to see whether or not there’s a match, so the server never learns which candidate (if any) the client cared about.
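To make that exchange concrete, here is a small Python model of the range query. It is added for this page and is not code from 1Password, Cloudflare or Have I Been Pwned: the client hashes the password with SHA-1, sends only the five-character prefix to a simulated server that holds a handful of constructed entries (the counts are rounded from the figures quoted above and are not real Pwned Passwords data), and compares suffixes locally. The function names and the tiny corpus are this example’s own assumptions.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords corpus. The real service holds
# ~500M SHA-1 hashes; this holds a handful so the example runs offline.
# Counts are illustrative (rounded from the article), not HIBP's own numbers.
_BREACHED_PLAINTEXTS = {
    "password": 3_300_000,
    "123456": 20_700_000,
    "qwerty": 3_500_000,
    "letmein": 230_000,
}

_HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus: dict) -> dict:
    """Index the corpus by 5-hex-char prefix -> {35-char suffix: count}."""
    index: dict = {}
    for plaintext, count in corpus.items():
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


SERVER_INDEX = build_server_index(_BREACHED_PLAINTEXTS)


def server_range_query(prefix: str, index: dict = SERVER_INDEX) -> list:
    """Simulated server side of the range API (hypothetical stand-in).

    Accepts only a 5-hex-char prefix and returns 'SUFFIX:COUNT' lines for every
    stored hash sharing that prefix. The server never receives the full hash,
    let alone the password, so it cannot tell which line the client wanted.
    """
    if len(prefix) != 5 or any(c not in _HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    bucket = index.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def client_check(password: str, query=server_range_query) -> tuple:
    """Client side: hash locally, send only the prefix, compare locally.

    Returns (count, prefix_sent). count is how many times the password appears
    in the corpus (0 if absent); prefix_sent is the only data that left the
    client, kept so a caller can verify what was actually disclosed.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix):
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:  # local match; server never sees this result
            return int(count), prefix
    return 0, prefix


if __name__ == "__main__":
    for candidate in ("password", "123456", "correct horse battery staple"):
        count, sent = client_check(candidate)
        verdict = f"seen {count:,} times" if count else "not in corpus"
        print(f"{candidate!r}: sent prefix {sent}, {verdict}")
```

Against the real service the `query` callable would issue `GET https://api.pwnedpasswords.com/range/{prefix}` and split the response body on newlines; everything else, in particular the suffix comparison, stays on the client exactly as above. Note that a miss only says the password is absent from this corpus, not that it has never been breached.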

Of course even if there is no match found during a pwnage check it does not absolutely guarantee the password you want to use hasn’t been breached or compromised in some way. But it’s at very least a way of weeding out passwords that absolutely have been breached — and nudging users away from reusing insecure credentials. A horrible practice which, er, has sometimes even caught out some very techie people.

1Password says the password check service is available now to everyone with a 1Password membership. To check their passwords users need to sign into their account on 1Password.com, then click “Open Vault” to view their items and then click an item to see its details.

After that it says they need to enter keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept, and then they can click the new “Check Password” button which appears next to the password.

Hunt has flagged a number of other services which have also incorporated the “first generation of Pwned Passwords” on his blog, including some which will entirely block password reuse, adding: “My hope is that they inspire others to build on top of this data set and ultimately, make a positive difference to web security for everyone.”

To be clear, he’s made the Pwned Passwords database and API freely available. Further burnishing his good guy credentials.

“All those models are free, unrestricted and don’t even require attribution if you don’t want to provide it, just take what’s there and go do good things with it,” he adds.

Featured Image: Laurence Dutton/Getty Images

Momo buys Tantan, China’s Tinder, for $600M as Chinese social networks consolidate


WeChat is far and away the biggest messaging platform in China at the moment, and that is helping to drive a push among the smaller players to get together for better scale. Today, Momo, the Chinese location-based social networking app that has more recently made a big push into dating services and is traded on Nasdaq with a market cap of around $6 billion, announced that it has acquired Tantan, China’s top dating app, for $600.9 million in an all-cash deal.

It’s not clear how that price compares to Tantan’s pre-exit valuation: it had never disclosed the number. Overall, Tantan had raised $120 million, including a $70 million round last year from a mix of strategic and financial investors. Its backers included DST Global, Kleiner Perkins, video social network YY, Genesis Capital, SAIF China, Zhongwei, DCM and Bertelsmann.

We’d actually heard rumors of this acquisition recently, so it’s not coming as a complete surprise.

WeChat has in a way written the playbook in China for how to leverage a popular social platform to move into other services and it seems that would-be competitors are following suit. Other notable moves and exits in recent years have included Alibaba buying Youku Tudou and also investing heavily in WeChat competitor Weibo; selfie-making app Meitu going public and Meituan Dianping making a move into transportation. For its part, Momo had been moving into streaming services but with government pressure over the content of these services, going to its dating roots may have felt like a safer bet for now.

And the deal will indeed give Momo a big boost in its own dating business. Tantan said that it has enabled 5 billion matches since launching in 2015. (As a point of comparison, Tinder — one of the leading dating apps in the West — says that it’s enabled at least 8 billion matches since its launch in 2012.)

This does not signal a shift for Momo into dating exclusively (sorry for the pun), but to double down on one of the more successful ways that it’s diversified its business.

“Our core position will continue to center on social networking and this acquisition enriches our product line in the social space,” said Yan Tang, chairman and CEO of Momo, in a statement. “We will continue to invest and incubate more sub-brands to serve the social and entertainment needs of different demographics. Tantan has become widely recognized within a short period of three years since its inception, which is largely attributable to the outstanding performance of its talented team. We also respect Tantan’s product strategy that focuses on the customer experience of female users. After the acquisition, the Tantan team will continue to operate the mobile apps under the Tantan brand with our full support.”

Indeed, you can see this as similar to the strategy taken by IAC, which operates a number of dating apps alongside Tinder, such as Match.com and OKCupid.

For Tantan, the deal will give the company not just a funding boost but potentially some economies of scale in its developer backend and other areas of its business. “Momo and Tantan have their own strengths in their respective markets and among targeted customers,” said Yu Wang, chairman and CEO of Tantan, in his own statement. “The acquisition is a critical strategic upgrade to cover a greater range of user demographics and needs, and build up a larger social networking market through complementary businesses and strategic synergy. We are very confident in our future development.”

Additional reporting by Jon Russell (not this Jon Russell).

Is Uber selling its Southeast Asia business to Grab?


If you read the tech press, you might have seen reports that Uber is pursuing a sale in Southeast Asia that would see Grab, its Singapore-headquartered rival valued at $6 billion, acquire Uber’s business in the region.

Rumors of such a tie-in have been rife for a while. Uber sold its China business in exactly such an arrangement in 2016, and it made a similar exit from Russia last year. In both cases, the firm’s motivation was to purportedly shape up for a potential IPO by offloading loss-making units that had lost the local market.

Why not, then, extend that into Southeast Asia and sell to Grab?

There is competition.

Reliable data is hard to come by, but it is fairly widely accepted that Uber, once the leader in Southeast Asia, has dropped behind Grab across the region as a whole, while both companies trail local startup Go-Jek — a unicorn itself, too — in Indonesia, the only market Go-Jek operates in.

There are challenges.

Despite a cumulative population of more than 600 million people, Southeast Asia’s ride-sharing business did just $5.1 billion last year, according to estimates from a report authored by Google and investment firm Temasek. Uber is not expected to be profitable in the region “in the near future,” CEO Dara Khosrowshahi said last year.

There is the motivation.

Uber and Grab share a common investor in SoftBank. The Japanese firm first backed Grab back in 2014, and it recently pumped in $2 billion in fresh capital alongside China’s Didi Chuxing — the company that bought Uber China and, by virtue of that deal, is also an Uber stockholder. SoftBank, of course, secured a much-publicized investment in Uber in January.

Pitting two of its portfolio together in a loss-making market probably doesn’t make sense to SoftBank at this point.

Someone, somewhere, seems very keen to make a deal happen, and so we have the reports.

Last week, CNBC cited two people “with knowledge of the matter” who said that Uber “is preparing to sell Southeast Asia unit to Grab.”

The news was widely re-reported by a number of other media. But if you skip down to the second line of the original CNBC article, the transaction seems less definitive than the title suggests.

“No deal has been reached yet, and the timing of any such deal is uncertain,” CNBC reporter Alex Sherman wrote.

Uber and Grab both declined to comment on the report when we asked.

The Grab office in Singapore

The deal can make sense in financial terms, as above, but in practice there are certainly some question marks.

Uber may have fallen behind Grab, but it still has the brand. Uber invented ride-hailing, and with some investment it could continue to hold a sizable market share, if not close the gap.

The word Uber is already a verb to many people, such is the company’s profile, and that isn’t just limited to the English language. The huge amount of consumer awareness that Uber trades on, even when its competitors push hard with discounts, marketing and other strategies, is very much alive in Southeast Asia.

The market in the region is tipped to grow massively.

The same Google-Temasek report noted that the ride-hailing market in Southeast Asia has grown four-fold since 2015 and it is tipped to reach $20.1 billion by 2025. More generally, Southeast Asia is now the world’s third-largest region for internet users — with more people online than the entire U.S. population — with upwards of 3.8 million people coming online for the first time each month.

It might be hasty for Uber to retreat at this time. Certainly, the chips are down and things have been better, but the game is far from lost, as it was in China, where Uber had little mainstream recognition and was spending over $1 billion just to try to keep up with Didi.

There hasn’t been much of a reaction to the reports from Uber, but this week Khosrowshahi — who was in India as part of his first Asia tour with Uber — made a series of bullish comments that seemed to reaffirm a commitment to Southeast Asia, according to Reuters.

“We expect to lose money in Southeast Asia and expect to invest aggressively in terms of marketing, subsidies etc,” Khosrowshahi told reporters in New Delhi, adding there is huge potential in the region thanks to a big population and fast internet user growth.

You could, of course, offer a counter argument that Khosrowshahi is playing hard to get or making negotiations with Grab tougher. But the Uber CEO also pointed out to press that SoftBank is just one shareholder and thus its aims and objectives don’t dictate the path that the company will take.

From Reuters again:

Khosrowshahi said SoftBank is an investor but Uber, which has a valuation of around $68 billion, will take any final decisions along with the board on mergers and partnerships.

There has certainly been some suspicion that the leaks may be coming from the investor side of Uber/Grab, given the benefits that consolidation might bring. The fact that these leaks have intensified since SoftBank became interested in an Uber investment certainly gives credence to that theory.

Indeed, SoftBank board member Rajeev Misra — who joined the Uber board following the investment — told the Financial Times that Uber should focus on Western markets and cut its losses in emerging regions.

Is SoftBank the source of these new leaks? You can draw your own conclusions.

So, while a deal might make some sense on paper, reports of an imminent acquisition seem wide of the mark. That said, this is the ride-hailing industry, and anything can happen.

Featured Image: ANTHONY WALLACE/Getty Images

Nissan and DeNA will begin testing a self-driving taxi service in Japan next month


Nissan Motor and DeNA announced today that field tests of Easy Ride, the self-driving taxi service they developed together, will begin next month in Japan. This means that Nissan and DeNA now rank among Uber, Lyft, GM, Didi Chuxing and other companies pioneering self-driving taxi pilots, with the goal of launching commercially within the next few years.

DeNA is a Tokyo-headquartered online services company that is probably best known outside of Japan for a partnership with Nintendo that has produced mobile games like “Fire Emblem Heroes.” Its other services, however, encompass a wide range of verticals, including e-commerce, entertainment, healthcare, social networking and automotive tech. Two years ago, DeNA launched its first production vehicles with French autonomous vehicle company EasyMile, which are used to provide a driverless shuttle service called Robot Shuttle in Japanese cities.

Easy Ride’s first field test will begin on March 5 in Yokohama, the city to the south of Tokyo where Nissan’s global headquarters are located. Its self-driving taxis, which the companies call “robo-vehicles,” will take passengers along a 4.5 kilometer set route between the Yokohama World Porters shopping center and Nissan’s corporate complex. During the ride, passengers can try out Easy Ride’s concierge features by using a mobile app to ask for suggestions about local sightseeing destinations, which are then displayed on an in-car tablet screen, with coupons available for download. A remote monitoring center will oversee the cars during the field test and passengers will be asked after their ride to complete a survey about their experiences and how much they would be willing to pay for Easy Ride when it launches.

Nissan is one of several Japanese automakers that want to get self-driving vehicles on the road by the beginning of the next decade, motivated by the country’s aging population, which needs more transportation options, and the 2020 Summer Olympics in Tokyo. Prime Minister Shinzo Abe has said he wants self-driving vehicles to help with transportation during the games and also serve as a showcase for Japan’s manufacturing and technological prowess. The government is currently in the process of drawing up laws meant to make the process of testing and commercializing autonomous vehicle systems more efficient.

Nissan and DeNA say they plan to launch full service of Easy Ride in the early 2020s, after a limited rollout. The field tests will be used to “develop service designs for driverless environments, expanded service routes, vehicle distribution logic, pick-up/drop-off processes and multilingual support,” the companies said in a release.

The taxi industry in major Japanese cities like Tokyo is heavily regulated and cab drivers are required to have special licenses, so companies there must focus on other services instead of ride-sharing. For example, earlier this week Sony announced that it will launch an AI-based taxi-calling app, while Uber chief executive officer Dara Khosrowshahi said the company wants to form partnerships with taxi companies to put new life into its Japanese expansion strategy.

Featured Image: Bloomberg/Getty Images

Angry Birds maker craters on bad guidance, losing half its market value


Angry Birds maker Rovio’s stock price cratered after its latest quarterly earnings report painted a dismal future for the game maker. The stock is down 50 percent after the company warned investors in that report that revenues were likely to suffer in 2018.

Despite a heavy overreliance on the Angry Birds brand, which seems to have been integrated into any and every licensing deal possible over the past few years, the 15-year-old Rovio is still making moves. The company had $365 million (297.2 million euros) in revenues in 2017, a 55 percent increase over the previous year, as the game-maker made more money off of its titles and brand licensing deals.

The strong reaction today was the result of investors feeling misled by the optimism of the company’s earlier forward guidance. Rovio, which is listed on Finland’s main stock exchange in Helsinki, forecast that its 2018 revenues would likely sink below the previous year’s and that profits may dip as well, as user acquisition costs have risen and the outlook has become more uncertain.

Game developers that strike it rich off a single title have historically had a rough go as public companies. Rovio was valued at $1 billion preceding its IPO late last year, but the going has been rough since, with its market cap now sitting below $500 million.

Featured Image: John Lamparski/WireImage/Getty Images

Apple devices are butt dialing 911 from its refurbishing facility – 20 times per day


Since October, emergency responders in Elk Grove and Sacramento County, California have received over 1,600 false alarm 911 calls coming from an Apple repair and refurbishing site in the area.

It’s not clear if the calls are coming from Apple’s iPhones or Watches but each time a call originates out of the Elk Grove facility, there’s no one on the other end of the line and it’s gumming up the emergency response system in the area, draining resources and possibly slowing down response teams in actual emergencies.

“The times when it’s greatly impacting us is when we have other emergencies happening and we may have a dispatcher on another 911 call that may have to put that call on hold to triage the incoming call,” police dispatcher Jamie Hudson told Sacramento CBS Local News, which first reported these incidents.

The Sacramento County Sheriff’s Department says it has also received these false calls, telling CBS Local dispatchers sometimes heard technicians in the background.

iPhones and Apple Watches are easily triggered to call emergency response services with an accidentally long touch of a button. iPhone X, iPhone 8, or iPhone 8 Plus call up the SOS emergency service by holding down the side button and one of the volume buttons for an extended period. The Watch triggers a call to 911 just by pressing and holding the side button.

Though Apple Watches and iPhones make it easier for individuals to get hold of 911 dispatchers quickly, the Watch’s accidental calls issue has been a known problem for a while now. In early 2017, Tolland County, Connecticut emergency responders reported a series of accidental calls coming from Apple Watches in the Tolland and Hartford areas. Earlier this month, a dispatcher in Ottawa County, Michigan told Newsweek his local branch had been receiving accidental butt dials from Apple Watches at least 10 times a day.

Apple has told CBS Local it was aware of the problem and was “working closely with local law enforcement to investigate the cause and ensure this doesn’t continue.”

We’ve reached out to Apple to find out what specific measures it is taking to stop these false alarm calls from causing havoc on the emergency systems in the area and possibly slowing down responders from getting to a real life and death situation. So far, we have yet to hear back but will be sure to update you when we do.