Password management service 1Password has a neat new feature that lets users check whether a password they’re thinking of using has already been breached. At which point it will suggest they pick another.
This is in addition to the more usual password strength indicator bar that tries to encourage web users to improve their security practices. The pwnage check builds on that by further reducing the risk of password reuse because it’s verifying if the specific password has appeared in a number of known data breaches.
Here’s a video of the new feature in action:
To power the feature, 1Password is leaning on
Hunt is best known for creating the
Thing is, knowing your data has been found among millions of breached credentials, which you’re told includes emails and passwords, but not knowing exactly what was compromised in your case can feel frustrating. Although changing your password is always the sensible thing to do in such a situation.
And while Hunt has always resisted calls to make breached plain text passwords searchable (for obvious security and privacy reasons), the size of modern data breaches — which can almost routinely involve multi-millions of users these days — has demonstrably ramped up pressure on Have I Been Pwned? to also offer some sort of check for pwned passwords too.
Although, to be clear, Hunt’s Pwned Passwords service is not intended for people to check their actual passwords. Because no one should be typing actual passwords into another third party service, even one run by a such a demonstrably good guy.
(Hunt himself makes this point, writing: “[D]on’t enter a password you currently use into any third-party service like this! I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should be using any more.”)
But he’s has done something much more useful and interesting than simply providing an amusing way to find out that “password” has been used as a password more than 3.3 million times in this database. Or that “123456” has been used over 20.7M times. (Which can itself provide a handy ‘security 101’ lesson if you need to help, for example, a less tech-savvy relative get up to speed on password risks.)
Because Hunt has made the pwned passwords downloadable and queryable via an API — in a way that does not entail the sharing of full passwords with third parties.
And this is what 1Password is using to power its new pwnage check.
Cloudflare gets some credit here too. After Hunt created the password database, he says he was contacted by a Cloudflare developer, Junade Ali, who wanted to make use of the database to improve password security but also wanted to incorporate an anonymity model to enable validation of leaked passwords without risking passwords being leaked in the process.
“[O]ur approach adds an additional layer of security by utilising a mathematical property known as k-Anonymity and applying it to password hashes in the form of range queries,” writes Ali. “As such, the Pwned Passwords API service never gains enough information about a non-breached password hash to be able to breach it later.”
Only the first five characters of the 40 character hash of the password to be validated are sent to the server hosting the password database, which then returns a list of leaked password hashes that contain the same five initial characters. After that it’s just a trivial local comparison between the hashed password and the list to see whether or not there’s a match.
Of course even if there is no match found during a pwnage check it does not absolutely guarantee the password you want to use hasn’t been breached or compromised in some way. But it’s at very least a way of weeding out passwords that absolutely have been breached — and nudging users away from reusing insecure credentials. A horrible practice which, er, has sometimes even
1Password says the password check service is available now to everyone with a 1Password membership. To check their passwords users need to sign into their account on 1Password.com, then click “Open Vault” to view their items and then click an item to see its details.
After that it says they need to enter keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept, and then they can click the new “Check Password” button which appears next to the password.
Hunt has flagged a number of other services which have also incorporated the “first generation of Pwned Passwords” on
To be clear, he’s made the
“All those models are free, unrestricted and don’t even require attribution if you don’t want to provide it, just take what’s there and go do good things with it,” he adds.
Featured Image: Laurence Dutton/Getty Images