1Password Warns You Off Reusing Leaked Passwords
Making sure that we secure our various online identities with unique passwords can be a tough thing to do, but thankfully, we have password managers to help us out with that. These password managers have varying features but at the end of the day should all do the same thing: allow you to organize and store your passwords securely. 1Password is a service that's frequently brought up in discussions about password managers, and today it's adding a neat new feature that should help you make even better password decisions.
Beginning today, 1Password will tell you if the password you're thinking of using for a login has been leaked in the past. In addition to the "Copy," "Reveal," and "Large Type" buttons you usually see next to an entry in your 1Password library, you'll now see a fourth option: "Check Password." You can use this to see if the password you're considering has been leaked in any previous data breaches.
Those who concern themselves with password security likely already know of a similar service called Pwned Passwords. Troy Hunt launched the service last year as a feature of "Have I Been Pwned," a website that allows you to see if your email address has been involved in a leak stemming from a security breach. Pwned Passwords does much the same for passwords, letting you enter a password to see if it's ever been leaked before, something that could drastically decrease that password's security.
Yesterday, Hunt rolled out version 2 of Pwned Passwords, and just over a day later, 1Password has implemented it as the backbone of its new Check Password feature. In a post to the AgileBits blog, the 1Password team explains how it checks your password against Hunt's database of 500 million leaked passwords while still keeping it secure.
Passwords you want checked are hashed with SHA-1, and only the first five characters of that hash are sent to Pwned Passwords. The service then sends back a list of leaked password hashes that match the first five characters of yours, and 1Password compares your password's hash against the ones on that list locally, so neither the password nor its full hash leaves your device. If you get a match, you should consider a different password, because the fact that your desired password has been breached before could make it less secure.
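The exchange described above, sketched as an added example that is not 1Password's or Troy Hunt's code. `MockRangeService` and the sample corpus are constructed stand-ins so the sketch runs offline, and the `SUFFIX:COUNT` response lines are modelled on the public Pwned Passwords range API.

```python
import hashlib

# Constructed stand-in for the breach corpus (password -> times seen); not real data.
CONSTRUCTED_CORPUS = {"password": 3, "hunter2": 7, "letmein": 2}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class MockRangeService:
    """Hypothetical local stand-in for the service side of the exchange."""
    def __init__(self, corpus):
        self.index = {}   # 5-char prefix -> {35-char suffix: count}
        self.seen = []    # everything the service was ever sent
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            self.index.setdefault(digest[:5], {})[digest[5:]] = count

    def range_query(self, prefix: str) -> str:
        # Reject anything that is not exactly five hex characters.
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 upper-case hex characters")
        self.seen.append(prefix)
        bucket = self.index.get(prefix, {})
        return "\n".join(f"{s}:{n}" for s, n in sorted(bucket.items()))

def check_password(password: str, service) -> int:
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = service.range_query(prefix)          # only the prefix leaves the client
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:  # the match is decided locally
            return int(count)
    return 0

if __name__ == "__main__":
    svc = MockRangeService(CONSTRUCTED_CORPUS)
    for pw in ("hunter2", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, svc))
    print("service saw only:", svc.seen)
```

The service's view of each lookup is limited to a five-character prefix shared by many unrelated hashes, which is what keeps the checked password private.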
You can read more about how Pwned Passwords version 2 works over on Troy Hunt's website. 1Password says that it will eventually implement this feature in Watchtower across all of its apps, but for now, it exists as a proof of concept within the browser version of the service.