1Password uses first five characters of a hash to compare passwords to breaches.
Security researcher Troy Hunt this week announced his new version of “Pwned Passwords,” a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API.
Within a day, the company AgileBits had integrated Hunt’s new tool into the 1Password password manager. AgileBits’ announcement describes how it works:
Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.
To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
Customers with 1Password.com accounts can already use the tool in a Web browser. You’ll need to input “Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.” After that, a “Check Password” button will appear next to your passwords.
“Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database,” AgileBits CEO Jeff Shiner wrote. “If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.”
1Password also has many customers who bought the desktop or mobile apps but haven’t subscribed to the newer online service. They can’t use the tool just yet, but they will apparently gain access to it in the future. “In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day,” Shiner wrote.
Providing the feature to 1Password users who don’t use the company’s cloud service “is certainly our intention at this point,” AgileBits “Chief Defender Against the Dark Arts” Jeffrey Goldberg told Ars today. ” There is nothing in this particular feature that makes use of the technology that is specific to what is done through the 1Password.com service. But we won’t know what snags we run into until we start development for the native clients.”
“We were able to introduce what is really just a proof of concept in our Web client in a day because it is much quicker to prototype and deploy things there than in native clients,” Goldberg also said.
Future versions might also add the ability to “see all your pwned passwords at a glance.”
Hunt praised AgileBits after seeing the end result.
“I’m so impressed with what they’ve done here; I launched this service only 27 hours ago and they’ve already pushed this out,” Hunt tweeted yesterday. “They had no prior knowledge I was doing this, they just got hands on tools right away and made it happen. That’s awesome.”
Hey, you know what would be cool? If @1Password was to integrate with my newly released Pwned Passwords k-Anonymity model so you could securely check your exposure against the service (it’d have to be opt in, of course). Oh wow – look at this! https://t.co/RCspu1kNtR
— Troy Hunt (@troyhunt) February 22, 2018
Hunt makes breached password data available for download at his “Have I been pwned?” website, which also has the online search tool for checking passwords. The tool used to include a message that said, “Do not send any password you actively use to a third-party service—even this one!”
Hunt’s blog explains how he integrated the new, safer approach into his password-checking system.
“[T]he problem with my existing implementation was that whilst you could pass just a SHA-1 hash of the password, if it returned a hit and I was to take that and reverse it back to the clear (which I could easily do because I created the hashes in the first place!) I’d know the password. That made the service hard to justify sending real passwords to,” Hunt wrote.
But while Hunt was developing the next version last month, he heard from Cloudflare engineer Junade Ali. Ali “wanted to build a tool to search through Pwned Passwords V1 but to do so in a way that allowed external parties to use it and maintain anonymity.”
Junade’s idea was different, though; he proposed using a mathematical property called k-anonymity and within the scope of Pwned Passwords, it works like this: imagine if you wanted to check whether the password “P@ssw0rd” exists in the data set. (Incidentally, the hackers have worked out people do stuff like this. I know, it sucks. They’re onto us.) The SHA-1 hash of that string is “21BD12DC183F740EE76F27B78EB39C8AD972A757” so what we’re going to do is take just the first 5 characters, in this case that means “21BD1”. That gets sent to the Pwned Passwords API and it responds with 475 hash suffixes (that is everything after “21BD1”) and a count of how many times the original password has been seen.
“This model of anonymity is what now sits behind the online search feature,” Hunt wrote. If you type a password into the search field, it is hashed on your device “and just the first 5 characters [are] passed to the API.” Hunt is confident enough in this method that he removed the warning against typing in-use passwords into the search form.
Ali has written about the technology in more detail on the Cloudflare blog. Because it applies k-Anonymity to password hashes “in the form of range queries… the Pwned Passwords API service never gains enough information about a non-breached password hash to be able to breach it later,” Ali wrote.
The post also describes how software developers can integrate the new password-checking system into their applications.
As noted previously, 1Password’s implementation currently limits password checking to one password at a time. It’s not clear when the service might add support for checking all of one’s password at once. The company wants to make sure it presents the information as precisely as possible before applying the search tool to a user’s entire password keychain.
“We do intend to bring this to our Security Audit tool, but we also need more information about how to present this,” Goldberg said. “There is scope for people to misinterpret what it means when something is found on the [breached passwords] list, given that the list is so large.”
In a comment on the AgileBits blog, Goldberg offered more explanation of how users should interpret their password checking results. For example, just because your password is on the list doesn’t mean that your account was compromised, “but you should change [your password] along with other weak passwords because they are weak.”
If you have a very strong password that is on the list of breached passwords, you should “change the password immediately” because “it is likely that your account credentials have been compromised,” Goldberg wrote.