Data leaks and breaches are increasingly common nowadays, potentially putting user information in harm’s way. Password protection service 1Password has a proof of concept feature that will help further secure its users' accounts, notifying them if their password has been compromised thanks to its integration with Troy Hunt’s Pwned Passwords.
Pwned Passwords is a service, available to everyone, that contains over 500 million compromised passwords mined from previous data breaches. For now, 1Password has granted its subscribers the ability to manually check whether or not their password has been leaked by opening the Vault in its service and comparing it with the 500 million in Pwned Passwords' database.
After clicking on an item in the Vault and pressing Shift+Ctrl+Alt+C on Windows or Shift-Control-Option-C on Mac, the user is granted access to a “Check Password” button.
This button compares the user’s password against the integrated Pwned Passwords list. If it matches one on the list, the user is prompted with a message stating “Oops, this password was found,” whereas those fortunate enough to have a secure password will be met with the much happier message of “Not found, way to go. :).” Of course, if the user ever sees that their password has been compromised, they should change it immediately.
The integration is one-way, with no checked passwords being sent to Pwned Passwords or directly to 1Password. Instead, the system works by hashing a portion of the password and pitting it against a portion of the comparison list. Anything that matches the first few characters will be flagged for the user to see.
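The lookup described above, as an added Python example that is not 1Password's or Pwned Passwords' own code: with the public Pwned Passwords range API, the client computes the SHA-1 of the password, sends only the first five hex characters of that hash, and compares the returned hash suffixes locally. `fake_range_service` and the sample corpus are constructed stand-ins for the real range endpoint so the example runs offline.

```python
import hashlib
import hmac

# Constructed sample corpus (password -> breach count); stands in for the real data set.
SAMPLE_BREACHED = {"password": 3, "letmein": 2, "qwerty123": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (5-char prefix that leaves the device, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_service(prefix: str) -> str:
    """Hypothetical in-memory stand-in for the range endpoint.

    It sees only the 5-character prefix and answers with every known
    'SUFFIX:COUNT' line under that prefix, separated by CRLF.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=fake_range_service) -> int:
    """Return how often the password appears in the data set (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # A hit requires the full remaining suffix to match, not just the prefix.
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```

Passing a function that performs the real HTTPS request as `fetch_range` leaves the comparison logic unchanged; the service still only ever receives the five-character prefix.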
For now, this feature is in its early stages, with the company stating that future updates will bring it to Watchtower within the 1Password apps.
KitGuru Says: The potential of this feature is impressive, as this paves the way for automated systems to let the user know immediately when they’ve chosen a bad password or give a prompt when a major leak has been made public. If anyone doesn’t use password protection services, doing so is strongly advised in order to keep your data as safe as possible.