Security researcher Troy Hunt recently launched a new service called Pwned Passwords that makes it easy to see if your passwords have been leaked on the Internet. The team over at AgileBits Inc. liked the idea so much that they’ve created a proof of concept that integrates the service into their popular password manager, 1Password.
The proof of concept is available right now for anyone with a 1Password membership. To give it a whirl, first sign into your 1Password account, then click Open Vault. From there, you’ll want to enter the following sequence – Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) – to unlock the proof of concept.
It’s worth noting that even if you get a positive hit on a password, it doesn’t necessarily mean the associated account was breached. It’s possible that someone else was using the same password, which of course indicates that your password wasn’t very strong.
Also of note is the fact that this service works without revealing your password to a third party.
Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash; the server answers with every hash suffix it holds for that prefix, and the comparison against your own full hash happens locally.
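The range query described above, as an added example that is not AgileBits’ or Troy Hunt’s own code: the client hashes locally, sends only the five-character prefix, a simulated server answers with every suffix sharing that prefix, and the match is decided on the client. The corpus, the counts and the server function are constructed stand-ins for the real service.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range responses use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus: full SHA-1 hash -> number of
# times that password was seen in leaks. The counts are made up.
CONSTRUCTED_CORPUS = {
    sha1_hex("password"): 3730471,
    sha1_hex("letmein"): 126927,
    sha1_hex("correct horse battery staple"): 1,
}


def client_split(password: str) -> tuple[str, str]:
    """Hash on the device, then split: the 5-char prefix is all that leaves
    the client; the remaining 35 characters never do."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def server_range(prefix: str) -> str:
    """Simulated range endpoint. It sees ONLY the prefix and returns one
    'SUFFIX:COUNT' line per stored hash sharing it, so it cannot tell which
    of the returned suffixes, if any, belongs to the caller."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly five hex characters")
    prefix = prefix.upper()
    lines = [f"{h[5:]}:{n}" for h, n in CONSTRUCTED_CORPUS.items() if h.startswith(prefix)]
    return "\r\n".join(lines)


def client_lookup(suffix: str, range_response: str) -> int:
    """Compare the locally kept suffix against the returned list; 0 = no hit."""
    for line in range_response.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def pwned_count(password: str) -> int:
    """Full round trip. A non-zero result means the password is known from a
    leak, not that this particular account was breached (see the note above)."""
    prefix, suffix = client_split(password)
    return client_lookup(suffix, server_range(prefix))
```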
Additional details on the technical aspects of the checker can be found over on AgileBits’ blog.
The company said it plans to integrate the functionality into the Watchtower section of 1Password apps down the line.