1Password now has a feature which makes use of the first five characters of the given hash in order to compare passwords that any given breach affected.
Most of us already know that 1Password, a widely used and reliable password manager, has introduced a new system.
This new system securely checks the user’s passwords to know whether a known data breach made that password public.
1Password has made the announcement that the company had started to implement the new feature.
The new password tool allows 1Password customers to find out if a data breach managed to leak their passwords.
Moreover, they don’t have to transmit their full credentials to any server in order to find out that information.
Last week, Troy Hunt (a security researcher), announced that he had come up with a new version of his search tool called Pwned Passwords.
This search tool lists around 500 million (and more) passwords that hackers managed to leak via various data breaches.
Users who want to check if their passwords suffered the same fate can access the tool via an online interface.
Developers too can take advantage of the search tool.
They can use the tool’s API to connect their applications to it.
Less than 24 hours after the announcement, AgileBits (a company) made the announcement that it had integrated Troy Hunt’s new tool.
AgileBits is the company behind the popular password manager 1Password.
The password manager will now have full integration with the search tools.
AgileBits made an official announcement to describe how the tool would work it the company’s password manager.
The company wrote in the post that Troy’s new search tool service allowed the company to check the user’s passwords.
All the while, they could keep their user’s secure and safe.
In other words, the company does not send those passwords to Troy’s service or even its own servers.
How does the search tool work then?
Well, the AgileBits post mentioned that first, the 1Password password manager hashed the user’s password.
It did that with SHA-1.
Of course, if it sent the full SHA-1 hash directly to the company’s server, it would provide the server with a bit too much user information.
Moreover, it could also allow someone with less than good intentions to reconstruct the user’s original password.
Hence, the search tool takes a different approach.
The tool, which is Tony’s new password search service, works by only requiring the user password’s first five characters.
The full hash character consists of 40 such characters.
When the search tool has completed the process, the server begins to send back the related list which consists of leaked passwords which start with the same five password characters that the user provided.
After that, the 1Password password manager moves ahead to compare the received list to all local data stored within the password manager.
Then the password manager sees if the local data contains the entire hash of the user’s password.
If the password manager finds the perfect match then the company knows that hackers had managed to expose that password in a data breach.
Using that information, the password manager can inform the user if the user should change that particular password.
1Password is a password manager that most customers use from their web browsers.
It comes in the form of a tool.
Users first have to create an account with the company and then they have to actually install the tool in their web browsers.
After that, the user will need to press a couple of keys in order t unlock the real proof of concept.
The keys that the user need to press are Shift plus Control plus Option plus C.
If the user is on a Windows machine then the combination of keys would change to Shift plus Ctrl plus Alt plus C.
When the user has done that the web browser tool will show the user a Check Password button.
The button mentioned above should appear right next to the user’s passwords.
Jeff Shiner, CEO of AgileBits, recently wrote that if the user clicked the Check Password box or button, then the password manager would simply call out the new Troy search tool service.
Then the service will let the user know if their password exists in the tool’s database.
The CEO also wrote that if the search tool found the user’s password, it wouldn’t necessarily mean that hackers managed to breach the user’s account and/or password.
It is also a possibility that someone else apart from the user used the same password as the user.
Regardless, the CEO recommended to users that if the search tool does come back with a matched password, they should promptly go ahead and change their password.
Now even though the new feature has started to work, many 1Password customers haven’t come on board yet.
These are the customers who initially bought 1Password mobile apps and desktop software.
To use the newer online service, one still has to subscribe to the new service.
In other words, 1Password customers can’t really use the tool automatically just yet.
1Password has already announced that it has started to integrate the new tool but it hasn’t said anything on when it would allow access to it.
Apparently, 1Password users will have to wait for a bit before the company gives them access to the tool in the future.
Shiner recently also wrote that in future releases the company would add this to the official Watchtower that exists within the 1Password official apps.
That way, users would have an easier time in seeing their pwned passwords right from their 1Password official app that they probably use every day.
AgileBits also said that the company wanted to focus on a particular kind of customer at the moment.
The company basically wants the feature to focus on those 1Password users who haven’t subscribed to the company’s online cloud service.
AgileBits said that is the company’s certain intention at the current moment in time.
Jeffrey Goldberg, the company’s Chief Defender Against the Dark Arts also talked to reporters from Ars Technica.
He told Ars about four days ago that he did not see anything in the new feature which particularly made use of the above-mentioned technology which was specific to what the company had done through the official 1Password.com service.
Jeffrey also mentioned that the company did not really know what snags they might hit or run into until and unless they can start the development process for the company’s native clients.
Goldberg also mentioned that the company had managed to introduce only what they could call a proof of concept.
And they have done so only for their web client.
It took the company’s developers around 24 hours to come up with a solution.
How did they come up with the proof of concept so quickly?
Well, according to Goldberg, the company found it much quicker to simply prototype and then deploy things on its web client interface rather than the company’s native clients.
He also noted that in the future the company may develop versions of its product which would add new abilities.
New abilities such as the ability for users to see all their compromised and/or pwned password at a single glance.
It Is A Team Effort Afterall
Troy wanted commended AgileBits for implementing the feature so quickly after he saw the end result.
Hunt took to Twitter to describe his feelings.
Last week Hunt Tweeted that he was impressed with what 1Password had done with his search tool.
He also mentioned that he had just launched his search tool service only 27 hours ago.
Apparently, that was enough for 1Password developers to push out the new feature.
He also noticed that 1Password had no prior knowledge of what his search tools as about.
And they just got their hands on the search tools right away.
Then they made it happen and that, according to hunt, was awesome.
Troy Hunt also tweeted that he had another idea of what would be cool.
He suggested that 1Password developers could just integrate its service with his newly release search tool called Pwned Passwords K-Anonymity model so that users could securely manage to check their own exposure against his service.
But Troy also added that the company must ensure that the new feature would be an opt-in feature.
Readers who are interested in the new feature should know that Hunt had already made his breached password data publicly available to online users via another one of his services.
That service is actually a website.
And it goes by the name of Have I Been Pwned.
Users can also download the data from the same site.
This website also comes with an online search tool.
As mentioned before, users can make use of this tool to check their passwords for exposure to data breaches.
The online search tool used to display a specific message to users.
That message basically indicated to users that they should not send any of their passwords that they actively use to any third-party service.
And by any third-party service they did mean ANY third-party service.
Even the one that users were trying to use at the given time.
Hunt also has a blog.
In a recent blog post, he explained how he managed to integrate the safer and newer approach directly into his tool.
Or as he calls it, his password-checking system.
Hunt also wrote that his version of the implementation of the tool had an annoying problem.
What was that problem?
That problem was that while users could easily just pass an SHA-1 hash of their password if the tool returned with a match or a hit, then he (Hunt) could easily take that value and then reverse it back.
He could reverse it back right to the clear.
And he could do that easily because he created the tool and the hashes in the first place.
Doing that, Hunt would know the user’s password.
Hunt also wrote that this problem made his service extremely hard to justify users sending it real passwords.
Needless to say, Hunt probably made the tweet and then went back to work.
While Hunt kept himself busy with developing the latest version of his tool for the last month or so, he also managed to hear from Junade Ali.
Who is Junade Ali?
He is an engineer.
And works at CloudFlare.
Ali had an idea.
He wanted to build an online search tool which would allow users to search right through Pwned Passwords V1.
However, he wanted the tool to work in a different way.
He wanted the tool to allow external parties to use its capabilities.
And to allow so by maintaining the anonymity of the users.
Troy Hunt recently also wrote that he found Junade’s search tool idea very different.
According to Troy, Juande proposed making use of a special mathematical property.
This property is known as K-anonymity.
Junade wanted the tool to make use of the K-anonymity property within the Pwned Passwords scope.
How did it exactly work?
Let’s find out.
Basically, if you want to understand how the tool works, you would have to imagine a user.
A user who wanted to check whether his/her password, let’s say, “P@ssw0rd” existed in the current data set.
On a side note, Hunt also mentioned that hackers had actually worked out that people made use of specific passwords a bit too much.
Of course, that’s bad news.
Probably sucks for anyone with a generic password.
According to Hunt, hackers had gained significant ground on all online users as far as the security of their passwords was concerned.
So the string P@ssw0rd would have an SHA-1 hash value of:
If someone could just take the first five characters of the string mentioned above.
In the case that Hunt referred to in his post, that came to 21BD1.
So when a user would use the online search tool, the five first characters would go straight to Pwned Passwords API.
In turn, the Pwned Passwords API would respond to the sent characters with around 475 hash suffixes.
For readers who didn’t get that, the 475 hash suffixes mean that it would respond with everything that came after 21BD1 in the big string that we mentioned above.
Then the API would respond with a count.
This count would consist of a number.
The number would represent how many times it had seen the original password.
Hunt wrote that this model allowed users to have anonymity.
And hence, this is the model that the company allowed to sit behind their new online search tool feature.
All a user has to do is to type his or her unique password directly into the search field.
Then the tool will do its magic and hash the password on the user’s device.
After that, as Hunt explained before, the tool would only pass the first five characters of the big string to the Pwned Password API.
Naturally, Hunt has a lot of confidence in his new tool.
Or at least enough that he has deemed it appropriate to remove that warning message that we talked about before.
Yes, that same warning advised users against typing their active passwords into the tool’s online search form.
Readers might find comfort in the fact that Junade Ali has also written about this technology on the company’s blog.
That is the official CloudFlare blog.
There Junade talks more about the tool in a bit more detail.
Ali recently wrote on the company’s blog that the search tool now made use of k-Anonymity.
It used it to generate password hashes but only in the form of range queries.
In other words, the official Pwned Passwords API never get the opportunity to allow service to have too much information about any non-breached password hash.
And since it can’t know much about a non-breached password, it cannot really move forward to breach the non-breached password sometime later.
Ali’s post also described how different software developers around the world could work to integrate the new tool.
According to Ali, it shouldn’t present them with a problem to integrate the password-checking system directly into their existing applications.
We have already noted before that 1Password’s current implementation of the tool comes with limitations.
These limitations come in the form of the user not having the facility to check more than one password at any given time.
As of now, the company has not given any indication that it might add official support for people to check more than one or all of their passwords in a single go.