1Password 8 Feature Request - Vulnerable Passwords Paranoid Mode

mattlorimor
Community Member

Feature Request

The "Check for vulnerable passwords" functionality utilizes Troy Hunt's pwnedpasswords API.

It would be nice for those that utilize 1Password who have a legitimate man-in-the-middle concern to be able to flip an advanced sub-toggle of "Check for vulnerable passwords" where, when enabled, calls to https://api.pwnedpasswords.com/range/[sha_1_first_5] include the Add-Padding: true header on the GET request. Call it "Paranoid mode" or something to that effect. Maybe put it under the "Advanced" tab instead of inline with the password check setting itself.

Troy's reasoning for the existence of the specified header is here:

The value proposition for Pwned Passwords is that by introducing padding we can abstract the actual size of the underlying response from the observable size that someone may see on the wire.

This feature, if implemented, should not be the default operation of the vulnerable passwords check feature. Mostly because it can increase the response size returned from the API:

Using padding needs to be an opt-in feature as enabling it by default could cause all sorts of unexpected behaviour for existing consumers, most notably due to the response sizes increasing massively and the presence of the zero-occurrence hash suffixes.

Of special note (if implementing this feature):

One thing to keep in mind if you're considering implementing the padding is how you handle those zero occurrence padding rows. For example, if the hash you were searching for matched one of the generated suffixes then unless you specifically discard it due to the zero value, you'd end up with a false positive (then again, this is effectively a hash collision and the chances of that happening randomly are exceptionally remote).

Devil's Advocate

It's probably fair to say that, if somebody is so worried about sniffers on the wire, maybe they shouldn't be using 1Password in the first place or should be downloading the password dumps directly from PwnedPasswords.

However, a header add is a pretty simple, low-risk thing to implement, and the benefit could be there for some.


1Password Version: 8.8.0
Extension Version: Not Provided
OS Version: Windows 10
Browser: Not Provided
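
The zero-occurrence handling described in the post, as an added example that is not part of the original post and is not 1Password's code. It assumes the range response is one `SUFFIX:COUNT` row per line. The function names and the sample body are constructed for illustration, and no request is actually sent.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint named in the post


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_request(prefix: str) -> urllib.request.Request:
    """Range query carrying the opt-in padding header (built here, never sent)."""
    return urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})


def breach_count(body: str, suffix: str) -> int:
    """Occurrences of `suffix` in a range response; padding rows count as absent."""
    for line in body.splitlines():
        row_suffix, sep, count = line.strip().partition(":")
        if not sep or row_suffix.upper() != suffix.upper():
            continue
        try:
            n = int(count)
        except ValueError:
            continue  # malformed row: ignore it rather than report a hit
        if n > 0:
            return n
        # n == 0 is a padding row: keep scanning and never report it
    return 0


def is_vulnerable(password: str, body: str) -> bool:
    """True only when the suffix appears with a non-zero occurrence count."""
    return breach_count(body, split_hash(password)[1]) > 0


# Constructed sample body (not real API data): one row with a made-up count,
# one padding row whose suffix happens to match a password we will look up,
# and one unrelated padding row.
_, HIT = split_hash("password")
_, PAD = split_hash("correct horse battery staple")
SAMPLE_BODY = f"{HIT}:42\r\n{PAD}:0\r\n" + "0" * 35 + ":0\r\n"

if __name__ == "__main__":
    print(is_vulnerable("password", SAMPLE_BODY))                      # True
    print(is_vulnerable("correct horse battery staple", SAMPLE_BODY))  # False
```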

Comments

  • alexander.b_1P
    edited August 2022

    Hi @mattlorimor!

    Thank you for the fantastic suggestion! We're always looking to improve the security of 1Password.

    We've gone ahead and enabled the Add-Padding header for everyone who uses the "check for vulnerable passwords" option. In my tests, the increase in network usage is only about 10%, with no noticeable increase in time taken to process these requests (the time taken seems mostly due to round trip latency, rather than bandwidth).

    I understand that you suggested the feature be opt-in on the user's settings menu, but given that the network load did not seem to increase too dramatically and that the requests are done by individual clients (which as Troy writes could be tied to individuals, and therefore benefit more from this feature), we opted to enable this for all users who use the "check for vulnerable passwords" option.

    This change will have to make it through nightly and beta releases prior to being available in the production release of 1Password 8. If you'd like to give it a try as soon as it's available, you can follow the steps here to try the nightly or beta releases: Use 1Password beta releases

    Thanks again for bringing this to our attention!

    Best,
    Alex

    ref: dev/core/core#17017

  • mattlorimor
    Community Member

    @alexander.b_1P

    Wonderful! I'm glad that you were able to take a look at this so quickly and determine how to best utilize that feature of Troy's API.

  • mattlorimor
    Community Member

    And, since Troy (and crew) do so much caching and utilize Cloudflare Workers to pull a lot of this off, I don't think there will be any hard-hitting performance/cost issues on his side of the fence.

  • mattlorimor
    Community Member
    edited August 2022

    And I just got confirmation from Troy (Twitter DM) that this should not be an issue on their side!

    I wanted to double check even though the blog post detailing the implementation made it sound very much like a client concern. I'd rather ask a [dumb] question than hundreds of thousands (millions?) of clients do something to wreck the API.

  • @mattlorimor Thanks for checking! My read of the blog post was that he was making it opt-in because the clients might have trouble with the increased traffic, rather than his service, but it's good to have a positive confirmation of that!

    Best,
    Alex

This discussion has been closed.