Question about Watchtower vulnerable password integration with haveibeenpwned.com.
I have been reading both the 1Password and the haveibeenpwned documentation on your integration. It is a very interesting feature.
Since the integration occurs at the client level, and because only 5 hash characters are passed to haveibeenpwned.com, but potentially hundreds of hashes can be returned, I am guessing this could become a resource-intensive process (e.g. 200 passwords in 1Password x 500 records returned from haveibeenpwned would require 100K records to be processed on the client).
I further assume that this is not just a one-time process. You can't just check with haveibeenpwned when a password is created or modified, because any password could be reported in a breach at any time in haveibeenpwned, and that event would require a reprocessing of all the passwords stored in the local client.
So how does this work? Is there a batch job which runs on the local client every day or every few days to check passwords against haveibeenpwned? If so, what is the average delay time between when a password is reported in haveibeenpwned and when it is reported in Watchtower?
Thanks,
Dean
Comments
-
Hi there @thedean
Watchtower checks haveibeenpwned.com every 24 hours, or if an item is edited, whichever comes first. So to answer your follow-up question, if there's a new report on haveibeenpwned.com, any of your items that match will be flagged within a day.
As far as workload on your device is concerned, the hashing isn't likely to be much more than what happens when you unlock 1Password with your account password, which already involves a few hundred thousand rounds of hashing. Considering how quickly unlocking 1Password happens, it's reasonable to assume that the Watchtower checks can be performed within the same sort of timescale – a matter of seconds, even if you have lots of items.
I hope that answers your question, but I'll be here if you need anything. :)
— Grey
0 -
Grey:
Thank you for the quick response. Just to clarify, my concern about workload was not really about the hashing time. I assumed (perhaps incorrectly) that hashing only needs to occur at the time a new password is created, or an old one is updated, and that the hash could be stored directly in the 1Password record for future comparisons with haveibeenpwned. I don't really see a need to hash every time you communicate with haveibeenpwned. Or do I have that wrong?
My workload concern was really about the amount of I/O required to communicate with haveibeenpwned.com. As I mentioned in my original question, if I have several hundred passwords stored in 1Password and haveibeenpwned returns 500 rows of 35-byte suffixes for each and every password I have stored in 1Password, that is a lot of I/O to process on the client every day. CPU cycles are cheap; I/O is not.
This raises an additional question about the design. Does this communication with haveibeenpwned occur on all platforms? Or is it just performed on "power" platforms like Windows, Mac and Unix, and then synchronized with less powerful platforms (like phones) using the regular 1Password sync process? Just curious.
Thanks again.
Dean
0 -
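The range-query flow the posts above describe (five hash characters sent, 35-character suffixes compared on the client), as an added example that is not part of the original thread and not 1Password's code. `check_vault`, `fake_fetch_range`, the sample vault and the corpus are hypothetical names with constructed data; the local stand-in replaces the network call so the block runs offline, and it also totals the bytes received, the I/O figure the post asks about.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex chars of the SHA-1 digest that leave the client

def split_hash(password):
    """Return (prefix, suffix): 5 hex chars to send, 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' rows into {suffix: count}, skipping malformed rows."""
    rows = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            rows[suffix.upper()] = int(count)
    return rows

def check_vault(items, fetch_range):
    """items: {name: password}. Returns ({name: breach_count}, bytes_received)."""
    by_prefix = defaultdict(list)
    for name, password in items.items():
        prefix, suffix = split_hash(password)
        by_prefix[prefix].append((name, suffix))
    flagged, received = {}, 0
    for prefix, entries in by_prefix.items():  # one request per distinct prefix
        body = fetch_range(prefix)
        received += len(body.encode("utf-8"))
        rows = parse_range_body(body)
        for name, suffix in entries:
            if rows.get(suffix, 0) > 0:  # comparison happens on the client only
                flagged[name] = rows[suffix]
    return flagged, received

# Constructed stand-in for the remote service: a tiny corpus plus decoy rows.
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2}  # made-up counts
ROWS_PER_RANGE = 500  # rows per response, the figure used in the question

def fake_fetch_range(prefix):
    lines = [f"{s}:{n}" for p, n in CONSTRUCTED_CORPUS.items()
             for pre, s in [split_hash(p)] if pre == prefix]
    for i in range(ROWS_PER_RANGE - len(lines)):
        decoy = hashlib.sha1(f"decoy-{prefix}-{i}".encode()).hexdigest().upper()
        lines.append(f"{decoy[PREFIX_LEN:]}:1")
    return "\r\n".join(lines)

VAULT = {"shop": "password", "forum": "password", "bank": "kJ7#constructed-Unique-92"}
if __name__ == "__main__":
    print(check_vault(VAULT, fake_fetch_range))
```

With 500 rows per range, each response here is about 19 kB, and items that share a password share one request.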
Different checks with haveibeenpwned.com are returned in different ways.
For example, if Watchtower checks a password against haveibeenpwned.com's Pwned Passwords list, it'll receive a standard HTTP response, such as 404 (not on the list) or 200 (on the list). This is pretty lightweight as it is, and again, it's only performed once per item per day, or if the item is edited. Let's say you have 1000 items – it would take approximately (1000 x 3 = 3000 bytes ≈ 3 kB) to check all of your passwords.
In the case of checking for breached domains, Watchtower sends an HTTP GET request, of the form:
GET https://haveibeenpwned.com/api/v3/breachedaccount/{account}
hibp-api-key: [API key]
If the domain in question was breached, the response from haveibeenpwned.com is about a kilobyte in size. You can see this one about Adobe as an example of what's returned.
Let's say that we check those 1000 items for both vulnerable passwords and breached domains. Let's further assume that all 1000 of them have vulnerable passwords and breached domains. Let's further say that each HTTP GET request (2 per item) is 128 bytes in length. That's 256 kB total for all of those checks.
Now let's look at the responses. Each of the vulnerable passwords checks will return a 3-digit HTTP response, so that's about 3 kB. Then, let's assume that all the responses on the breached domains checks were also about a kilobyte in size, like the Adobe one. That's 1 MB, and that's a theoretical maximum where every single item has a breach report, which wouldn't be the case in real life.
So, in total, for a thousand items, we're sending about 256 kB each day, and receiving (as a theoretical unrealistic example) just a hair over 1 MB.
In answer to your other question, because this process is as fast and lightweight as it is, and because there might be unforeseen circumstances where your devices don't sync to each other (if one is turned off, for example), each device where you're signed in to 1Password performs these checks independently. This is to make sure you're alerted to any potential problems as soon as possible.
Even in a "worse-than-worst-case" of about a megabyte per device per day, it should be safe to assume that this won't put too much strain on devices or your connection.
— Grey
0 -
Grey:
Thank you for your very thorough response. You have answered all my concerns.
Dean
0 -
I'm happy that Grey was able to help. 🙂
-Dave
0