Feature Request: Allow checking in Have I Been Pwned

KenBonny
Community Member
edited February 2018 in Lounge

I use the alias function from Gmail a lot. As in, 70 to 80% of my logins are in the format of me+domain@gmail.com. For example, my Dropbox account is me+dropbox@gmail.com. Unfortunately, Have I Been Pwned does not take aliases into account. Could you add a feature that would take all email addresses in the logins and check them against the Have I Been Pwned database?

This could be done locally as the app knows all the logins and posts them one by one to the service (to account for the rate limit) and just displays the ones that are pwned. That way I would know which ones to change.



Comments

  • AGAlumB
    1Password Alumni

    @KenBonny: It's definitely an interesting idea. It's been discussed here before, but isn't something we're working on building into 1Password at this time for a number of reasons — as a practical example, that's a lot of data for a user to have to download, and we will not act as a middleman since that could allow us to know user passwords and the websites they use. XIII did offer a cool method of doing a local comparison, so you might want to check that out.

    If in the future bandwidth (I'm stuck at about 5mbps until I can get settled and pay for gigabit fiber installation — and many people won't even have that option) and storage (SSDs are wonderful, but have set us back a decade with regard to price and size) limits become irrelevant, or we can figure out some other way of accomplishing this without sacrificing user experience or privacy, I suspect we'll jump at the chance. Thanks for bringing this up! :)

  • KenBonny
    Community Member

    The post you are linking to wants to check against used passwords. I don't want to check against passwords, I want to check against logins. I want to be able to send my logins to the Have I Been Pwned API (like GET https://haveibeenpwned.com/api/v2/breachedaccount/me+domain@gmail.com), but for all my accounts at once. I would only need a list of accounts that have been found in HIBP. This lets me know if I should change any passwords.

    Maybe an additional check to see when my password was last changed and when the latest breach of that account occurred. Timeline for clarity:

    | Create account at domain.com (me+domain@gmail.com) | Breach occurs | Change password | Password check in 1Password | Nothing found because I changed my password after the breach occurred |
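
The check described in KenBonny's two posts above (query each alias address one by one, then compare the newest breach date with the date the password was last changed), as an added example that is not part of the thread and not 1Password's code. The login records, breach names and dates are constructed, and `fetch` is a stand-in for the HTTP GET so the block runs offline.

```python
from datetime import date
from urllib.parse import quote

# Endpoint exactly as quoted in the post above.
API = "https://haveibeenpwned.com/api/v2/breachedaccount/"

def breach_url(email):
    # Encode the address as one path segment: '+' becomes %2B, '@' becomes %40.
    return API + quote(email, safe="")

def logins_to_rotate(logins, fetch, pause=lambda: None):
    """Return (title, email, breach name, breach date) for every login whose
    password was last changed on or before the newest breach of its address."""
    cache, findings = {}, []
    for login in logins:
        email = login["email"]
        if email not in cache:
            if cache:
                pause()  # space out requests to respect the rate limit
            cache[email] = fetch(breach_url(email))
        if not cache[email]:
            continue  # address not found in any breach
        # ISO dates sort correctly as strings, so max() picks the newest breach.
        newest = max(cache[email], key=lambda b: b["BreachDate"])
        breached_on = date.fromisoformat(newest["BreachDate"])
        # A change on the breach day itself is treated as not yet rotated.
        if login["password_changed"] <= breached_on:
            findings.append((login["title"], email, newest["Name"], breached_on))
    return findings

# Constructed sample data: vault entries and canned API responses.
SAMPLE_LOGINS = [
    {"title": "Dropbox", "email": "me+dropbox@gmail.com", "password_changed": date(2011, 3, 1)},
    {"title": "Example Shop", "email": "me+shop@gmail.com", "password_changed": date(2017, 6, 1)},
    {"title": "Forum", "email": "me+forum@gmail.com", "password_changed": date(2016, 1, 1)},
]
SAMPLE_RESPONSES = {
    breach_url("me+dropbox@gmail.com"): [{"Name": "SampleBreachA", "BreachDate": "2012-07-01"}],
    breach_url("me+shop@gmail.com"): [{"Name": "SampleBreachB", "BreachDate": "2015-10-15"}],
}

def offline_fetch(url):
    # Stand-in for the HTTP GET; an address with no breaches yields an empty list.
    return SAMPLE_RESPONSES.get(url, [])

if __name__ == "__main__":
    for row in logins_to_rotate(SAMPLE_LOGINS, offline_fetch):
        print(*row)
```

Only the first sample login is reported: the second was breached before its last password change, which is the "nothing found" case in the timeline, and the third address appears in no breach.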

  • AGAlumB
    1Password Alumni

    @KenBonny: You've pretty much just described what Watchtower does. What version(s) of 1Password are you using?

  • KenBonny
    Community Member

    1Password 6 for teams. Apparently, I need to learn about all the features of 1Password and not just the password generator. :blush: :+1:

  • AGAlumB
    1Password Alumni
    edited February 2018

    @KenBonny: No worries! Frankly, it's our job to do better at making the features we have discoverable. I'm sorry if we've let you down in that regard. We've got Security Audit and Watchtower already in 1Password for Mac, and they're currently in the public alpha of 1Password 7 on Windows as well. So either way, we've got more in store for you to help make it easier for you to find accounts you may need to update. Let me know if there's anything I can help with. :)

  • KenBonny
    Community Member

    Ooooh, a reference to 1Password 7... with Windows Hello support. Fingerprint unlock: score!

    Btw, I need to learn more about the products I use. I bet there are many useful features in all apps I use I have no idea about. This was just one of them. Hadn't heard of Watchtower or Security Audit before this thread. Thanks for the teaching moment. :)

  • AGAlumB
    1Password Alumni

    Likewise, thanks for giving me the opportunity to tell you about something of which we should have done a better job of making you aware! Really glad to hear you're as excited about 1Password 7 as we are. You ain't seen nothing yet. ;)

  • AGAlumB
    1Password Alumni

    @XIII: Yeah, I considered posting a followup here, but figured you'd be on top of this. ;)

  • XIII
    Community Member
    edited February 2018

    Full Watchtower support will be nice!

    It took my MacBook Pro a very long time to sort that 31,6 GB file to be used by the look command...

  • wkleem
    Community Member

    WOW! Fantastic work, although the Watchtower on the web is in dire need of a revamp. You guys keep surprising me, teaming up with Troy Hunt.

    https://watchtower.agilebits.com/

  • :+1: :)

    Ben

  • alanhoyle
    Community Member
    edited February 2018

    I like this feedback! I'm glad that you all recognize that this really isn't that useful without Watchtower support so I'm glad that is planned. I have several hundred passwords in various vaults, and it's way too many clicks to check everything in the current implementation.

  • AGAlumB
    1Password Alumni

    It took my MacBook Pro a very long time to sort that 31,6 GB file to be used by the look command...

    @XIII: This! So glad Troy made this service not only available but so incredibly accessible. :chuffed:

    I like this feedback! I'm glad that you all recognize that this really isn't that useful without Watchtower support so I'm glad that is planned. I have several hundred passwords in various vaults, and it's way too many clicks to check everything in the current implementation.

    @alanhoyle: It's crazy, but not only did we not have any foreknowledge of this as a company...all of it happened on my day off, so it was quite a surprise for me yesterday as well! So while it will probably take some time to integrate at a deeper level with Watchtower both as a service and in all of the apps, I think we're off to a good start — both with Troy's awesome Pwned Passwords v2 and being able to integrate it into 1Password itself. :chuffed:

  • XIII
    Community Member
    edited February 2018

    1Password got an honourable mention in Troy Hunt's update post:

    Perhaps most notably is 1Password's use of the service having pushed out integration within 27 hours. They had no prior noticed of this either, they just got down to business and did it as soon as I launched.

    https://www.troyhunt.com/i-wanna-go-fast-why-searching-through-500m-pwned-passwords-is-so-quick/

  • AGAlumB
    1Password Alumni

    :love: As much as I was a little chagrined to miss such an exciting day, I enjoyed my day off...and am always delighted when I get a chance to be surprised by something new like this.

This discussion has been closed.