Any reason to be concerned with security of Watchtower haveibeenpwned integration?
I'm debating turning on the "Check for Vulnerable Passwords" option in Watchtower. As I understand it, 1Password takes the first several characters of a hash of a password and sends that to haveibeenpwned. If there's a match, haveibeenpwned sends back all hashes that begin with that string. 1Password then locally checks the full password hash against what haveibeenpwned sends back.
At the surface, that sounds pretty secure. Is there any reason at all to have concern about the security around this process? Is this something a security professional would feel comfortable enabling?
1Password Version: 7.0.4
Extension Version: 4.7.1
OS Version: macOS 10.13.5
Sync Type: 1Password.com Families
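The lookup described in the question above, as an added example that is not part of the original post and not 1Password's code. It assumes the publicly documented Pwned Passwords range format (SHA-1 digest, 5-hex-character prefix, `SUFFIX:COUNT` response lines); the remote service is replaced by a local stand-in over constructed sample data, and all function names are hypothetical.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the device
SAMPLE_BREACHED = {"password": 3, "hunter2": 2}  # constructed passwords/counts


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix sent to the service, suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def simulated_range_response(prefix, breached):
    """Stand-in for the remote service: all known suffixes under `prefix`."""
    lines = []
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch_range):
    """Client side: send only the prefix, compare the suffix locally."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the only request that crosses the network
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) == len(suffix) and hmac.compare_digest(
            candidate.upper(), suffix
        ):
            return int(count)
    return 0  # prefix bucket returned, but our suffix was not in it


def check_all(passwords):
    """Check each password; also record exactly what the service observed."""
    seen_by_service = []

    def fetch(prefix):
        seen_by_service.append(prefix)
        return simulated_range_response(prefix, SAMPLE_BREACHED)

    return {pw: breach_count(pw, fetch) for pw in passwords}, seen_by_service
```

`seen_by_service` holds everything the remote side learns per lookup: a 5-character prefix shared by many unrelated hashes, never the password or its full digest.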
Comments
-
> I'm debating turning on the "Check for Vulnerable Passwords" option in Watchtower.

You won't regret it; it's awesome.

> Is there any reason at all to have concern about the security around this process?

Not that we're aware of after careful scrutiny, no.

> Is this something a security professional would feel comfortable enabling?

You're speaking to a forum-full of security professionals, both employees and other users of 1Password. And also Troy Hunt, and we all think it's safe.
0 -
Thanks for the reply. One question about how it works. How often does it communicate with haveibeenpwned? I assume once turning it on, it will run through every password I have. Once that's done, does it periodically do it again? Or does it only do it again upon password changes or additions?
0 -
Great, thanks!
0 -
You're very welcome! :chuffed: :+1:
0