Any reason to be concerned with security of Watchtower haveibeenpwned integration?

Options
btownguy
btownguy
Community Member

I'm debating turning on the "Check for Vulnerable Passwords" option in Watchtower. As I understand it, 1Password takes the first several characters of a hash of a password and sends that to haveibeenpwned. If there's a match, haveibeenpwned sends back all hashes that begin with that string. 1Password then locally checks the full password hash against what haveibeenpwned sends back.

At the surface, that sounds pretty secure. Is there any reason at all to have concern about the security around this process? Is this something a security professional would feel comfortable enabling?


1Password Version: 7.0.4
Extension Version: 4.7.1
OS Version: macOS 10.13.5
Sync Type: 1Password.com Families

Comments

  • Lars
    Lars
    1Password Alumni
    Options

    @btownguy

    I'm debating turning on the "Check for Vulnerable Passwords" option in Watchtower.

    You won't regret it; it's awesome.

    Is there any reason at all to have concern about the security around this process?

    Not that we're aware of after careful scrutiny, no.

    Is this something a security professional would feel comfortable enabling?

    You're speaking to a forum-full of security professionals, both employees and other users of 1Password. And also Troy Hunt, and we all think it's safe.

  • btownguy
    btownguy
    Community Member
    Options

    Thanks for the reply. One question about how it works. How often does it communicate with haveibeenpwned? I assume once turning it on, it will run through every password I have. Once that's done, does it periodically do it again? Or does it only do it again upon password changes or additions?

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    @btownguy: It's once per week, but 1Password also caches some of this locally to avoid network requests for known compromised passwords. Cheers! :)

  • btownguy
    btownguy
    Community Member
    Options

    Great thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    You're very welcome! :chuffed: :+1:

This discussion has been closed.