Only a day after well-known security researcher Troy Hunt launched his new Pwned Passwords service, AgileBits has already built a proof of concept leveraging the service to help users determine if their passwords have been leaked onto the internet as part of a password breach. In a blog post, the company explains how they’ve integrated 1Password with Hunt’s new online database containing over 500 million passwords that have been collected from various breaches across the internet. While users can visit Pwned Passwords to check their passwords against the database manually, AgileBits has taken this a step further by adding a “Check Password” button in the web-based version of 1Password that can be unlocked with a specific keyboard sequence. This initial integration is strictly a proof of concept at this time; however, AgileBits has stated that it plans to add this capability to the Watchtower password monitoring feature within the 1Password Mac and iOS apps to allow users to see if their passwords have been “pwned” right in the app.
The blog post goes on to explain how AgileBits has taken advantage of the work by Troy Hunt and Cloudflare to allow passwords to be checked without having to send actual passwords out to the Pwned Passwords service, or even expose them to AgileBits’ own servers. The rather clever solution involves sending only the first five characters of the forty-character password hash to the service; this is not nearly enough data for the original password to be reconstructed, or even checked against the database directly, but it does allow the server to send back a manageable list of leaked password hashes that share the five-character prefix, which can then be compared against the user’s full hash locally, so that the actual password never leaves the user’s computer.
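To make the prefix-only exchange concrete, here is an added example (not AgileBits’ or Troy Hunt’s code) that simulates both sides of the check offline: a tiny constructed breach corpus stands in for the Pwned Passwords database, SHA-1 is assumed as the hash, and the server is assumed to answer a five-character prefix with one “SUFFIX:COUNT” line per matching hash.

```python
import hashlib

# Constructed sample corpus standing in for the real breach database
# (assumption: the service indexes SHA-1 hashes of leaked passwords).
BREACHED_CORPUS = {"password": 3730471, "123456": 23174662, "letmein": 216000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password: 40 characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- server side -----------------------------------------------------------
def build_range_index(corpus):
    """Group every breached hash under its 5-character prefix."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(BREACHED_CORPUS)


def range_query(prefix: str) -> str:
    """Simulated range endpoint (assumed response format SUFFIX:COUNT).
    The server only ever learns the 5-character prefix, i.e. at most
    20 bits of the 160-bit hash, and returns every suffix sharing it."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    matches = RANGE_INDEX.get(prefix.upper(), [])
    return "\n".join(f"{suffix}:{count}" for suffix, count in matches)


# --- client side -----------------------------------------------------------
def pwned_count(password: str) -> int:
    """Hash locally, send only the prefix, and compare suffixes locally.
    Returns how often the password appeared in breaches (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    body = range_query(prefix)  # the only data that leaves the client
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```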