Monday, February 26, 2018

Why you should consider using 1Password


This is a very good week for 1Password users. AgileBits reports that they have integrated the 1Password online password manager with Troy Hunt's Have I Been Pwned? (HIBP) service.

I have mentioned Troy on this blog a couple of times and I always point to his blog and his HIBP service, here and to people who are interested in their security online.

Have I Been Pwned?

HIBP allows you to search roughly 500 million passwords collected from various data breaches.

Checking your passwords against this list is crucial to keep your data safe. Apart from passwords, it can also check if your email account, a website you use or a domain has been compromised in a data breach. And there's a lot of data there. We're talking about half a billion leaked passwords.

So, HIBP has my password. Does it mean I was hacked?

Not necessarily. If it's a common password, maybe it was being used by someone else. If it was a complex one, probably.

HIBP tells me my email address has leaked, was I hacked?

Also not necessarily. But unfortunately, it's highly probable that your email is already in the hands of spammers.

Is it safe? 

Well, if Troy with all his expertise in the field cannot be trusted, who else can? Also, AgileBits and lots of other people use his services. Don't see why we shouldn't. For more info, check this FAQ.

Are my passwords kept secret?

Yes. HIBP doesn't have access to your password. Here's what AgileBits report:
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
Source: https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/
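The range-query scheme AgileBits describes above is easy to reproduce end to end. The following is an added example, not code from AgileBits, 1Password or HIBP: it hashes a password with SHA-1, sends only the first five hex characters to a server, and compares the returned suffixes locally. The server side is a mock built over a small constructed breach corpus so the whole thing runs offline; the response format (one "SUFFIX:COUNT" entry per line) mirrors the real service, but the corpus, counts and function names are assumptions made for the example.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # the client reveals only this many hex characters of the hash


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, 40 characters long."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char hash into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


# Constructed stand-in for the server's breach corpus: password -> times seen in breaches.
# A real service stores only hashes; plaintexts appear here purely to build the mock.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3,
    "123456": 5,
    "letmein": 1,
}


def serve_range(prefix: str) -> str:
    """Mock of the server side (hypothetical): every stored hash suffix under the given prefix.

    The real service answers the same shape of query at
    https://api.pwnedpasswords.com/range/<prefix>; this mock never touches the network.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range queries take exactly %d hex characters" % PREFIX_LEN)
    lines = []
    for plaintext, count in CONSTRUCTED_BREACH_CORPUS.items():
        stored_prefix, suffix = split_hash(sha1_hex(plaintext))
        if stored_prefix == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def check_password(password: str, fetch_range: Callable[[str], str] = serve_range) -> int:
    """Client side: return how many times the password appears in the corpus (0 = not found).

    Only the prefix leaves the client; the full hash is matched against the returned list locally.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    body = fetch_range(prefix)
    for line in body.splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw)
        verdict = f"seen {n} time(s), change it" if n else "not in the known-breach corpus"
        print(f"{pw!r}: {verdict}")
```

The `fetch_range` parameter is what makes the privacy property testable: wrapping it with a recorder shows that the only value ever handed to the server is a five-character prefix, which is shared by many unrelated hashes, while the 35-character suffix that identifies the password never leaves the client.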

If my password wasn't leaked, am I safe?

No. This is only a dataset of known breaches. Obviously there's way more circulating out there that neither Troy nor other researchers have yet reported. Also, don't forget that a website you use may yet be exposed to a security breach, meaning that your credentials can be leaked in the future.

As a suggestion, keep returning to the site to make sure that your account hasn't leaked. You can also use the NotifyMe feature or even the RSS feed.

How does it work?

Benefit for 1Password users

This integration is immensely beneficial for 1Password users and I would be very happy to see more integration with HIBP, basically because the service will notify you upfront that you're using a weak password.

Conclusion

This is a very welcome feature to 1Password and I sincerely hope that more websites integrate with that tool. I also urge you to start using that service and hopefully you start generating stronger passwords. I already wrote a post about that here.

In the meantime, let's all thank Troy for his awesome work, shall we?

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Integrated security vulnerability alerts on GitHub - Why it matters
For more security posts on this blog, please click here.

References

1Password online password manager
Troy Hunt
Have I Been Pwned