Agile Bits planning 1Password support for Pwned Passwords
February 26th 2018
Agile Bits announced plans to integrate the Pwned Passwords service into 1Password. The service lets people check their password against passwords leaked in known data breaches. This can be an easy way to determine if one of your accounts may have been compromised. It's also possible you're just using the same password as a compromised account, but either way, it's a good idea to change that account's password.
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.
To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
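The exchange described above can be sketched in Python. This is an added example, not code from Agile Bits or the Pwned Passwords service: the server is simulated in-process, the breached list and counts are constructed, the `SUFFIX:COUNT` line format is an assumption about the response, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for the server's breach corpus (password -> times seen).
BREACHED = {"password": 3, "123456": 5, "letmein": 2}
SEEN_BY_SERVER = []  # everything the simulated server ever receives


def sha1_hex(password):
    """Uppercase 40-character SHA-1 hex digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (5-character prefix sent to the server, 35-character suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def server_range_lookup(prefix):
    """Simulated server: list the suffix of every breached hash sharing the prefix."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly five hex characters")
    SEEN_BY_SERVER.append(prefix)
    lines = []
    for leaked, count in BREACHED.items():
        digest = sha1_hex(leaked)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")  # assumed SUFFIX:COUNT format
    return "\n".join(lines)


def breach_count(password, lookup=server_range_lookup):
    """Client: send only the prefix, then compare the returned suffixes locally."""
    prefix, suffix = split_hash(password)
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count)
    return 0  # no returned suffix matched: not in the breach list


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-7431"):
        print(pw, "->", breach_count(pw))
    print("server saw only:", SEEN_BY_SERVER)
```

The simulated server only ever records five-character prefixes; the full hash and the match decision stay on the client.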
The service is available as a preview with Agile Bits' 1Password subscription service. The company said it plans to bring it to the 1Password app within its WatchTower monitoring feature.