1Password Can Tell If Your Password's Been Leaked

Data breaches spill the beans on our passwords so often that it's hard to keep track of which passwords are still safe to use. Fortunately, AgileBits, the company behind the 1Password password manager (a favorite among Apple users), has come up with a new weapon with which to test your passwords.

AgileBits didn't do it alone, though. The new Check Passwords option is built on the work of the trusted security researcher Troy Hunt, who's been letting people know if their passwords have been pwned for years.

How to Try It Yourself

The new tool, available now on the web-based version of 1Password (at 1Password.com), scans Hunt's database of more than 500 million leaked passwords to see if yours is among them. I tried this out for myself with a few passwords of my own and was delighted to get the desired result of "Not found, way to go. :)" with each.

To test AgileBits' implementation of this tool for yourself, you'll need a 1Password subscription. (Sorry, but users of the 1Password desktop app who don't have a 1Password subscription won't be able to use this.)

Log on at 1Password.com, unlock your vault, open a login entry and hit a keyboard shortcut (Shift+Ctrl+Option on Macs, Shift+Ctrl+Alt+C on Windows) to unlock the feature.

If you hover over a password, you'll see a new Check Password button. Tapping that will tell you if your password's been leaked in any of the dozens of data breaches that Hunt has compiled.

Of course, you can also skip the middleman and try this without a 1Password account by entering any password at Hunt's Pwned Passwords site here.

Hunt recently overhauled the front end of Pwned Passwords to add more security enhancements. In the six months since his service originally launched, his database has grown from 320 million passwords to nearly 502 million.

What's most impressive about this situation is that a mere 27 hours separated Hunt launching the new version of Pwned Passwords yesterday (Feb. 22, Australian time) and AgileBits rolling out this feature. As you might expect, Hunt was impressed by the turnaround time.

1Password's new feature works in conjunction with Hunt's anonymizing technology, which means your passwords are first hashed (disguised) with SHA-1, a one-way hash algorithm. It doesn't even send the whole hashed password, either, as Hunt's service requires only the first five characters of the 40-character hash.
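The prefix lookup described above can be sketched in a few lines of Python. This is an added example, not code from 1Password or from Hunt: the `ConstructedRangeServer` class, its leak list and its counts are constructed stand-ins, and the `SUFFIX:COUNT` response lines follow the format of Hunt's public range service, which this article does not spell out.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password: str) -> str:
    """40-character uppercase SHA-1 hex digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class ConstructedRangeServer:
    """Offline stand-in for the range service, built from a constructed leak list."""
    def __init__(self, leaked: dict):
        self.buckets = defaultdict(list)
        self.seen = []  # everything the "server" ever receives from clients
        for pw, count in leaked.items():
            digest = sha1_hex(pw)
            # Index by 5-character prefix; store only the 35-character remainder.
            self.buckets[digest[:5]].append(f"{digest[5:]}:{count}")

    def range(self, prefix: str) -> str:
        self.seen.append(prefix)
        return "\r\n".join(sorted(self.buckets.get(prefix, [])))

def breach_count(password: str, query_range) -> int:
    """Return how often the password appears, sending only the hash prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The comparison against the returned suffixes happens locally.
    for line in query_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed sample data: these passwords and counts are illustrative only.
SERVER = ConstructedRangeServer({"password": 3, "letmein": 2, "hunter2": 1})

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", breach_count(pw, SERVER.range))
    print("server saw only:", SERVER.seen)
```

The server-side log holds nothing but five-character prefixes, each of which is shared by many unrelated hashes, so the service cannot tell which password was being checked.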

For more of the technical nitty-gritty about what makes Hunt's new service so secure, check out his write-up here. We've reached out to AgileBits to see if they plan to add this feature to the stand-alone versions of 1Password.