Stories
Slash Boxes
Comments

Dev.SN ♥ developers

posted by Subsentient on Monday August 17 2020, @05:00AM   Printer-friendly
from the peace-of-mind dept.

New tool checks if a password has been compromised, without sending it to a remote server:

A new system that securely checks whether your passwords have been made public in known data breaches has been integrated into the widely used password manager, 1Password. This new tool lets customers find out if their passwords have been leaked without ever transmitting full credentials to a server.

Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can access it online and developers can connect applications to it via an API.

Within a day, the company AgileBits had integrated Hunt's new tool into the 1Password password manager. AgileBits' announcement describes how it works:

Troy's new service allows us to check your passwords while keeping them safe and secure. They're never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy's new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.