Password manager 1Password has added a new feature to its software that allows users to check whether their passwords are amongst the 500 million leaked passwords collected by security researcher Troy Hunt. He has created a service that allows 1Password to check whether a password hash appears in his database.
1Password users with a subscription now have an additional option in their password manager. Using the ‘Check password’ option, they can check whether their password is in Hunt’s database. The password is not sent to AgileBits, the developer of 1Password.
To compare the password with the database entries, a SHA-1 hash of the password is created first. The first 5 characters of that hash are sent to Hunt’s service, which then sends back a list of leaked password hashes that start with the same 5 characters. 1Password then checks, locally on the user’s system, whether that list contains the user’s full password hash.
When there’s a match, the user is warned. AgileBits stresses that a hit found through the new feature doesn’t mean the user’s account is compromised. It may well be that someone else uses the same password. It does mean the password is not unique and that it’s advisable to change it nevertheless.
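
The hash-prefix lookup described above, as an added Python example that is not 1Password's or Troy Hunt's code. The remote service is replaced by a hypothetical in-memory function, `range_service`, over a constructed list of four sample passwords, so the example runs offline and shows exactly what leaves the client.

```python
import hashlib
import hmac
from typing import Callable, List, Tuple

PREFIX_LEN = 5  # number of hash characters disclosed to the service

# Constructed sample data standing in for the leaked-password database.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


LEAKED_HASHES = sorted(sha1_hex(p) for p in LEAKED_PASSWORDS)


def range_service(prefix: str) -> List[str]:
    """Hypothetical stand-in for the remote service.

    It only ever receives the 5-character prefix and returns every leaked
    hash that starts with it.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return [h for h in LEAKED_HASHES if h.startswith(prefix)]


def check_password(
    password: str, service: Callable[[str], List[str]] = range_service
) -> Tuple[bool, str]:
    """Return (is_leaked, prefix_sent); the full hash never leaves this function."""
    full_hash = sha1_hex(password)
    prefix = full_hash[:PREFIX_LEN]
    candidates = service(prefix)  # the only data sent to the service
    # The comparison against the full hash happens locally, on the client.
    leaked = any(hmac.compare_digest(full_hash, c) for c in candidates)
    return leaked, prefix


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-constructed-example"):
        leaked, sent = check_password(pw)
        print(f"sent prefix {sent}: {'found in leak list' if leaked else 'not found'}")
```
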