Watchtower: we shall fight on the breaches

Watchtower: we shall fight on the breaches

Rick Fillion by Rick Fillion on

1Password’s Watchtower service has been helping users identify accounts that have been affected by breaches for years. Today we’re proud to announce an enhancement to how 1Password finds and identifies breached accounts.

1Password can now use Have I Been Pwned to find accounts that have been compromised based on the email address associated with the account. It can even do this without needing to share your email address with anybody.

Before we dive in to learn about the details, take a look at the awesome work Matt and Jasper did to bring this to life.


Breach Report

There’s actually a fair amount to unpack here, and it’s difficult to see detail on a video, so let’s break down the breach report in screenshot form.

Breach Report

The Breach Report is split into three sections.

The top most section is a list of websites where an account with your email address has been identified as having been compromised, but you don’t have any information about this website in 1Password.

That’s amazingly powerful as 1Password can help you identify breaches that impact you without you having actually added information to 1Password. In this case, you’re going to want to generate a unique strong password for that website, and while you’re at it you should consider adding it to 1Password.

If it’s a website for which you have no interest in having an account, you should delete the account as opposed to ignore it. Accounts often have additional data, such as a mailing address or maybe a phone number. You should be protecting that private information, and thanks to excellent pieces of legislation like the GDPR most websites have a way to request permanent deletion of your data.

The second section lists breached websites for which you’ve got an item in 1Password, but 1Password suspects that password to be compromised. You’ll definitely want to create a new password for that website.

The last section lists breaches for which you’ve got an item in 1Password, but you’ve already updated the password so there’s nothing more to do.

How Does It Work?

The Breach Report is based on a new service provided by Have I Been Pwned which allows 1Password to query for compromised accounts based on an email address. 1Password can achieve this without needing to share the email address with Have I Been Pwned because this new service functions much like its Pwned Passwords service, and uses the same K-anonymity model. This model allows 1Password to work with Have I Been Pwned to find breaches without needing to share sensitive information with Have I Been Pwned. Let’s take a look at how that works…

Have I Been Pwned has a database with over 5 billion compromised accounts obtained from the various data breaches around the internet over the last few years. This database contains the email address associated with the account as well as a SHA-1 hash of the password that was compromised. The new service allows 1Password to look up entries in that database based on the email address.

Email Hash Illustration

In order to perform a lookup, 1Password takes the email address associated with your account, and hashes that using SHA-1. Sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your email address. Just like the Pwned Passwords service, this new service only requires the first few characters of the hash, six to be precise.

Similarly to Pwned Passwords, the process is completed within 1Password itself. Have I Been Pwned sends 1Password a list of possible matches based on the start of the hash that was sent, and 1Password needs to complete the search by looking for exact matches with the full hash that was created in the first step.

Bringing You More Info On Compromised Logins

When viewing items in the Compromised Logins section of Watchtower, you may notice that some of them have a slightly different banner at the top and include a “More Info” link.

Watchtower Notification Banner

Clicking it will bring up a panel with some information about the breach, letting you know what information in that account was made available.

Breach Info

This was made possible with the additional breach information that is provided by Have I Been Pwned.

Run, don’t walk, to change the password associated with this Login. And also change the password for any other Login item you might have that happens to share that password (you’re using strong unique passwords everywhere, right?).

Taking Watchtower Further

Have I Been Pwned allows us to push Watchtower further and do more to keep you safe online. The k-anonymity model used in both this service as well as Pwned Passwords ensures that your privacy is respected, which is incredibly important to us. We’re thrilled to be one of the first services using Have I Been Pwned in this way.

You can try it today by using Watchtower on 1Password.com, and we’re looking forward to bringing this feature to all of our apps.

Thank you Troy for building an excellent service that makes this feature possible.

VP of Engineering: 1Password.com

Rick Fillion - VP of Engineering: 1Password.com Rick Fillion - VP of Engineering: 1Password.com

Tweet about this post