
Have I Been Pwned Is Now Partnering with 1Password - weinzierl
https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/
======
AdmiralAsshat
Eh...partnerships make me uneasy.

Let's say 1Password somehow got breached, and customer vault passwords
exfiltrated and posted online. Would Troy post about the breach and pull them
into the database, as he has always done in the past? Or would his "partner"
gently tap him on the shoulder and ask him to kindly hold off on that,
because, hey, they're really sure they plugged that hole good this time; and
they already let the affected customers know privately, so, why make a big
deal about it?

~~~
thaumaturgy
Troy is hobbying in a _really_ gray area, where potentially the possession of
massive amounts of passwords from breaches could be a legal liability, and
he's trying to do it in a way that benefits the average user and business. To
do that, he needs to get and keep their trust.

I've pointed a few folks to his site and their very first question, every
time, is some variation of, "you mean you want me to type my password into
this dude's site?"

So haveibeenpwned is basically relying on Troy's reputation alone, which he
alludes to in pretty much all of his blog posts about it.

It's hard for me to imagine him not publishing everything he learned about a
1password breach.

~~~
JohnStrangeII
I for one will certainly not type any real-world password in Troy's site and
this has nothing to do with Troy's reputation.

Entering your password on this site effectively reduces the strength of your
encryption (or whatever you use the password for) to the strength of the SSL
encryption used, plus all possible side channel attacks you can mount against
browsers and network protocols like DNS, plus the security or insecurity of
Troy's own machines, and the guy is already a viable target for dozens of
intelligence agencies. Note that a man-in-the-middle attack on this site is
almost impossible to detect and there is no way for you to tell whether Troy
Hunt's servers and developer machines are compromised or not.

So in a nutshell, it's a big No No. But it makes sense for a company like
1Password to cooperate with him, since these companies are in the business of
storing all your passwords "in the cloud" anyway.

~~~
thaumaturgy
I would guesstimate that around 90% of all passwords these days belong to web-
based services, for which everything you just said is still true, with the
exception that they aren't run by Troy Hunt. There is an extraordinarily long
tail of sites for which "run by Troy Hunt" would be a huge improvement.

Actually I bet my guesstimate is way too low.

Furthermore: if you're using unique random passwords anyway, then there's no
sense in checking them against HIBP, and if you're not, then punching them
into HIBP is how I try to convince people that they should be.

------
droopybuns
Wow. Interesting reading through the top rated HN comments on this. I'm
obviously in the minority:

This is an incredible value to normal humans who are not in the tech field.
This password manager will help them proactively discover a stolen password.
This is a powerful step forward for normal people who don't have any grasp of
how bad the security situation is in the world.

I know this isn't perfect for technicians, but I would recommend this as
worthy of subscription for my family members who I love but for whom I am
unwilling to provide IT support.

~~~
crispinb
> This is an incredible value to normal humans who are not in the tech field

Perhaps, but I have my doubts. I have stopped recommending 1P to non-technical
friends & family because none of them can ever figure out how to use it (or
remember for long enough to continue doing so). I have persuaded many to try
it over the years, but literally only one of them has continued with it. That
happened to be my mother (because I'm in frequent contact so can help her when
she gets stuck). Everything I've witnessed leads me to believe 1P is primarily
a tool for the tech savvy.

~~~
signal11
I recommended 1P too, and for a long time my non-tech friends didn’t act on
it, until they started hearing about password managers in the news. These days
quite a few do use it. Depending on their tech skills they might require
differing levels of hand-holding though.

~~~
crispinb
Your non-tech friends (or at least 'quite a few' of them) are clearly more
tech savvy than mine ;)

I've been using 1Password since nearly the beginning, and am really quite
dependent on it now (so much so that I had a hard time coming to terms with an
inevitable eventual move to Linux, until the release of 1PasswordX). So I'm an
advocate.

But I think the whole computer industry outside of a very few (notably
Facebook and Amazon) has a grossly inadequate picture of just how little most
people (including most of the so-called 'digital native' generations) know
about the many computers in their lives. They don't _use_ computers -- they
are _trained_ by a small number of commercial interfaces. It's extremely basic
rat-in-maze stuff.

The companies rightly lauded for their design skills targeted at _us_ (this
includes Apple and AgileBits) aren't even in this ballpark, and from
everything I see and hear from them, they haven't a clue that they're not
there.

------
gtirloni
No Linux support yet
([https://1password.com/downloads](https://1password.com/downloads)).

~~~
rxdazn
They have a new Chrome extension, 1Password X (Beta) which works as
standalone. Only downside is it's only available for Chrome at the moment.

[https://blog.agilebits.com/2017/11/13/1password-x-a-look-at-...](https://blog.agilebits.com/2017/11/13/1password-x-a-look-at-the-future-of-1password-in-the-browser/)

[https://support.1password.com/getting-started-1password-x/](https://support.1password.com/getting-started-1password-x/)

~~~
gtirloni
That's great, thank you!

Issues I faced immediately after installing it:

* Entering username/password and choosing the "Save in 1Password" option complains about not being able to reach server.

* Clicking on the extension icon and choosing New Item only shows a spinning wheel.

I'll try again when it's officially released but thanks again.

EDIT: Sent an email to their support detailing the issues.

~~~
veemjeem
Their 1Password X is excellent. I've been using it on a chromebook for a few
months now. Chromebook does run linux, so it should work for you too.

I think it's basically the ideal place for 1Password to be running. It's hard
for malware authors to infect the chromebook with stuff like keyloggers etc. I
bought the chromebook for the sole purpose of managing financial transactions
-- accessing investment/bank websites etc.

------
SeriousM
I'll stay with www.enpass.io . No need to have it running in chrome, support
for windows, Linux and Android aaand it works offline without a subscription
model. I can sync my enpass instances over multiple ways like Google drive,
Dropbox, one drive, webdav or by my very own way to sync a single file. I use
it now for 4 years and have never had any problem with syncing or losing a single
password.

~~~
bradknowles
I've been a satisfied 1Password customer for many years, and so far as I know,
they have always supported the "bring your own" method for doing password
database synchronization via some other cloud service. DropBox was the first
obvious solution in this space, but they should work with any of the others.

And they've also always supported the local wifi-only solution, where you have
to be on the same network, and physically authorize both devices to talk to
each other, before they can sync the password database.

If enpass.io works for you, that's great. I'm glad you're happy with it. But
this feature isn't unique to enpass.io.

~~~
SeriousM
Well, it's not unique to sync, but different to 1password, as my passwords were
never on a central server!

~~~
mrunkel
Neither are 1password’s if you don’t use their sync service.

And honestly your passwords aren’t on their servers. An encrypted blob is.
Encrypted with a password only you know.

~~~
bad_user
The problem is that same password is required in the web interface for
administrative settings. And a web interface can always be compromised, as it
can always inject some extra JS code in one of your sessions, without you
having any way to verify that the JS blob you got served is the same you got
the last time or that it’s the same blob that all the other users are getting.

This is actually an important attack vector and AgileBits themselves admitted
the possibility. Imagine that a compromised HTTPS root certificate can open
the door to a huge man-in-the-middle attack, which is totally within the reach
of governments or of well funded crime syndicates.

Also the cloud sync is no longer optional. The standalone version is no longer
available anywhere on their website and Google doesn’t help either.

At this point the standalone version is still available only for those in the
know, being on life support probably to not piss old timers off. At least they
are thinking about us, I’ll grant them that.

~~~
wool_gather
This is a fair point, but it's worth noting that the password you memorize and
enter is only a part of the encryption key. There's another component -- I
think they call it the "master key" -- which is generated locally when you
set up your database and must be transferred out-of-band to other devices. It
doesn't go over a network, not even a local one. So losing control of your
password via the web interface still does not constitute a complete breach.

------
paulryanrogers
Not sure why he trusts whitepapers over fully open source solutions. Perhaps
if Bitwarden were more mature or Keepass more usable they would get more
attention.

~~~
Sylos
How does Keepass not get attention? I'm pretty sure that is the most widely
used password manager among professionals.

It doesn't generate as much marketing buzz on its own as a Lastpass or a
1Password does, but too many people have too much stake in their passwords for
them to even consider a less secure solution solely based on marketing.

~~~
tex0
Keepass is nice, but somewhat limited in flexibility.

I'd prefer a CLI based password manager for its flexibility.

~~~
sebazzz
Keepass has a scripting plugin for your flexibility needs.

------
albertop
Anybody with good security background care to comment on the white paper
mentioned in the article -
[https://1password.com/files/1Password%20for%20Teams%20White%...](https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf).
Troy seems to endorse their cloud service. I am paranoid and do not like my
password stored there :-)

~~~
tptacek
You can (and should) just use their standalone product.

~~~
hoistbypetard
Can you still purchase that? Last time I tried to help someone buy it, we
could not find a way.

~~~
extra88
Yes, you can, though clearly AgileBits is heavily promoting choosing a
subscription instead. The recent announcement of 7 beta for Mac that appeared
on HN [0] mentions standalone licenses will still be an option.

[0] [https://blog.agilebits.com/2018/03/28/the-1password-7-beta-f...](https://blog.agilebits.com/2018/03/28/the-1password-7-beta-for-mac-is-lit-and-you-can-be-too/)

~~~
tzs
I think those standalone licenses for version 7 are only available to people
who _already_ have a standalone license for version 6.

~~~
extra88
My point was only that they are not stopping the sale of standalone licenses
as some people feared.

------
BinaryIdiot
Is it safe to assume that 1Password has some sort of data feed from HIBP to
handle this locally? I can't imagine they are calling a service out of their
control to send your passwords or email addresses (or even hashes of them),
no?

That was the only concerning part for me and unless I missed it I couldn't find
where it was addressed.

Beyond that this is a great idea!

~~~
eridius
HIBP now has an API for testing if passwords have been pwned that preserves
the secrecy of the password. It's called k-anonymity, and you can read about
it in the second half of [https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/)

~~~
ninkendo
I figure it’s easy to do something like this by generating a nonce over a TLS
connection and using it as a shared salt value, and just checking if the
hashes of the two passwords match when using the nonce as a salt.

Not sure what k-anonymity is but I wouldn’t be surprised if it’s something
similar.

Edit: nope, looks like k-anonymity basically lets you search by the first few
characters of the sha512 hash, and it responds with all of the hashes that
have that as the first few characters, along with the count for each (how many
people use that password, likely.)

~~~
eridius
Yeah. It produces a response that’s small, easy and fast to generate, easy and
fast to parse, without actually telling the server much of anything (all the
server learns is that it _isn’t_ a password whose hash starts with something
else, but that barely narrows the search space).

------
TimWolla
> Step 2 Enable 2 factor authentication and store the codes inside your
> 1Password account.

Doesn't storing the backup codes of 2-factor in your password safe where your
first factors resides negate the whole "2 factors" thing?

Personally I write down the backup keys on a piece of physical paper.

~~~
scrollaway
It does (only partly if you're only storing the backup codes instead of the
seed), but it doesn't negate the benefits of OTP.

Also see my introduction to password managers: [https://leclan.ch/password-
managers/](https://leclan.ch/password-managers/)

------
andruby
I don’t understand HN. I posted this 7 hours earlier and it didn’t get picked
up.

[https://news.ycombinator.com/item?id=16715230](https://news.ycombinator.com/item?id=16715230)

~~~
grzm
It's just timing. More people noticed the second one. Maybe a slight
recognition penalty by abbreviating HIBP, but even without that, the same
thing has happened to me more than once.

Edit to add: There is a dupe detector that prevents duplicate submissions, but
I'm not sure what the parameters are (e.g., detection window duration, whether
it does title matching). Sometimes when I've submitted dupes, it returns the
previous submission rather than creating a new one. Clearly that didn't kick
in in this case.

------
skybrian
It seems like the "paradox of choice" could be handled better. Ideally this
would be handled similar to how Wirecutter does reviews, with a clear
recommendation followed by alternatives.

------
amorphid
I initially read that as "I have been pwned by 1password", which is why I
clicked at all. How the brain reads things is funny sometimes.

Hopefully that turns into a fruitful partnership!

------
Fej
How can I be guaranteed (for lack of a better word; I know it's not
_guaranteed_ ) that 1Password is secure, given that it isn't independently
auditable?

Same goes for LastPass, as a side note.

------
AceJohnny2
Host seems down as of 9:16 UTC, which is surprising considering Hunt's
background. Some disgruntled hackers fiddling with things? :)

------
fwgwgwgch
Troy please do it for keepass too.

------
hartator
I still don’t get the value of using 1Password vs. using Chrome's included
solution. Anyone care to explain?

~~~
dharmab
1Password on mobile works well for mobile app passwords.

1Password also holds documents and notes; in my state, documents such as car
insurance can be legally carried on your phone for traffic stops. I also have
my health insurance cards in there for ease of use.

Plus, if you want to use multiple browsers across various operating systems
you need your password manager to be browser independent.

~~~
pktgen
> 1Password also holds documents and notes; in my state, documents such as car
> insurance can be legally carried on your phone for traffic stops. I also
> have my health insurance cards in there for ease of use.

I wouldn't rely on this because it turns your phone into a single point of
failure (your battery could die or your phone could fail at the wrong time).
Similarly, I would never rely on mobile wallets without physical cards as a
backup.

------
iammyIP
Regardless of the partnering - why would you ever put your passwords into a
public website like this?

~~~
fwip
I recommend you read the section "Consuming the API (and the Mechanics Behind
the Range Search)" of [https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/) - it explains how you can search for your password with the API
without letting the service know what your password is.
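The range search that fwip points at here, and that ninkendo and eridius describe further up the thread, as an added Python example (not code from the post, from HIBP or from 1Password): both the client and a stand-in server run offline against a constructed corpus with made-up counts. It assumes the shape of the deployed Pwned Passwords v2 range API, which hashes with SHA-1 (not SHA-512) and sends only the first five hex characters of the digest; the server answers with every suffix it knows under that prefix and the client does the final match locally, so the server never sees a full hash.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Pwned Passwords v2 range API: the client sends only the first 5 hex characters
# of the SHA-1 digest; the server returns every suffix it knows under that prefix.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the format the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed stand-in for the breach corpus the server holds; the counts are made up.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3303003,
    "qwerty": 3599486,
    "letmein": 150000,
}


def build_server_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Bucket the corpus by hash prefix, as the server would pre-compute it."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_digest(sha1_hex(pw))
        index.setdefault(prefix, {})[suffix] = count
    return index


SERVER_INDEX = build_server_index(CONSTRUCTED_CORPUS)


def server_range_response(prefix: str) -> str:
    """Server side: answer a 5-char prefix with 'SUFFIX:COUNT' lines; it never sees a full hash."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range query must be exactly %d hex characters" % PREFIX_LEN)
    bucket = SERVER_INDEX.get(prefix.upper(), {})
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = server_range_response) -> int:
    """Client side: query by prefix, then match the suffix locally. Returns 0 if not found."""
    prefix, suffix = split_digest(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        if not line:  # an empty body means no known hash shares this prefix
            continue
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def prefix_sent_to_server(password: str) -> str:
    """The only thing that leaves the client: a prefix shared by 16**35 possible digests."""
    return split_digest(sha1_hex(password))[0]


if __name__ == "__main__":
    for candidate in ("password", "a long passphrase nobody else uses"):
        print(candidate, "->", prefix_sent_to_server(candidate), pwned_count(candidate))
```

The server-side function is what eridius's "barely narrows the search space" refers to: a five-character prefix leaves 16**35 possible digests, and the server cannot tell which of them, if any, the client was interested in. Swapping `server_range_response` for a function that performs the real HTTPS GET against the range endpoint is the only change needed to query the live service.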

------
Guereric
I cannot support 1Password, a _Canadian_ company which charges in US dollars
and refuses to transact in local currency. I understand the rationale for it
when starting businesses want to limit expenses, but not when it's an
established corporation with 1+ million customers.

~~~
jeromegv
They do support Canadian dollar transactions and storing of their cloud
service on Canadian servers on [https://1password.ca](https://1password.ca)

~~~
Guereric
My mistake. The Canadian (and EU) versions appear to have been set up in the
last 6 months.

------
darksim905
For people who are looking for something different than 1Password, I suggest
looking at 2 Factor Buddy:
[https://www.twofactorbuddy.com/](https://www.twofactorbuddy.com/)

~~~
urda
This isn't a thread about choices or alternatives, the topic is about the
partnership.

------
newscracker
Without sugar coating, let me just say that this is really a nasty move,
primarily because AgileBits is a shady company (though it has a good enough
product) that uses dark patterns to lure people to buy subscriptions and makes
people jump through hoops to find the standalone version. Putting such a
company in front of thousands of users is a nasty way to treat his site's
visitors, IMO.

In the blog post, Troy says the cost of HIBP is more than a few coffees, but
I'm not sure if that's per day or per week. Hopefully the latter. Someone in
his position wouldn't feel the pinch, as he himself states that "the time
commitment" is what concerns him more. Regardless, his effort and time are
worth paying for so that more people can benefit from the service. My
contention is that AgileBits is not the right entity to partner with to get
some money for this service.

He also hasn't yet talked about the long term plans for HIBP, though people
have asked him about the "bus factor" currently being 1. He's said he'd write
about it soon. If he's going to hand over management of HIBP to AgileBits,
that would make it look really weird and remove at least some of the trust
that HIBP now commands.

Wish he had put up some fundraising page or an annual fundraiser — given his
fame in tech circles, I'm sure that would've gotten more money than necessary
to run HIBP and to pay for his time. Wish he had planned to hand over HIBP to
a set of individuals (not companies) for long term care. Alas, what a sad
move!

