Have I Been Pwned Is Now Partnering with 1Password (troyhunt.com)
342 points by weinzierl on Mar 30, 2018 | 128 comments

Eh...partnerships make me uneasy.

Let's say 1Password somehow got breached, and customer vault passwords exfiltrated and posted online. Would Troy post about the breach and pull them into the database, as he has always done in the past? Or would his "partner" gently tap him on the shoulder and ask him to kindly hold off on that, because, hey, they're really sure they plugged that hole good this time; and they already let the affected customers know privately, so, why make a big deal about it?

Unless they kept it a secret (and they haven't if they've "let affected customers know privately"), Troy, by refraining from posting it, would, in a single act, lose all the goodwill and respect and credibility he's spent YEARS building up by acting professionally, honorably, and highly competently.

So, yeah, I think it's quite safe to be confident he wouldn't do that.

It would be too much of a double-edged sword, which I'm sure Troy must have realized.

Oh, I'm sure he'll post it. 1Password is software that falls into the same interest area as those who care about password disclosures, hence this probably being a good partnership.

The moment 1Password is compromised and Troy "nothing to see here"'s it? People would turn on both products very quickly because they'd find out about the former as private users and when the latter didn't disclose it, it would lose credibility.

1Password is a proprietary walled garden.

But who will leak?

What is the question? Are you asking who breached 1Password? Some hacker, just like any breach.

Are you asking who would tell the general public? Some hacker, or some chain of associates, just like any breach. HIBP only stores breaches that have previously been made public. So for HIBP to "ignore" a breach, the breach has to already be public, so there will be news organizations covering the breach if it's big.

Let's say it did happen. And now they keep it quiet.

This DB would end up on a darknet auction somewhere, and that's where things get "fun". Now, people can talk about this auction and all the really bad ramifications of both parties hiding it.

Worse yet, I could see someone waiting a month, and then leaking a DB that's fake and encrypting and dumping it on the Darknet. The goal there is slander. It doesn't have to happen for the damage to be done.

I'm not sure your scenario actually makes sense, even beyond the trust destruction issues others have highlighted.

>Let's say 1Password somehow got breached, and customer vault passwords exfiltrated and posted online.

First, 1Pass is not LastPass. Even their cloud service is optional (I don't use it for one), and it still operates end-to-end encrypted through a native client, doesn't it? At least for those clients AgileBits simply doesn't have this information at all, so there's nothing to breach. Unless by "breached" you meant "hacked so badly that a copy of the client with malware got signed and made it through app store review." But an infected client is much more easily noticed by massive numbers of people, making secrecy even more pointless than it'd be otherwise (which would still be pointless because such a breach would be obvious instantly if it was put to use).

Second and more importantly, one of the entire fundamental points of password managers isn't merely to not get breached, it's that if they do there's an orderly way to go through and change every single password to something new and random. Yes, it'd be an irritation for a whole vault, and if it happened repeatedly it'd be reason to move to something else, but the only possible way for it to escalate from a minor problem to a huge one would be for notification to be delayed. I don't see how it wouldn't be in AgileBits' direct financial interest to come clean as instantly and rapidly as possible, which would minimize both customer impact and liability. With word out, operators of sensitive services could also know to be on higher alert and/or issue mandatory resets. This last part would apply to LastPass or any other such service too, fwiw.

Granted, I'd hope such a thing, or even the possibility, would motivate an industry push for standardized password/username interaction APIs. There's no technical reason that cycling every single password you've got shouldn't be at least a mostly automatable operation. It'd be better still if passwords were done away with entirely in favor of certs, but might as well keep improving the current pile of hacks if that's the best we can manage piecemeal, I guess.

I guess time will tell, but from what I’ve seen I don’t think they’d hold back.

There was a company which literally handed their database to Troy after a breach so everyone would be on equal footing to the attackers.

Several. It was covered in another post by Troy Hunt: https://www.troyhunt.com/the-legitimisation-of-have-i-been-p...

Troy is hobbying in a really gray area, where potentially the possession of massive amounts of passwords from breaches could be a legal liability, and he's trying to do it in a way that benefits the average user and business. To do that, he needs to get and keep their trust.

I've pointed a few folks to his site and their very first question, every time, is some variation of, "you mean you want me to type my password into this dude's site?"

So haveibeenpwned is basically relying on Troy's reputation alone, which he alludes to in pretty much all of his blog posts about it.

It's hard for me to imagine him not publishing everything he learned about a 1password breach.

> I've pointed a few folks to his site and their very first question, every time, is some variation of, "you mean you want me to type my password into this dude's site?"

And this is why the v2 API design is important.[0]

Instead of sending a password to an external site, you hash the password locally with SHA1, and send in just the first five hex digits. In return you get a list of hash suffixes of known-broken passwords. You get to verify locally whether the password is known, without the password ever being transmitted.

The API is so simple to use that one of our engineers implemented and deployed a HIBP check roundtrip in less than a day. Usually a functional change in authentication path would stay in review for somewhat longer (due to people wanting to make very sure we don't mess it up), but the new API is really straightforward to reason about. It was trivial for reviewers to see that we couldn't leak information by accident.[ß]

0: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

ß: Technically it would be possible for Troy and Cloudflare to correlate the number of times a particular blob is requested and the "times found" count in the list of suffixes. But because we reject known-broken passwords, the only real information that gets exposed is the number of times users attempt to choose passwords that may have higher-than-usual incident counts.

I for one will certainly not type any real-world password in Troy's site and this has nothing to do with Troy's reputation.

Entering your password on this site effectively reduces the strength of your encryption (or whatever you use the password for) to the strength of the SSL encryption used, plus all possible side channel attacks you can mount against browsers and network protocols like DNS, plus the security or insecurity of Troy's own machines, and the guy is already a viable target for dozens of intelligence agencies. Note that a man-in-the-middle attack on this site is almost impossible to detect and there is no way for you to tell whether Troy Hunt's servers and developer machines are compromised or not.

So in a nutshell, it's a big No No. But it makes sense for a company like 1Password to cooperate with him, since these companies are in the business of storing all your passwords "in the cloud" anyway.

I would guesstimate that around 90% of all passwords these days belong to web-based services, for which everything you just said is still true, with the exception that they aren't run by Troy Hunt. There is an extraordinarily long tail of sites for which "run by Troy Hunt" would be a huge improvement.

Actually I bet my guesstimate is way too low.

Furthermore: if you're using unique random passwords anyway, then there's no sense in checking them against HIBP, and if you're not, then punching them into HIBP is how I try to convince people that they should be.

So glad I signed up for client-side 1password back when it was still available.

I'm still baffled that they decided to sunset it.

Is it completely gone? I thought it could be found by posting on the forums or searching deep within the site (not easy, but was possible).

I for one have moved out of 1Password on the desktop and use other clients. I don't mind paying for software, but companies using dark patterns like hiding purchase options intentionally don't deserve my money.

1Password costs 36 USD/year. Lastpass costs 24 USD/year (from 12 USD/year since they got bought by LogMeIn). Bitwarden costs 12 USD/year (if you use 2FA), and Bitwarden is open source. Easy choice if you ask me.

That doesn't make sense. People don't learn about breaches from a single place. What could 1password possibly gain from this, even if they could somehow do it?

This isn't about breach detection, it's more about "which of my many pwds that I use has already been doxxed and likely in a try first dictionary"?

Read the concern in the parent to what you're responding to. Essentially, "with this partnership, is Troy likely to hand wave if 1Password's logins are breached?" and the credibility concerns that this partnership may create.

PR management is what this is about. I wouldn't put it past a company to not do that when the situation arises.

Not going to happen. The moment that leaked out both parties would lose all trust from the industry. That's a hell of a hypothetical question though.

Wow. Interesting reading through the top rated HN comments on this. I'm obviously in the minority:

This is an incredible value to normal humans who are not in the tech field. This password manager will help them proactively discover a stolen password. This is a powerful step forward for normal people who don't have any grasp of how bad the security situation is in the world.

I know this isn't perfect for technicians, but I would recommend this as worthy of subscription for my family members who I love but for whom I am unwilling to provide IT support.

> This is an incredible value to normal humans who are not in the tech field

Perhaps, but I have my doubts. I have stopped recommending 1P to non-technical friends & family because none of them can ever figure out how to use it (or remember for long enough to continue doing so). I have persuaded many to try it over the years, but literally only one of them has continued with it. That happened to be my mother (because I'm in frequent contact so can help her when she gets stuck). Everything I've witnessed leads me to believe 1P is primarily a tool for the tech savvy.

I recommended 1P too, and for a long time my non-tech friends didn’t act on it, until they started hearing about password managers in the news. These days quite a few do use it. Depending on their tech skills they might require differing levels of hand-holding though.

Your non-tech friends (or at least 'quite a few' of them) are clearly more tech savvy than mine ;)

I've been using 1Password since nearly the beginning, and am really quite dependent on it now (so much so that I had a hard time coming to terms with an inevitable eventual move to Linux, until the release of 1PasswordX). So I'm an advocate.

But I think the whole computer industry outside of a very few (notably Facebook and Amazon) has a grossly inadequate picture of just how little most people (including most of the so-called 'digital native' generations) know about the many computers in their lives. They don't use computers -- they are trained by a small number of commercial interfaces. It's extremely basic rat-in-maze stuff.

The companies rightly lauded for their design skills targeted at us (this includes Apple and AgileBits) aren't even in this ballpark, and from everything I see and hear from them, they haven't a clue that they're not there.

> none of them can ever figure out how to use it (or remember for long enough to continue doing so)

Can you elaborate on this? I'm curious what they get stuck on; why do they find it any more complex than web browser bookmarks, or email?

Some I can remember were:

- not understanding the distinction between the password stored in 1password vs that on the server, eg thinking that changing the 1password one would change the original, thus locking themselves out ;)

- being completely thrown by 1Password's distinction between password & login entries

- assuming that changing the OS password would change the 1P master password automatically (really)

- the iOS share menu-based version is particularly opaque to almost all of them, and only my mother ever got familiar enough with it to manage it when I'm not around (& this only because of my regular interventions over months)

- not understanding (or noticing) the difference between updating a login entry and creating a new one, and ending up with a mess of contradictory logins

- getting completely thrown by different logins for different subdomains

There have been many more, these are just a sample of what I remember now. At a rough guess I'd say I've introduced 1Password to perhaps 20 non-tech users. Only one has continued. Many people simply lack any mental model whatsoever of how the different faces of software interact, so they get in a terrible muddle.

> why do they find it any more complex than web browser bookmarks, or email?

I don't think any use bookmarks (few people do, not even many use urls -- the vast majority in my experience use google to find sites. Every visit!).

Email's a special case. It's been around a very long time, and is used throughout the day in many workplaces, so a much higher level of familiarity has built up. Even here though, it's only the advent of large scale cloud providers (gmail, exchange/outlook/live etc) that has made email truly usable for many. Before gmail in particular, I used to have to help all my friends and family with their email, at least during setup, and often again with things like managing inbox quotas etc (with POP). It is easier now, mainly because the common interfaces hide just about everything, and there are few enough dominant ones such that devices come preconfigured knowing how to connect to them.

Okay, yeah, those are all perfectly understandable. In fact

> being completely thrown by 1Password's distinction between password & login entries

I had a hard time at first figuring out what the "password" type was for, too.

No Linux support yet (https://1password.com/downloads).

They recently introduced a 1st-party CLI that supports Linux:

However their official CLI sadly only supports interactions with the subscription service. If you are using local vaults then there are still open source CLIs for Linux:

https://github.com/latkin/1poshword (disclaimer: my project)

They have a new Chrome extension, 1Password X (Beta) which works as standalone. Only downside is it's only available for Chrome at the moment.

That's great, thank you!

Issues I faced immediately after installing it:

* Entering username/password and choosing the "Save in 1Password" option complains about not being able to reach server.

* Clicking on the extension icon and choosing New Item only shows a spinning wheel.

I'll try again when it's officially released but thanks again.

EDIT: Sent an email to their support detailing the issues.

Their 1Password X is excellent. I've been using it on a chromebook for a few months now. Chromebook does run linux, so it should work for you too.

I think it's basically the ideal place for 1Password to be running. It's hard for malware authors to infect the chromebook with stuff like keyloggers etc. I bought the chromebook for the sole purpose of managing financial transactions -- accessing investment/bank websites etc.

I've been testing their beta version for Firefox and it looks really good. I would expect it to come out soon.

You can sign up here: https://agilemail.createsend.com/h/r/0D6ED375D55C4CF1

There is an open-source linux client that works reasonably well, at least for retrieving passwords.

I use the windows 1Password 4 client through wine.

Unfortunately the 1Password 7 beta uses some APIs not supported by mono (yet?).

+1. Using 1Password v4 via Wine for years. Works reasonably well.

They have had a Chrome extension for about 6 months, which works pretty well and appears to be improving rapidly.

Hah, that was going to be my first question.

So my entire dev environment is out.

I still use it on Linux through the chrome app, but I have to open chrome every time I do instead of staying in Firefox.

I'll stay with www.enpass.io . No need to have it running in Chrome, support for Windows, Linux and Android, aaand it works offline without a subscription model. I can sync my Enpass instances over multiple ways like Google Drive, Dropbox, OneDrive, WebDAV or by my very own way to sync a single file. I have used it now for 4 years and never had any problem with syncing or losing a single password.

I've been a satisfied 1Password customer for many years, and so far as I know, they have always supported the "bring your own" method for doing password database synchronization via some other cloud service. DropBox was the first obvious solution in this space, but they should work with any of the others.

And they've also always supported the local wifi-only solution, where you have to be on the same network, and physically authorize both devices to talk to each other, before they can sync the password database.

If enpass.io works for you, that's great. I'm glad you're happy with it. But this feature isn't unique to enpass.io.

Well, it's not unique to sync but different to 1password as my passwords were never on central server!

Neither are 1password’s if you don’t use their sync service.

And honestly your passwords aren’t on their servers. An encrypted blob is. Encrypted with a password only you know.

The problem is that same password is required in the web interface for administrative settings. And a web interface can always be compromised, as it can always inject some extra JS code in one of your sessions, without you having any way to verify that the JS blob you got served is the same you got the last time or that it’s the same blob that all the other users are getting.

This is actually an important attack vector and AgileBits themselves admitted the possibility. Imagine that a compromised HTTPS root certificate can open the door to a huge man-in-the-middle attack, which is totally within the reach of governments or of well funded crime syndicates.

Also the cloud sync is no longer optional. The standalone version is no longer available anywhere on their website and Google doesn’t help either.

At this point the standalone version is still available only for those in the know, being on life support probably to not piss old timers off. At least they are thinking about us, I’ll grant them that.

This is a fair point, but it's worth noting that the password you memorize and enter is only a part of the encryption key. There's another component -- I think they call it the "master key" -- which is generated locally when you set up your database and must be transferred out-of-band to other devices. It doesn't go over a network, not even a local one. So losing control of your password via the web interface still does not constitute a complete breach.

I'm very uneasy with how much astroturfing enpass has done in the past so I will stay far away from them. Track record means a lot when dealing with such sensitive information.

Could you give more information about your concerns?

1Password user here. I only use the manual sync option. And I use Resilio Sync to keep all my devices in sync... Which means, most of the time, it's only syncing on my local network. Works great, and was a one-off cost, not a subscription model.

The best thing about Enpass, in my opinion, is how they approach syncing. I don't want another cloud sync service in my life, I already use one that I like. Enpass is smart to let me use the service I already have instead of forcing me into their own service.

So does 1Password and it has done so for much longer than they have offered their own service.

What do you use for sync?

Google drive. That's what I use for my stuff and it's 2FA secured

Not sure why he trusts whitepapers over fully open source solutions. Perhaps if Bitwarden were more mature or Keepass more usable they would get more attention.

How does Keepass not get attention? I'm pretty sure that is the most widely used password manager among professionals.

It doesn't generate as much marketing buzz on its own as a Lastpass or a 1Password does, but too many people have too much stake in their passwords for them to even consider a less secure solution solely based on marketing.

Keepass is nice, but somewhat limited in flexibility.

I'd prefer a CLI-based password manager for its flexibility.

Keepass has a scripting plugin for your flexibility needs.

> How does Keepass not get attention?

My guess is that the lack of browser integration (with extensions) that helps people autofill on specific sites/domains is what keeps it from being recommended as much as LastPass or 1Password.

The Keepassxc-Browser plugin works really great and has security improvements if you compare it to the old Http plugin that you used to connect the database to the browser.

What it's still missing is the possibility to have (almost) concurrent edit on the database, if you sync that on the cloud. Talking about the KeepassXC browser, they are close to a release where multiple users will be able to edit the database without breaking everything.

I got recommendations for KeePass from many friends (some were actually working in security) but what keeps me away is the Mac OS support [0], specifically that I have to install Mono.

Open source without reviews from security experts is as insecure as proprietary code without reviews.

And 1Password got plenty of attention and reviews, whereas Bitwarden did not.

Granted I’d prefer the open source solution when all other things are equal.

But I cannot trust Bitwarden with my data without hosting it myself and the current server implementation is expensive to host. Bitwarden copies LastPass as a model but I think that’s the wrong model to copy.

As you can read on the KeePassXC site, an audit checks only a limited snapshot of code. You can have flaws in the implementations or in plug-ins, for example in the HTTP KeePass plugin (https://github.com/pfn/keepasshttp/issues/258).

Anybody with good security background care to comment on the white paper mentioned in the article - https://1password.com/files/1Password%20for%20Teams%20White%.... Troy seems to endorse their cloud service. I am paranoid and do not like my password stored there :-)

You can (and should) just use their standalone product.

Can you still purchase that? Last time I tried to help someone buy it, we could not find a way.

The current pricing structure is a subscription, but you can use that subscription to use local vaults (syncing manually or via something like Dropbox):

Subscription pricing is pretty optimal for something like 1Password since if there is one product you want to make sure is being actively worked on it is the one with all your passwords. If you previously purchased a license you can continue to do that.

To confirm: have you tested that, or are you basing it solely on the linked doc?

I'm a huge fan of 1Password, and also a fan of paying subscription pricing for apps and dev teams making things I enjoy, but I'd seen the linked doc and parsed it the exact opposite way: "If you don’t want the benefits of a 1Password membership, you can use these third-party and advanced sync options:" --> ~"If you don't want to pay for a subscription, the non-subscription version of 1Password supports the following"

Up until now I've been counting the days until Agilebits finally sunsets the non-subscription plan since I thought the subscription option didn't support the "advanced/third-party" sync options. Will go re-evaluate that now.

If any Agilebits folks are lurking, it may be worth disambiguating that "switching to subscription billing" does not mandate "switching to an Agilebits-hosted vault"

I had a few interactions with them over the years, and the official answer has always been (quote) "...we have no intention of removing the standalone licenses as an option." (email exchange in Aug 2016).

Of course they can change their minds at any moment, but they did enough things right over the years that I have chosen to trust them.

Business-wise, they already have the best of both worlds: a cloud-based option for regular users (which generates steady income), and a standalone option for pro users who want full control (which generates spiky income, and a lot of goodwill).

From a brand perspective, pro users are much more likely to be spreading the word to friends and family (I definitely don't want my mom to be dealing with Dropbox issues, so cloud is just fine for her). From a cost perspective, maintenance of the standalone version is likely minimal, compared to supporting a cloud service safely.

Killing the standalone option would be net negative.

> I had a few interactions with them over the years, and the official answer has always been (quote) "...we have no intention of removing the standalone licenses as an option." (email exchange in Aug 2016).

I don't think these statements have any value whatsoever if AgileBits is unwilling to expose this option on its website and make it easy to buy. There is no way to buy the standalone option without spending a lot of time on the website and hunting for it (or asking on the forums). It doesn't have to be (and shouldn't be) so hard, unless AgileBits is not confident about the subscription model or wants to hide something. As a potential customer, this is how I see it.

That's pretty silly. Every popular commercial password manager is subscription-based server-mediated SAAS software, and that's who AgileBits competes with. Not only is the SAAS model much more lucrative, but support costs for SAAS customers are far lower.

Despite all that, AgileBits goes way out of its way to not only provide a standalone password manager but keep it within shooting distance of the functionality of the non-standalone product.

But that's not enough for you: if they don't actively advertise and promote the variant of their product that is most expensive for them to provide, unlike, you know, any business on the planet, you're unsatisfied with their support.

They actually said so in my email exchange: "...when we introduced 1Password, the subscription option for individuals, we clearly wanted to steer new users in this direction. If we gave them choices to get the standalone and the subscription option together it defeated the purpose of making their lives easier. Again, you and I, we get this stuff, but the average consumer doesn't."

I'm totally fine with it. It's a very reasonable business decision to try to steer away users towards the cloud option, while still offering the standalone (even if it's a bit buried). If you can't find the standalone subscription with a few more clicks, maybe you really shouldn't be using it in the first place.

Kudos to AgileBits for staying true to their origins. Provided they don't screw up, I'll continue to promote their products to friends and family.

> If you can't find the standalone subscription with a few more clicks, maybe you really shouldn't be using it in the first place.

Of course, I don't use 1Password (standalone) because I don't think a company that actively hides the standalone option deserves to get my money. "A few more clicks" is actually not the correct way to describe it. Like you, I will continue to state this dark pattern for as long as AgileBits follows this and warn people about such tactics, which I strongly believe are not good.

Actually, what's silly is that you missed my point by a very long distance. It just doesn't matter if AgileBits provides a standalone product or not if one cannot find it easily on its website and buy it. So yes, that's not enough for me! And claiming brownie points for a standalone version that's not visible on its website, in my books, is shady as heck! Please try to buy the standalone version and see for yourself how difficult it is before passing comments about it.

As for other popular commercial password managers being subscription based, that's not the topic of discussion in my comment. Such a deflection is not useful for discussion.

I, too, hope they never discontinue the standalone product. If it makes you feel any better, I noticed on their blog they're offering a paid upgrade for the next standalone version of 1password. So they're not getting rid of it in the next major version.

I have been a user for years so I have a license, but I set someone else up with it in the recent past and used iCloud to sync. There aren’t different versions of the software so I’m 99% sure anyone can sync how they’d like.

It makes some amount of sense, by now they have picked up most of the tech savvy crowd and for the average user hearing a list of sync options is intimidating.

Yes, you can, though clearly AgileBits is heavily promoting choosing a subscription instead. The recent announcement of 7 beta for Mac that appeared on HN [0] mentions standalone licenses will still be an option.

[0] https://blog.agilebits.com/2018/03/28/the-1password-7-beta-f...

I have tried the download and it just took me to the "try for free" subscription version. I did not want to import my data so I bailed out :-(. Not sure if one can try the desktop beta.

I think those standalone licenses for version 7 are only available to people who already have a standalone license for version 6.

My point was only that they are not stopping the sale of standalone licenses as some people feared.

Is it safe to assume that 1Password has some sort of data feed from HIBP to handle this locally? I can't imagine they are calling a service out of their control to send your passwords or email addresses (or even hashes of them), no?

That was the only concerning part for me and, unless I missed it, I couldn't find where it was addressed.

Beyond that this is a great idea!

HIBP now has an API for testing if passwords have been pwned that preserves the secrecy of the password. It's called k-anonymity, and you can read about it in the second half of https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

Mozilla also uses this k-anonymity in their implementation of Google Safe Browsing. (As they need to ask Google's server, if the webpage you're visiting or the file you're downloading is safe, without telling Google the webpage/file that you are visiting/downloading.)

Pretty good documentation on that: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-...

Another idea here, stolen from Mozilla's implementation, would be to add in a few noise entries when making a request.

So, if the user types in their password and the hash evaluates to "2e78f...", you would send off the request for that range and also send off requests for a handful of random, other ranges.

In effect, this isn't particularly different from using fewer symbols to denote the range, e.g. asking for "2e78" instead of "2e78f". But that gives you 16 times as many results, whereas with noise entries, you can fine-tune it to give you for example only 5 times as many results (with 4 noise entries, that is).
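The v2 range lookup described earlier in the thread (hash locally with SHA-1, send only the first five hex digits, compare the returned suffixes locally) together with the decoy-range padding suggested just above, as an added example that is not code from the thread, from HIBP or from 1Password. It assumes a Pwned Passwords style range endpoint that answers with `SUFFIX:COUNT` lines; the server is stood in with constructed sample data (including a made-up count for the well-known SHA-1 of "password") so the code runs offline.

```python
"""k-anonymity password check against a Pwned Passwords style range API.

Added example. Only the 5-hex-digit prefix of the SHA-1 ever leaves the
client; the remaining 35 hex digits are compared locally against the
returned suffix list, so the server never sees the password or its hash.
"""
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5          # hex digits sent to the server
SUFFIX_LEN = 40 - PREFIX_LEN  # hex digits that stay on the client

# Constructed sample data standing in for the server (not real HIBP data).
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range
# is "5BAA6"; the counts below are made up for the example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"  # suffix of "password"
        + "0" * 33 + "AA:3\r\n"                         # constructed neighbour
    ),
}
# The real service returns a non-empty list for every range; this constructed
# filler is returned for prefixes the sample above does not seed.
FILLER_RANGE = "F" * SUFFIX_LEN + ":1\r\n"


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix.upper(), FILLER_RANGE)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the part sent and the part kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix, count = suffix.strip().upper(), count.strip()
        if len(suffix) != SUFFIX_LEN or not count.isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many times the password appeared in breaches (0 = not in the list)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def pwned_count_with_decoys(password: str,
                            fetch_range: Callable[[str], str] = fake_fetch_range,
                            decoys: int = 4) -> Tuple[int, List[str]]:
    """Same lookup, padded with random decoy ranges sent in shuffled order.

    With 4 decoys the server sees 5 ranges (5x the traffic), versus the 16x a
    4-hex-digit prefix would cost. Returns the count and the prefixes requested.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    rng = secrets.SystemRandom()
    requested = {prefix}
    while len(requested) < decoys + 1:
        requested.add("%05X" % rng.randrange(16 ** PREFIX_LEN))
    order = list(requested)
    rng.shuffle(order)
    count = 0
    for p in order:
        body = fetch_range(p)          # every range is fetched, decoys included
        if p == prefix:
            count = parse_range_response(body).get(suffix, 0)
    return count, order


def is_acceptable(password: str,
                  fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy from the thread: reject any password that has ever been seen."""
    return pwned_count(password, fetch_range) == 0
```

To run it against the live service, replace `fake_fetch_range` with a function that performs the HTTPS GET for the prefix and returns the response body as text.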

I figure it’s easy to do something like this by generating a nonce over a TLS connection and using it as a shared salt value, and just checking if the hashes of the two passwords match when using the nonce as a salt.

Not sure what k-anonymity is but I wouldn’t be surprised if it’s something similar.

Edit: nope, looks like k-anonymity basically lets you search by the first few characters of the sha512 hash, and it responds with all of the hashes that have that as the first few characters, along with the count for each (how many people use that password, likely.)

Yeah. It produces a response that’s small, easy and fast to generate, easy and fast to parse, without actually telling the server much of anything (all the server learns is that it isn’t a password whose hash starts with something else, but that barely narrows the search space).

Anyone can download the whole list of hashes

They already have the Watchtower service in 1Password that audits your passwords: "Your website information is never transmitted to the 1Password Watchtower service"

> Step 2 Enable 2 factor authentication and store the codes inside your 1Password account.

Doesn't storing the backup codes of 2-factor in your password safe where your first factors resides negate the whole "2 factors" thing?

Personally I write down the backup keys on a piece of physical paper.

It does (only partly if you're only storing the backup codes instead of the seed), but it doesn't negate the benefits of OTP.

Also see my introduction to password managers: https://leclan.ch/password-managers/

I don’t understand HN. I posted this 7 hours earlier and it didn’t get picked up.

It's just timing. More people noticed the second one. Maybe a slight recognition penalty by abbreviating HIBP, but even without that, the same thing has happened to me more than once.

Edit to add: There is a dupe detector that prevents duplicate submissions, but I'm not sure what the parameters are (e.g., detection window duration, whether it does title matching). Sometimes when I've submitted dupes, it returns the previous submission rather than creating a new one. Clearly that didn't kick in in this case.

It seems like the "paradox of choice" could be handled better. Ideally this would be handled similar to how Wirecutter does reviews, with a clear recommendation followed by alternatives.

I initially read that as "I have been pwned by 1password", which is why clicked at all. How the brain reads things is funny sometimes.

Hopefully that turns into a fruitful partnership!

How can I be guaranteed (for lack of a better word; I know it's not guaranteed) that 1Password is secure, given that it isn't independently auditable?

Same goes for LastPass, as a side note.

Host seems down as of 9:16 UTC, which is surprising considering Hunt's background. Some disgruntled hackers fiddling with things? :)

Troy please do it for keepass too.

I still don’t get the value of using 1Password vs. using Chrome included solution. Anyone cares to explain?

As to OnePassword, I don’t know exactly. As to other password managers like LastPass and DashLane specifically against chrome built in...

- follow you around on encrypted cloud blob

- trusted machines you know you’ll log in from

- 2FA / MFA

- shareable passwords with friends/family

- works in all browsers

- works on mobile app / log in on any PC

- one time password access

- non-password things like door codes, software licenses, etc

- a lot more I’m just not thinking of I’m sure

At a more generalized level than some of the other replies: password and secure information management is a specific set of tasks and requirements that are orthogonal to web browsing. Abstracting that out into an independent piece of software makes it much easier to swap either side. It's much easier to jump from one web browser to any other web browser if there is no information transfer between them required. It's much easier to use multiple browsers simultaneously for the same reason. It's much easier to move from one password manager to another if that doesn't affect any other application that plugs into it at all. Decentralizing and fragmenting authentication and secure information is a problem.

Additionally, dedicated programs tend to be more responsive and featureful than when the functionality is tacked on as a non-core part of something else. Password managers facilitate sharing within groups and organizations, for example, in a secure and structured way. For many people that may be one of their most valuable features in fact, right down to the level of families.

I mean, this basic philosophy shows up a lot in computing, right? For example, it's an important idea at least at the heart of some of the original Unix style of doing things, where you have lots of independent programs that do something well and then link them for more complex operations rather than everything-and-the-kitchen-sink. The latter has its place sometimes too but there are strengths to the former, or to programming styles that split up larger systems into smaller tasks joined together.

1Password on mobile works well for mobile app passwords.

1Password also holds documents and notes; in my state, documents such as car insurance can be legally carried on your phone for traffic stops. I also have my health insurance cards in there for ease of use.

Plus, if you want to use multiple browsers across various operating systems you need your password manager to be browser independent.

> 1Password also holds documents and notes; in my state, documents such as car insurance can be legally carried on your phone for traffic stops. I also have my health insurance cards in there for ease of use.

I wouldn't rely on this because it turns your phone into a single point of failure (your battery could die or your phone could fail at the wrong time). Similarly, I would never rely on mobile wallets without physical cards as a backup.

Everything that isn’t in a browser? Mobile apps, SSH/OS, vpns, etc

The ability to give an emergency recovery key to my loved ones in a sealed envelope, and to save a note in 1P for them to read should anything terrible ever happen; that note tells them where to find my bank details^ (1P), various PINs to unlock my devices (1P), logins to my not-web-based email and web servers (1P).

I keep everything in 1P. Why carry around a library/health/gym/etc. card when you need the number once a week? 1P. Credit cards. Colour copies of my passport & licence. Backups of SSH keys. Passwords to sparsebundle disk images containing sensitive files. Loyalty program numbers & PINs.

It does so much that Chrome doesn’t. The iOS apps are magnificent. Their sync service is magnificent. I couldn’t live without it.

(^A friend of mine died a few years ago and we had a hell of a time figuring out where his finances were. Shit job. Don’t let that happen to your friends. Label your stuff in a password manager and make sure someone you trust has the key.)

Here’s what I just realised, while doing the washing-up. The people reading this are all capable of rolling their own solution or using some esoteric Unix-only MIT-licensed command line doohickey. That’s fine. Go for it.

Your family and friends, however, are not. They need advice. They need your advice. And your advice should be that they use 1Password.

* I don't always use Chrome

* I don't really trust Google too much

* I use passwords for non-web-based services routinely

* I share passwords for some accounts with my wife

* I like to be able to access my passwords anywhere I am

* I store credential-related secrets as well (such as security question answers, which I make up the answer to)

* Mobile sync.

* Non-browser passwords.

* Portable between browsers.

* Much better UX.

* Better password generation.

* Secure notes.

* Probably better security (both in terms of the crypto used, and in terms of what you need to do to view your passwords). Reasonable experts will disagree here.

Chrome is better than nothing. But 1Password (standalone) is better than Chrome.

I share a 1password vault with several coworkers, am issued a vault by a company I do contract work for, and have a 3rd vault shared with my family.

I'm fairly certain that scenario isn't possible with what any browser has.

For starters: not everyone uses Chrome.

No, but all major browsers have a solution for storing passwords.

Not everything is done through a browser though. And no browser exists natively on all the platforms I use.

I'm also not limited to just passwords.

My point was that "not everyone uses Chrome" is not a good response to the question of 1Password vs just using the browser's password storage (which was the original question), because Chrome isn't the only browser that saves passwords. I wasn't making any judgement on using the browser vs 1Password, though I think some people interpreted my comment as such.

all reasonable, but I think the post you're responding to is just widening the net of the original post of 1password vs chrome feature. the follow up was what about people who use a different browser which exposes a flaw in being too specific for the b case, and the follow up to that is just widening it to 1password vs web browser password storage. I didn't even take it as a defense of the b case, just an "okay, think of Edge/Safari/Firefox's password keeper instead"

It could also be added that a benefit of 1Password or another password management application is that the passwords stored would be usable in all of those browsers, whereas Chrome's would be locked in Chrome, Firefox's locked in Firefox, etc.

So the moral of the story, ignoring security in all (external vs browser) cases, if the specific browser is all you use, it is a fine password manager. The moment you go outside of that use case, the values flip quickly.

One of the big ones is 2FA OTP generation. When I am logging into my 2FA secured accounts, 1Password autofills my user/password, and then puts an OTP in my clipboard.

Regardless of the partnering - why would you ever put in your passwords into a public website like this?

I recommend you read the section "Consuming the API (and the Mechanics Behind the Range Search)" of https://www.troyhunt.com/ive-just-launched-pwned-passwords-v... - it explains how you can search for your password with the API without letting the service know what your password is.

Well, what good is the password by itself?

If you don’t know where it’s been used and with what username, it hasn’t much value.

In any case, you can use his V2 API to check your password without sending the password or even the complete hash.

You can check out my little go script which does this here: https://github.com/mrunkel/checkpass
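The range search that the k-anonymity comments above and this comment describe, as an added example that is not from the original thread or from the linked checkpass script: the client SHA-1 hashes the password, sends only the first 5 hex characters, and matches the rest locally. It also includes the decoy-range padding suggested earlier in the thread. The "server" here is a constructed in-memory stand-in for the real range endpoint so the code runs offline.

```python
import hashlib
import secrets

# Constructed stand-in for the Pwned Passwords range endpoint: maps a 5-hex-char
# SHA-1 prefix to the "SUFFIX:COUNT" lines the real API returns for that range.
# (The real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>.)
FAKE_RANGE_SERVER = {}


def _seed(password, count):
    """Register a constructed breached password and its breach count."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    FAKE_RANGE_SERVER.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")


for _pw, _n in [("password", 3730471), ("letmein", 236597), ("hunter2", 17043)]:
    _seed(_pw, _n)  # sample data; counts are made up for this example


def sha1_split(password):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    result = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            result[suffix] = int(count)
    return result


def fake_fetch(prefix):
    """Simulates the HTTP call; a real client would fetch the range URL here."""
    return "\r\n".join(FAKE_RANGE_SERVER.get(prefix, []))


def pwned_count(password, fetch=fake_fetch):
    """Number of breaches the password appeared in, 0 if absent from the range."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def padded_query(prefix, noise=4):
    """Real prefix plus `noise` random decoy ranges in random order: the server
    then sees (noise + 1) ranges instead of 16x results from a shorter prefix."""
    ranges = {prefix}
    while len(ranges) < noise + 1:
        ranges.add(f"{secrets.randbelow(16 ** 5):05X}")
    shuffled = list(ranges)
    secrets.SystemRandom().shuffle(shuffled)
    return shuffled
```

Each decoy range costs one extra request and about one extra range's worth of download, so 4 decoys roughly matches the 5x figure given above.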

I cannot support 1Password, a Canadian company which charges in US dollars and refuses to transact in local currency. I understand the rationale for it when starting businesses want to limit expenses, but not when it's an established corporation with 1+ million customers.

They do support Canadian dollar transactions and storing of their cloud service on Canadian servers on https://1password.ca

My mistake. The Canadian (and EU) versions appear to have been set up in the last 6 months.

For people who are looking for something different than 1Password, I suggest looking at 2 Factor Buddy: https://www.twofactorbuddy.com/

This isn't a thread about choices or alternatives, the topic is about the partnership.

Without sugar coating, let me just say that this is really a nasty move, primarily because AgileBits is a shady company (though it has a good enough product) that uses dark patterns to lure people to buy subscriptions and makes people jump through hoops to find the standalone version. Putting such a company in front of thousands of users is a nasty way to treat his site's visitors, IMO.

In the blog post, Troy says the cost of HIBP is more than a few coffees, but I'm not sure if that's per day or per week. Hopefully the latter. Someone in his position wouldn't feel the pinch, as he himself states that "the time commitment" is what concerns him more. Regardless, his effort and time are worth paying for so that more people can benefit from the service. My contention is that AgileBits is not the right entity to partner with to get some money for this service.

He also hasn't yet talked about the long term plans for HIBP, though people have asked him about the "bus factor" currently being 1. He's said he'd write about it soon. If he's going to hand over management of HIBP to AgileBits, that would make it look really weird and remove at least some of the trust that HIBP now commands.

Wish he had put up some fundraising page or an annual fundraiser — given his fame in tech circles, I'm sure that would've gotten more money than necessary to run HIBP and to pay for his time. Wish he had planned to hand over HIBP to a set of individuals (not companies) for long term care. Alas, what a sad move!
