1passwordPassword management app 1Password this week got a new feature on the web, and developer AgileBits described it as a way for users to check and make sure that their passwords aren't "pwned passwords," or passwords that have been leaked online. While the launch is web-only right now, AgileBits said it will be coming to 1Password apps in the future.

1Password's new feature integrates with a newly updated service by Troy Hunt -- who previously created a breach notification service called Have I Been Pwned -- and securely and privately checks your passwords against more than 500 million passwords collected from various breaches.

This way, users can further ensure that their passwords saved within 1Password are as secure as possible, and if Hunt's new service surfaces a warning about compromised data, they can change to a new one without leaving 1Password.

1password pwned passwords
Pwned Passwords originally launched as a feature within Have I Been Pwned last August, but Hunt has now updated it to version two and greatly expanded the amount of passwords indexed, originally starting with 320 million. For 1Password's integration, which is still just a proof of concept as of now, AgileBits said the feature is available today to everyone with a 1Password membership, and shared the following steps:

- Sign in to your account on 1Password.com.

- Click Open Vault to view the items in a vault, then click an item to see its details.

- Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.

- Click the Check Password button that appears next to your password.

Once you click "Check Password," 1Password will communicate with Hunt's service of indexed passwords, letting you know if yours exists in his database. As AgileBits pointed out, "If your password is found, it doesn't necessarily mean that your account was breached. Someone else could have been using the same password." Still, the company encouraged immediate action for any user who sees a confirmation of a password matching to Hunt's service.


In the announcement, AgileBits ensured that this communication with Pwned Passwords keeps user passwords "private and secure" because they are "never sent to us or his service." Hunt's service never receives the full password, and only requires the first five characters of each password hash. The developer stated, "we would never add it to 1Password unless it was private and secure."

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Hunt goes into more detail about Pwned Passwords in his own announcement post about the update to the service. AgileBits confirmed that it will be adding Pwned Passwords to its own security breach warning feature, called Watchtower, within 1Password apps "in future releases."

Tags: 1Password, AgileBits

Top Rated Comments

Christoffee Avatar
Christoffee
102 months ago
Sometimes an idea is so obvious and fabulous I’m at a loss as to why it’s not been done before. I guess it’s only obvious once it’s obvious.
Score: 10 Votes (Like | Disagree)
wfrancis Avatar
wfrancis
102 months ago
It's a great program. I recommend it to everyone.
WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.
Score: 9 Votes (Like | Disagree)
AGKyle Avatar
AGKyle
102 months ago
WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.
We never removed the option to purchase a standalone license. As linked by others in this thread. It's also available via the Mac App Store app, feel free to check the available in-app purchases for proof of that.

Is it being kept up to date along with the subscription version?
Same question stands for the windows version
There is no difference between our standalone version of the app and the subscription version in terms of downloads. They're the same identical app. Bug fixes, improvements, and new features are added all the time. Some of those features may only be available for our subscription customers as they piggy back on features that are only possible due to our servers on the subscription side. But where possible we add features for both standalone customers and subscription customers.

SHA-1 is a worthless hash. There are rainbow tables for every possible entry. This service seems like it's a breach waiting to happen.
You missed the important bit. Your password is hashed.

Then we take the first 5 characters of the hash and send that over.

The Have I Been Pwned server takes these first 5 characters, compares to the database, finds all hashed passwords that match the first 5 characters and send those back to the client (1Password) which then checks the returned hashes to see if a match is made.

Your fully hashed password is never sent to the server, only the first 5 characters. Troy Hunt, the creator of Have I Been Pwned has stated that pretty much every 5 character prefix hash has ~500 results, and it's entirely possible that password isn't even in the results and is safe. So it really doesn't help much at all, combined with the fact no username or URL is sent.
Score: 8 Votes (Like | Disagree)
BigMcGuire Avatar
BigMcGuire
102 months ago
I had the grandfathered? app purchase from years and years ago and I never felt forced or even coerced by Agilebits to upgrade. I got the 1Password Family Teams plan recently - because I wanted to. Never once was I forced or more than a few times encouraged to get the Teams / subscription plan - this is something VERY FEW companies do. Most companies blast in your face: "UPGRADE NOW" every time you open the app. Because Agile bits didn't do this was a huge factor in my decision to upgrade. I will go out of my way to not upgrade when companies "force" or overly coerce.

So up until recently I was using the iCloud standalone app and want to voice my opinion that I was never forced or even slightly encouraged to upgrade via the application.
Score: 7 Votes (Like | Disagree)
Eidorian Avatar
Eidorian
102 months ago
It's a great program. I recommend it to everyone.
Score: 7 Votes (Like | Disagree)
justiny Avatar
justiny
102 months ago
WAS a great program. It used to be standalone (the only reason I still use it) but they needlessly forced new users to switch to a subscription model so you have to keep buying it over and over again. No thanks.
I disagree. When a developer continues to improve and enhance a high-quality application (specifically in the field of information security where threats evolve daily), I don’t mind them getting paid along the way.
Score: 6 Votes (Like | Disagree)
Read All Comments

Popular Stories

iOS 26

15 New Things Your iPhone Can Do in iOS 26.2

Friday December 5, 2025 9:40 am PST by
Apple is about to release iOS 26.2, the second major point update for iPhones since iOS 26 was rolled out in September, and there are at least 15 notable changes and improvements worth checking out. We've rounded them up below. Apple is expected to roll out iOS 26.2 to compatible devices sometime between December 8 and December 16. When the update drops, you can check Apple's servers for the ...
Read Full Article51 comments
Intel Inside iPhone Feature

Apple's Return to Intel Rumored to Extend to iPhone

Friday December 5, 2025 10:08 am PST by
Intel is expected to begin supplying some Mac and iPad chips in a few years, and the latest rumor claims the partnership might extend to the iPhone. In a research note with investment firm GF Securities this week, obtained by MacRumors, analyst Jeff Pu said he and his colleagues "now expect" Intel to reach a supply deal with Apple for at least some non-pro iPhone chips starting in 2028....
Read Full Article151 comments
iPhone 14 Pro Dynamic Island

iPhone 18 Pro Leak Adds New Evidence for Under-Display Face ID

Monday December 8, 2025 4:54 am PST by
Apple is actively testing under-screen Face ID for next year's iPhone 18 Pro models using a special "spliced micro-transparent glass" window built into the display, claims a Chinese leaker. According to "Smart Pikachu," a Weibo account that has previously shared accurate supply-chain details on Chinese Android hardware, Apple is testing the special glass as a way to let the TrueDepth...
Read Full Article66 comments
iPhone 17 Pro Cosmic Orange

10 Reasons to Wait for Next Year's iPhone 18 Pro

Monday December 1, 2025 2:40 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article107 comments
Johny Srouji

Apple Chip Chief Johny Srouji Could Be Next to Go as Exodus Continues

Sunday December 7, 2025 10:41 am PST by
Apple's senior vice president of hardware technologies Johny Srouji could be the next leading executive to leave the company amid an alarming exodus of leading employees, Bloomberg's Mark Gurman reports. Srouji apparently recently told CEO Tim Cook that he is "seriously considering leaving" in the near future. He intends to join another company if he departs. Srouji leads Apple's chip design ...
Read Full Article379 comments
iOS 26

Apple Seeds Second iOS 26.2 Release Candidate to Developers and Public Beta Testers

Monday December 8, 2025 10:18 am PST by
Apple today seeded the second release candidate version of iOS 26.2 to developers and public beta testers, with the software coming one week after Apple seeded the first RC. The release candidate represents the final version iOS 26.2 that will be provided to the public if no further bugs are found. Registered developers and public beta testers can download the betas from the Settings app on...
Read Full Article46 comments
Johny Srouji

Apple's Chipmaking Chief Johny Srouji Responds to Report About Him Potentially Leaving

Monday December 8, 2025 9:23 am PST by
Apple's chipmaking chief Johny Srouji has reportedly indicated that he plans to continue working for the company for the foreseeable future. "I love my team, and I love my job at Apple, and I don't plan on leaving anytime soon," said Srouji, in a memo obtained by Bloomberg's Mark Gurman. Here is Srouji's full memo, as shared by Bloomberg:I know you've been reading all kind of rumors and...
Read Full Article79 comments
top stories 2025 12 04a

Top Stories: iOS 26.2 Coming Soon, Apple Execs Depart, and More

Saturday December 6, 2025 6:00 am PST by
You'd expect things to be starting to wind down for the holidays by now, but that doesn't seem to be the case yet in the world of Apple news, with Apple just about ready to release iOS 26.2 and other operating system updates to the public. There was also a flurry of news this week about Apple executive departures, some expected and some not so expected, while we also learned that Apple and...
Read Full Article8 comments
ive and altman

Jony Ive's OpenAI Device Barred From Using 'io' Name

Friday December 5, 2025 6:22 am PST by
A U.S. appeals court has upheld a temporary restraining order that prevents OpenAI and Jony Ive's new hardware venture from using the name "io" for products similar to those planned by AI audio startup iyO, Bloomberg Law reports. iyO sued OpenAI earlier this year after the latter announced its partnership with Ive's new firm, arguing that OpenAI's planned "io" branding was too close to its...
Read Full Article55 comments