Security risks of Have I Been Pwned

Published:

We believe that Have I Been Pwned (HIBP) provides a sufficiently useful service to most of our customers that it outweighs the newly discovered risks. However, the risks need to be presented to customers in a way that helps them make that decision for themselves.

What you should do

  • Use strong, unique passwords. This will protect you against the kind of issue described below, and is what you should be doing anyway.

  • Be aware that by using HIBP, you may provide the service with enough information to learn some of your similar weak passwords (see details below).

About the issue

On July 10, 2019 Jack Cable published an analysis of the Have I Been Pwned (HIBP) service which shows that, despite its design intention, there are plausible scenarios for it to discover a user’s weak passwords if it were to act maliciously. The kind of attack Cable describes has no effect on strong and unique passwords.

Vulnerable HIBP users are those who have weak passwords that are very similar to each other. For example, if you have passwords like  MyS3kret and  MyS3kret1, a malicious HIBP service could correlate those lookups with each other, along with lookups for your email address, in a way that would make it feasible for the service to learn that you have those passwords.

We have absolutely no reason to suspect that the HIBP service, operated and managed by Troy Hunt, would be malicious. Indeed, we have full confidence in Troy Hunt’s integrity. However, security choices on whether to use the service may depend more on what can be done with the information sent to it than on the goodwill of the service operators.

What can be exposed

Three conditions must all apply for any of your passwords to be exposed through the mechanism Cable describes:

  1. The HIBP service would need to act maliciously (we do not believe that it does).
  2. You use the service to check your passwords and your email address.
  3. You have similar weak passwords.

Similar weak passwords are vulnerable

It’s important to clarify that only sets of similar weak passwords are vulnerable.

HIBP’s k-anonymity system is designed so that even if you query a weak password like  MyS3kret, the service can’t discover the password even if it were to act maliciously. However, Cable shows that if you queried both  MyS3kret and  MyS3kret1, the service receives enough information to determine with high probability that those are the passwords you checked.

Similar strong passwords aren’t vulnerable to the kind of attack Cable posits. If you queried both  icfix*4wZzFrTXwd and  icfix*4wZzFrTXwd1, HIBP wouldn’t receive enough information to discover anything useful about those passwords.

Background

HIBP is an extremely useful service which helps people identify weak and exposed passwords they need to change. This improves user security, particularly when combined with tools that help them create and manage strong, unique passwords.

HIBP (version 2) was launched with certain security guarantees. In particular, you can use the service to look up a password without revealing your password to the service. That remains true for isolated queries, so you don’t have to rely on the good intentions of HIBP when you look up an individual password.

Cable has shown that when queries from a single user are taken together and certain combinations of passwords queried, HIBP does receive enough information to discover some of those passwords.

Although HIBP’s design works as intended with respect to any individual query of its service, it fails to meet those design goals when queries from the same user can be correlated with each other. For a full discussion of how it fails and what a compromised or malicious HIBP server would need to do, it’s best to read Cable’s analysis.

What we’ve done

We want 1Password customers to make a genuinely informed decision when they opt in to the HIBP integration. In light of this risk, we’ve:

  • Provided information about the risks of using HIBP when you turn it on in 1Password. There is an updated message that reflects these risks.

  • Turned off the HIBP integration for everyone who turned it on, as these risks weren’t known (and therefore not presented to customers) when they first opted in. These customers were presented with clearer information and and the choice to opt in again.

Thanks

We would like to thank Jack Cable, who has worked with us to better understand the risks and possible mitigations. And, as always, we would like to thank our friends at Have I Been Pwned.