The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years later and realise that unfortunately, nothing has really changed.
The strength of most passwords is terrible. Then they get reused. Everywhere. That post was my own personal wakeup call; it was the very point where I observed that what we all needed to do was to "liberate ourselves from the tyranny of passwords", as I said at the time, and that's precisely what I did: I went and bought 1Password and I've been using it every single day since across all my devices.
Today, I'm announcing a partnership between HIBP and 1Password. This is the first of its kind for me and I've actively avoided anything of this nature until now. I want to talk about why that is, what's changed and what the new partnership looks like.
The Intent of HIBP Has to Remain Beyond Reproach
Just last week, I wrote about the legitimisation of HIBP. That blog post had been in the works for many months before this partnership was conceived of, but I ultimately decided to get it out before this announcement to help explain my thinking. The very first sentence of that blog post was this:
There's no way to sugar-coat this: HIBP only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike
In that post, I talked about more nefarious operators working in the same space as HIBP purely to cash in on the misfortune of others. As soon as there's money involved, motives are questioned; people will assume the core objective is to monetise the service and clearly with those more nefarious offerings, that was precisely the MO.
I've had many offers to sponsor HIBP, to monetarily reward me for product placement and indeed to buy the service outright. I've rejected every single one of them because I didn't want my motives to be questioned; I wanted to ensure people look at this service and genuinely feel that first and foremost, it's there to help them do good things after bad events. To that end, I think it's fair to say that the public sentiment towards HIBP has remained enormously positive.
Let me talk about why this partnership makes sense now.
Why It Makes Sense to Partner with a Password Manager Now
There are many reasons why but I'm going to start with the most practical one first: people want actionable steps once they've found themselves pwned. The vast majority of people that use HIBP are not technical like you (probably) are. HIBP has millions of unique visitors every month (sometimes spiking up to 3M per day during major security incidents), and they're all asking the same question: what do I do now? I was reminded of this on the weekend when I saw HIBP featured in the Belgian news. There's a short video clip in that piece (in Dutch, but you'll get the idea), where a journalist enters her email address and finds herself in the LinkedIn data breach. So now what? What should she and all the normal everyday people watching that piece do? (Sidenote: awesome name for the IT expert in that piece!)
Here's what the site used to say:
But "take appropriate action, such as changing passwords" doesn't really lead to the right behavioural change because people being as they are, they'd just go and change the password on the sites they could remember to the same lousy new password. I could have said "go and get a password manager", but this is barely any better as it doesn't lead them by the hand to a good one! I also could have listed just a few of the industry leaders, but between people being as they are and the whole paradox of choice problem (a great book, BTW!), that still isn't enough: they need more. This question I saw on Reddit just the other day is a perfect example:
People literally want to read "go here, do this". Which is why it now looks like this after searching for your email address:
This is the best place ever to be talking about password managers. This is that point at which the penny drops, the one where people come to that realisation of "ah, now I see the problem". But it's not just 1Password being highlighted here either; there's also a call to go and turn on 2FA and to subscribe to HIBP notifications, because both of those things are very positive steps for improving one's security posture. This is where people are going to be the most open to the suggestion that they need a different way of doing passwords. And the reality of it is, HIBP does lead to positive changes in people's security posture:
Hi Troy, @haveibeenpwned and Pwned Passwords are probably the main reasons I eventually went over to a password manager. I spent a few hours manually updating all passwords to all sites. I even shut down accounts I no longer wanted / needed. Thanks for all your work!— Dan Blank (@danblank000) March 20, 2018
The same messaging as above is now on the Pwned Passwords page because again, that's a point where I can have a positive influence on people's security posture. Same again when one of the 1.9M verified subscribers has an account in a data breach (albeit without the 3rd step encouraging them to subscribe to notifications, for obvious reasons).
It's not just HIBP which is the coalface of people asking for guidance on password managers though, I'm still regularly asked what I'd recommend based on my own experiences:
Any particular password manager you recommend Troy?— Brian Ford (@BrianPFord) March 9, 2018
Which ones do you recommend?— Edward Deaver (@EdwardCDeaver) March 10, 2018
Partnering with 1Password gives me better insight into how they're tackling the password problem and it makes me more comfortable than ever in putting them forward as the answer to those aforementioned questions.
So it makes sense for users, that's the first thing. The next thing is that in terms of the timing, this comes off the back of the post I mentioned from last week regarding the legitimisation of HIBP. The service has reached a point in the mainstream where many of the concerns I've had about running it as I do are now history. In that post, I give many examples of how HIBP is recommended by major online services, gets mentioned by law enforcement on a regular basis and, of course, there's the announcement from earlier this month about UK and Aussie governments using the service for free (there's more of those to follow, too). In short, the service has now gone well beyond the point where anyone should (reasonably!) be questioning my motives for running it.
All of the above could equally be said about other password managers too, so let me explain why I chose to partner specifically with 1Password.
Why 1Password Was the Partner of Choice
Working with 1Password was the obvious choice for a number of reasons, the most obvious being my long-standing history with them. This is a product I had already endorsed of my own free volition and from the perspective of my own authenticity, that was very important. Less than 6 months ago, I wrote about how I decide what products I endorse and I said this about 1Password:
For example, I'm frequently very vocally supportive of both the 1Password password manager and Freedome VPN. I use them both daily, I've written about them both and I constantly recommend them to anyone who asks. I've never received either product for free (I've paid retail prices for both for years), and I've never been paid to endorse either of them.
And true to my word, it was only last month - before any discussion with them about this partnership - that I went and purchased their subscription service:
(Because I know people will ask, yes, irrespective of our partnership I'm very happy with their subscription service, have a read of their whitepaper if you'd like to understand the mechanics of it.) The bottom line is that nobody should ever need to question whether my using 1Password was an incentivised decision. If in any doubt, scroll back through years of mentions of my name and theirs on Twitter.
The next point that really helped make them the partner of choice goes back to these 2 tweets:
Hey, you know what would be cool? If @1Password was to integrate with my newly released Pwned Passwords k-Anonymity model so you could securely check your exposure against the service (it'd have to be opt in, of course). Oh wow - look at this! https://t.co/RCspu1kNtR— Troy Hunt (@troyhunt) February 22, 2018
I'm *so* impressed with what they've done here; I launched this service only 27 hours ago and they've already pushed this out. They had no prior knowledge I was doing this, they just got hands on tools right away and made it happen. That's awesome.— Troy Hunt (@troyhunt) February 22, 2018
They genuinely had no prior knowledge of what I was doing and they turned around in just a day and a bit and built this into their product. I was amazed at how quickly they did this, but even more amazed at how positive the feedback has been:
Very impressed at how fast @1Password has moved to integrate the V2 Pwned Passwords API @troyhunt released just this week. Much respect for both products and very glad to see them work together. Read more on Pwned Passwords: https://t.co/iyg3UaHTHa— Michael Jordan (@jordanmdtx) March 7, 2018
I am really impressed with how quickly @roustem & @dteare's teams at @AgileBits integrated the k-Anonymity model APIs of @troyhunt "Pwned Passwords" V2 service into @1Password. #happycustomer #AWSPowered https://t.co/QeXON5FA9j— Werner Vogels (@Werner) February 26, 2018
For those of you who don't know Werner, he's the CTO at Amazon so I consider this especially hearty praise. And I've seen hundreds of similar tweets too, all very happy to see Pwned Passwords integrated into 1Password and all very happy to see the relationship with HIBP.
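For readers wondering what "the k-Anonymity model" in those tweets actually means in practice, here's an added illustration of the client-side check. It is my own example written for this post, not Troy's HIBP source and not 1Password's implementation. The real service is queried with the first five hex characters of the password's SHA-1 hash and answers with every known suffix for that prefix (one "SUFFIX:COUNT" line each), so the full hash never leaves the device; the mock_range_server function and the CONSTRUCTED_CORPUS with its made-up counts below are stand-ins for the real endpoint and real breach data.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords corpus: a few passwords with
# MADE-UP occurrence counts. This is not real breach data.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 1234567,
    "123456": 7654321,
    "qwerty": 98765,
    "letmein": 4321,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """The first 5 hex chars go over the wire; the remaining 35 never leave the client."""
    return digest[:5], digest[5:]


def mock_range_server(prefix: str) -> str:
    """Hypothetical stand-in for GET /range/{prefix}: returns one 'SUFFIX:COUNT' line
    per corpus hash sharing the 5-char prefix, the same shape the real endpoint uses."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, suffix = split_hash(sha1_hex(pw))
        if p == prefix.upper():
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def parse_range(body: str) -> Dict[str, int]:
    """Turn a range response body into {suffix: count}, tolerating blank lines."""
    hits: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        hits[suffix.upper()] = int(count)
    return hits


def pwned_count(password: str, fetch_range: Callable[[str], str] = mock_range_server) -> int:
    """k-anonymity lookup: query by prefix, then match the suffix locally.
    Returns how many times the password was seen in the corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

To run this against the live service, swap mock_range_server for a function that fetches https://api.pwnedpasswords.com/range/{prefix} and returns the response body; the parsing and the local suffix match stay exactly the same. Because the server only ever sees the five-character prefix (and returns hundreds of suffixes for it), it cannot tell which password was being checked, which is what made this safe for 1Password to build in as an opt-in feature.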
There are many other bits and pieces that contribute to my comfort in teaming up with 1Password, including how pleasant I've found the folks there to deal with, the strength of public goodwill I regularly see directed towards them from my followers and even their use of Bugcrowd to manage their bug bounty program (I just recorded 2 Pluralsight courses with friend and Bugcrowd founder, Casey Ellis). Oh - they're also offering a top bounty of US$100k so they're well and truly putting their money where their mouth is when it comes to security.
I also receive a lot of positive feedback from my followers about 1Password and knowing that the people who support me also support the password manager that now appears on HIBP is very reassuring:
Same here. Been using them for years because they’re so good!— Thomas Culligan (@_vw_fast_) March 10, 2018
So, you see, the decision to choose 1Password as the partner for HIBP wasn't a hard one and no, they weren't the only party I was chatting to about this. I wanted to ensure that this relationship has the highest possible chance of being received positively by the public and hopefully, that will be the case.
This Partnership Will Help Me Do What I Do
Just last weekend, I saw a tweet that was a great representation of the level of commitment this project demands:
This was a very nice thing for Bloomberg to say (the original story is online under Silicon Valley Has Failed to Protect Our Data. Here’s How to Fix It) and I'd love to think that a service like this might have $120M of value! Regardless, it has clearly become quite a valuable asset and one that I continue to enjoy providing to people for free in its current form, but that comes at a cost.
Now, I've always said I've run this on "a coffee budget" (i.e. the cost of a couple of lattes a day from a local coffee shop) and that remains the goal. Whilst I've found myself having to drink more lattes for that statement to hold true (ok, maybe not but you get the idea), it's the time commitment that I've really been feeling the sting of. I always intend to run the services I do today for free - I've absolutely no intention of changing that - but seeking out other ways to compensate the effort was important for the long-term viability.
Clearly, this is a commercial relationship - 1Password pays to get their product in front of people via HIBP. It's not quite $120M, but it's obviously a valuable proposition for them because as I mentioned earlier, this is the best possible place to get people thinking about password managers. Over the last month the site has been tracking about 100k unique people a day too so that'll be great for 1Password's exposure, great for those people who are asking "now what?" and a great partnership for me to be involved in too.
Throughout the life of HIBP, I've held onto the mantra that it must help people do good things in the wake of bad events. What pleases me most about partnering with 1Password is that the relationship furthers that objective; people going and getting themselves the very password manager that I've used myself for so many years is the single best security advice I could give, and this makes that a whole lot easier for those that have never given it any thought before. And it is a partnership too rather than just a one-way relationship where their name appears on HIBP; even just yesterday they blogged about including Pwned Passwords searches in the desktop app:
What I love about this model with 1Password is that it only contributes to the user experience, it takes nothing away from it. I do hope it's well-received and that this post sufficiently explains why I felt this was the right fit at the right time. As always, do leave your feedback below, especially if you have thoughts on how to make this experience more valuable for everyday people.
Edit: Thanks everyone for a collection of very valuable comments, there's been some great feedback both in support of the partnership and raising areas you think I should address. Rather than individually replying to the latter, I wanted to consolidate a response here so that it forms part of the original post.
On recommending other password managers (free or otherwise): There are two primary reasons why I haven't done this and the first is pretty obvious – I can't form a commercial relationship with 1Password then say "oh, and there's also this other competing product". That doesn't work in terms of the benefit they get from the partnership and as I said above, I also don't believe it works in terms of the ambiguity it leaves open to people using the service. The second is simply this: I'm personally recommending a product and I only feel comfortable doing that with something I use myself. As I said in the post above, I've used 1Password extensively and exclusively – I can't in good faith recommend another product I'm not using myself (go back to the aforementioned post on how I choose what I endorse). It's precisely the same with Freedome VPN; I trust it, I use it extensively and I recommend it above all others because that's the product I know (and no, there's no commercial model with F-Secure).
In terms of being clearer about 1Password appearing on HIBP as a result of a commercial relationship, enough people have raised this that I need to address it. I'm going to be spending some time with 1Password folks at a conference next week and I'll make sure I have this discussion then. I don't agree it’s in the same league as Google indicating what's an ad versus what's an organic search result, but I do think there are multiple ways that the relationship can be made clearer. My gut feel is that it should highlight both the points raised in the previous para, namely that we have a commercial relationship and that I'm personally a long time user and advocate of the product.
In summary, this agreement involves promoting 1Password as the password manager of choice and clearly that means putting them at the forefront, but I hear the feedback about being clearer on the relationship. I know that some people would like to see other alternatives represented as well, but I also know they can see why that would conflict with the nature of this partnership. As I said in the post, using 1Password has been my recommendation for the last 7 years and the advice you now see on HIBP is precisely the same as I've always provided. Those of you who've been following me for a while know that, but it bears repeating.