Please support searching for multiple compromised email addresses

XIII
edited June 25 in Lounge

I got really excited about the new email address based search for breaches:

https://blog.agilebits.com/2018/06/25/watchtower-we-shall-fight-on-the-breaches/

However, when I ran it, I noticed that it only checks the email address that I (primarily) use to log in to 1Password (but not for most other services), so it's almost useless for me.

Please make it possible to check for multiple email addresses; for example by checking all saved usernames that match an email address (regular expression).

Comments

  • Ben AWS Team

    Team Member

    Hi @XIII

    Thanks for the feedback. I ran into the same thing since I tend to use a unique email address for each service for privacy and anti-spam reasons. We’d like to expand this in the future, but we’re only able to check against verified emails. At the moment the only address we have verified is the one registered to your 1Password account. It does seem like this is a common enough situation though that we’ll want to find a way to do more here.

    Ben

  • danco Senior Member, Community Moderator

    I was interested in the same thing. I suppose it is difficult to allow checking for emails without opening the system to abuse.

  • brenty

    Team Member

    Indeed. More to the point, this isn't something that's allowed by haveibeenpwned.com in the first place. If you just enter any email address there, you get fairly limited information, since you could enter anyone's. In order to get all of the details, you need to sign up and verify that you have access to that email account first. It's possible that we'll offer a way to do that through 1Password.com in the future as well, but for now you can always go right to the source: https://haveibeenpwned.com

    We love working with Troy because he's as committed to security and privacy as we are; not just when we check our own stuff, but also in ensuring that others' security and privacy isn't compromised by the service as well. Cheers! :sunglasses:

  • XIII
    edited June 26

    More to the point, this isn't something that's allowed by haveibeenpwned.com in the first place.

    Ah, I was not aware of this.

    However, if I could verify a couple of email addresses I would be able to cover at least 80% of my accounts (guesstimate).

    PS: I can’t find that restriction on HIBP; where is it documented?

  • brenty

    Team Member

    @XIII: There is some information about this in the FAQ (under "sensitive breach"):

    https://haveibeenpwned.com/FAQs

    But essentially it's a matter of design more than anything else: the website will not give you a full listing for everything matching the email address you enter there. That information can only be gotten by signing up and verifying your email address. Circumventing that is possible with the API, but would violate "acceptable use":

    https://haveibeenpwned.com/API/v2#AcceptableUse

    We want to stay true to the spirit of haveibeenpwned.com and not enable misuse by allowing 1Password to scan for others' email addresses. So if and when we make it possible to search on other email addresses besides the one registered on the account, it will also be necessary to verify those first, just as Troy's site does, and as you do when setting up a 1Password.com account in the first place.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • XIII
    edited June 27

    I hope this helps

    Yes, thanks.

  • brenty

    Team Member

    :) :+1:

  • fpt71
    edited August 28

    Yeah, I purposely used a different email address on 1Password than the one I use for all my accounts that I am vaulting in here so that any hacks on my primary email address could not be traced to this account. But now I can't see any breach reports because this email account is brand new. It's not the primary one I use for everything. And I know I've been notified about my primary email being on the dark web, etc. The only way I can see to get a breach report on that other email is to do an "email change" in my 1Password profile settings. If I do that I assume it will work on that other email and then I can change it back...? If not that kinda sucks. You could allow us to "add additional Breach Report Emails" with validation/confirmation. Like say allow us to add maybe 1 or 2 more email addresses and then they only become active for "Breach Reports" if you confirm them all the same way you do when you change your email address on your main 1Password Account/Profile (you send us an email and we log in to our email accounts and verify it's us, etc.)?

  • brenty

    Team Member

    @fpt71: It makes sense that you might want to use a different email address not used for anything else for your account. But it's definitely a trade-off since that means that 1Password won't be able to find anything associated with that address. To answer your question:

    The only way I can see to get a breach report on that other email is to do an "email change" in my 1Password profile settings. If I do that I assume it will work on that other email and then I can change it back...?

    Of course! You can change the email address on your account at any time.

    You could allow us to "add additional Breach Report Emails" with validation/confirmation. Like say allow us to add maybe 1 or 2 more email addresses and then they only become active for "Breach Reports" if you confirm them all the same way you do when you change your email address on your main 1Password Account/Profile (you send us an email and we login to our email accounts and verify it's us, etc.)?

    I'm having trouble finding the question there, but in broad strokes, as mentioned previously, it's something we can consider for the future. The problem is that 1Password accounts are tied to a single email address, and, as such, there's no process available for adding others. And of course that would sort of negate the purpose of you using a separate email address for yours, if you just end up adding your other email addresses anyway. It's something that a few folks have shown interest in though, and we'll continue to listen to everyone's feedback.

  • XIII

    Maybe allow customers to add (multiple) verified email addresses and then check all those addresses in the database?

    Verification could be done by sending a unique link to an email address and requiring the customer to tap on that link to prove ownership of the email address.

  • brenty

    Team Member

    Sure. As I mentioned before it's something we're considering. There is simply no mechanism in place for multiple email addresses in an account, and we need to carefully consider the implications of adding that, both from a HIBP standpoint and usability, not to mention someone would have to be diverted from working on something else. I think it's a good idea, but there just hasn't been enough interest so far to push that up our priority list. It's certainly a possibility though. :)

  • rlh

    @XIII, @danco, @fpt71

    While waiting for 1Password to support (or not support, given some reasonable objections regarding email verification and potential abuse) multiple addresses you can always go over to HIBP and click on "Notify Me" to subscribe to realtime notifications of email breaches. @brenty hinted at this in a couple of previous posts but I thought I would point it out more explicitly.

  • @rlh Thanks. I already did that, but I would still like the functionality in 1Password.

  • brenty

    Team Member

    @rlh: You're absolutely right. I'm sorry for not being more explicit about it. :sweat:

    Have I Been Pwned offers a great service. If you go to the site you can enter your email address not only to check known breaches, but if you click "Notify me" at the top and submit your email, it will let you know of future breaches that come to light as well:

    https://haveibeenpwned.com

    Thank you for the nudge! :blush:

  • jpgoldberg Agile Customer Care

    Team Member

    I'd like to expand on @brenty's point about the potential for abuse, as this is the primary reason that we don't do what would otherwise be a really nice feature.

    You should only be able to test your own email address and not somebody else's. Suppose Alice has an account on ISecretlyLoveNickelBack.org. Naturally she would not want Bob to know about such a shameful thing. But if the site has had a breach, and if Bob could check [email protected] in HIBP, he could learn that she did have an account there.

    Now if 1Password worked this HIBP check as asked for, then Bob could create a login item in one of his vaults that lists the email address [email protected] and the website as https://ISecretlyLoveNickelBack.org. The account wouldn't have to be real; all he would need is to create a 1Password item of that nature in one of his vaults. This way he could find out Alice's terrible secret.

    When you sign up for a 1Password membership, our signup process involves verifying that you do control the email address you sign up with. And so it is safe to check those. Bob can't create a 1Password membership under Alice's email; he can only create it under an email address that he controls. And so that is the email address that we can safely check.
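    The two ideas in this thread, the abuse case above (Bob saving a login item that names Alice's address) and the earlier suggestion of proving ownership with a unique emailed link, fit together in a small design sketch. The code below is an added illustration written for this page; it is not 1Password's or HIBP's code. It assumes a 15-minute link lifetime, a constructed local breach table standing in for a real lookup service, and hypothetical function names; the only inputs ever consulted for a breach report are addresses the account holder has completed verification for, never the usernames stored in vault items.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed policy value for this example (not 1Password's or HIBP's).
TOKEN_TTL_SECONDS = 15 * 60

# Constructed stand-in for a breach index such as HIBP's. A real implementation
# would query the service; lookups here are local so the example runs offline.
BREACH_INDEX: Dict[str, List[str]] = {
    "alice@example.com": ["ISecretlyLoveNickelBack.org"],
    "bob@example.com": ["ExampleSite.test"],
}


def normalize(email: str) -> str:
    return email.strip().lower()


@dataclass
class PendingVerification:
    token_hash: bytes      # store only a hash: a leaked table must not yield usable links
    expires_at: float


@dataclass
class Account:
    primary_email: str                                        # verified during signup
    verified_emails: Set[str] = field(default_factory=set)
    pending: Dict[str, PendingVerification] = field(default_factory=dict)
    login_items: List[dict] = field(default_factory=list)     # vault items; usernames are untrusted

    def __post_init__(self) -> None:
        self.verified_emails.add(normalize(self.primary_email))


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def start_verification(account: Account, email: str, now: Optional[float] = None) -> str:
    """Issue a single-use, time-limited token. The service would email it as a link;
    it is returned here only so the example can complete the round trip locally."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG, unguessable
    account.pending[normalize(email)] = PendingVerification(
        _hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def complete_verification(account: Account, email: str, token: str,
                          now: Optional[float] = None) -> bool:
    """Mark the address verified only if the token matches, is unexpired and unused."""
    now = time.time() if now is None else now
    email = normalize(email)
    pending = account.pending.get(email)
    if pending is None:
        return False
    if now > pending.expires_at:
        del account.pending[email]                    # expired links are discarded, not retried
        return False
    if not hmac.compare_digest(_hash_token(token), pending.token_hash):
        return False                                  # constant-time compare; entry stays pending
    del account.pending[email]                        # single use: the link cannot be replayed
    account.verified_emails.add(email)
    return True


def breach_report(account: Account) -> Dict[str, List[str]]:
    """Look up breaches only for addresses the holder has proven to control.
    Usernames in login items are deliberately ignored, which is what stops Bob
    from learning about Alice by saving an item that names her address."""
    return {email: BREACH_INDEX.get(email, []) for email in sorted(account.verified_emails)}


if __name__ == "__main__":
    bob = Account("bob@example.com")
    bob.login_items.append({"website": "https://ISecretlyLoveNickelBack.org",
                            "username": "alice@example.com"})
    print(breach_report(bob))                         # Alice's address is not consulted

    token = start_verification(bob, "bob.work@example.com")   # Bob controls this inbox
    print(complete_verification(bob, "bob.work@example.com", token))
    print(breach_report(bob))
```

    Bob can still request a link for Alice's address, but the token only ever reaches her inbox, so he cannot complete the step; that is the same property a signup-time verification gives the primary address, extended to any number of extra addresses.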

  • XIII
    edited September 14

    @jpgoldberg:

    You should only be able to test your own email address and not somebody else's

    That's why I wrote this:

    Verification could be done by sending a unique link to an email address and requiring the customer to tap on that link to prove ownership of the email address.

  • brenty

    Team Member

    @XIII: I don't think Goldberg's comments were directed specifically at you, but at the general discussion here.

  • jpgoldberg Agile Customer Care

    Team Member
    edited September 14

    Thanks @XIII. I was commenting on the question as a whole, but I must confess to having missed what you had written.
