Please support searching for multiple compromised email addresses

XIII
edited June 2018 in Lounge

I got really excited about the new email address based search for breaches:

https://blog.agilebits.com/2018/06/25/watchtower-we-shall-fight-on-the-breaches/

However, when I ran it, I noticed that it only checks the email address that I (primarily) use to login into 1Password (but not for most other services), so it's almost useless for me.

Please make it possible to check for multiple email addresses; for example by checking all saved usernames that match an email address (regular expression).


Comments

  • Ben AWS Team

    Team Member

    Hi @XIII

    Thanks for the feedback. I ran into the same thing since I tend to use a unique email address for each service for privacy and anti-spam reasons. We’d like to expand this in the future, but we’re only able to check against verified emails. At the moment the only address we have verified is the one registered to your 1Password account. It does seem like this is a common enough situation though that we’ll want to find a way to do more here.

    Ben

  • danco Senior Member Community Moderator

    I was interested in the same thing. I suppose it is difficult to allow checking for emails without opening the system to abuse.

  • brenty

    Team Member

    Indeed. More to the point, this isn't something that's allowed by haveibeenpwned.com in the first place. If you just enter any email address there, you get fairly limited information, since you could enter anyone's. In order to get all of the details, you need to sign up and verify that you have access to that email account first. It's possible that we'll offer a way to do that through 1Password.com in the future as well, but for now you can always go right to the source: https://haveibeenpwned.com

    We love working with Troy because he's as committed to security and privacy as we are; not just when we check our own stuff, but also in ensuring that others' security and privacy isn't compromised by the service as well. Cheers! :sunglasses:

  • XIII
    edited June 2018

    > More to the point, this isn't something that's allowed by haveibeenpwned.com in the first place.

    Ah, I was not aware of this.

    However, if I could verify a couple of email addresses I would be able to cover at least 80% of my accounts (guesstimate).

    PS: I can’t find that restriction on HIBP; where is it documented?

  • brenty

    Team Member

    @XIII: There is some information about this in the FAQ (under "sensitive breach"):

    https://haveibeenpwned.com/FAQs

    But essentially it's a matter of design more than anything else: the website will not give you a full listing for everything matching the email address you enter there. That information can only be gotten by signing up and verifying your email address. Circumventing that is possible with the API, but would violate "acceptable use":

    https://haveibeenpwned.com/API/v2#AcceptableUse

    We want to stay true to the spirit of haveibeenpwned.com and not enable misuse by allowing 1Password to scan for others' email addresses. So if and when we make it possible to search on other email addresses besides the one registered on the account, it will also be necessary to verify those first, just as Troy's site does, and as you do when setting up a 1Password.com account in the first place.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • XIII
    edited June 2018

    > I hope this helps

    Yes, thanks.

  • brenty

    Team Member

    :) :+1:

  • fpt71
    edited August 2018

    Yeah, I purposely used a different email address on 1Password than the one I use for all my accounts that I am vaulting in here so that any hacks on my primary email address could not be traced to this account. But now I can't see any breach reports because this email account is brand new. It's not the primary one I use for everything. And I know I've been notified about my primary email being on the dark web, etc. The only way I can see to get a breach report on that other email is to do an "email change" in my 1Password profile settings. If I do that I assume it will work on that other email and then I can change it back...? If not, that kinda sucks. You could allow us to "add additional Breach Report Emails" with validation/confirmation. Like, say, allow us to add maybe 1 or 2 more email addresses and then they only become active for "Breach Reports" if you confirm them all the same way you do when you change your email address on your main 1Password Account/Profile (you send us an email and we log in to our email accounts and verify it's us, etc.)?

  • brenty

    Team Member

    @fpt71: It makes sense that you might want to use a different email address not used for anything else for your account. But it's definitely a trade-off since that means that 1Password won't be able to find anything associated with that address. To answer your question:

    > The only way I can see to get a breach report on that other email is to do an "email change" in my 1Password profile settings. If I do that I assume it will work on that other email and then I can change it back...?

    Of course! You can change the email address on your account at any time.

    > You could allow us to "add additional Breach Report Emails" with validation/confirmation. Like say allow us to add maybe 1 or 2 more email addresses and then they only become active for "Breach Reports" if you confirm them all the same way you do when you change your email address on your main 1Password Account/Profile (you send us an email and we login to our email accounts and verify it's us, etc.)?

    I'm having trouble finding the question there, but in broad strokes, as mentioned previously, it's something we can consider for the future. The problem is that 1Password accounts are tied to a single email address, and, as such, there's no process available for adding others. And of course that would sort of negate the purpose of you using a separate email address for yours, if you just end up adding your other email addresses anyway. It's something that a few folks have shown interest in though, and we'll continue to listen to everyone's feedback.

  • Maybe allows customers to add (multiple) verified email addresses and then check all those addresses in the database?

    Verification could be done by sending a unique link to an email address and requiring the customer to tap on that link to prove ownership of the email address.

  • brenty

    Team Member

    Sure. As I mentioned before it's something we're considering. There is simply no mechanism in place for multiple email addresses in an account, and we need to carefully consider the implications of adding that, both from a HIBP standpoint and usability, not to mention someone would have to be diverted from working on something else. I think it's a good idea, but there just hasn't been enough interest so far to push that up our priority list. It's certainly a possibility though. :)

  • @XIII, @danco, @fpt71

    While waiting for 1Password to support (or not support, given some reasonable objections regarding email verification and potential abuse) multiple addresses you can always go over to HIBP and click on "Notify Me" to subscribe to realtime notifications of email breaches. @brenty hinted at this in a couple of previous posts but I thought I would point it out more explicitly.

  • @rlh Thanks. I already did that, but I would still like the functionality in 1Password.

  • brenty

    Team Member

    @rlh: You're absolutely right. I'm sorry for not being more explicit about it. :sweat:

    Have I Been Pwned offers a great service. If you go to the site you can enter your email address not only to check known breaches, but if you click "Notify me" at the top and submit your email, it will let you know of future breaches that come to light as well:

    https://haveibeenpwned.com

    Thank you for the nudge! :blush:

  • jpgoldberg Agile Customer Care

    Team Member

    I'd like to expand on @brenty's point about the potential for abuse, as this is the primary reason that we don't do what would otherwise be a really nice feature.

    You should only be able to test your own email address and not somebody else's. Suppose Alice has an account on ISecretlyLoveNickelBack.org. Naturally she would not want Bob to know about such a shameful thing. But if the site has had a breach, and if Bob could check [email protected] in HIBP, he could learn that she did have an account there.

    Now if 1Password worked this HIBP check as asked for, then Bob could create a login item in one of his vaults that lists the email address [email protected] and the website as https://ISecretlyLoveNickelBack.org. The account wouldn't have to be real; all he would need is to create a 1Password item of that nature in one of his vaults. This way he could find out Alice's terrible secret.

    When you sign up for a 1Password membership, our signup process involves verifying that you do control the email address you sign up with. And so it is safe to check those. Bob can't create a 1Password membership under Alice's email; he can only create it under an email address that he controls. And so that is the email address that we can safely check.

  • XIII
    edited September 2018

    @jpgoldberg:

    > You should only be able to test your own email address and not somebody else's

    That's why I wrote this:

    > Verification could be done by sending a unique link to an email address and requiring the customer to tap on that link to prove ownership of the email address.

  • brenty

    Team Member

    @XIII: I don't think Goldberg's comments were directed specifically at you, but at the general discussion here.

  • jpgoldberg Agile Customer Care

    Team Member
    edited September 2018

    Thanks @XIII. I was commenting on the question as a whole, but I must confess to having missed what you had written.

  • I use two main e-mails, one for work, and one for personal stuff. I tried using WatchTower, and it said the accounts linked to my e-mail hadn't leaked anywhere, but it only checked my work e-mail. The accounts related to my personal e-mail however, have leaked many times, and I wouldn't know that if I didn't use HIBP myself.

    I believe what happened here is that WatchTower checked the e-mail I registered in 1Password. I suggest using the e-mails registered for website logins, so it covers everything.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Hi.

    I signed up specifically for the breach report, only to find out it works on just my 1Password account email.

    It would be much more useful to me if it scanned all the logins in my vault for usernames that are emails and checked each email it found. I'm in the situation where I have many different emails used for logins. In fact, it could be argued that best practices might be to use a different email for every different site!

    Thanks,
    John

  • brenty

    Team Member

    Thanks for the feedback. Perhaps we can offer some way to do that in the future. In the meantime, Troy Hunt, whom we're partnering with, offers a way to be notified of breaches involving your email address:

    https://haveibeenpwned.com

    Cheers! :)

  • brenty

    Team Member

    @JohnReel: Please see above. That's intentional. Watchtower only checks the verified email address, not any arbitrary ones entered. :)

  • Maybe you could add a way to verify all the emails used in email/password combinations. In any case, I guess people can do an export, pull out that one column and add all their emails to haveIbeenpwned one at a time. Was just hoping that would be automatic, because that could be a lot of emails.

    For example, IMO, best practices would be to set up a catchall @mydomain.com, and then when you sign up for a service, sign up with [email protected]. Then when you get spam to that email, you know who the culprit is, and you never publish your "real" email, and can just send bad ones to null, to get 0 spam.

    But, then you have to go and add each one to haveIbeenpwned, which is a bit of a pain.

  • Jasper

    Team Member

    Hi @JohnReel,

    Have I Been Pwned has a domain search feature where you can get notifications for any email addresses that are part of your domain if you verify ownership: https://haveibeenpwned.com/DomainSearch

    Hope that helps in your case.

  • Cool, thanks!

  • brenty

    Team Member

    :) :+1:

  • What about people who use "plus aliasing". 1password could check any email address that is a plus alias of the verified 1password account email without risk I would imagine. Any other email accounts could also be verified and added to this system in some way such as @XIII mentioned.

  • Ben AWS Team

    Team Member

    > What about people who use "plus aliasing". 1password could check any email address that is a plus alias of the verified 1password account email without risk I would imagine.

    The difficulty is that not all mail systems implement "plus aliasing," so we would need a way to keep track of which ones do or do not.

    > Any other email accounts could also be verified and added to this system in some way such as @XIII mentioned.

    Indeed. That is something I think we'd like to make possible in the future.

    Ben

  • > The difficulty is that not all mail systems implement "plus aliasing," so we would need a way to keep track of which ones do or do not.

    Why would you need to keep track? I am suggesting checking any derivative of the verified email address that is stored in a user's 1password account.
    For example, if a user has their 1password account under [email protected] and then has username fields on 1password items that are user+[email protected], [email protected] and [email protected] etc. that these could all be checked provided [email protected] has been verified with yourselves.

  • Ben AWS Team

    Team Member
    edited January 24

    That's the problem. It doesn't work that way with all mail systems.

    [email protected] is not the same user as [email protected] on all systems.

    Ben
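The gating rule the thread converges on (only addresses whose ownership has been proven get looked up, a link-based verification step adds more, and a plus-alias of a verified address is not assumed to be the same mailbox) can be sketched as follows. This is an added illustration, not 1Password's or HIBP's code; the class, method names and sample addresses are assumptions.

```python
import hashlib
import secrets
import time

class BreachCheckGate:
    """Decides which vault usernames may be sent to a breach-lookup service.

    Only addresses whose ownership has been proven are ever looked up: the
    account email (verified at signup) plus any address confirmed through an
    emailed one-time link. Hypothetical design, not a real product's code.
    """

    def __init__(self, account_email, token_ttl=3600):
        self.token_ttl = token_ttl
        self.verified = {self.normalize(account_email)}  # proven at signup
        self.pending = {}  # sha256(token) -> (address, expiry); tokens never stored raw

    @staticmethod
    def normalize(address):
        # Only the domain is case-insensitive; the local part is left as-is,
        # so "user+shop@x" stays distinct from "user@x" (per the thread, not
        # every mail system treats plus-aliases as the same mailbox).
        local, _, domain = address.strip().rpartition("@")
        return f"{local}@{domain.lower()}"

    def start_verification(self, address, now=None):
        """Issue a one-time token to be mailed to `address` inside a link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (self.normalize(address), now + self.token_ttl)
        return token

    def confirm(self, token, now=None):
        """Following the link proves control of the mailbox; mark it verified."""
        now = time.time() if now is None else now
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False          # unknown or already-used token
        address, expiry = entry
        if now > expiry:
            return False          # stale link; user must request a new one
        self.verified.add(address)
        return True

    def eligible(self, usernames):
        """Vault usernames that may be checked: exact verified addresses only.
        An address merely typed into a login item (Bob's item listing Alice's
        address) or an unverified plus-alias is skipped."""
        candidates = {self.normalize(u) for u in usernames if "@" in u}
        return sorted(candidates & self.verified)
```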
