thedean (Frequent Contributor), 2 years ago
Question about Watchtower vulnerable password integration with haveibeenpwned.com.
I have been reading both the 1Password and the haveibeenpwned documentation on your integration. It is a very interesting feature.
Since the integration occurs at the client level, and because on...
GreyM1P (1Password Team), 2 years ago

Different checks with haveibeenpwned.com are returned in different ways.
For example, if Watchtower checks a password against haveibeenpwned.com's Pwned Passwords list, it'll receive a standard HTTP response, such as 404 (not on the list) or 200 (on the list). This is pretty lightweight as it is, and again, it's only performed once per item per day, or if the item is edited. Let's say you have 1000 items – it would take approximately 3 kB (1000 x 3 = 3000 bytes) to check all of your passwords.
In the case of checking for breached domains, Watchtower sends an HTTP GET request of the form:

GET https://haveibeenpwned.com/api/v3/breachedaccount/{account}
hibp-api-key: [API key]

If the domain in question was breached, the response from haveibeenpwned.com is about a kilobyte in size. You can see this one about Adobe as an example of what's returned.
Let's say that we check those 1000 items for both vulnerable passwords and breached domains. Let's further assume that all 1000 of them have vulnerable passwords and breached domains. Let's further say that each HTTP GET request (2 per item) is 128 bytes in length. That's 256 kB total for all of those checks.
Now let's look at the responses. Each of the vulnerable passwords checks will return a 3-digit HTTP response, so that's about 3 kB. Then, let's assume that all the responses on the breached domains checks were also about a kilobyte in size, like the Adobe one. That's 1 MB, and that's a theoretical maximum where every single item has a breach report, which wouldn't be the case in real life.
So, in total, for a thousand items, we're sending about 256 kB each day, and receiving (as a theoretical unrealistic example) just a hair over 1 MB.
In answer to your other question, because this process is as fast and lightweight as it is, and because there might be unforeseen circumstances where your devices don't sync to each other (if one is turned off, for example), each device where you're signed in to 1Password performs these checks independently. This is to make sure you're alerted to any potential problems as soon as possible.
Even in a "worse-than-worst-case" of about a megabyte per device per day, it should be safe to assume that this won't put too much strain on devices or your connection.
— Grey
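The two client-side lookups Grey describes, written out as an added example. This is not 1Password's Watchtower code and not taken from the thread; it is a stand-alone illustration of how a client performs each check. Two things in it are my own knowledge rather than the reply's: the public Pwned Passwords endpoint is the k-anonymity range API at https://api.pwnedpasswords.com/range/{first 5 hex chars of the SHA-1}, which answers 200 with a list of SUFFIX:COUNT lines for every prefix (several hundred of them, so tens of kilobytes rather than a bare status line), and "not found" means the suffix is absent from that list; the breach lookup is the v3 breachedaccount GET with the hibp-api-key header exactly as quoted above, which returns a JSON array of breach objects or HTTP 404 when there is nothing. The HTTP bodies embedded below are constructed samples (not real HIBP data) so the code runs offline; the live fetch functions are included for completeness but never called by the demo, and USER_AGENT is a placeholder value.

```python
"""Client-side HIBP checks of the two kinds the reply describes.
Added example, not 1Password's implementation; responses are constructed."""
import hashlib
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"            # public range API
BREACHED_ACCOUNT_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"  # as quoted in the reply
USER_AGENT = "watchtower-example/0.1"   # placeholder; HIBP rejects requests with no User-Agent


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to HIBP
    and the 35-char suffix that never leaves the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF). Padding entries with count 0 are
    kept as-is; a real hit always has count >= 1, so they cannot cause a false alert."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip a malformed line rather than failing the whole check
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in Pwned Passwords; 0 means not found.
    The range endpoint answers 200 for every valid prefix, so 'not found' is
    'our suffix is absent from the returned list', not an HTTP status code."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network call (not exercised by the offline demo)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": USER_AGENT, "Add-Padding": "true"},  # pad so response size leaks nothing
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_breach_request(account: str, api_key: str) -> urllib.request.Request:
    """The GET the reply quotes: /api/v3/breachedaccount/{account} with hibp-api-key."""
    return urllib.request.Request(
        BREACHED_ACCOUNT_URL + urllib.parse.quote(account, safe=""),
        headers={"hibp-api-key": api_key, "User-Agent": USER_AGENT},
    )


def parse_breaches(body: Optional[str]) -> List[dict]:
    """v3 returns a JSON array of breach objects, or HTTP 404 (pass None here)
    when the account appears in no breach. Keep only the fields Watchtower would show."""
    if body is None:
        return []
    return [{"Name": b.get("Name"), "Domain": b.get("Domain"), "BreachDate": b.get("BreachDate")}
            for b in json.loads(body)]


# ---- Constructed responses (not real HIBP data) so the demo runs offline ----
CONSTRUCTED_RANGES = {
    "5BAA6": (  # prefix of sha1("password"); counts are made up
        "0" * 35 + ":0\r\n"                                  # padding-style entry
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"    # suffix of sha1("password")
        "1F2B7C0D8E9A3B4C5D6E7F8091A2B3C4D5E:2\r\n"
    ),
}
CONSTRUCTED_BREACH_BODY = json.dumps([
    {"Name": "ExampleBreach", "Title": "Example Breach", "Domain": "example.com",
     "BreachDate": "2020-01-15", "PwnCount": 123, "IsVerified": True},
])


def fetch_range_constructed(prefix: str) -> str:
    """Stand-in for fetch_range_live: unknown prefixes get a padding-only body."""
    return CONSTRUCTED_RANGES.get(prefix, "0" * 35 + ":0\r\n")


if __name__ == "__main__":
    print("password ->", pwned_count("password", fetch_range_constructed), "hits")
    print("unlisted  ->", pwned_count("no-such-constructed-entry", fetch_range_constructed), "hits")
    print("breaches  ->", parse_breaches(CONSTRUCTED_BREACH_BODY))
    print("no breach ->", parse_breaches(None))
```

To run the checks for real, pass `fetch_range_live` instead of `fetch_range_constructed`, and send `build_breach_request(...)` through `urllib.request.urlopen`, treating an `HTTPError` with code 404 as "no breaches" (pass `None` to `parse_breaches`). The password itself and its full hash are never transmitted; only the five-character prefix goes to the server, which is the property that makes a client-side check of every vault item acceptable.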