Troy is hobbying in a really gray area, where potentially the possession of massive amounts of passwords from breaches could be a legal liability, and he's trying to do it in a way that benefits the average user and business. To do that, he needs to get and keep their trust.
I've pointed a few folks to his site and their very first question, every time, is some variation of, "you mean you want me to type my password into this dude's site?"
So haveibeenpwned is basically relying on Troy's reputation alone, which he alludes to in pretty much all of his blog posts about it.
It's hard for me to imagine him not publishing everything he learned about a 1Password breach.
> I've pointed a few folks to his site and their very first question, every time, is some variation of, "you mean you want me to type my password into this dude's site?"
And this is why the v2 API design is important.[0]
Instead of sending a password to an external site, you hash the password locally with SHA1, and send in just the first five hex digits. In return you get a list of hash suffixes of known-broken passwords. You get to verify locally whether the password is known, without the password ever being transmitted.
The API is so simple to use that one of our engineers implemented and deployed a HIBP check roundtrip in less than a day. Usually a functional change in the authentication path would stay in review for somewhat longer (due to people wanting to make very sure we don't mess it up), but the new API is really straightforward to reason about. It was trivial for reviewers to see that we couldn't leak information by accident.[ß]
ß: Technically it would be possible for Troy and Cloudflare to correlate the number of times a particular blob is requested and the "times found" count in the list of suffixes. But because we reject known-broken passwords, the only real information that gets exposed is the number of times users attempt to choose passwords that may have higher-than-usual incident counts.
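The range lookup described in the comment above, as an added example that is not part of the original thread. It assumes the suffix list comes back as `SUFFIX:COUNT` lines; the function names, the breach counts and the local stand-in for the remote service are constructed for illustration so the block runs offline.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """Return (5-hex-digit prefix that is sent, 35-digit suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

# Constructed sample data standing in for the breach corpus (not real counts).
CONSTRUCTED_BREACH_COUNTS = {"password": 1000, "hunter2": 50, "letmein": 200}

def fake_range_lookup(prefix: str) -> str:
    """Hypothetical stand-in for the remote service: it only ever sees the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex digits")
    lines = []
    for pw, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix.upper()):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def parse_range_response(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Times the password appears in the corpus; 0 if its suffix is not listed."""
    prefix, suffix = split_hash(password)
    # Only `prefix` crosses the trust boundary; the comparison happens locally.
    return parse_range_response(lookup(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-not-in-the-set"):
        print(candidate, "->", breach_count(candidate))
```

Passing a different `lookup` callable is where a real HTTP request would go; a reviewer only has to confirm that `prefix` is the sole value handed to it.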
I for one will certainly not type any real-world password into Troy's site and this has nothing to do with Troy's reputation.
Entering your password on this site effectively reduces the strength of your encryption (or whatever you use the password for) to the strength of the SSL encryption used, plus all possible side channel attacks you can mount against browsers and network protocols like DNS, plus the security or insecurity of Troy's own machines, and the guy is already a viable target for dozens of intelligence agencies. Note that a man-in-the-middle attack on this site is almost impossible to detect and there is no way for you to tell whether Troy Hunt's servers and developer machines are compromised or not.
So in a nutshell, it's a big No No. But it makes sense for a company like 1Password to cooperate with him, since these companies are in the business of storing all your passwords "in the cloud" anyway.
I would guesstimate that around 90% of all passwords these days belong to web-based services, for which everything you just said is still true, with the exception that they aren't run by Troy Hunt. There is an extraordinarily long tail of sites for which "run by Troy Hunt" would be a huge improvement.
Actually I bet my guesstimate is way too low.
Furthermore: if you're using unique random passwords anyway, then there's no sense in checking them against HIBP, and if you're not, then punching them into HIBP is how I try to convince people that they should be.