Thursday, March 29, 2018

1Password nets partnership with ‘Have I Been Pwned’

A little over a month since 1Password incorporated a pwned password check feature developed by Have I Been Pwned‘s Troy Hunt, the password manager service has now netted what’s being described as “a partnership” with the popular breach monitoring service.

Essentially this boils down to a commercial arrangement between 1Password and the free-to-use breach check service, with HIBP now recommending users sign up to 1Password’s service at the point when they learn their information may have been involved in a data breach.

In a blog post explaining why he feels it’s the right time to accept a sponsor for the service, Hunt writes that one of the reasons he feels comfortable taking money in this way is that users want “actionable steps once they’ve found themselves pwned” — so being able to point them to a specific, named and, in his view, trusted password manager makes sense for him.

“I also could have listed just a few of the industry leaders but people being as they are and the whole paradox of choice problem… they need more,” he adds.

It’s a major win for 1Password of course, whose brand will now be in front of people at the point when they are likely to be most motivated to pay to tighten the security screw.

And for Hunt it’s understandable that he wants to gain a bit more financial reward for his efforts running the now popular and high profile service (he has accepted donations before), although it’s a move that will undoubtedly face some criticism — given the core issue (which he himself flags): “There’s no way to sugar-coat this: HIBP only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike.”

You can say the same for security products in general, of course. But moving from the goodwill of offering a free breach check — with the stated aim of helping raise the general standard of security among web users — to accepting money from a company to encourage people to subscribe to its (security) service is a new, more clearly commercial direction.

Hunt says he’s had lots of such offers before and rejected them — and says he picked 1Password specifically because of having a “long-standing history with them”.

“This is a product I was already endorsed in by my own free volition and from the perspective of my own authenticity, that was very important,” he writes, noting that he recommended the service in another post, last October, and signed up as a subscriber himself just last month.

He also says 1Password’s decision to integrate his pwned password check into their product last month impressed him, and that he’s found them good people to work with.

Beyond the fact the company’s product will now appear in step 1 (and step 2) of the “3 security steps” HIBP recommends to people whose emails are confirmed been involved in a breach, Hunt hasn’t provided many details about the terms of the partnership.

Nor is he saying how much money he’s getting — aside from quipping that “it’s not quite $120M”.

But he does claim it’s a “partnership” — “rather than just a one-way relationship where their name appears on HIBP”, flagging up continued product integrations (of pwned passwords) by 1Password as an example. So there looks to be more coming on that front too.

We’ve reached out to 1Password about the partnership and will update this story with any response.