"Compromised Website" warning about my 1Password support forum account
Just noticed this Compromised Website warning on my 1Password forum login:
Since I didn't receive an email about a breach nor could find anything recent in this forum, I'm wondering if this legit or just a false positive?
1Password Version: 7.4.1
Extension Version: Not Provided
OS Version: 10.14.6
Sync Type: Not Provided
Referrer: forum-search:security breach 1password
Comments
-
I should add, clicking Learn more… to open the Watchtower report for agilebits.com shows there aren't any breaches:
0 -
Its a bit odd that you have to go into Preferences > Watchtower, and manually update the database to get these notifications. It would be nice if they were Push notifications.
0 -
I guess it was for real as I was just forced to change my password:
While I'm fine with 1Password being proactive, it would've been nice to receive an email about any sort of breach. 1Password usually does well with transparency and communication so not sure why I haven't seen anything on this. 🤔
0 -
This is what I found in the forums earlier today. * I only found it because it was shown as a recent conversation not having been replied to. https://discussions.agilebits.com/discussion/109038/forum-password-reset
0 -
That's great there's a post on it, but I don't visit the forum on a daily basis looking for security breaches. 1Password should have sent an email to affected users. That would have eliminated my confusion, especially since the site warning didn't match what was on the Watchtower page (saying "No password breaches for agilebits.com have been found").
Consider this a feature request: If 1Password or its forum site has a security breach or vulnerability found, please email affected users about it (even if it's due to 3rd-party software).
Thanks!
0 -
Vanilla told us that they are going to prepare a report after the weekend. Until we hear an official reply from them, we are not going to send emails since we don't have all the information yet. It wouldn't be fair to send an incomplete email until they have completed their full investigation.
That would have eliminated my confusion, especially since the site warning didn't match what was on the Watchtower page (saying "No password breaches for agilebits.com have been found").
This is expected behavior though: Watchtower works by looking at subdomains, not at domains. There has been no breach on agilebits.com (indeed, you cannot login to anything there, so a password alert for a website where you cannot have credentials would make little sense). The forum login lives on discussions.agilebits.com, so that's where the warning appears.
We have an internal report open to make sure that the "learn more" link takes you to the correct subdomain however, so this should help in the future ;)
0 -
Okay, maybe the email would have been premature, but then 1Password shouldn't show a big red warning that there's been a security breach!
Please look at this from a customer's perspective: Here I am trusting ALL my passwords to 1Password. Then I see warning that the 1Password forum "was affected by a security breach". At first I actually did a double take…you have to admit, it's kind of ironic! I'm in the tech field so I realized the forum is a different domain, but the average person may not and become really concerned about their account!
And while the vulnerability was in 3rd-party software, the forum is still a site 1Password controls and owns so to most people, it's one and the same. I hope you can see how false positives or inconsistent messaging about 1Password-owned sites, can erode confidence.
BTW, I'm a huge fan of 1Password after switching from LastPass, who had their own real breaches in the past. So you can see how this can be a sensitive issue.
0 -
I think the Watchtower notifications are automated through the haveibeenpwned.com API. That's why we're seeing it before a report.
0 -
@Bikr - thanks for the kind words! And I completely get where you're coming from -- it is disquieting to see a site that's related to the app where you store your most important data, having experienced a vulnerability. As a more-sophisticated user, you're also aware that these two things are not "one and the same," though -- it's just unfortunate that not all 1Password users may be able to make that same distinction.
To be clear (and to address @royimous' reply), the "Vulnerable Passwords" section of Watchtower in 1Password for Mac is what uses the haveibeenpwned.com service. Right now, your password for this forum won't be on that list unless you used a password for this forum that was part of an existing breach that Have I Been Pwned was already tracking (I hope you didn't!). The "Compromised Websites" section of Watchtower is where you'd see the message in 1Password for Mac regarding this current issue with this forum, and that part of Watchtower is one we maintain ourselves, unconnected to haveibeenpwned.
When we learn of a confirmed vulnerability of any specific website (the owner of the site confirms its existence, not just a rumor in the tech press), we will post it in Watchtower, and you'll see this warning:
We could potentially have crafted an exception to our policy of notifying users via the Compromised Websites section of Watchtower by simply not adding discussions.agilebits.com to the Watchtower database...but then we'd have gotten a not-insignificant number of alert users who would have seen the password-change requirement from Vanilla and wondered if something was amiss. I definitely agree it's not ideal either way, but I'm not certain there was a solution that would've avoided all worry/confusion. We try to err on the side of privacy and caution, so we added this forum to Watchtower as soon as we were made aware of the issue. Thanks for asking -- and for listening to our response. :)
0 -
@Lars - I, as I assume many others, had the same experience as @Bikr. I understand your explanation and reasoning, Lars, but still feel this fundamentally lowers my sense that agilebits is taking security as seriously as they should be. Yes, it's just your forum for discussion that was flagged, but then again, it is the forum agilebits is responsible for, thus it's was your choice for the forum software, and implementing it properly. No one is perfect, but the one area agilebits can't afford to mess up is security breaches. The situation will leave many users confused, but far more problematic, worried about the security of their most valuable assets: their passwords.
0 -
Hi Agilebits, as I wanted to report a bug, I just noticed a minute ago, that my forum login does not work anymore. It's the same story as above. Meanwhile, apparently I reset my forum pwd.
However, I want also to express my disappointment, that "by coincidence" your customers have to find out about a security breach.
Although the forum software seems to be from a 3rd party provider (Vanilla, if I got this right?), you should take your responsibility and proactively inform your users, since you have the registration details (meaning email addresses).
Your risk communication is been lacking astonishingly, which I would not have expected from Agilebits. What is happening between you and your suppliers (here forum software vendor), should not be of any interest to your customers. It is the Agilebits/1PWD brand, your users are identifying with all your products and services, and customers should not have to deal with any intransparent 3rd party suppliers communication handled bilaterally between you and them, nor be bothered with any processes connected to it. It's Agilebits from a customers point of view who is fully accountable for the communication etc.To state it clear, as one might get it wrong:
it is not a complaint about that your forum software had a security breach/incident/you name it, that should not, but can happen.
The problem is your poor risk management in terms of risk communication procedure(s) towards your customers.0 -
I would also note as you host the forum on the same site as the vault login.
My master password is now marked as compromised. This should have been told to me as soon as any possibility of it happening.
This is very worrying as it is not easy to remember another very secure password.
No matter that you say the master password has not been compromised but your software says it has. What should I believe
This looks like a security failure perhaps the forum should not be on the same site. If you can't do that it seems a reason not to use your site with your software ie go back to how other versions of 1password were used.
0 -
I would also note as you host the forum on the same site as the vault login.
@bestlem: That is not the case.
discussions.agilebits.com
is completely separate frommy.1password.com
, etc., which is where 1Password memberships are hosted.My master password is now marked as compromised. This should have been told to me as soon as any possibility of it happening. This is very worrying as it is not easy to remember another very secure password. No matter that you say the master password has not been compromised but your software says it has. What should I believe
It depends how you've set things up. Please make sure that
- you don't mistakenly have both URLs saved in a single Login. Your credentials from one will not work on the other anyway; and
- you are not using the same password for different things, 1Password-related or not.
You don't need to remember passwords other that your Master Password since 1Password can do that for you. :+1:
This looks like a security failure perhaps the forum should not be on the same site. If you can't do that it seems a reason not to use your site with your software ie go back to how other versions of 1password were used.
As mentioned in the announcement,
Again, that potential exposure is about accounts on this discussion forum. Your 1Password data and account is entirely separate.
We've always kept the support forum separate to ensure that an issue like this has no impact on 1Password itself. Please let me know if you have any additional questions.
0 -
@piebald: I don't disagree with you, but Watchtower is not really setup to handle this sort of situation -- where there was not a breach but rather a password reset as a precaution in the case of a bug -- but we'll see if we can improve it to have more flexibility and avoid confusion in the future. Thanks for your feedback on this.
0 -
@kai1pwd: It's not a coincidence. We intentionally added make forum users aware that a password change was needed, so we added it to Watchtower. I agree that it's a bit confusing, but this is how Watchtower works currently. I think it would be good to expand on the feature, and this is a good example we can keep in mind as we develop it going forward. Thanks for taking the time to share your perspective.
But I have to disagree wholeheartedly about your "risk management" comments. This forum has always been completely separate from 1Password itself. That's, frankly, a nuisance for customers who just want to contact us here to get help and have to sign up for another account in order to do that. We get complaints about it. And I don't disagree with them. But we've always stuck to our principles on this because it ensures that exactly this sort of issue has no impact on the security of 1Password itself -- confusion and optics notwithstanding: absolutely it is not a good look...but I'd rather we do the right thing than make decisions based solely on appearances.
0 -
@brenty Ok slight confusion whuich still looks bad
I have in my logins https://agilebits.com which is marked as compromised.
I hit this and it redirects to https://support.1password.com/
and on the support page which I think is the forums It has login which is for 1password and then that passwrod is in my 1password database
So it is all seemless on one site.I hit one button on 1password app to go to one site and I diud not chnage site.
so why
is my master password in the db. The comment says "You can use this login to sign in to your account on 1password.com." There is no way I would call myself you.
It is tagged starter kit.That seems to make no sense
What effects are if I delete this record as this is the only place in the world that my master key is saved anywhere and can be made visible. I have saved the emergency kit somewhere else
0 -
Hi @brenty,
thanks for your response. It looks like that I could not explain clearly what the problem is (sorry, I'm not an English native speaker), so I will try it again:on "coincidence":
by coincidence I meant the fact that your customers respectively your discussion forum users have to find out themselves about the security incident by trying to log into the forum the first time after the incident. There is probably a better term for that situation, but all I meant is that your customers did not get a notification (email, for example), reaching out to us with the info on the incident and the subsequent call for action to change our passwords. So customers are noticing this circumstance by coincidence.
As also it was stated by other, not every user is checking on the forums frequently. Me for example I only check in when I have noticed some malfunction in 1PWD I would get solved. As long as 1PWD works, my visits to the discussion forum are zero.
on "Watchtower":
it's the first time yesterday I heard about Watchtower. Apparently I am not up-to-date, but as less as I frequent the discussion forums, I also usually don't visit your product website. I'm simply using 1PWD.
on "discussion forum + accounts":
I understand that you have to deal with a very heterogeneous group of customers with varying backgrounds. That there are some complaining about the need for an account on the discussion forum, is interesting, but hasn't been questioned from me. For me the technical distinction from your product, product website, discussion forum, etc. is (mostly) clear and that is not my concern and was not the topic of my previous post.
Thanks for reconfirming that all your web-based services and operations are strictly separated, so we can understand that - for now as a theoretical scenario: even if the discussion forum server(s) get compromised, that there is no connection to other servers and zero operational risk for all your other services (may it be out- or inbound). Is this a correct understanding?"untangling forum + 1PWD":
it was clear to me before to differentiate between 1PWD as a product and the discussion forum. Thank you on the one hand for reconfirming this, but on the other hand I see some misunderstandings on your side and let me give a better differentiation what the problem here is all about:
- responsibility / accountability
- brand
- risk management process (includes risk communication)
Yes, a breach in the discussion forum is technically not impacting the 1PWD "main service/product" as such.
Yes, the forum software is not even your software, but a customized version of a solution of "Vanilla company" (still hosted under your domain and branding).But, because you have a strong brand for password manager software in the Apple ecosystem,
- customers not necessarily can (or even have to) differentiate between the forum and your product/solutions. Your forum is operated in a customized and branded way, which makes it for many customers certainly difficult to see the difference respectively it makes it less obvious.
- customers are putting trust in Agilebits since many years, so do I, and because you operate basically in the domain of "security you-name-it domain", customers can expect a certain standard - if not actually a higher one for a company like yours - when it comes to risk management (and connected procedures).
You wrote, you (Agilebits) did the right thing. Please elaborate on what do you mean by the right thing you did, because this is quite unclear.
Risk Management & Communication
It seems to me that you seem to limit risk management down to just as a technical thing, something to solve only in a technological way and that the tool "Watchtower" seem to be sufficient to resolve this security incident story.
A company like yours, especially since you operate in the field of security, has hopefully a CISO (Chief Information Security Officer), and it would be great if you could consult that person/department and revisit your risk management process, your measures, and especially your risk communication, which is the main issue in this whole story.
IMHO, it would have been much better if you (Agilebits) would have just simply notified your customers (the ones registered on the discussion forum, as the ones without accounts apparently are not affected) with an email, explaining the situation (to whatever granularity sufficient at that moment in time), and the call for action to reset/change the forum password. That's all. That would be pro-active, and that would be a reasonable countermeasure once you and your 3rd party provider were aware of the security breach.
Me, as "forum user", I'm disappointed to only get to know about it, the first time I try to login into the discussion board after the incident. And that could have been somewhere between 1 day after the breach to never-ever-again as long as I don't face issues in the 1PWD app.
I hope I could clarify the point of my first post better and hope for a response from you with an emphasis on the main topic, which is the risk communication bit.
Thanks.
0 -
Ok slight confusion whuich still looks bad
I have in my logins https://agilebits.com which is marked as compromised.
I hit this and it redirects to https://support.1password.com/
and on the support page which I think is the forums It has login which is for 1password and then that passwrod is in my 1password database@bestlem: Thanks for clarifying. I understand completely. We're using the tools available currently in Watchtower to make people aware that their forum password needs to be updated, but we're working on some tweaks that would help.
What we did was add the "naked"
agilebits.com
was to Watchtower to accomplish this as a bit of a workaround at present, and we're working on getting that updated to make it more clear that only thediscussions.agilebits.com
is affected, and how. Thanks again for taking the time to help me understand what you were referring to!ref: dev/apple/issues#4400
Getting back to 1Password.com, the Starter Kit item with your Master Password is only accessible by unlocking 1Password. It can be useful if you forgot your Master Password but still have access to your data using, say, Touch ID. But certainly if you have made other arrangements to get into your 1Password account in an emergency, you can delete it if you wish. That's a bit off-topic, so feel free to start a new discussion if you want to talk about this in more detail. :)
0 -
@kai1pwd: Thanks for your reply. :)
not every user is checking on the forums frequently. Me for example I only check in when I have noticed some malfunction in 1PWD I would get solved. As long as 1PWD works, my visits to the discussion forum are zero.
I understand that. I think that there is still confusion about the situation. I apologize for that, and will try to clarify: if you have a 1Password support forum account, and its password has been reset, and you don't do anything with it for a year or whatever, nothing happens: your old password will not work for you or anyone else; and in order to access your forum account you or anyone else would need to create a new password through your forum account's registered email address. So while there is no connection to your 1Password data anyway, this isn't a situation where your forum account is at risk in the short term until you take action; it's simply a matter of fact that in order to login to the forum again after the password reset, you will need to create a new password. Hence the Watchtower notice, so that people will see that their password needs to be changed when viewing their Login item for the 1Password support forum.
it's the first time yesterday I heard about Watchtower. Apparently I am not up-to-date, but as less as I frequent the discussion forums, I also usually don't visit your product website. I'm simply using 1PWD.
Totally! Odds are you've been seeing and using Watchtower every day and just not been aware of it, since it lives in the sidebar in the desktop apps, and will show up in items as you use them. I think there's room for us to do more with it, though we are cautious about having it too "in your face" since annoying users may encourage them to disable it and therefore not benefit from it. It's a difficult balance to strike, and I don't think we've found it exactly, so we'll keep trying. :)
I understand that you have to deal with a very heterogeneous group of customers with varying backgrounds. That there are some complaining about the need for an account on the discussion forum, is interesting, but hasn't been questioned from me. For me the technical distinction from your product, product website, discussion forum, etc. is (mostly) clear and that is not my concern and was not the topic of my previous post.
Nevertheless, it's ours; and I offer it as an example of where we've stuck to our principles with compartmentalizing things even in the face of frustration it causes customers, because the alternative is worse for everyone. Sorry if this is not exactly what you wanted to talk about, but it is relevant. More on that below.
Thanks for reconfirming that all your web-based services and operations are strictly separated, so we can understand that - for now as a theoretical scenario: even if the discussion forum server(s) get compromised, that there is no connection to other servers and zero operational risk for all your other services (may it be out- or inbound). Is this a correct understanding?
That is correct.
customers not necessarily can (or even have to) differentiate between the forum and your product/solutions. Your forum is operated in a customized and branded way, which makes it for many customers certainly difficult to see the difference respectively it makes it less obvious.
I think that's a fair point.
customers are putting trust in Agilebits since many years, so do I, and because you operate basically in the domain of "security you-name-it domain", customers can expect a certain standard - if not actually a higher one for a company like yours - when it comes to risk management (and connected procedures).
That's why these systems are separate -- and not even on the same domain.
You wrote, you (Agilebits) did the right thing. Please elaborate on what do you mean by the right thing you did, because this is quite unclear.
What I said was this:
This forum has always been completely separate from 1Password itself. That's, frankly, a nuisance for customers who just want to contact us here to get help and have to sign up for another account in order to do that. We get complaints about it. And I don't disagree with them. But we've always stuck to our principles on this because it ensures that exactly this sort of issue has no impact on the security of 1Password itself -- confusion and optics notwithstanding: absolutely it is not a good look...but I'd rather we do the right thing than make decisions based solely on appearances.
You seem to agree that we did the right thing in that our "web-based services and operations are strictly separated". And as I mentioned we've done that at the expense of some ease of use and convenience for our customers.
IMHO, it would have been much better if you (Agilebits) would have just simply notified your customers (the ones registered on the discussion forum, as the ones without accounts apparently are not affected) with an email, explaining the situation (to whatever granularity sufficient at that moment in time), and the call for action to reset/change the forum password. That's all. That would be pro-active, and that would be a reasonable countermeasure once you and your 3rd party provider were aware of the security breach.
It isn't completely clear to me what the specific concern you have which you think this would help with is. But I believe that there may just be a misunderstanding, and my comments above may be relevant here:
this isn't a situation where your forum account is at risk in the short term until you take action; it's simply a matter of fact that in order to login to the forum again after the password reset, you will need to create a new password.
This risk has already been mitigated by Vanilla a) fixing the bug and b) resetting passwords. If that addresses your concern, then I can still agree that we could do better if that was unclear. But please let me know either way.
Me, as "forum user", I'm disappointed to only get to know about it, the first time I try to login into the discussion board after the incident. And that could have been somewhere between 1 day after the breach to never-ever-again as long as I don't face issues in the 1PWD app. I hope I could clarify the point of my first post better and hope for a response from you with an emphasis on the main topic, which is the risk communication bit. Thanks.
Likewise, thanks for taking the time to elaborate. I agree with you completely on that point: none of us really have the tools to communicate about this sort of thing well, the way we can about a DDoS or remote code execution. There aren't a lot of website security issues (well, at least not ones that we hear about) which you and I can use as a mental model where they 1) exclusively impact a peripheral site separate from the service people are actually using and 2) have been fixed and mitigated quickly and proactively.
Usually when there is password that needs to be changed/reset, there's an urgency because an attacker could access the account before you get to. Fortunately that's not the situation in this instance.
0 -
Hi @brenty,
thanks for your quick and elaborative response (it's Saturday, and I hope you get sufficiently compensated by AB for your weekend service).
Technically you (AB) seem to have it under well control and have preventive measures (separation of systems etc.) as well as taken countermeasures together with Vanilla in a timely fashion (resetting pwds etc.). That's all fine and glad to get this positive impression. So yes, I fully agree with you on the technical aspects.
When you mentioned I've been seeing and using WT (Watchtower) every day, and it is residing in the sidebar, I wasn't sure what you mean. After checking now, I see that Mac V7 1PWD features a darker colored side bar with that WT entry, as I see on the screenshot here https://support.1password.com/watchtower/, but on my V6 it looks less obvious and I've just located it under a collapsed item (since I run the German localization, the English equivalent might be labelled something like "Security Check"). Expanding it, reveals the WT item. However, it says also that the WT service is disabled. I can't remember it when I installed the software, but since I'm not a fan of having my pwd manager talking outside, it's very likely that I disabled that service from the beginning. So under the bottom line, I wasn't aware of WT (resp. apparently forgot about it) and even if, I don't run and don't plan to run this service, so I'm not a user of WT.
I understand that after resetting pwds, potentially exploited credentials are rendered useless (well, only for the people who use separate pwds per service, which interestingly is not the standard for many people in the world, instead many people use the same password for several services, that's why a breach of one service can lead to bigger issues for those kind of users).
Finally, technically it looks all fine you (AB) did, but - and that's the part, which is not completely clear to you - you (AB) should revisit your risk communication towards the "support forum customers". It is not about a tool thing. It touches on for example human psychological aspects - as you can see here from your worried customers. Would an explicit email communication change anything in your technical countermeasures? No. And it is not meant to be. The technical part seems ok and appropriate. It is simply to inform your "forum customers" to raise awareness of something happened and they take actions whatever they think they need to take.
Apart from that, how shall customers assess the likelihood of exploitation in the time window since issue identification and until the mitigation through password resets? Yes, the forum can't be accessed afterwards, true. But could potential "bad guys" have elicit any information such as profile data, etc. in that little time gap in between? What about the credentials as such? Are they compromised? If I would be (and I'm not, to state that clear ;) ) one of these users who use the same credentials for several different services, then I would be happy to be informed asap, so I can start changing passwords everywhere it might pose a risk. Without that pro-actively delivered information from AB, users of that category would not be aware of it and other accounts are at stake.
I hope I could make it clear, that while technically all seems fine on AB side, it's the last bit of risk communication you (AB) should rethink about your procedures to improve your overall risk management process(es).
You (AB) can only win, as that further increases your reputation and brand of being a credible software vendor handling such issues in a professional, state-of-the-art way. I can only recommend you to have a talk with your CISO - and your last bits of unclarity - hopefully there are not too many left by now - will be gone in best case :)
0 -
@kai1pwd: Since we don't collect user data/analytics, and I have no idea who you are, I wasn't aware that you were using an old version of 1Password. That would definitely change things as far as how Watchtower works. Sorry for causing unnecessary confusion there. And indeed, regardless of which version of 1Password you use, disabling Watchtower would prevent you from seeing any of its notices. That's a choice only you can make.
Anyway, I think we're talking past each other here. I'm not sure I understand the specific risk/threat that you have in mind, as you haven't been explicit. If you're just thinking of "potentially exploited credentials", speculation isn't productive. Everything we know at present is in the aforementioned announcement. Is it possible that someone using the same password for the forum on other sites could be affected if it were stolen? Yes. But we don't have any evidence that any passwords were actually stolen, and we of course offer a software product that people on this forum are self-selecting to possess which makes it easy for them to not reuse passwords in the first place, and to generate strong ones to change them where they are. It is not, however, possible for us to know if any user is reusing passwords, nor does it seem reasonable for us to spam all users about an issue that does not affect them, causing unnecessary anguish much greater than what we're seeing here. I don't think it's okay for us to make thousands of others feel worse to make you feel better. If someone had broken into the forum and exfiltrated data, that would be a different story, and we'd need to respond differently, but that isn't the case. So if and when someone comes to the forum and tries to sign in, much as you did, they will be told that they need to complete the password reset, and we're here to answer any questions they have about that, as we have been for you.
0 -
Hi @brenty,
I thought we were on a good way to get a common understanding of the problem you (AB) did. But apparently you seem not to be willing to understand (or is this happening on corporate order?) and accept that your (AB as a company) approached communication about this security incident was a very wrong way:
the not to inform the customers-way, is not the right thing to do, as you still insist on.Now you even start to use the word "spamming" to justify AB's communication style, which in fact is hiding security relevant information for your forum users. As I pointed out, the pro-active information would target the forum users, not all 1PWD customers, I thought that was obvious.
I don't think it's okay for us to make thousands of others feel worse to make you feel better.
Don't you think that your tone is getting condescending?
With regards to your comments:
If someone had broken into the forum and exfiltrated data, that would be a different story, and we'd need to respond differently, but that isn't the case.
and
But we don't have any evidence that any passwords were actually stolen
while it is not your business to decide how affected users (and affected users are all forum users) want to react on a security incident, but just to pro-actively inform us, which you did not - and for unknown reasons you just don't want to understand (I advise your company should get some risk management training) - your sentences would even contradict the information AB put out
here with:- "What could have been exposed"
- "If you used your forum password anywhere else, change those other passwords."
The also linked information from Vanilla says the vulnerability
existed in production for 14 days (Oct 31st - Nov 13th).If the vulnerability was exploited or not, that stays unclear as per the "official forum post", and you even just started to downplay that information, is not relevant in order to trigger an appropriate communication to your (forum-user only)-customers.
Why don't you understand this issue of communication, which AB has gotten wrong here?
In addition I noticed that, although the posts in the forum are usually ordered by timestamp, you have chosen obviously to stick this discussion thread to an older timestamp, with the effect that this discussion on security breach and its faulty handling gets pushed down, so that certainly a chunk of customers will not notice this discussion. That could be understood as a type of censorship.
Is this the new way how AB treats their customers? How it treats communication on security breaches?0 -
To clarify, Watchtower is the means by which we “take responsibility and proactively inform [our] users” about instances where website passwords need to be changed. You've chosen to use outdated software and explicitly disable a security feature -- Watchtower -- which would have made you aware of this, as it has others. That's your prerogative, but please keep in mind that there are serious website issues which you will not be aware of because of doing so (Watchtower downloads the full database periodically to be checked against locally on your device), and you've assumed responsibility to seek out this information yourself, like you have here. To be made aware of situations in the future where a website password change is needed, I'd suggest updating 1Password and using Watchtower. I appreciate that you're passionate about this, but we're just going around in circles. At the end of the day those are two very actionable things you can do (and not do, as far as not opting out of security features) to ensure that you get the message next time; and we'll keep working to improve Watchtower's flexibility and messaging as well -- and you'll benefit from all of that should you choose to do so.
0 -
@brenty,
You have not understood that it's not a tool (aka Watchtower) issue. Yes, WT seems to be generally a welcome feature, but you are deviating again.Anyway, I think we're talking past each other here.
and
but we're just going around in circles
The reason why I discuss this, is that I hope AB improves their communication in such situations. While that particular incident might be closed from your point of view, it is very much important to reflect on what AB got wrong here and to learn for the future. So, no, we are not talking past and not going around in circles, but a very important topic: AB's communication.
Do you really think I like to waste my weekend and spend energy for fun here?
I'm a customer and user of 1PWD since V3 and I'm very much interested in its well functioning.While password manager software has become a commodity, and switching costs to another competitor's solution is low, the only differentiators left for AB are their brand and the way to interact and listen to their customer base, which I appreciated for a very long time. But sad to see this "advantage buffer" is eroding more and more. Even more so, since you apparently changed the visibility of my comments, and hided them now from anyone browsing the forum without being logged in.
0 -
In general is there a way to setup notifications for Watchtower, either by mail, Android App notification or Windows App notification?
0 -
Hi @brenty,
Passion
you are right, I'm really passionate about your software product(s). I even purchased once the Windows version in 2014 for the case "if it happens that I have to use Windows", which could (unfortunately) be the case in many business environments, but the 1PW Windows copy is still waiting to be activated.. respectively I've been happy enough to not have to use extensively Windows for a very long time. :)Upgrade Path for old 1PW Windows license?
By the way, given that my Windows license version is apparently quite old, what upgrade path options would I have with the Windows version? In terms of "non-membership but regular"-license I mean.Knox
Also your retired Knox product seemed quite interesting, but you pulled it off from your shelves before I made a buy decision.
Not to forget, I absolutely like the customer support you and your team provide continuously, which is raising the bar to a level, which I haven't experienced yet elsewhere. That's certainly a big differentiator and valuable asset.B2C vs. B2B
While in B2C you have quite some competition, and the advantages of 1PW might be rather less obvious for some users, who utilize rather a small set respectively the most common features, which could be found in many other solutions too, and would rather be more easily convinced of switching away because the mileage of data migration could be relatively low for some, your B2B focus (and feature set directed towards that market segment) will certainly set you apart and with the recent growth funding a new era and hopefully great future will come for AgileBits. And while subscription is in particular more of (financial planning) advantage for businesses, please keep always the standalone licensing for (mostly private?) customers, who accompanied you all the way and can't for a plethora of different reasons go the subscription way.Apology
By that, I wanted to differentiate a bit more my comments above, and while in the initial subject I stick to my point of view about the communication bit, I wanted to apologize for my passionately-driven outage of behavior in tone and way of writing to you. I didn't intend to be and to sound offending, and as this probably can be perceived like that from you, which I understand, I'd like to say sincerely sorry.0 -
@Orado: 1Password does not use notifications for this, but you can see Watchtower notices in affected items. If we can find a nice way to do it, hopefully we have have a separate "Watchtower" section in the mobile apps in the future too, like their desktop counterparts. :+1:
0 -
@kai1pwd: Thanks for your support, and the kind words. I think Windows has improved a lot since 2014, personal preference notwithstanding. :lol: Anyway, a license for the current version of 1Password can be purchased from within the app when setting it up with a "standalone" local vault. I'd encourage you to reach out to sales@1password.com if and when you do have a need to use 1Password on Windows. :)
Ironically, I'm still using Knox, though it's definitely showing its age and has some "gotchas". At some point it will just stop working altogether as macOS continues to evolve though. For other people, it's really been superseded by more modern tools, and we found that we needed to invest more and more into our core product, 1Password, so we had to say no to Knox in the end. I have definitely gotten my money's worth out of it at this point though. ;)
Sort of in a similar vein, while it's problematic in many ways because keeping it around requires substantially more development, testing, and support, including for customers not even using "standalone", I do hope we can find a better "groove" for it to keep it around.
Anyway, no apology is really necessary, and I wasn't offended in any way. We just need to keep the support forum friendly for the wide range of people that come here for help with 1Password, so in that spirit I do really appreciate it. I think if we continue to channel our shared passion for making 1Password better, even if we don't always agree on exactly what that should look like, it will be win-win in the end. Happy holidays! :chuffed:
0