Feature: Weak Passwords

I know that y'all have had posts requesting this feature before. I saw it in the Mac forum, I think. I was going through updating sites on old passwords, and obviously the first thing I click on is weak passwords because even though I know what it is I cannot help myself.

Almost all of my weak passwords are network switches that are only accessible internally.
I know the discussion has probably been: if we implement this, are we doing a disservice to the users? What if they ignore one that does matter?

All my switches' direct management is accessed at https://10.10.10.10 (direct IP).

What if you added an option to ignore items that fall within a private IP space that aren't routable on the public internet.

This was just a morning passing thought, so by no means have I completely thought through the implications, but the good thing about having a forum is many heads could think of issues that could arise from something like this.

Anyway, I would love to hear people's thoughts on something like this.


1Password Version: 7.7
Extension Version: 810
OS Version: Windows 10 21H1 / OpenSuse
Sync Type: Cloud

Comments

  • PeterG_1P

    Team Member

    Hi @xotan ,

    This is an interesting idea, and it raises questions we care a lot about!

    Regarding the network: should you be able to exclude items that fall within a private IP space? What if an organization that uses similar private IP ranges has high security requirements, or operates on a zero-trust model? My feeling is that delineating that kind of thing in Watchtower specifically might do more harm than good.

    However, I can see an argument for being able to disable Watchtower alerts for certain passwords you choose, though. For example, some websites actually (sigh) require weak passwords, and some devices require short PINs, which in all other contexts would be considered weak and something you want to change ASAP. What to do about this?

    This is very much an ongoing conversation here. Maybe the best long-term answer is to allow a user to manually specify which alerts they want to disable, and for how long. Or maybe it's better not to allow that kind of option at all, because if someone's bank requires a weak password, 1Password can help by at least reminding you that that's a point of vulnerability.

    Ultimately, we want the Watchtower alerts to be accurate, actionable, and salient - and we 100% welcome your input (and the community's) on what that might look like as we go forward.

    Thanks for opening up this discussion. I'll be very interested to hear what more you and others here have to say on the topic!

  • I work for a worldwide company, and its worldwide company intranet, running with 10.x.y.y addresses, is operated with roughly the same security policy as you would have for internet hosts. In other words: it is mandatory that hosts within the intranet must be as secure as if they were directly exposed to the internet. The intranet is considered only a bit less hostile than the internet itself; it's not considered friendly and secure.

    So passwords used within the private network range must be as strong as passwords that are used for internet hosts.
    Another thing against excluding private network ranges from password checking: 1Password cannot know if a host is accessible from the internet with NAT or port forwarding. The same host you can connect to as 10.10.10.10 might be accessible from a public IP if this is configured on some NAT router exposed to the internet, so it's ok if weak passwords are reported.

    The only viable way I see is the ability to manually flag a weak password as "risk accepted for weak password" and make it vanish from Watchtower if flagged as this. I assume such functionality has not been added until now, because some people would just flag all their weak passwords to make them go away as alerts without actually realizing the risk. In my opinion, this is too much care and attempt to protect the user from himself.

  • Dayton_ag

    Team Member

    Thanks so much for sharing your perspective, @Tertius3! You raise a really good point - 1Password doesn't know the particulars or implications of the data it has stored (beyond locally comparing URLs against a compromised website database). It's because of these varied circumstances and use-cases that something like Watchtower warnings need to be well thought-out and, as Peter put it, "accurate, actionable, and salient". Thanks again for sharing! :smile:
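The two opt-out approaches discussed in this thread (the private-address exclusion the original post floats and the per-item "risk accepted" flag Tertius3 proposes), as an added Python illustration that is not 1Password's code; the item list, the weakness test and all names are constructed for the demo:

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# RFC 1918 IPv4 ranges plus IPv6 unique-local addresses: the "private IP
# space" the thread talks about. Being in one of these says nothing about
# whether NAT or port forwarding exposes the host, which is Tertius3's point.
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample vault items (title, website, password); not real data.
SAMPLE_ITEMS = [
    ("core-switch-01", "https://10.10.10.10", "admin"),
    ("bank", "https://bank.example", "Pa55word"),
    ("dmz-host", "https://203.0.113.7", "1234"),
    ("nas", "https://nas.lan.example", "abc"),
]


def is_weak(password: str, min_len: int = 12) -> bool:
    """Stand-in weakness test: too short or fewer than three character classes."""
    classes = sum(any(test(c) for c in password) for test in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    return len(password) < min_len or classes < 3


def private_ip_literal(url: str):
    """True if the URL host is an IP literal inside PRIVATE_RANGES, False if it
    is a literal outside them, None for a hostname (unknowable without resolving)."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        addr = ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in PRIVATE_RANGES)


def weak_password_alerts(items, accepted_risk=frozenset(), ignore_private=False):
    """Return titles that would raise a weak-password alert under the two
    opt-out strategies discussed: an explicit per-item "risk accepted" flag,
    and the blanket private-address exclusion the original post floated."""
    alerts = []
    for title, url, password in items:
        if not is_weak(password):
            continue
        if title in accepted_risk:          # deliberate, reviewable decision
            continue
        if ignore_private and private_ip_literal(url) is True:
            continue                        # silently hides NAT-exposed hosts
        alerts.append(title)
    return alerts
```

Note that the blanket exclusion never fires for hostnames such as the constructed nas.lan.example, even if they resolve to a private address, while it does hide the switch regardless of whether a NAT rule forwards to it; the per-item flag keeps that decision with the user.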
