Watchtower for Password Items is Inconsistent

themord3
themord3
Community Member
in Desktop betas (Mac, Windows, and Linux)

I have a Password item (with only the password field filled) with a password that should quality as Terrible and Vulnerable. Originally, Watchtower did not include it among the Terrible password section/count or the Vulnerable password section.
However, if I fill out the URL field associated with that Password item, Watchtower will add it under both the Terrible and Vulnerable section. I think that behavior is reasonable for Vulnerable passwords since it isn't "Vulnerable" until it is associated with a website. However I don't understand why it wasn't originally included in the Terrible password section.
Furthermore, if I delete the URL field associated with that Password item (returning the item to the way it was originally with just the password field filled), Watchtower continues to flag it as Vulnerable, but no longer included in the Terrible password section/count. If anything, the opposite behavior would be expected.

I have the latest macOS beta installed - 80700041, on BETA channel

1Password Version: Mac 8.7.0
Extension Version: Not Provided
OS Version: macOS 15.4
Referrer: forum-search:vulnerable password url

Comments

  • ag_mike_d
    ag_mike_d

    Hello @themord3, please excuse the delay in response. I've taken a look at this and have been unable to reproduce this in the latest nightly. When creating a password item with a terrible password, this item is showing up in Watchtower under both categories, Vulnerable and Weak Passwords. Can you check Settings > Advanced > Release channel to ensure you are on Nightly and if needed, update to the latest version and let us know if this issue persists?

    Thanks and please let us know if you have any other questions!

  • themord3
    themord3
    Community Member

    @ag_mike_d Thanks for checking - I've just updated to the latest setting and still have this issue.
    I created a password item with password: 1234. I saved it. Watchtower does not flag that item with anything.
    But if I then add a url: a.com, Watchtower will flag it as Vulnerable and Terrible (in the password strength section of Watchtower). If I remove the URL, Watchtower will still flag it as Vulnerable but no longer flags it as Terrible (in the password strength section of Watchtower)

  • MikeT
    MikeT
    edited April 2022

    Hi @themor3,

    1Password automatically consider any password with 6 numeric digits or less as a PIN and do not include it in the Watchtower checks as long as the website is not saved. Once it has a website saved, it is checked.

    I can confirm the bug that removing the website didn't clear the Vulnerable status, we'll get that fixed.

    ref: core/14270

This discussion has been closed.