Watchtower in latest version doesn't detect new reused password entries
Did a test using the latest Windows 8 beta (80800104).
1. Created two separate logins, one for login.skype.com and other for onedrive.live.com.
2. Used the same password (copy/paste) for both new entries.
The latest beta doesn't flag these as having a reused password on the individual entries. It also doesn't flag them as duplicates on the Watchtower summary screen.
I also tested to see if it was just these two websites, so I changed the login.skype.com website entry to pizza.com. The Watchtower summary screen count then increased by 2, so it sees them as reused, but when opening the individual entries neither has the notice at the top that the password is reused.
If I open 1Password 7 on iOS, it flags them both as a reused password immediately.
1Password Version: 8.8.0
Extension Version: Not Provided
OS Version: Windows 10
Comments
-
Hi @Digital05,
Thanks for taking the time to write this.
Live and Skype domains are not flagged as reused because they're separate domains that reuse the same authentication system owned by Microsoft. We have a list of known domains that are treated as the same by various known companies.
To be flagged as reused, the items have to be two separate domains using different authentication systems.
However, you are correct that 1Password 8 does not show Watchtower banners for reused passwords on the individual items nor does it flag them proactively in real time; we've stopped showing it because we no longer check all items at the same time for this when unlocking the app.
To find your reused passwords, you have to visit Watchtower first and use the Reused Passwords card there to find these items.
We may add the banners if you run Watchtower, select Reused Passwords, and then select the item within there, but by then it still wouldn't help with the fact that we don't show them proactively.
To use Watchtower more effectively, it is advised that you go to the Watchtower dashboard first to find what you need.
ref: dev/core/core#2652
0 -
Thank you, that makes sense... some sites use single sign-on, so you don't want to flag them. I have two additional questions based on your reply.
- You mention you have a list of known domains that are treated the same... is this available to users so we know which sites fall under this situation?
- Will Watchtower notify the user of all the potential sites using shared authentication when a breach occurs on one? Using my example above, assume the Microsoft Skype login has a breach; would Watchtower tell me that live.com and all the others that are associated are also at risk? If not, this goes back to my first question... can users see the list of shared authentication sites?
A new feature suggestion might be to add a banner at the top of entries to indicate they use a shared authentication system.
0
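Added illustration (not 1Password's code) of the rule in the reply above and of the breach question in this post: a toy reused-password check that treats a constructed list of Microsoft domains as one authentication system, so Skype + OneDrive with the same password is not reuse, while pizza.com + OneDrive is. The domain list, the item tuple format and the `at_risk_on_breach` helper are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed example of a "same authentication system" list; 1Password's real
# list is not published, so these groups are an assumption for illustration.
SHARED_AUTH_GROUPS = {
    "microsoft": {"login.skype.com", "onedrive.live.com", "live.com", "outlook.com"},
}

def auth_system(host):
    """Map a login's hostname to the authentication system that owns it.
    A host outside every shared-auth group is its own system."""
    host = host.lower().strip()
    for system, domains in SHARED_AUTH_GROUPS.items():
        if host in domains or any(host.endswith("." + d) for d in domains):
            return system
    return host

def reused_passwords(items):
    """items: iterable of (title, host, password). Returns {title: set of other
    auth systems sharing that password}. The same password inside one shared-auth
    group (e.g. Skype + OneDrive) is not reuse; across systems it is."""
    by_secret = defaultdict(lambda: defaultdict(list))
    for title, host, password in items:
        # key on a digest so the secondary index never holds the plaintext
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_secret[digest][auth_system(host)].append(title)
    flagged = {}
    for systems in by_secret.values():
        if len(systems) < 2:
            continue  # only one auth system uses this password: not reuse
        for system, titles in systems.items():
            for title in titles:
                flagged[title] = set(systems) - {system}
    return flagged

def watchtower_count(items):
    """Number a Watchtower-style 'Reused Passwords' card would show."""
    return len(reused_passwords(items))

def at_risk_on_breach(items, breached_host):
    """Titles whose login sits behind the same auth system as a breached host,
    i.e. what the second post asks Watchtower to surface (assumed behaviour)."""
    system = auth_system(breached_host)
    return sorted(t for t, h, _ in items if auth_system(h) == system)

# Constructed sample vault items mirroring the report's two scenarios
SCENARIO_A = [("Skype", "login.skype.com", "S@meP4ss"), ("OneDrive", "onedrive.live.com", "S@meP4ss")]
SCENARIO_B = [("Pizza", "pizza.com", "S@meP4ss"), ("OneDrive", "onedrive.live.com", "S@meP4ss")]
```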