Feature Request: Banned password list
Is it possible to set up a list of passwords that shouldn't be used/will alert in Watchtower?
Currently I'm creating these passwords so that they show up as 'duplicates' if I do use them elsewhere, but this creates noise in Watchtower as these passwords are typically weak too.
1Password Version: latest
Extension Version: latest
OS Version: all
Browser: chrome
Comments
-
Leaked, though they’re often weak too.
It would be all the same if 1Password alerted you if any of your current passwords had been used historically on other accounts (like the duplicate password alert, but across history and logins); then you just need the weak password to be in the history of one of the accounts…
Currently you get an alert if 2 or more logins have the same current password, but it’s just as bad if you change one and forget to change the other.
To illustrate an alert might say “Twitter: Your current twitter password was also used previously on Facebook”
-
From what I understand, Watchtower will already warn you about this in one (or more) of two ways:
Compromised Websites are logins for websites where a security breach has been reported, and you haven’t changed your password since the breach.
☞ This warning would appear on an item if its website appears on haveibeenpwned.com.
Vulnerable Passwords are items with passwords that have been exposed in a data breach. An attacker may not know that you have used that password, but you should still change it.
☞ This warning would appear if you use a password that has appeared in a data breach, regardless of the username or website.
So, to use your example, if your Facebook password was leaked, and you then later tried to use the same password in your Twitter item in 1Password, Watchtower would flag it as a Vulnerable Password, even though the website is different.
I hope that clears that up, but please let me know if you have any questions. :)
— Grey
-
That works really well for passwords that are in those lists, but a password at work might be rotated out of caution, so you shouldn’t use it again.
Reuse of passwords both within the history of, and across websites, isn’t flagged by watchtower.
So if on twitter I use password A, then B, then A again, the re-use of password A won’t be flagged.
If I use password A on twitter then B, then create a Facebook account with password A, the reuse of old twitter password A for Facebook isn’t flagged either.
Hope the examples are clear.
-
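The check described in the post above (a current password that reappears in the same item's history, or in another site's history, plus the banned list from the original request), written out as an added illustrative example; this is not 1Password's or Watchtower's code, and `Login`, `find_reuse` and the sample vault are constructed here for the two scenarios the post gives.

```python
from dataclasses import dataclass, field
from hashlib import sha256


@dataclass
class Login:
    """One vault item: its site, current password and older passwords (oldest first)."""
    site: str
    current: str
    history: list = field(default_factory=list)


def fingerprint(password: str) -> str:
    # Index fingerprints rather than plaintext so the alert structures never hold passwords.
    return sha256(password.encode("utf-8")).hexdigest()


def find_reuse(logins, banned=()):
    """Return (site, reason) alerts for every login whose current password
    is in its own history, is in another login's history, or is on a
    user-maintained banned list (e.g. a work password rotated out of caution)."""
    history_index = {}  # fingerprint -> set of sites whose history contains it
    for item in logins:
        for old in item.history:
            history_index.setdefault(fingerprint(old), set()).add(item.site)
    banned_fps = {fingerprint(p) for p in banned}
    alerts = []
    for item in logins:
        fp = fingerprint(item.current)
        if fp in banned_fps:
            alerts.append((item.site, "current password is on your banned list"))
        for site in sorted(history_index.get(fp, ())):
            where = "this item" if site == item.site else site
            alerts.append((item.site, f"current password was used previously on {where}"))
    return alerts


# Constructed sample vault reproducing the post's two scenarios (not real data).
SAMPLE_VAULT = [
    Login("twitter", current="A", history=["A", "B"]),   # A, then B, then A again
    Login("facebook", current="A", history=[]),          # new account reusing old twitter A
    Login("work-vpn", current="rotated-out-1", history=["other-old-pw"]),
]
BANNED = ["rotated-out-1"]  # hypothetical banned list from the original request

if __name__ == "__main__":
    for site, reason in find_reuse(SAMPLE_VAULT, BANNED):
        print(f"{site}: {reason}")
```

The existing current-vs-current duplicate check is deliberately left out, since the post's point is that Watchtower already does that but not the historical comparison.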
What’s the chance that a strong random (and thus generated) password is equal to a previous one?
(Or are you asking for manually created less secure passwords? No longer doing that might be better than the suggested feature?)
-
Yeah I don’t buy that reductive argument.
“Even with the best intentions, x happens”
“So stop doing x”
The same can be said of leaked passwords; you know the password has been leaked, so stop using it.
Short passwords are weak, so stop using them.
No need for watchtower at all.
The point of watchtower is to catch when I do something silly and flag it. That it doesn’t flag internal reuse across sites gives a false sense of security that everything is fine and is in my view a shortcoming, even lastpass checked for historic re-use; just not between different websites.
I still come across websites where I’ve hurriedly typed a manual password because 1Password has signed me out and I need to “do the thing”/“buy the tickets” now rather than shave a yak. “Sorry dear, I didn’t get the tickets, I was busy installing a password manager plugin and finding my secret key”