Vulnerable Passwords setting is default off - big risk
I have recently noticed that across our entire tenant, most users are seeing that the Settings>Privacy>check for vulnerable passwords setting is defaulted to off.
With over 1000 users this is a significant risk to me as a business as I can't manually ask all users to go check this setting on all their devices and turn it on.
Why is this defaulted to off? Is there a way to force all users' settings to change to on without having to get the individual users to change the setting themselves?
1Password Version: 1Password for Windows 8.10.35 (81035003)
Extension Version: 1Password browser extension version 2.25.1
OS Version: Windows and Mac
Browser: Chrome and Edge
Comments
Hi @ClarionDPO, thanks for reaching out!
The "Check for vulnerable passwords" setting under Settings > Privacy in the 1Password desktop app is disabled by default since it relies on sending some hashed data to the Pwned Passwords service provided by Have I Been Pwned. This presents a risk where, when using similar weak passwords, Have I Been Pwned could learn the passwords if they acted maliciously. You can find more info about this in the following article:
With that said, the passwords are never sent to us or the Pwned Passwords service. Additionally, any strong and unique passwords created with the 1Password password generator aren't at risk. I should also mention that with a 1Password Business account, owners and members of the business' Security group can access reports on security issues and gain insight into weak passwords:
If you're using a 1Password business account, there's currently no policy available to control the "Check for vulnerable passwords" option for team members, but I've gone ahead and submitted a feature request for this to our Product team for further consideration.
Let me know if you have any questions!
-David
ref: PB-40889805
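As an added example (not 1Password's or Have I Been Pwned's code), here is the k-anonymity range query that the Pwned Passwords API is built on, run against a constructed offline stand-in for the service: only the first five hex characters of the password's SHA-1 hash leave the device, and the remaining 35 characters are matched locally against the returned range. The `OfflineRangeService` class and the `CONSTRUCTED_RANGES` table are assumptions made for this example; the suffix for "password" is its genuine SHA-1 tail, every other suffix and all counts are made up.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Pwned Passwords "range" endpoint. A real range
# response has one "SUFFIX:COUNT" line per breached SHA-1 hash that starts with
# the queried 5-character prefix. Only the suffix for "password" is genuine;
# the other lines and all counts are made up for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2B5A9E2B8C6F9C0A1B3D4E5F60718293A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F0AB7C3D9E5F1A2B4C6D8E0F2A4B6C8D0E:17\r\n"
    ),
}


class OfflineRangeService:
    """Answers range queries from the constructed table and records exactly
    what a client would have transmitted, so the privacy boundary is visible."""

    def __init__(self) -> None:
        self.sent_prefixes: List[str] = []

    def fetch_range(self, prefix: str) -> str:
        self.sent_prefixes.append(prefix)
        return CONSTRUCTED_RANGES.get(prefix, "")


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a 'SUFFIX:COUNT' range body into a suffix -> breach count map."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def check_password(password: str, service: OfflineRangeService) -> Optional[int]:
    """Return the breach count for the password, or None if it is not in the
    range. The full hash is never transmitted, only its prefix."""
    prefix, suffix = split_hash(password)
    matches = parse_range(service.fetch_range(prefix))
    return matches.get(suffix)
```

A range query reveals which 5-character bucket a password falls into, which is the residual exposure the reply above describes: a weak or reused password is easier to narrow down within that bucket than a long generated one.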