Feature Request: Heartbleed "change your password" audit tool

SteveP
Community Member
edited April 2014 in Mac

Hi

Can we have something like what they did for LastPass
http://lifehacker.com/lastpass-now-tells-you-which-heartbleed-affected-passwo-1561522244
so we can know which passwords to change?

It would help a lot!
thanks

Comments

  • jonnybradley
    Community Member

    Thirded (at least?)

  • Mary Ann Kelley
    Community Member

    Please! First thing I did when I saw the LastPass tool was to check and see if Agile Bits had one for 1Password. Disappointed.

  • Jasper

    Thank you all for letting us know you are interested in this. We’re certainly looking into it. :)

  • EricRFMA
    Community Member

    What Mary Ann said!

  • parasight
    Community Member
    edited April 2014

    Absolutely +1! Actually, what I'd love to see is an audit tool and alert system in 1Password that would not only notify us about sites affected with Heartbleed, but any future flaws as well. Is there an open source database for these kinds of disclosures? If not, there's an opportunity for Agile to back such a project and integrate that database directly into 1Password. In the light of Heartbleed, I'm seeing a lot of different websites collecting their own data (including a list on GitHub), so I'm assuming such a database doesn't exist yet. If the past months have been any indication (NSA, goto fail, Heartbleed), there is a rising need to create a centralized, openly audited alert system. I think companies like Agile, in collaboration with others, could be a driving force in this effort. There must be a good way to monetize it, too. Start a B-Corp, who knows. I'm not sure how the anti-virus industry operates in terms of sharing virus definitions, but it might be worth having a look over there.

  • mpounsett
    Community Member

    One password per site is always the best policy. And as we all know, with hundreds of different site logins, that makes password safes like 1Password essential... nobody can keep track of all that on their own. However, after events like Heartbleed and the recent GnuTLS bug, changing all those passwords can also be a massive pain. It would be great if 1Password could help manage that process.

    I'm thinking of a "change this password" flag that I can set on arbitrary groups (or all) of my stored Logins. When I use the browser plugin to use a flagged Login, 1Password could remind me that password needs updating. When I update the Login changing the password, 1Password would unflag the Login.

    For the purposes of Heartbleed that could be as simple as allowing me to select all my Logins and use a menu item to flag them. But you could possibly also expand it into a more general reminder system, and allow 1Password users to set default lifetimes for their passwords, getting 1Password to remind them when that timer has run out.

  • brilong
    Community Member

    I would like to see AgileBits come up with something along the lines of LastPass in the wake of Heartbleed:
    LastPass Now Checks If Your Sites Are Affected by Heartbleed

  • Matt47r
    Community Member

    Yes, right now for the 100+ sites I have pws saved for in 1Password, I have no idea when their certificate is updated, which would then trigger me to change my password. So vote #2 for something similar to what LastPass is doing.

  • Megan
    1Password Alumni

    Hi @parasight

    Thanks so much for adding your thoughts here! As @JasperP said above, this is most definitely something that is on our radar, and creating a tool that would be useful in identifying future flaws as well is a great idea. Of course I can't say much more than that right now, but your feedback is much appreciated. :)

  • mattyf
    Community Member

    Me too! Fortunately, I'm just switching from LastPass, so my vaults are roughly equal. I'm using their tool to check, then 1Password to change them. It would be great to do it all in the same place!

  • curiousbadger
    Community Member

    Fifthed.

  • benfdc
    Community Member
    edited April 2014

    My 2¢.

    There are some things that a first-class device-based password manager like 1Password excels at. And there are some things that a first-class cloud- and browser-based password manager like LastPass excels at. That’s why I use both of them. My shorthand version is that 1Password is my “home” password manager, and LastPass is my “away” password manager.

    I would never underestimate AgileBits’s ability to come up with a great tool for coping with Heartbleed. I also would never advise anyone to wait for AgileBits to come up with its solution for a pressing need when another good solution is available. A bird in the hand …

  • BillyG
    Community Member

    +1. A big 1.

  • danilko1
    Community Member

    BRILLIANT!!! Thanks for the suggestion!!!

  • 1userpass
    Community Member
    edited April 2014

    I'm in full agreement. We need a tool to help us change all those passwords, please.

  • PWChinook
    Community Member

    1PW is my ONLY source for password support/security. Rightly or wrongly, ALL my eggs are in this basket. At this point, I am especially concerned about Dropbox, as Dropbox is the 1PW recommended method for syncing and I use it. Please comment ASAP on whether we should be responding to the Dropbox issue.

    The suggestion of this thread would encompass my request and I support it.

  • Megan
    1Password Alumni

    Hi @mattyf and @curiousbadger,

    Thanks for adding your votes here! We're listening. :)

  • lscline
    Community Member

    As I mentioned in another thread:
    Yes, a Heartbleed checker tool for my 1Password vaults would be very welcome. As it is, I'm considering exporting my data from 1Password and importing to LastPass, solely to use the checker they have developed...

  • Arthaey
    Community Member

    +1

    I'm surprised and a little disappointed that LastPass was able to scramble together a useful tool for their users, but 1Password folks can't even say "we're working on this as fast as we can," but rather the generic "we listen to your requests and are considering it."

    An integrated tool/plugin/update to help with this sort of massive security issue is not your run-of-the-mill feature request.

  • GregW
    Community Member

    +1 here as well.

  • khad
    1Password Alumni
    edited April 2014

    Thank you all so much for letting us know you are interested in this. As always, we never pre-announce features or products, but this is something that everyone can obviously benefit from, and we’re definitely looking into it.

  • LTParis
    Community Member

    I am very glad that AgileBits is looking into this feature. +1 +1 +1 (can I vote often here?). :)

  • Arthaey
    Community Member

    @khad: thank you for your response. It sounds much less generic than the previous responses. I look forward to whatever you do end up doing to help out your users with this security situation!

  • waako
    Community Member

    Another vote from me.

    In the meantime, there is a great open source tool for checking a site's status for Heartbleed: http://filippo.io/Heartbleed/

  • Mark Evans
    Community Member

    Lists like those on Mashable and filippo.io are good, but integration into 1Password is SO much better. Yes, we know you are working on it, just another vote here. :-] Hope it comes out quickly. Thanks.

  • EnerJi
    Community Member

    I feel like everyone on this thread is setting their sights far too low. I don't want a tool to tell me when to go change one of my >100 passwords - what a nightmare. I want a tool that will automatically change my passwords for me! A tool like this likely would never be perfect, due to the different mechanisms that sites choose to allow password changes, but 80% accuracy (or heck, even 50%) would still be of huge benefit.

    As the need to do something like this is very infrequent, and the cost to develop such a tool probably fairly high, I would be very willing to pay extra for this feature and would also be quite open to different monetization schemes. For example, perhaps a "per-use" fee could be charged every time a user wants to perform a bulk reset of passwords.

  • a13z
    Community Member

    Would it be possible for AgileBits to do a little work for us in figuring out which sites we ought to change passwords for? Ideally, whenever a certain website is ready for us to change our passwords, it would be great to have that show up when I click the "security audit" button in 1Password. 1Password seems like it should be capable of comparing the list of sites we have saved with a list of sites known to be ready for a password change.

    Is this feasible? Thanks!

  • matthewmspace
    Community Member

    Yes, I would love this feature, if it's possible to build into 1Password.

  • MarcTR
    Community Member

    It would be great to see an addition to the 1Password 'Audit' section, where a cross-referenced list of websites that have or have had the security issue and your password age for that website, mean that you should take action for that site by changing your password. It might require 1Password to parse a known list of sites and the OpenSSL versions & dates that they were updated to a fixed version, but I am sure for the clever Agile Bits folks this shouldn't pose much of a problem...
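
The cross-reference several posters describe (saved logins, a list of affected sites with the date each was fixed, and the age of each password) can be sketched as follows. This is an added example, not code from 1Password, LastPass or anyone in the thread; the advisory feed format, the vault tuples and the names `match_advisory` and `audit` are assumptions, and all sample data is constructed.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed advisory feed: host -> date the site deployed its fix,
# or None when the site is known affected and not yet fixed.
ADVISORIES = {
    "example.com": date(2014, 4, 9),
    "shop.example.net": None,
}

# Constructed vault entries: (title, login URL, date the password was last changed).
VAULT = [
    ("Mail", "https://login.example.com/signin", date(2013, 11, 2)),
    ("Shop", "https://shop.example.net/", date(2014, 4, 10)),
    ("Forum", "https://example.com/forum", date(2014, 4, 12)),
    ("Bank", "https://bank.example.org/", date(2012, 1, 1)),
]

def match_advisory(url, advisories):
    """Look up the URL's host, then each parent domain, in the feed."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    for i in range(len(labels) - 1):      # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in advisories:
            return True, advisories[candidate]
    return False, None

def audit(vault, advisories):
    """Return {title: status} for every login in the vault."""
    report = {}
    for title, url, changed in vault:
        listed, fixed_on = match_advisory(url, advisories)
        if not listed:
            status = "not listed"
        elif fixed_on is None:
            status = "wait"          # a new password would be exposed as well
        elif changed <= fixed_on:
            status = "change now"    # password predates (or ties with) the fix
        else:
            status = "ok"            # already changed after the fix
        report[title] = status
    return report

if __name__ == "__main__":
    for title, status in audit(VAULT, ADVISORIES).items():
        print(f"{title:6} {status}")
```

The "wait" status covers the case raised earlier in the thread: a password changed before the site has been fixed has to be changed again afterwards.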

This discussion has been closed.