Feature Request: Heartbleed "change your password" audit tool

Comments

  • Jasper

    Thanks so much for all the feedback, guys! We’re definitely looking into it. :)

  • SausalitoDog
    Community Member

    Plus 1

  • Mark Evans
    Community Member

    @JasperP, what could possibly be a higher priority than this? Almost EVERY PASSWORD needs to be changed by EVERY CUSTOMER. It has been over a week since the news broke. A simple, and totally valuable, "copy-LastPass" approach should have been do-able within one day, at most a few days. I just cannot imagine what the conversations within AB were like as this effort got de facto pushed down the priority list, instead of being the #1 all-hands effort that it should be, given the threat and the degree of difficulty in manually fixing it. What could still be above it? "develop assets for 50% off sale"? "fix installation bug on linux"? "improve lock-opening animation"? This is actually a seminal moment when a really serious threat arises, and business-nearly-as-usual is not the appropriate response. Sorry for the rant, but it's hard to understand how a company whose business is helping people secure data is not bringing all guns to bear, with a time-is-critical mindset, to combat the threat.

  • LTParis
    Community Member

    I have to admit I am a little disappointed too. It's been a week and there is nothing out yet. This was such a big impact that I expected more blurbs about the impact on the blog front, and a tool to help people out.

  • khad
    1Password Alumni
    edited April 2014

    I completely understand where you're coming from folks. That's why we have a tool in beta testing. We've asked beta testers not to share the link publicly for now while we work out some kinks. However, this is one case where time is not necessarily of the essence. In fact, there are still many sites where you should not change passwords because the vulnerability was either

    1. not patched right away or
    2. the site still hasn't updated their certificate.

    Heartbleed is an unusual case and is almost the opposite advice of a typical password breach where you are told to change your password immediately. With Heartbleed you want to be sure that those two criteria above are met before changing passwords.

    The tool we are testing is very good. We wanted to make sure to get it right rather than throw something together that wasn't going to offer useful and actionable advice along with accurate assessments of the sites. It will see a wide release soon at a very appropriate time for this particular issue.

    We're excited to get it into your hands once testing is complete. If we can be of further assistance in the meantime, please let us know. We are always here to help!

  • markballou
    Community Member
    edited April 2014

    Bravo @khad. Appreciate you guys keeping the lines of communication open here.

    Look forward to this feature rolling out. As tech support to many of my family members, most have resisted using a password manager, but now are suddenly interested with Heartbleed in the news. Adding a tool to help identify potential Heartbleed compromised passwords/sites, a system for managing the timely update (once their SSL is patched) and then help generate robust passwords to replace them, will be such an easy sell.

    Please make sure, as many may be importing passwords from a browser's integrated password managers or from other competitive products, that these imported passwords are treated as potentially compromised as well. Actually, now that I think about it, do you even support importing passwords from Firefox, Safari, etc? I see CSV, and some other products, but no mention of browsers.

    Thanks!

  • Mark Evans
    Community Member

    Thanks, looking forward to it.

  • markballou
    Community Member

    Umm, I'm confused. Are you sure @thightower? This appears to be just a manual search tool, like others available, not integrated into 1P in any way. I was under the impression they were developing something that would automate the process and help guide users from within 1P.

  • thightower
    Community Member
    edited April 2014

    As to it being internal, I have no clue. I am just like you, I get the details as I find them. Everything I have seen including emails asking us beta testers to check seem to indicate this. That's not to say it may not someday be bundled. But as far as I can tell personally this is it.

    None of the current betas have anything in them involving this type of feature.

    *now you know as soon as I post this a new beta may go up and I'll have egg splatting on me. :P

  • thightower
    Community Member

    PS: This last line may indicate something else in the future.

    From the blog page.

    this initial version of 1Password Watchtower

  • markballou
    Community Member
    edited April 2014

    Well if this is it, that's nice and all, but they'd've missed an opportunity. I'm no software designer, and can't even begin to speak for how feasible it even is, but adding an audit feature to 1P, especially now, would not only A) provide peace of mind to its existing customer base, but B) it might significantly increase its customer base. Know what I mean?

  • LTParis
    Community Member

    OK so the information on the watchtower page is informative... but... I cannot see how this is a practical tool for anyone that does not store more than say 10-20 passwords. I have over 500 and while I've addressed the major sites it's those unknowns that are at question. Where is the integration into 1P itself? I mean I understand the QC process as I worked in software development in the past but this indeed is a missed opportunity.

    As an IT Director I was about to make a large purchase of 1P for our users as a courtesy and to get them focused on good security practices. However I really am going to have to evaluate LastPass instead and see if for new users their Heartbleed tool is practical.

  • [Deleted User]
    Community Member

    For what it's worth I have to say that this "new tool" is pretty disappointing. Not integrated in 1P at all.

    There are a number of web sites that do the same thing (and have done for about a week now). While checking one domain at a time manually is hopeless (especially for hundreds of domains) I could have used one of these web sites rather than wait on this from Agilebits.

    I would have expected that Agilebits could incorporate a checker in the 1Password application so that it checks all the domains for which a user has logins set.

    It has been said that neither Agilebits nor the 1Password browser extension has a list of what sites are in your 1Password data (part of overall security architecture etc. etc.) ... fair enough. So such an analysis tool needs to be built into the application itself, and can't just be added to the browser extension. In regards to this I am empathetic (OK, it takes work, skill and a little time) but there are limits to my patience.

    A competing product was able to offer this capability almost immediately after Heartbleed was found - gosh how could they do this so quickly? ... I am disappointed that Agilebits cannot too.

    It might be good for Agilebits to tell its customers if this integrated capability is going to be provided ... or not ... and if it is ... by what date. And perhaps consider avoiding statements like "I can't reveal anything right now" - this is not a marketing opportunity about some secret new feature.

  • Mark Evans
    Community Member

    Extremely disappointing.

    To echo other comments in a short list:

    • Same as tools available elsewhere.
    • Not integrated into 1P.
    • Not helpful for anyone with lots of passwords.
    • Not as good as LastPass, which released a far superior feature immediately after the news broke.
    • Opportunity missed.

    Bummer for the AB team members that wasted their time on this, and especially 1P users.
    Maybe something /will/ get integrated into 1P. I'll hold out a little hope.

  • LTParis
    Community Member

    As a side note, I briefly used LastPass to import my logins and check against the list. I only had 3 other sites I had to be concerned about. I changed them and deleted the LastPass account for now.

    For AgileBits' credit, 1P appears to be a better overall password management tool than LastPass. I still hope that they come out with something that is integrated for the next wave of big password issues. Something tells me these occurrences are about to get far more frequent and nefarious outcomes will result.

  • roustem
    edited April 2014

    Since 1Password does not store your information online it takes quite a bit more effort to provide this feature in a way where your personal information is not revealed to a third party.

    However, we are pretty close:

  • jpgoldberg
    1Password Alumni
    edited April 2014

    So what's new?

    At this point, it may not be clear that Watchtower offers much new to the sophisticated user (like most people posting here), but there are some things that it does bring together that other tools may not have all in one place.

    1. A (semi-)live test

      You aren't just reading a list published on some news site. I do say semi-live because we do cache results and will not actually probe a domain more than once an hour.

    2. Actual advice on what the results mean for you.

      This may not seem to be so valuable to y'all in our forums, as you understand (to the extent possible) what Heartbleed means for you.
      But you are not typical users.

    3. Tests that go beyond just checking for presence or absence of Heartbleed vulnerability

      There really shouldn't be many sites left that are actively vulnerable to Heartbleed. But we are not just checking that. We report on certificate validity, and we try to make a guess about key status based on validity dates and other information.

    4. Curation

      At the moment, most of what you encounter is the result of automated testing, but we are also set up to curate the list. This may not be particularly useful for Heartbleed itself, but [we don't disclose plans for the future]

    But it's not in the app!

    We have not been as quick as others to get something like this built into the 1Password application itself. One reason for this is that applications take more time to update than browser extensions. Neither we nor the 1Password browser extension have access to the list of the websites you use. So any analysis that is done of your Logins must take place either within the app itself or on exported data.

    One of the lesser sung security improvements in 1Password 4 is that we have removed most of the crypto and almost all of your secrets (encrypted or otherwise) from the browser extension. Web browsers present an enormous attack surface, and so we wanted to give the 1Password browser extension as few secrets as possible. For the most part, it just talks to 1Password Mini; and the extension focuses on those things that should be done within the browser, such as analyzing a web page to figure out whether it is a change password form or the like.
    Also keep in mind that our browser extension doesn't talk to any database on our servers. This is why we don't know which web sites you use. (It only talks to our servers when seeing if it needs to update itself to a new version).

    So this security architecture, keeping your secrets only within the 1Password app (and Mini), does mean that there is less that we can do with the extension. We could put all of the testing tools within the extension (not really wise for a number of reasons) or we could include an enormous database within the extension (not wise either).

    I think that our choice of security architecture is best for your security and privacy, but it does mean that we have tied our hands when it comes to analyzing your data. It doesn't make more useful tools impossible, but it does make them slower to deploy, so [we don't talk about future features until they are deployed]

  • The_caveman
    Community Member
    edited April 2014

    That looks nice!
    I hope this gets out soon (and that includes the Mac App Store!).

    Cheers,

    Caveman

  • LTParis
    Community Member

    Kudos. I do wish the updates were more frequent but this seems quite promising.

  • khad
    1Password Alumni

    Thanks folks! We're excited to get the update to you and appreciate your patience. :)

  • lscline
    Community Member

    Watchtower seems based on current status, from my quick look at it. One of the key bits of information is that because many websites have already been patched and new/replacement certs issued, the current information doesn't indicate whether the site was once compromised by this bug (and my data already exposed, if not currently). Does Watchtower consider this? If not, will the in-app tool consider this? To me, this is key.

  • Stephen_C
    Community Member

    Watchtower does indicate whether a site was previously compromised (provided AgileBits has been able to ascertain that information). I've seen that information for some sites I've tested on Watchtower.

    Stephen

  • jpgoldberg
    1Password Alumni

    Thank you @Stephen_C for your answer to @lscline.

    We do not (yet) have a lot of historical data built into the system, and so while we attempt to do things like distinguish between "never vulnerable" and "patched", we cannot always do so reliably. We try to warn people about this.

    Likewise, we can't always reliably distinguish between "has a new certificate (with an old start date)" and "needs a new certificate". We make our best guess, and we update based on what site administrators tell us and what we can glean from historical data.

    So yes, we do try to distinguish among those, and when we can't we try to let people know.
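
The two criteria khad gives earlier in this thread (patched first, new certificate second) and jpgoldberg's caveats just above about "patched" versus "never vulnerable" and about reissued certificates with old start dates, worked through as an added example. This is not AgileBits' code or any part of Watchtower; the observation fields, status strings and sample domains are constructed assumptions, and the disclosure date is the publicly known one.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Heartbleed was publicly disclosed on 7 April 2014 (well-known date, not taken from the thread).
DISCLOSURE = date(2014, 4, 7)

@dataclass
class SiteObservation:
    """What a Watchtower-style checker might know about one domain (constructed schema)."""
    domain: str
    vulnerable_now: bool            # result of the live probe (cached, re-run at most hourly)
    was_vulnerable: Optional[bool]  # historical record; None = no record
    cert_not_before: date           # validity start of the certificate served right now
    cert_changed: Optional[bool]    # fingerprint differs from a pre-disclosure record; None = no record

def advise(obs: SiteObservation) -> str:
    """Apply the thread's two criteria in order: (1) the site must be patched, (2) it must
    serve a new certificate, since the old private key may have leaked while vulnerable."""
    if obs.vulnerable_now:
        return "Wait: still vulnerable"       # a new password could leak exactly like the old one
    if obs.was_vulnerable is False:
        return "Not vulnerable"               # positive evidence the site never ran a vulnerable stack
    # Patched now (or never-vulnerable status unknown): move on to the certificate question.
    if obs.cert_changed or obs.cert_not_before >= DISCLOSURE:
        return "Change password"              # new fingerprint or post-disclosure issuance: key rotated
    if obs.cert_changed is False:
        return "Wait: needs new certificate"  # patched, but the pre-disclosure certificate is still served
    # Start date predates disclosure and no earlier fingerprint exists to compare against.
    # A CA may backdate a reissued certificate, so this is indistinguishable from the old one.
    return "Unknown: certificate age ambiguous"

# One possible urgency order, most to least pressing (a constructed choice).
URGENCY = ["Wait: still vulnerable", "Wait: needs new certificate", "Change password",
           "Unknown: certificate age ambiguous", "Not vulnerable"]

def report(observations) -> dict:
    """Return {domain: status} ordered by URGENCY (dicts preserve insertion order)."""
    ranked = sorted(observations, key=lambda o: URGENCY.index(advise(o)))
    return {o.domain: advise(o) for o in ranked}

# Constructed sample data; the domains are placeholders, not assessments of real sites.
SAMPLE = [
    SiteObservation("still-broken.example", True, True, date(2013, 6, 1), False),
    SiteObservation("patched-old-cert.example", False, True, date(2013, 6, 1), False),
    SiteObservation("patched-new-cert.example", False, True, date(2014, 4, 9), True),
    SiteObservation("backdated-maybe.example", False, None, date(2013, 6, 1), None),
    SiteObservation("never-affected.example", False, False, date(2013, 6, 1), None),
]
```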

  • donmontalvo
    Community Member
    edited April 2014

    Is there a way for us to upload a text file of just the top level URLs that agilebits.com can verify is/isn't affected by Heartbleed, so we can address? I mean, a way to export just the URLs from our 1Password database, obviously without passwords. ;)

  • khad
    1Password Alumni

    We've got something even better on the way. Don't miss Roustem's post above:

    http://discussions.agilebits.com/discussion/comment/118440/#Comment_118440

    :)

  • We published 1Password 4.3.1.BETA-1 a few minutes ago: https://app-updates.agilebits.com/product_history/OPM4#beta

    This new build adds integration with the 1Password Watchtower service.

    Please give it a try and let us know how it works for you.

    Thank you!

  • slvrstn
    Community Member

    What does it do?
    I see an empty "WatchTower" group under "Security Audit"
    Will it just take time to populate?

  • MikeT

    Hi @slvrstn,

    Depending on your internet speed, it may take a few minutes because it needs to download a database file from our server. It shouldn't take more than a few minutes.

    We have found some bugs where if you enable Watchtower, it doesn't stay enabled; this will be fixed in the next beta update soon.

    Here's a screenshot of what it looks like currently in beta 1, there will be further improvements coming:

    1. The Watchtower service, along with counts of affected items
    2. Showing the status categories such as Not vulnerable, Change Password, and so on. It's sorted by default from most vulnerable to least as well.

  • slvrstn
    Community Member

    Thanks @MikeT. I've got good Internet speed, but that grouping is still empty. I'm not sure, though, what you mean by enabling WatchTower. Is there something else I need to do in the interface to turn on the functionality?

This discussion has been closed.