Suggestions for Watchtower: Inform if SSL hasn't changed [We do], password change date [We do]

mranest
Community Member
edited May 2014 in Mac

Hey all,

The release of Watchtower finally made me go over my list of saved credentials and use the password generator to create truly random passwords, so kudos for that. I'd kindly suggest a few ideas though, to make the service even better:

  • Better alert the user of the fact that the site has not changed the SSL certificate. If one follows the "Learn more..." link on the vulnerability alert this information is shown, but it is cumbersome to follow that link for each and every flagged Login credential. The info message popping up on the vulnerability alert should also not prompt the user to change the password right away in this case, as the site should first replace the (potentially compromised) SSL certificate.
  • Take into account the date when the password was last changed. If I'm not mistaken there was a case where I'd change a password after the site in question fixed Heartbleed and replaced their SSL certificate, but Watchtower still flagged the Login as vulnerable.

Kind regards,
Anestis

Comments

  • Hi @mranest,

    > Better alert the user of the fact that the site has not changed the SSL certificate. If one follows the "Learn more..." link on the vulnerability alert this information is shown, but it is cumbersome to follow that link for each and every flagged Login credential.

    If the site has not changed its SSL certificate, the message would say Avoid instead. We only do the Change Password alert if the site has changed its SSL certificate.

    > Take into account the date when the password was last changed. If I'm not mistaken there was a case where I'd change a password after the site in question fixed Heartbleed and replaced their SSL certificate, but Watchtower still flagged the Login as vulnerable.

    We do. We store the vulnerability dates for each site we have in the database, which is usually based on the new SSL certificate's creation date (assuming the server is already patched). 1Password will then compare that date against your last password change. If the change was made after the vulnerability date, then it will not show up on the list. If it was made before, then it'll stay until you change the password.

    If one of your Logins is still marked as Vulnerable, can you look at its last password change date via Show Previously Used Password in the item details, and then compare it on the website: was it made after or before the SSL certificate change?
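
The comparison described in the reply above, sketched as an added example (not 1Password's code and not part of the original thread). The record shape, status names, sample hosts and the handling of an unknown or exactly equal change date are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

@dataclass
class SiteRecord:
    """Hypothetical per-site entry; the real database schema is not shown in the thread."""
    cert_replaced: bool                      # has the site issued a new SSL certificate?
    vulnerability_date: Optional[datetime]   # usually the new certificate's creation date

def _utc(dt: datetime) -> datetime:
    # Assumption: timestamps without a zone are UTC. Normalising avoids
    # wall-clock comparisons across time zones giving the wrong order.
    return dt.replace(tzinfo=UTC) if dt.tzinfo is None else dt.astimezone(UTC)

def classify(site: Optional[SiteRecord], last_change: Optional[datetime]) -> str:
    if site is None:
        return "ok"                # site is not in the vulnerability database
    if not site.cert_replaced or site.vulnerability_date is None:
        return "avoid"             # old certificate still in use: changing now does not help
    if last_change is None:
        return "change_password"   # assumption: unknown change date counts as "before"
    if _utc(last_change) > _utc(site.vulnerability_date):
        return "ok"                # password is newer than the replaced certificate
    return "change_password"       # changed before (or exactly at) the vulnerability date

def audit(logins, sites):
    """Map each login title to its status. logins: {title: (host, last_change)}."""
    return {title: classify(sites.get(host), changed)
            for title, (host, changed) in logins.items()}

# Constructed sample data (hosts and dates are made up for illustration).
SITES = {
    "patched.example": SiteRecord(True, datetime(2014, 4, 9, 23, 0, tzinfo=UTC)),
    "unpatched.example": SiteRecord(False, None),
}
EEST = timezone(timedelta(hours=3))
LOGINS = {
    "changed after": ("patched.example", datetime(2014, 4, 20, 8, 0, tzinfo=UTC)),
    # 01:00 on 10 April at UTC+3 is 22:00 UTC on 9 April: before the new certificate.
    "changed just before": ("patched.example", datetime(2014, 4, 10, 1, 0, tzinfo=EEST)),
    "never changed": ("patched.example", None),
    "old certificate": ("unpatched.example", datetime(2014, 4, 20, 8, 0, tzinfo=UTC)),
    "unlisted site": ("other.example", None),
}

if __name__ == "__main__":
    for title, status in audit(LOGINS, SITES).items():
        print(f"{title}: {status}")
```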

This discussion has been closed.