Watchtower Vulnerability Alert For 32-Character Alphanumeric Username

BZZZZZ

I’m getting "Vulnerability Alert — Change Password…” for a investment company login site even though the site is not vulnerable to Heartbleed and has a good SSL certificate.

This site has an enter-your-login-username page and a separate enter-your-password page. I have two separate 1Password cards to get into this site — one for the username login and one for the password.

I changed the password on the password card, and the Heartbleed warning on the password card disappeared. However, there’s still a “Vulnerability Alert” at the top of my username login card.

For my login ID, I’m using a 32-character alphanumeric username that I generated with the 1Password password generator. I changed that alphanumeric username but I’m still getting a Watchtower vulnerability alert.

I have no difficulty getting into the investment company's site, using my two card approach.

I use the same two card approach to log in to several bank sites and to several other investment sites that all use separate login ID and password pages. The technique works fine. No other two-card sites are showing a “Vulnerability Alert”.

Can anyone suggest a fix for this problem?

hawkmoth

When I have conflicts with Watchtower (in the sense that I don't think the alert is relevant) I manually change the password in the record in question by adding a few special characters at the end and save it. That results in its removal from the alert list. Then I edit it again to remove the extra characters and forget about it. Obviously, this isn't good practice if there is good reason to change the password, but it keeps me from being reminded about it when I'm confident.

BZZZZZ

Thanks hawkmoth.

AgileBits support just sent me this suggestion: "I believe this problem is going to be universal with any multi-page login process. What you may have to do to work around it is edit the [login] item and add a bogus password to it, save it, edit it again, and delete the bogus password."

I wrote back:

'I followed your suggested steps but ran into a problem with the last step. As soon as I deleted the bogus password the “Vulnerability Alert” returned.

Here’s my work-around. I edited again, this time copying and saving my actual password from my password card. Once I did that the “Vulnerability Alert” disappeared from my login card.

Adding my PW to my login card didn’t affect my ability to do a two-stage login. I can still login to the investment company website, using my edited login card to enter my 32-character username and my password card to enter my password.

Because it was previously tagged by Watchtower, my login card now seems to need to a permanent password.

It may be that only websites with the Heartbleed vulnerability will trigger this problem. The problem didn’t arise at my other two-stage, separate-login-and-password bank and investment company sites that weren’t affected by Heartbleed."

Megan

Hi @BZZZZZ‌

Thanks so much for sharing your workaround here! I apologize for the trouble - our developers are working to improve the Watchtower service to ensure that it is as helpful and accurate as possible. Your patience as we develop this service is much appreciated.