Watchtower and "passwords" for security questions

pinakion (Community Member)

I'm trying to understand how important it is to change "passwords" that I've created not as regular login credentials, but as answers to "security questions" that many sites have you answer as a way to verify your identity. I think I'm doing this the way 1Password recommends, by simply creating a new login and saving the answer to the security question (which is not a real answer but a 30-character string of gobbledygook) in the password field (usually with no username).

When Watchtower flags a site, it flags not just the regular login, but also the security question "logins," which of course are linked with that domain. In a case where there's a real vulnerability, how important is it to change the security question "logins"? Obviously the login credentials should be updated, but do the answers to security questions really need to be as well?

What prompted my remarks is that eBay just showed up in Watchtower. I know I changed it post-Heartbleed and that the current password is fine, but I'll change it again to get it off Watchtower's list. But I'll also need to update the security question "password" as well so it can get pulled off the list too. I feel like the maintenance work involved in using Watchtower properly keeps compounding. What happens when Watchtower flags my bank account login? At that point I'll have to update it—and the three security questions that go with it! I worry that this will just get ever more complicated.

Also: am I managing these security questions correctly? Is there a way to create just a single login for a site that would contain both the real login credentials, as well as any security question answers? Perhaps that way, in the hypothetical example of my bank account above, I might only need to update one login.

I really like Watchtower, but I feel—and some other threads in this forum suggest the same—that it's getting cumbersome to manage. That's the nature of passwords, of course, but does it really need so much maintenance?

Thanks in advance for any advice!

Comments

  • Megan (1Password Alumni), edited May 2014

    Hi @pinakion

    Thanks for taking the time to write in to us about 1Password!

    > What prompted my remarks is that eBay just showed up in Watchtower. I know I changed it post-Heartbleed and that the current password is fine, but I'll change it again to get it off Watchtower's list.

    Please note that eBay showed up in Watchtower again because they were the victims of a recent attack and are advising their users to update their passwords. As the Heartbleed bug is slowly being dealt with, we hope to expand Watchtower's capabilities to warn users of other potential breaches such as this.

    > Also: am I managing these security questions correctly? Is there a way to create just a single login for a site that would contain both the real login credentials, as well as any security question answers?

    There is no 'right' or 'wrong' way to manage security questions here. However, you might find it simpler to store the security questions and answers within your existing Login in a custom section. This ensures that these questions do not get flagged by Watchtower, or our other Security Audit features. You can still mark the answers as password fields to have them concealed, and there is a one-click copy which will allow you quick access to them when needed.

    [Screenshot: a Login item with the security questions and answers stored as concealed password fields in a custom section; demo data shown]

    I hope this helps, but we're here if you have any further questions!
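    To make the trade-off in this exchange concrete, here is an added example (not 1Password's code, and not a description of how Watchtower is actually implemented) that models a breach-date check over a small vault: an item is flagged when a secret stored for the breached domain was last changed before the breach notice, which is an assumption for the sake of the model. The same four secrets (one login password plus three random security-question answers) are laid out first as four separate Login items and then as one Login item with password-type custom fields; the sample domain, dates and questions are constructed.

```python
"""Toy model of a Watchtower-style breach check over a password vault.
Added example, not 1Password code. Assumed rule: a site is flagged when any
stored secret for that domain was last changed before the breach date."""
from dataclasses import dataclass, field
from datetime import date
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_answer(length: int = 30) -> str:
    """Random 'gobbledygook' answer for a security question, from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SecretField:
    label: str      # "password" or the text of the security question
    value: str
    changed: date   # when the value was last rotated


@dataclass
class Item:
    title: str
    domain: str
    fields: list[SecretField] = field(default_factory=list)


def stale_fields(item: Item, breach_domain: str, breach_date: date) -> list[str]:
    """Labels of the secrets on this item that predate a breach of its domain."""
    if item.domain != breach_domain:
        return []
    return [f.label for f in item.fields if f.changed < breach_date]


def flagged_items(vault: list[Item], breach_domain: str, breach_date: date) -> dict[str, list[str]]:
    """Map item title -> stale field labels, listing only items that need attention."""
    result = {}
    for item in vault:
        stale = stale_fields(item, breach_domain, breach_date)
        if stale:
            result[item.title] = stale
    return result


def rotate(item: Item, today: date) -> None:
    """Replace every secret on the item with a fresh random value, dated today."""
    for f in item.fields:
        f.value = generate_answer()
        f.changed = today


# Constructed sample data: a hypothetical bank domain, made-up dates and questions.
OLD, BREACH, TODAY = date(2014, 4, 10), date(2014, 5, 21), date(2014, 5, 23)
QUESTIONS = ["Mother's city of birth?", "First pet's name?", "Favorite color?"]


def separate_logins_layout() -> list[Item]:
    """One Login item per security question, as the original poster had it."""
    vault = [Item("Example Bank", "bank.example",
                  [SecretField("password", generate_answer(), OLD)])]
    for q in QUESTIONS:
        vault.append(Item(f"Example Bank - {q}", "bank.example",
                          [SecretField(q, generate_answer(), OLD)]))
    return vault


def single_login_layout() -> list[Item]:
    """Answers kept as password-type custom fields on the one Login item."""
    fields = [SecretField("password", generate_answer(), OLD)]
    fields += [SecretField(q, generate_answer(), OLD) for q in QUESTIONS]
    return [Item("Example Bank", "bank.example", fields)]


def demo() -> tuple[int, int, int]:
    """(#flagged items, separate layout; #flagged items, single layout; #flagged after rotating all fields)."""
    separate_count = len(flagged_items(separate_logins_layout(), "bank.example", BREACH))
    single = single_login_layout()
    single_count = len(flagged_items(single, "bank.example", BREACH))
    rotate(single[0], TODAY)
    after_rotation = len(flagged_items(single, "bank.example", BREACH))
    return separate_count, single_count, after_rotation


if __name__ == "__main__":
    print(demo())  # (4, 1, 0)
```

    The consolidated layout produces one flagged item whose stale-field list still names all four secrets, so the maintenance saving is in bookkeeping, not in the number of values that are assumed exposed and therefore rotated.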

  • pinakion (Community Member)

    Thanks. That method makes a lot of sense and I think would be more useful for me.

  • Megan (1Password Alumni)

    Hi @pinakion

    I'm glad I was able to help! It took me a while to figure out the most useful way to manage security questions as well. Please do let us know if you have any other questions or concerns, we're happy to help :)

  • pinakion (Community Member)

    I'll tackle subsuming my current security question logins under their respective site logins over the next couple of weeks. But here's a thought, and I have no idea whether or not it's feasible. With things set up as I've had them so far, it was nice when you were on a site that had the usual login credentials plus several security questions to be able to hit ⌘-\ and then use the arrow and return keys to quickly select which item you wanted to pop into whatever box the cursor was in on that page.

    Now it seems that 1P allows just a single true password (whatever thing has the key icon next to it when you view the form details section) for any given site's login record. But what if, in the example above, you could designate the 3 "A"s to your security questions as "passwords," or password-like things? In other words, you could have just one BofA login record like the one above, but when you visited the site and hit ⌘-\, a menu appeared listing that site's various "passwords" from which you could quickly select the one you wanted entered. The regular login password might be selected by default, so you could just hit return, or you could use the arrow keys to pick whatever you wanted. Basically, from a user perspective it works pretty much the same as a setup with unique "logins" for each security question. But tidier, much easier to deal with when Watchtower flags the site, and (I think) just more sensible.

    Just a suggestion; perhaps there are a slew of technical issues that make that unrealistic.

  • Megan (1Password Alumni)

    Hi @pinakion,

    What you are suggesting is already almost possible. First of all, each custom field has the option to be saved as 'Text' or 'Password'. With the password option, these fields will be concealed behind dots (as mine are in the image above).

    Secondly, all these fields are easily accessible via the details in the 1Password Mini. When presented with a security question, you can use ⌘\ to open 1Password Mini, then use the arrow keys to navigate to the appropriate answer and hit 'Enter' to copy. It's not quite the same as you are suggesting, but I think it requires a similar amount of effort. (Of course, please let me know if I'm completely misunderstanding what you're suggesting here!)

  • Smudge (Community Member)

    @pinakion, one big technical issue is that the security question fields don't have unique IDs so 1P doesn't know which answer goes to the question being shown. For example, you log into a site where it shows 3 out of the 6 questions, you press ⌘\ and 1P would fill in the answer to your dog's name into the fields for your mother's city of birth and your sister's favorite color.

  • pinakion (Community Member)

    Hi @Smudge, I don't think that's quite what I had in mind. After Heartbleed was announced, I spent a weekend purging and pruning 1P; it had accumulated a lot of junk, and for months I had wanted to delete whatever accounts I could and reset the passwords for the others. So that was as good a time as ever. As it turned out, one firm, which used to be called W-2 eXpress (and is now called W-2 Management or some such thing), a company that basically manages the distribution of tax withholding statements on behalf of employers (if you're in the U.S., you know exactly what that is), required me to configure/answer 6 (yes, six!) security questions…

    [Hilarious sidenote: it turns out this operation is actually part of Equifax, one of the big 3 U.S. credit reporting agencies. So with all the information they have about me on their servers, it stands to reason that they might be extra cautious with the security hoops you have to jump through. But here's the best part: Forget the 6 security questions for the moment. What you're actually expected to provide at login are 2 items: (a) a 5-digit numerical employer code, and (b) a 4-digit numerical “PIN number.” As far as I can tell that was it! They set up this massive second line of security defense, but the first line depends on a string of 5 numbers followed by a string of 4 numbers… I am far from any kind of expert on these things. But does this not seem completely asinine to any reasonable person?!?]

    Anyway, before I changed everything I looked through the Agile Web site and came away with the notion that the best way to deal with these security questions was to simply set them up as unique logins (even if that isn't what they really are). So in this case, if I were to try to retrieve a W-2 form from these jokers and for whatever reason was asked to answer security questions, I'd just respond to the first one with ⌘\. It wouldn't auto-submit, however, because I identified the same domain for both the real login and all the security questions. Instead a drop-down would appear, with each of the various security question answers that I had set up, per Agile's recommendation, with the content of the security question included as part of its name/title. So if I was asked for the middle name of the person who bought the 2nd puppy from my dog's 3rd litter, I'd just hit the down arrow until the right question was highlighted in the menu and hit return. And voilà, I was in. (BTW all the answers were 30-character nonsense strings.)

    So my idea was not for ⌘\ to somehow understand the question and submit the right answer, but to drop down a menu of options for the given web site and give me the opportunity to select the appropriate one and hit return.

    Having said all that, the comments of @Megan above are pretty damn close to what I was thinking of. That setup will do just fine.

  • pinakion (Community Member)

    Sidenote #2: Anyone with doubts as to the kind of havoc these credit agencies can wreak through carelessness, pay attention to this must-read:

    https://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/

    Unbelievable.

  • Megan (1Password Alumni)

    Hi @pinakion,

    I'm so glad that my suggestions are alright for you.

    Also, many thanks for my morning giggle: "the middle name of the person who bought the 2nd puppy from my dog's 3rd litter" is probably the best security question I've ever heard! :D
