Does Watchtower also warn at hacked sites?

OLLI_S
OLLI_S
Community Member

Today I created a demo password vault and I saw that in the category "Watchtower" there is a warning for Ars Technica.
I think this is really an excellent feature.
Does this feature also warn me when websites/forums get hacked?

I remember that LastPass.com had "suspicious activity on our network" in 2015:
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
After that I convinced some friends to leave LastPass.
To test this, I went to LastPass.com, typed "test" in the username and also in the password and LastPass created an entry for me.
But this entry is not reported by Watchtower.

In my inbox I have an email from Trillian (a chat client I used in the past) telling me:
"On July 4th, 2016, a security breach and data disclosure related to a single server that powered the now-retired Trillian blog and forums occurred."
https://www.trillian.im/help/trillian-blog-and-forums-security-incident/?utm_campaign=website&utm_source=sendgrid.com&utm_medium=email
I 1Password I created a password for the URL http://forums.ceruleanstudios.com/
But 1Password does not warn me too.

Does Watchtower warn me when websites get hacked (and I should change my password)?
Why are the two issues reported above not reported?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • OLLI_S
    OLLI_S
    Community Member

    I started using 1Pasword some days ago, so I still have all my passwords in my old password manager.
    Today I created a demo password vault and I saw that in the category "Watchtower" there is a warning for "Ars Technica".
    I think this is really an excellent feature, when 1Password warns me when any website was hacked.

    In my email inbox I have an email from Trillian (a chat client I used in the past) telling me:
    "On July 4th, 2016, a security breach and data disclosure related to a single server that powered the now-retired Trillian blog and forums occurred."
    https://www.trillian.im/help/trillian-blog-and-forums-security-incident/?utm_campaign=website&utm_source=sendgrid.com&utm_medium=email

    In 1Password I created a new password for the URL http://forums.ceruleanstudios.com/
    Remember: in 1Password I have only 10 entries yet.
    After creating this entry I did not get a warning in Watchtower.

    If I understood this feature correctly then Watchtower warns me when websites get hacked or are compromised and suggests that I should change my password.
    So I expected that I get a warning for my Trillian Forums?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • AGAlumB
    AGAlumB
    1Password Alumni

    @OLLI_S: What Watchtower does is check the date of modification and compare it to the database with URLs of known website breaches (or in the case of Heartbleed, known vulnerable periods). So if you've updated your login information (or created it) since then, 1Password has no way of knowing the correct timeframe.

    It won't notify you when websites are hacked; rather, it adds it to the Security Audit section in the sidebar so it's easy to see all of the Logins you have for which a password change is recommended in one place. So if you look at that and there are new items added there, you'll know you need to take action.

    You can also search the database yourself and find more details at our Watchtower site. I hope this helps! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @OLLI_S: I've moved your other post here since it pertains to Watchtower in general. I hope my explanation above helps. If you just created a new login in 1Password today for a site which was compromised months ago, 1Password has no way of knowing that your password predates that. If we make that assumption, then anyone with a new vault will be told that all of the sites they have logins for which have ever been compromised are vulnerable and need to be changed, and that's not necessarily the case.

  • OLLI_S
    OLLI_S
    Community Member

    A colleague of mine told me today that Yahoo was also compromised:
    http://www.heise.de/security/meldung/Login-Daten-von-200-Millionen-Yahoo-Nutzern-im-Netz-3285330.html
    https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web

    In my OLD password manager (KeePass) my Yahoo account was added in April 2014.
    So I am definitely affected but will also definitely don't get a warning in 1Password.

    I decided to add all my data from KeePass manually in 1Password by letting KeePass log me in and 1Password store the new login.
    This way I have the information about the login fields.
    But this way all passwords will be stored with current date.

    Is there a way to change the modification date in 1Password?
    So I get a warning in 1Password.

  • @OLLI_S,

    Unfortunately there is not at present. I'll pass the feedback along to our developers though to see if we can come up with a solution for this situation in the future.

    Ben

  • OLLI_S
    OLLI_S
    Community Member

    I saw in the internet two security issues, that may be interesting for you (for Watchtower).
    Please check if they are relevant for you.

    Trillian Forums and Trillian Blog
    "On July 4th, 2016, a security breach and data disclosure related to a single server that powered the now-retired Trillian blog and forums occurred."
    https://www.trillian.im/help/trillian-blog-and-forums-security-incident/?utm_campaign=website&utm_source=sendgrid.com&utm_medium=email
    Affected URLs:

    Yahoo
    "Hacker Is Advertising 200 Million Supposed Accounts on Dark Web"
    https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web
    Affected URLs:

    I hope this information is useful for you


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Andrew_AG
    Andrew_AG
    1Password Alumni

    The Trillian leak didn't include any passwords. We only update Watchtower with password leaks, which is why we haven't updated it with this one.

    As far as Yahoo goes, we also only update Watchtower if a breach or leak has been confirmed by the company who owns the site. In this case, Yahoo hasn't confirmed anything, although we'll be keeping an eye on it.

    Thanks.

  • OLLI_S
    OLLI_S
    Community Member

    I really love Watchtower so I sent these two issues.
    And I am glad that you are aware of this.

  • Andrew_AG
    Andrew_AG
    1Password Alumni

    No problem. :)

  • dszp
    dszp
    Community Member

    I would really like a way to either edit the modification date, or (better, since I have a lot of passwords) have a way to "show all matches regardless of date" for Watchtower, since the way it works now makes it basically not useful for quite a while for users who come from another password manager by way of importing (depending on the import method), unless there are future breaches.

  • OLLI_S
    OLLI_S
    Community Member

    I also support the "show all matches regardless of date" suggestion :+1:
    Excellent idea!

  • Andrew_AG
    Andrew_AG
    1Password Alumni

    That is an interesting idea. I'll be happy to suggest it to our developers.

  • OLLI_S
    OLLI_S
    Community Member

    I have an additional question (maybe a new suggestion):
    Does the browser extension warn me when I visit a website where I would see a warning in 1Password?
    Do I get a warning when I visit a website that listed in the "Watchtower" section in 1Password (where a password change is recommended) or that is listed in the "Heartbleed" section in 1Password?

    It would increase the security a lot when I get a warning while I surf normally in the web that the website I am visiting had a breach and I should change my password.
    Or when I get a warning when some other vulnerabilities (Heartbleed) are existing on the website.

  • Does the browser extension warn me when I visit a website where I would see a warning in 1Password?

    If you edit the login in question through the browser extension you will see a warning, yes. But otherwise, no, not currently.

    Do I get a warning when I visit a website that listed in the "Watchtower" section in 1Password (where a password change is recommended) or that is listed in the "Heartbleed" section in 1Password?

    Simply visiting a page does not provide a warning, no, and that seems overly intrusive to me, personally. I certainly don't want 1Password popping up every time I visit a site that has been flagged.

    I could see perhaps offering a one time warning when filling a login that has been flagged. Would that help? I'd be happy to pass that suggestion along to our development team. :)

    Ben

  • OLLI_S
    OLLI_S
    Community Member

    @Ben A one time warning is better than nothing (it increases the security) so I would be very happy when you forward this suggestion to the developers.

  • :+1: :)

    Ben

  • OLLI_S
    OLLI_S
    Community Member

    @Andrew_AG

    As far as Yahoo goes, we also only update Watchtower if a breach or leak has been confirmed by the company who owns the site. In this case, Yahoo hasn't confirmed anything, although we'll be keeping an eye on it.

    Here is the official confirmation:
    https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security

  • Andrew_AG
    Andrew_AG
    1Password Alumni

    @OLLI_S

    I already added it earlier this afternoon: https://watchtower.agilebits.com/check?h=yahoo.com&port=443

    Thanks for the heads up, though. :)

  • alvaro87
    alvaro87
    Community Member

    I already added it earlier this afternoon: https://watchtower.agilebits.com/check?h=yahoo.com&port=443

    Hello,

    I think you should change how Watchtower works in this cases. I mean: I created my Yahoo! login items after the date you show on the website: 2015-01-01 (I created the login items in May). And that's why I think 1P is not alerting me about my Yahoo! passwords despite I have never changed them since I created my accounts more than 10 years ago.

    I know you have to establish a date from which 1P users will be alerted but this way Watchtower works does not work on scenarios like mine.

    Couldn't Watchtower show a message like: "On 22nd Sep. 2016 Yahoo! reported their systems were hacked. We recommend you to change your password if you haven't changed it since XXXXX"?

    I know this case is different because the data leak was 2 years ago and you have to make a decision about the date you send to Watchtower but I hadn't read the news I wouldn't have known that I should change my Yahoo! passwords.

    Regards.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @alvaro87: As far as how Watchtower works currently, we add the date of the breach if available or, in this case, use a placeholder date that covers it if an exact date isn't available: a "late 2014" breach means that anyone changing their passwords in 2015 or later is in the clear. 1Password, however, can only act on the data it has, so it cannot know that a password you've saved in it is actually many years older.

    And I'm not sure how we can make something like that actionable. It would be unnecessarily alarming, unhelpful, and annoying to have 1Password tell everyone who updated their Yahoo account with a long, strong, unique, randomly generate password yesterday that they need to change it again today just because a years-old breach was announced yesterday.

    I can't speak for you, but from my own experience I can say that any passwords I used 10 years ago were pretty weak and often reused... That's why I got 1Password in the first place! So when I started using 1Password, I started on my journey of changing my existing passwords to make them stronger, and also using awesome passwords for each new login going forward.

    And given Yahoo's (and the internet's) history, I think it's safe to say that you could stand to use a stronger password even if the one you chose 10 years ago was pretty good by the standards of the day, since their password criteria were pretty limiting, and even now the maximum is 32 characters.

    I guess what I'm saying is that this probably isn't a problem that 1Password can solve elegantly (the intersection of bad website practices and outdated passwords which predate 1Password's use), but rather one that each of us needs to address individually when we run into these edge cases, since this knowledge (of a 10 year old password, for example) is outside of the scope of 1Password's knowledge. But you're aware of it already, so you can do something about it.

    I'm not entirely sure if that's what you're suggesting, so I'd appreciate it if you can clarify that for me, in case I've misunderstood. We definitely want to make 1Password easy to use, and also help people see ways they can protect and improve their security wherever possible. :)

  • alvaro87
    alvaro87
    Community Member

    I've already changed the passwords though my Yahoo! accounts area used like disposable emails.

    I just wanted to "show" how the way watchtower currently works is not perfect.

    I know you don't want to alert users who actually wouldn't need to change their passwords but maybe a button like "don't warn me again until next data leak" could be fine.

    This is just an opinion ;)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Indeed. Watchtower certainly isn't perfect. While I don't understand why you'd need to do this if you've already changed it, perhaps we can add a way to dismiss the notifications in a future version. Thanks for the suggestion! :)

  • alvaro87
    alvaro87
    Community Member

    As I said before, I knew about the stolen data because I read the news. If I had relied on Watchtower only, due to how it works, I wouldn't have known about this case.

    I'm just saying that maybe 1P Watchtower could be improved in a way that users like me with these particular situations are not left without Watchtower warnings ;)

    Regards.

  • OLLI_S
    OLLI_S
    Community Member
    edited September 2016

    I know that 1Password looks up each of my password entries in the Watchtower database if the URL is affected.
    If yes, then 1Password looks when the password was changed last time (either the creation date of the entry or when I have really changed the password, other changes like comments or tags are not counting).

    I started using 1Password 2 months ago, so each password I add has the current creation date.
    But in my old password manager I have the real modification date that is older.
    So I have exactly the same problem (that Watchtower is not warning me).

    But as @brenty mentioned before: the password rules have changed.
    5 years ago many websites did not allow passwords longer than 15 characters.
    And some symbols like "#" were also not allowed.

    So for me I found a solution that is safe but that means a lot of work: change each password.
    I was lucky that I just had 20 entries in 1Password (trial version) so I changed these 20 entries and updated the passwords in 1Password (they now have in 1Password the real change date).

    For each password I "import" from my old password manager I do the following:
    Log into the website with the old password, so 1Password asks if the new login should be stored.
    Here I click "Yes".
    Then I change the password on the website with a new generated password and store the new password in 1Password.
    So I changed the password on the website and 1Password has the correct "modification" date.

    I know that this means a lot of work (especially when I have 400+ entries in my old password manager).
    But this is the most secure way, because I generate a new, more secure password this way and Watchtower has the correct "modification" date.

    Did you know...?
    In 1Password I see at the preview pane (below the password list) an preview of the selected item.
    Here I also see a "Password History" that shows me when the password was last changed in 1Password.
    So if I have no password history, I have not yet changed my password since I am using 1Password.

    Suggestion
    Maybe you add a column "Password Modified" so I can sort my elements by this column.
    Maybe this is also helpful?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited September 2016

    @alvaro87: I'm sorry to belabour the point, but I'm still not understanding why 1Password would need to tell you about a breach from 2014 if your password was changed more recently than that. I think that makes a big difference. It sounds like you're suggesting that Watchtower simply notify all 1Password users of any website breach, even if it does not affect them. I don't mean to hassle you about this, but I'm trying to understand exactly what you'd like 1Password to do which would be both helpful to you and others and also actionable. Thanks for being patient with me on this! :blush:

    @OLLI_S brings up a really important point: While changing every password isn't something I'd wish on anyone (and isn't something we recommend without good reason — hence Watchtower), in cases where 1Password cannot know the true origin of a password, I don't think it should be giving advice. And where 1Password doesn't have all the required information, it's useful to sort the list by "Modified" in 1Password for Windows (or select "Date Modified" under the search box in 1Password for Mac). Then we have a good human-friendly overview at least.

    This is sort of like a doctor who gives presumptive medical advice without knowing your medical (and family) history or running tests to determine your current condition. Similarly, this is kind of a black box that 1Password cannot penetrate, so we don't want it prescribing things that are either unnecessary or insufficient, giving the user an impression of authority that 1Password hasn't earned in those circumstances due to lack of evidence.

    This is similar to password strength. If 1Password itself has generated the password, it can make a reasonable assessment of its strength. However, when you enter the password yourself, even by generating it randomly using another piece of software, 1Password does not know this, so we don't want it to assume that something that looks random actually is random. It could just as easily be the first letter/number of multiple family members' names and birthdates — not very random!

    I may be completely misapprehending what you're suggesting though, so I'd appreciate the specifics on the change you propose to discuss with the rest of the team.

  • ariTech
    ariTech
    Community Member

    @brenty I didnt get a 1password notification on my iOS or Mac for yahoo data breach. Not sure if its because I recently added yahoo to my 1password. Thing is what I feel when a user adds a login to 1password, that doesnt mean the login is new. The password can be years old. I am not sure does 1password takes into consideration of a password was "updated" on the app recently or "added" recently. Just wanted to check that with you. Personally as a long time 1password user I think if a password is updated recently no point of any notification but if something is just created and not modified, giving a signal may be helpful.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ariTech: You're right. If your login was created or modified after the date of the breach, 1Password does not know if it in fact predates that. 1Password only has the data you've saved in it to go on.

    I'm not sure it's helpful (or appropriate) for 1Password to simply tell everyone who saves a new Yahoo login (in this example) that they need to change their password though. For most people, this will simply be false, and therefore confusing and rather annoying. If 1Password "cried wolf" like this to me, I wouldn't believe it the rest of the time it told me I needed to change my password for an account I'd only just signed up for.

    But I'm sure there are other solutions we can consider for this particular problem. Definitely a discussion worth having!

  • mohit01
    mohit01
    Community Member

    I am not sure if Watchtower works perfectly. It never alerted me during LinkedIn, Yahoo or Dropbox breach though my password was old during those breaches.

    Also website for Watchtower says that "1Password Watchtower is a service that identifies websites that are vulnerable to Heartbleed, and will suggest which sites need to have their passwords changed."
    https://watchtower.agilebits.com/

  • Hi @mohit01,

    The website certainly needs to have that text updated. Watchtower was originally born out of Heartbleed but has become about more than that. I can't think of a reason that it wouldn't have told you in the app about the breach in those sites. It's difficult to say retroactively what happened in a case like that. If you see something like that in the future can you let us know so that we can poke at it with you and figure out what's going on? If there's a bug, we'd certainly like to fix it.

    Rick

This discussion has been closed.