Watchtower after migration

Ruyven
Community Member

After reading through your blog and discussion forums, I finally took the plunge, got a 1Password subscription and moved all my passwords and secure notes there! They're chuffed to have found their final destination :chuffed:

One question: Watchtower seems like a great feature, but I wonder if it could help me get a list of potentially breached passwords without knowing the change date.
All my passwords show last week as last modified date since that's when I migrated them, so of course there's no way for Watchtower to know when I really changed them. But if I could somehow see a list of the last breach of every website in my list, I could just change passwords for every website with a known breach since the date I'm likely to have made the account.

Barring that, can you recommend any other resources for known password breaches? Or am I best off just changing all the passwords that previously lived in a different password manager?


1Password Version: 6.8.4
Extension Version: 4.6.12
OS Version: macOS 10.13.2 Beta
Sync Type: 1Password.com

Comments

  • AGAlumB
    1Password Alumni

    After reading through your blog and discussion forums, I finally took the plunge, got a 1Password subscription and moved all my passwords and secure notes there! They're chuffed to have found their final destination :chuffed:

    @Ruyven: That's so great to hear! I'm glad that you're enjoying 1Password! :chuffed:

    One question: Watchtower seems like a great feature, but I wonder if it could help me get a list of potentially breached passwords without knowing the change date. All my passwords show last week as last modified date since that's when I migrated them, so of course there's no way for Watchtower to know when I really changed them. But if I could somehow see a list of the last breach of every website in my list, I could just change passwords for every website with a known breach since the date I'm likely to have made the account.

    Ah, I see your point. Unfortunately it isn't really feasible for 1Password to compare all of your actual passwords to breach data. There are certainly ways of doing this, but one of our cornerstones is privacy — knowing as little about our customers as possible — and that precludes us doing the hard work for something like this on our server. It's definitely something we'd like to do in the future: have 1Password download a database to compare to your actual passwords locally on your own machine, but the necessary performance and bandwidth to make that a smooth experience are just not there yet.

    Barring that, can you recommend any other resources for known password breaches? Or am I best off just changing all the passwords that previously lived in a different password manager?

    Hmm. Good questions. I'd say that if your passwords are weak or duplicate (1Password for Mac can help you easily identify these) then changing them is the best thing you can do, even if they haven't been pwnd — or if you don't know...and I suppose none of us really do: you can't prove a negative.

    But in that spirit, Troy Hunt has a fantastic website which aggregates and makes searchable data dumps from website breaches, so you can easily search to see if a particular password (among other things) has been compromised:

    https://haveibeenpwned.com

    I have to say that it is always a risk entering passwords into a website like this, but Troy is well-respected.

    And I also recognize that this is exactly the thing I said we wouldn't do ourselves...but when you purchase 1Password we at least know a little bit about who you are, so it's extra important that we don't have information about which sites you visit or have accounts for, or what your passwords are. Even if we had no intention of using that information for evil, someone could steal it from us. So our plan is to not have it in the first place.

    So in that sense it's "safer" to enter some information on Troy's site since it is not associated in any way with you personally as far as he knows – you're just another visitor trying to check to see if you've been affected by one of the breaches in his exhaustive database.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Ruyven
    Community Member

    Wow, that's even better! I was thinking of searching by website URL, but haveibeenpwned actually let me find a couple of pwned accounts by email address.
    While I'm iffy about sending them my passwords, they actually offer their hashed password database for download, so I can compare them locally! Awesome!
    I agree that downloading 6 GB of password data in 1Password would be a bit much :)

    My plan is of course to change all weak and reused passwords as well, but now I can make sure to start with the ones that have potentially been leaked. Thank you so much!
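
Added example, not part of the original thread and not 1Password's or haveibeenpwned's code: the local comparison described in the comment above, run entirely offline. It assumes the downloaded file holds one uppercase SHA-1 hex digest per line, optionally followed by `:count`; the entry names, passwords, counts and file name are constructed.

```python
import hashlib


def sha1_hex(password):
    """Uppercase SHA-1 hex digest (assumed format of the downloaded file)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_breached(entries, hash_lines):
    """Map entry title -> breach count for passwords present in the dump.

    entries    -- (title, password) pairs from a local export
    hash_lines -- iterable of 'HASH' or 'HASH:COUNT' lines; an open file works,
                  so a multi-gigabyte dump is streamed, never loaded whole
    """
    wanted = {}
    for title, password in entries:
        # Reused passwords share one digest, so keep every title for it.
        wanted.setdefault(sha1_hex(password), []).append(title)

    hits = {}
    for line in hash_lines:
        digest, _, count = line.strip().partition(":")
        for title in wanted.get(digest.upper(), ()):
            # None means the line carried no count (assumed older file layout).
            hits[title] = int(count) if count.strip().isdigit() else None
    return hits


# Constructed sample data: entry names, passwords and counts are made up.
SAMPLE_ENTRIES = [
    ("Forum login", "password"),
    ("Old webmail", "password"),  # reused password
    ("Bank", "kV9#tq2!Lm-constructed"),
]
SAMPLE_DUMP_LINES = [
    sha1_hex("123456") + ":20",
    sha1_hex("password") + ":7",
    sha1_hex("qwerty"),  # line without a count
]

if __name__ == "__main__":
    # For the real download, pass the open file instead of the sample list:
    #   with open("pwned-passwords.txt") as dump:   # hypothetical file name
    #       hits = find_breached(my_entries, dump)
    for title, count in sorted(find_breached(SAMPLE_ENTRIES, SAMPLE_DUMP_LINES).items()):
        print(f"{title}: seen {count} times in breach data")
```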

  • Lars
    1Password Alumni

    @Ruyven - I'm glad brenty was able to help you! Troy's site is an excellent resource. For us, it's a bit tougher -- there's a lot more we could do if we didn't limit ourselves to knowing as close to zero about you as possible...but down that road lurk some serious dangers as well. Thanks for stopping by and come back anytime if you have questions or issues! :)

This discussion has been closed.