Watchtower --> Vulnerable passwords doesn't refresh when password changed?

TheDave
TheDave
Community Member
edited April 2023 in 1Password 7 for Windows

I discovered one site in my list was known to have been compromised. I went over to Vulnerable Passwords, enabled the feature and there it was, my password was compromised as expected. Went to the site, changed both my username (for reasons) and password (for security). Saved the new info into 1Password.

The item still appears in the Vulnerable Passwords list. On a lark I checked against @haveibeenpwned directly and my new password was not in the list.

It seems that this is a bit misleading, the item should immediately be removed from this view when the item's password is changed, or better, check the password and popup a big fat "Your new password is also compromised" modal warning if listed or remove it if not listed.

It also isn't obvious to me how I would recheck an item, or otherwise refresh the Vulnerable Passwords list so that I can move through this list like a todo list.


1Password Version: 7.1.566
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1Password.com

Comments

  • MikeT
    edited June 2018

    Hi @TheDave,

    Thanks for reporting this.

    I've just changed the password to one item that was vulnerable and it was immediately removed off the item list. It can take a few extra seconds for the app to finish syncing your item first and then checking with the third party service to see if it is still vulnerable. Although, we do have a separate issue where it throws you to the Logins category but that'l be addressed in a future update.

    1Password automatically rechecks the password every time you edit it and it does a whole database check once a week. There is no action needed on your part to recheck.

    If you exit 1Password and restart, does it still show it as vulnerable?

  • TheDave
    TheDave
    Community Member

    Yes actually, still there both before and after a restart (I don't know if it restarted in the last couple days). I checked again and my current password is not showing as vulnerable with haveibeenpwned.com.

    It's 16 characters, upper/lower/numeric with symbols, randomly generated by 1Password, so the odds of it being already in any database...

  • Hi @TheDave,

    If you create a new Login item with that same password, is it still showing up as vulnerable? I'm not able to reproduce this yet.

  • TheDave
    TheDave
    Community Member

    No. But I created two tests, one with the same password as the item I'm having trouble with, and another with the password Passw0rd! (which is definitely listed at haveibeenpwned.com/Passwords so I would expect it to show as a Vulnerable Password? And it did, (after a time, I'd guess a minute). Great. However, the original item still shows in the Vulnerable Password list.

    I compared against the web version and I do see what I would expect, the original site is no longer listed, nor is the first test item I created, but the test with Passw0rd! is listed. This confirms my expectations.

    Could it be that 1Password for Windows tried to check the new password, failed for some reason and doesn't retry?

  • Hi @TheDave,

    Could it be that 1Password for Windows tried to check the new password, failed for some reason and doesn't retry?

    That is possible. If you change the password twice for that item (a > b > a), did it fix itself?

  • MikeT
    edited June 2018

    Hi @TheDave,

    Before you update anything, please try this: select that specific item, then press F12 on it and scroll down to vulnerability check in the 1Password developer window that pops up.

    Can you tell me what it says at the end?

  • TheDave
    TheDave
    Community Member

    I haven't used this machine in a few days, but I checked today and the vulnerable password warning has now disappeared. "vulnerability check": "1529207826 (2018-06-16 21:57)".

    No changes to the item itself though: "updated": "1528579155 = 2018-06-09 15:19"

  • Hi @TheDave,

    Thanks for these details. That would most likely be the default weekly vulnerable check, so it updated properly.

    I am guessing your suspicion about it failing to connect and not retrying is the cause of it being stubborn, we'll double check that code and make sure it'd retry once or twice more with a delay.

This discussion has been closed.