1Password shows false haveibeenpwned.com report
Hi,
I am an old 1P 6 user and today I installed 1P7.
I tried the vulnerable passwords feature, but it seems that the reports are wrong.
I get several messages that I haveibeenpwned.com... but if I check the site directly, then I get the message "Good news - no pwnage found!".
Any idea what goes wrong?
Kindest regards,
Oliver
1Password Version: 7.1.567
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: 1password.eu
Referrer: forum-search:1Password shows false haveibeenpwned.com report
Comments
-
You went to haveibeenpwned.com and entered an email address? In that case, the site is reporting whether that email address has been involved in a breach and if so, which sites.
If I'm guessing correctly, what you are seeing in 1Password Watchtower is that your password (regardless of site, email address, etc.) is a password that is found in haveibeenpwned.com. In other words, someone else on this big planet has managed to create the same identical password, however unlikely (it's generally more likely than one would think). Of course, the reason you care, even if that password was not associated with one of your accounts, is that bad guys will use lists of known passwords to brute force attack other sites. So now, your previously safe password will be on everyone's "let's try this" list.
I got confused by this initially too. The wording in Watchtower could be clearer, emphasizing that the password is "out in the wild" not that your login for that site has been compromised.
0 -
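The distinction drawn in the reply above is between two different lookups on haveibeenpwned.com: the site's search box checks an email address against breached accounts, while a password-only check asks whether the password itself appears in the Pwned Passwords corpus, with no link to any account. The following is an added example, not 1Password's or haveibeenpwned.com's code, of how such a password check is done on the client side: the password is SHA-1 hashed, only the first five hex characters of the hash are sent to the Pwned Passwords range endpoint (the public k-anonymity API), and the returned list of hash suffixes is matched locally. The range response here is a constructed stand-in so the example runs offline; the `demo_lookup` function and the breach counts in it are assumptions for illustration.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for the SHA-1
# prefix 5BAA6. The real service returns one "<35-hex-suffix>:<count>" line
# per stored hash that starts with the requested prefix. These lines are made
# up for the example, except that the second suffix is the genuine SHA-1
# suffix of the password "password" (its count of 12345 is invented).
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form Pwned Passwords keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that leaves the device
    and the 35-char suffix that is only ever compared locally."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def demo_lookup(prefix: str) -> str:
    """Offline stand-in (assumption) for an HTTP GET of
    https://api.pwnedpasswords.com/range/<prefix>; unknown prefixes return an
    empty body, exactly as a prefix with no matches would."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def pwned_count(password: str, range_lookup: Callable[[str], str] = demo_lookup) -> int:
    """How many times the password appears in breach data (0 = not found).
    Note that the password never leaves this function in clear or as a full hash."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


def verdict(password: str, range_lookup: Callable[[str], str] = demo_lookup) -> str:
    """Wording that separates 'this password is out in the wild' from 'this
    account was breached', which is the ambiguity discussed in this thread."""
    n = pwned_count(password, range_lookup)
    if n == 0:
        return "Password not found in known breach data."
    return (
        f"Password seen {n} times in breach data. This says nothing about "
        "this particular account, but the password is no longer safe to use anywhere."
    )


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: {verdict(candidate)}")
```

The email search on the website and this password check answer different questions, which is why a clean result for an email address does not contradict a Watchtower warning about the password used with it.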
@Doctor: I'm sorry for the confusion. Unless I'm misunderstanding you though, it sounds like you're just running into an intentional limitation of the website. To protect from abuse with regard to privacy, it does not give all information unless you sign up and verify your email address. The website will not give you a full listing for everything matching the email address you enter there. Does that help?
0 -
The wording in Watchtower could be clearer, emphasizing that the password is "out in the wild" not that your login for that site has been compromised.
@rlh: While you're not wrong, I don't see the benefit of changing this. Sure it would be more semantically correct, but ultimately isn't an "out in the wild" password one that should be considered "compromised"? As you said yourself,
So now, your previously safe password will be on everyone's, "let's try this" list.
For that reason, I think it's important that it be presented this way. But let me know if there's a different angle I'm overlooking.
0 -
@brenty, I can't speak for @Doctor's interpretation but the first time I read,
"Vulnerable Password
This password has been compromised in a data breach according to haveibeenpwned.com. Change your password."
I translated "password has been compromised" to "account on this site has been compromised" in my mind. I know it's not what the words say. It made me panic a little bit until I figured it out. And I only think I figured it out because I was already very familiar with haveibeenpwned.com; if I wasn't I'm not sure how long it would have taken.
"Compromised" is definitely a call to action and that's what we all want here. But you can see that what your words literally say and what I (for a short while) took them to mean are dramatically different. Certainly the fault is mine.
However, there is a mixed message here. The title of the message says "Vulnerable" but the body says "compromised". The latter is FAR worse. The former is more accurate.
I just wish there was some brief, clear, unambiguous way to transmit the more subtle message of:
"This password you used for this Login is present in a list of compromised passwords associated with some other known data breach according to haveibeenpwned.com. It is no longer safe to use at ANY site now, and it is Vulnerable to attack on this site. Change your password."
But that's clearly too long! :) Hopefully, I'm the only customer who will ever be confused on this...
Maybe a broader suggestion for all the Watchtower items would be to include a pop-up help link of "What does this mean?" at the end of each message. There you could have a more detailed description of the risk and the steps you should take. (This is all pretty straightforward to those of us who have used 1Password for a long time and who are security minded, but I just added my mother to our 1Password Families account so am looking at everything through her eyes now.)
0 -
Haha, too long indeed! I agree with you that there's room for improvement, but since I haven't yet personally been able to think of something that's a good fit I'll leave it up to the real wordsmiths. I do like the idea of a "more info" link. :)
0