1Password on Mastodon

1Password shows false haveibeenpwned.com report

Community Member


I am an old 1P 6 user and today I installed 1P7.
I tried the vulnerable passwords features, but it seems, that the reports are wrong.
I get several messages, that I haveibeenpwned.com...but if I check the site directly, then I get the message "Good news - no pwnage found!".

Any idea, what goes wrong?

Kindest regards,

1Password Version: 7.1.567
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: 1password.eu
Referrer: forum-search:1Password shows false haveibeenpwned.com report


  • rlhrlh
    Community Member

    You went to haveibeenpwned.com and entered an email address? In that case, the site is reporting whether that email address has been involved in a breach and if so, which sites.

    If I'm guessing correctly, what you are seeing in 1Password Watchtower is that your password (regardless of site, email address, etc.) is a password that is found in haveibeenpwned.com. In other words, someone else on this big planet has managed to create the same identical password, however unlikely (it's generally more likely that one would think). Of course, the reason you care, even if that password was not associated with one of your accounts, is that bad guys will use lists of known passwords to brute force attack other sites. So now, your previously safe password will be on everyone's, "let's try this" list.

    I got confused by this initially too. The wording in Watchtower could be clearer, emphasizing that the password is "out in the wild" not that your login for that site has been compromised.

  • AGAlumBAGAlumB
    1Password Alumni

    @Doctor: I'm sorry for the confusion. Unless I'm misunderstanding you though, it sounds like you're just running into an intentional limitation of the website. To protect from abuse with regard to privacy, it does not give all information unless you sign up and verify your email address. The website will not give you a full listing for everything matching the email address you enter there. Does that help?

  • AGAlumBAGAlumB
    1Password Alumni

    The wording in Watchtower could be clearer, emphasizing that the password is "out in the wild" not that your login for that site has been compromised.

    @rlh: While you're not wrong, I don't see the benefit of changing this. Sure it would be more semantically correct, but ultimately isn't an "out in the wild" password one that should be considered "compromised"? As you said yourself,

    So now, your previously safe password will be on everyone's, "let's try this" list.

    For that reason, I think it's important that it be presented this way. But let me know if there's a different angle I'm overlooking.

  • rlhrlh
    Community Member

    @brenty, I can't speak for @Doctor's interpretation but the first time I read,

    "Vulnerable Password
    This password has been compromised in a data breach according to haveibeenpwned.com. Change your password."

    I translated "password has been compromised" to "account on this site has been compromised" in my mind. I know it's not what the words say. It made me panic a little bit until I figured it out. And I only think I figured it out because I was already very familiar with haveibeenpwned.com; if I wasn't I'm not sure how long it would have taken.

    "Compromised" is definitely a call to action and that's what we all want here. But you can see that what your words literally say and what I (for a short while) took them to mean are dramatically different. Certainly the fault is mine.

    However, there is a mixed message here. The title of the message says "Vulnerable" but the body says "compromised". The latter is FAR worse. The former is more accurate.

    I just wish there was some brief, clear, unambiguous way to transmit the more subtle message of:

    "This password you used for this Login is present in a list of compromised passwords associated with some other known data breach according to haveibeenpwned.com. It is no longer safe to use at ANY site now, and it Vulnerable to attack on this site. Change your password."

    But that's clearly too long! :) Hopefully, I'm the only customer who will ever be confused on this...

    Maybe a broader suggestion for all the Watchtower items would be in include a pop-up help link of "What does this mean?" at the end of each message. There you could have a more detailed description of the risk and the steps you should take. (This is all pretty straightforward to those of us who have used 1Password for a long time and who are security minded but I just added my mother to our 1Password Families account so am looking at everything through her eyes now.)

  • AGAlumBAGAlumB
    1Password Alumni

    Haha too long indeed! I agree with you that there's room for improvement, but since I haven't yet personally been able to think of something that's a good fit I'll leave it up to the real wordsmiths. I do like the ideal of a "more info" link. :)

This discussion has been closed.