Check for vulnerable passwords for only one vault?

Is it possible to run the new Watchtower check for vulnerable passwords against only one vault? I'd consider checking my home passwords, but I don't want to send even the first 5 characters of the SHA1 hash of my work passwords. The way I see it, those passwords don't belong to me and I should share anything about them with a third party API. As it is, I'm a little skeptical of the K-anonymity security model...

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • MikeT
    edited June 2018

    Hi @johngraybosch,

    Thanks for writing in.

    No, there isn't a way to enable Watchtower selectively, it is one for all model.

    You bring up good points but if the passwords doesn't belong to you, then you wouldn't have access to it. Not to mention, your passwords shouldn't be reused with anyone else and if it is, then it's already a security problem.

    As it is, I'm a little skeptical of the K-anonymity security model...

    What parts are you concerned about, we'd love to talk about it. Note that no passwords are ever sent, 1Password only checks a list of several passwords sent by the HaveIBeenPassword service that matches the 5-char hash. In other words, even if someone capture what list was sent back, they have no way of knowing what password you have and what it is for, all they see is a list of password that matches 5-char hash. There is not enough information to do anything useful with it.

This discussion has been closed.