Feature Request: Add an option to exclude passwords in watchtower

Watchtower defeats its own purpose.
I found that there is no way to exclude passwords from Watchtower. There will be some cases where I shouldn't need a strong password, where it doesn't matter if that password has been pwned, and for some accounts, I can only enter a 4-digit numeric code. If Watchtower doesn't allow me to exclude such passwords and always shows some numbers next to vulnerable passwords and weak passwords, I wouldn't notice even if my password is compromised, since it always shows some numbers.


1Password Version: 7.1.567
Extension Version: 1.8.1 (1Password X)
OS Version: Windows 10
Sync Type: 1Password default

Comments

  • MikeT Agile Samurai

    Team Member
    edited July 2018

    Hi @mr_nethead,

    Thanks for reporting this.

    We do have a known bug where we're not excluding PINs only for Weak Passwords and Reusable Passwords on Windows. As long as the item doesn't have a website, a 6 digit-only or less password should not be checked and is treated as PIN. This will be fixed in an update soon. In addition, we will be adding automatic cleanup tools where you may have redundant password items that were generated for a Login item that was saved.

    You can tag certain items like 2FA to remove it from Watchtower if it already has 2FA enabled outside of 1Password, and http if the site cannot be secured. We plan to do more in the future.

    Watchtower will continuously be iterated to improve its feature and to avoid noise as much as possible.

  • edited July 2018

    @MikeT Not just PINS (without websites), please add "exclude selected items from watchtower" option. As mentioned earlier some websites only allow 4 digit numeric passwords and not all of my accounts need complicated passwords like wifi passwords, it's easier to me to copy and paste a complex wifi password but not to my guests.

  • MikeT Agile Samurai

    Team Member
    edited July 2018

    Hi @mr_nethead,

    That option is being considered but nothing is confirmed for now.

  • +1 on this.
    My use case is when I'm storing WiFi passwords that I don't control. For example, a local restaurant who uses a weak password. I can't control what they use, and I want to store it, but I don't want to "dilute" the value of what WatchTower shows me by having something in the list I'm going to ignore forever.

  • MikeT Agile Samurai

    Team Member

    Hi @sevoff,

    Thanks for letting us know that. We do understand why there's a need for excluding certain items in various situations and we're looking for a way to do this that's sustainable for us.

  • +1 for this feature for the wifi password use case sevoff mentions above. How about another tag like pwneddontcare? :)

  • Greg

    Team Member

    @fergie: Thank you for chipping in!

    If we make ignoring that warning easy, it will encourage people to use weak passwords. We don't want to do that. It is a complicated feature to add and, as Mike mentioned above, we are looking for a way to do this. Thanks!

    Cheers,
    Greg

  • midknight32 Junior Member

    File me under yetanotherguy who needs to tell watchtower to exclude entries on a case-by-case basis.

    Between default passwords for routers and switches and copiers and other various entries, there are going to be passwords that are compromised, "re-used", old, or weak.

    I get it.

    Here's the thing - I want to fix the ones that are bad website logins, etc., but don't need to wade through a bunch of stuff that I already looked at and said "meh, can't change it."

    So I don't mind going through the list once to see what's legit, and what needs to be ignored, but then when I go through and watchtower is showing me "x" number of bad entries, I now have to go back through and figure it all out all over again.

    I could of course rename them all with "ignore" in the title so I know the second time but that's even more cumbersome than tagging and since I've got over 1000 logins that I already have a naming scheme for context, etc., screws that all up.

  • brenty

    Team Member

    Yep. Those are certainly good examples, and something we're considering as we evaluate what solution would be best before implementing it across more than half a dozen apps. Thank you for the feedback! :)

  • +1 for this request. I don't think not wanting to encourage people to use weak passwords is a valid reason. You're talking about users with a heightened sense of privacy and security who have made a conscious decision to invest time and effort into a secure password routine. Someone who activates the watchtower feature is likely to want to use it, not ignore it - except in certain cases when they have good reasons to do so. Grant your users the freedom to make that decision please. Right now, you're patronizing us and making that decision on our behalf.

  • MikeT Agile Samurai

    Team Member
    edited February 2019

    Hi @thejabok,

    As Brenty mentioned, we will improve this but we do not want to rush through this. We need to make sure adding more features to Watchtower does not confuse people, especially our customers that are using 1Password as the first password manager.

    We're not trying to patronize anyone nor make that decision for everyone but we're starting with the first iteration that helps everyone at the same time and then we will iterate on top of it when we hear about every edge case as to why certain items can't be fixed; but such iterations take time to do it right.

    Here's why this is very difficult to fix quickly, flagging an item as excluded requires all 1Password apps to be updated to know what the flag is and then we have to add more flags in time and maintaining support for various flags can be complex if we don't do it right.

    We did release 1Password 7.3 update that already ignores all items with a password that is 6 digits or less, as long as it doesn't contain a saved website, which means if you have items that are just holding PINs, they will not be monitored by Watchtower and thus, less work for you to try to exclude them. As we continue to cover each edge case, we'll look at better solutions.

  • jimthing
    edited February 2019

    I suppose one idea is a separate "Ignored" list in Watchtower, so those items the user has selected to ignore can still appear and be actioned upon in the future by the user within WT under that section, but they don't appear clogging-up the other WT sections – and the banner is removed/hidden somehow.

    Partially like how Apple allow you to hide previously downloaded iOS apps you don't want to see as available for re-download anymore. Until you go into the settings to re-enable them. But obviously it's more complicated.

    This gives 1P the 'we've told you' proviso, then leaving it up to the user from that moment to decide if they want to sort said item out or not.

    But the complication is when/if the conditions on said item change. I suppose they could reappear with a "Refresh"-type badge in their relevant warning section or similar, or perhaps some other smarter system. For sure, it's a hard problem to solve.
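
One way to model the two ideas discussed above, the PIN rule from the 7.3 update and an "Ignored" list whose entries come back when conditions change. This is an added example, not part of the thread and not 1Password's code; `Item`, the length-based weak check, the key and the sample vault are all assumptions.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

@dataclass
class Item:  # hypothetical vault item, not 1Password's data model
    id: str
    password: str
    website: str = ""

def is_pin(item):
    # Rule as described in the thread: digits only, 6 or fewer, no saved website.
    return item.password.isdigit() and len(item.password) <= 6 and not item.website

def findings(items):
    """Map item id -> set of finding names; the weak check is a stand-in heuristic."""
    reuse = Counter(i.password for i in items if not is_pin(i))
    out = {}
    for i in items:
        if is_pin(i):
            continue
        found = set()
        if len(i.password) < 10:
            found.add("weak")
        if reuse[i.password] > 1:
            found.add("reused")
        if found:
            out[i.id] = found
    return out

def password_tag(key, password):
    # Keyed HMAC, so the stored record is not a guessable bare hash of a weak password.
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()

def acknowledge(key, item, accepted):
    """Record what the user accepted: this exact password with these findings."""
    return (password_tag(key, item.password), frozenset(accepted))

def triage(key, items, acks):
    """Split findings into (active, ignored). An ignored item returns to active when
    its password changes or it gains a finding the user never accepted."""
    by_id = {i.id: i for i in items}
    active, ignored = {}, {}
    for item_id, found in findings(items).items():
        ack = acks.get(item_id)
        still_covered = (
            ack is not None
            and hmac.compare_digest(ack[0], password_tag(key, by_id[item_id].password))
            and found <= ack[1]
        )
        (ignored if still_covered else active)[item_id] = found
    return active, ignored

KEY = b"constructed-demo-key"  # constructed; a real key would live inside the vault
VAULT = [  # constructed sample items
    Item("door-code", "4821"),
    Item("airline", "4821", "https://airline.example"),
    Item("cafe-wifi", "latte2018"),
    Item("bank", "kV9#pLm2$wQx7!Rt", "https://bank.example"),
]
```

Because the acknowledgement is bound to the password and to the accepted finding set, an ignored Wi-Fi password stays quiet until it is changed or is later found reused, at which point it counts as a new alert rather than blending into a constant number.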

  • MikeT Agile Samurai

    Team Member
    edited February 2019

    Hi @jimthing,

    Yep, that's a great idea but that would require the same thing I mentioned before; a flag to be added to the item and all 1Password apps to be updated as well. So, your idea could end up being the better option because at least you get visibility without clogging them up with any banners or in other Watchtower categories.

    Thanks for your suggestions!

  • RyanE
    edited February 2019

    +1 for an ignore tag. I understand you don't want to lower the security but I actually think this is the opposite. When Watchtower is full of things I don't care about or can't change it becomes meaningless and I will ignore it. If I get used to always seeing 5 flagged by Watchtower I might not notice when it becomes 6 or 7 but if it were cleaned up and then one is flagged then I will definitely jump on it.

  • MikeT Agile Samurai

    Team Member

    Hi @RyanE,

    It's not about lowering the security or anything like that, it's about not making it too complex or confusing to use. Including everything is easier than excluding some and syncing these exclusions, so that you don't get confused as to why it still shows up on other devices. We'll improve this in the future once we figure out how we want to sync them.

  • I'll add a +1 for this feature as well. Not to add pressure or anything (no need to reply explaining why it's taking a while to implement; I get it), just wanted to give another use case. In my case it's because I have friends and family members for whom I'm de facto tech support, so I have some of their logins saved, and they reuse passwords. It'd be nice not to have them show up in Watchtower as I'm not going to pressure them to change their passwords.

  • brenty

    Team Member
    edited April 2019

    That's a good point. I'd say you're more than welcome to pressure us so long as you pressure them a bit too to stop reusing passwords. There's an app for that! :)

  • I have a question about this. When I create a new login with the password generator, it creates 2 entries: The password in the Password category and the login in the Login category. Watchtower flags these as a reused password which doesn't seem to make any sense. Obviously the created password is the same in the associated login. Is this intended behavior or am I missing something?

  • Greg

    Team Member

    Hi @gamma6,

    This is normal and intentional for the moment: when you generate a password with the help of a password generator in 1Password extension, it is automatically saved as an item in the Passwords category of your vault. It works as a backup plan, if you happen not to save a Login item you generated a password for. If you saved all of your needed passwords as Logins, it is safe to delete the passwords in Passwords category.

    In the future, in 1Password for Windows, we want to add an automatic cleanup function to remove any redundant password items after you create a new Login item with the same website/password combination as the password item.

    Let me know if it answers your question. Thank you! :+1:

    ++
    Greg

  • Hello! Is there any update on this? Can I now add a "knownbad" tag to exclude certain passwords (device defaults, wifi, etc) from watchtower? I really only want to see new things in watchtower.

  • Blake

    Team Member

    We don't have anything new to announce on this at this point in time, @j_son 😊

  • Bump, any updates? My AirMiles Canada account is flagged as weak because they will only allow 4-digit PINs. Not a critical feature, just annoying the developers a bit more. :)

  • bundtkate

    Team Member

    None at the moment, @spthomas. It's a bit of a tough problem because we do live in the real world where sites and services make some questionable decisions about passwords and there's nothing you, I or 1Password can do about it. On the other hand, there's still a very real danger to having such a weak password, even if it's not your fault and not by choice. In an ideal universe, sites would understand why this is a Bad Idea (tm) and thus not do it, but that is not the universe we live in and we need to decide how best to cope.

    The jury is still out on that best possible path forward, I believe, but I've personally found that I've come to appreciate those flags, even when I can't fix them. They remind me that this is a password in need of particular care and attention because it's at greater risk than others. I tend to check in on that account often and make sure nothing looks fishy when I see it in my weak passwords list. That said, I still think I'd prefer at least a snooze button so I know I've checked in recently so I wouldn't say you can fix everything with creative thinking.

    Anyway, as I said no news now, but it's something on our minds and we'll be sure to keep y'all in the loop if we are considering any changes more seriously. :+1:

  • laugher
    edited August 25

    I'm going to chime in and offer a slightly different perspective as a user. I am going to assume this is a vote for a "Ignore Weak Password" category.

    While I appreciate that people do look in the Watchtower and notice "numbers" next to some password entries, I've learnt from the very beginning to ignore the "Weak passwords" category as all my passwords created since then are "fantastic".

    The ones left in that "Weak passwords" category are all from sites or services that I have no control over. It may be because the site itself only allows 6 character passwords or it's a 4 digit PIN to a video conferencing meeting. It may be sites that still use PINs when they really shouldn't to authenticate users. FWIW, I've written to those site owners more than once to ask them to change their behavior. This list includes an online banking site and an airline site which is simply astonishing given the times we live in.

    So while I am living with the weak password situation, I generally do not review it very often because I do not need to or I cannot control the outcome. I'm not entirely sure why that's difficult to manage given I have over 1000 records in 1Password and only 40 of them are weak passwords. If anything, if you find yourself with a lot more than 40-50 count in weak passwords, then I suggest you start to lobby people to fix the situation where they can.

    From a technology perspective, I can fully sympathize with AgileBits' decision to slowly approach this problem with forethought. Introducing another parameter or field in the database may be simple on a user interface level but there may be implementation complications involved not to mention, architectural changes to how AgileBits want to take 1Password as well as any legal risks that may arise because of this change. For example, I can just imagine someone coming up very publicly after being compromised and blaming AgileBits for allowing her to mark something as ignore when they should be promoting better password practices in the first place. A core value in the 1Password product.

    I don't mind AgileBits marking PINs as what they are and create a new "PIN field" instead of having us store PINs in passwords but apart from that, I am not entirely convinced of the arguments being raised for this. I will continue to store that annoying airline company who continues to want to use PINs in the password field so it will continue to be flagged to me as a weak password. After all, it's the only secret that a hacker needs to figure out to get into that Airline profile or that bank account and see my credit history, passport numbers, travel history and the ability to transfer funds to payees without my authorization.

    I for one am going to -1 on this one if the notion is to allow us to mark any weak password to be "ignored".

  • Greg

    Team Member

    Hi @laugher,

    Thank you for chipping in!

    Indeed, we tread carefully in this area and do not want to add features to 1Password just for the sake of it. On the other hand, we do not want people to get used to ignoring Watchtower notifications, so it is a tough balance we need to strike here.

    Anyway, your point of view is really appreciated and we will continue looking at ways to improve 1Password. It is not always easy, but we want 1Password to get better every day. Thanks again! :+1:

    ++
    Greg

  • laugher
    edited August 25

    Perhaps I should clarify. I’m not ignoring it. I review it on a regular basis (fortnightly but to me that’s not often enough) as a to do to get people who do not understand the risks they expose users to when their sites don’t impose a more stringent password. I have sites in there that are from discussion forums and some gamer sites that I do not really care much for. But I do use the weak password list to review the personal profile information I have stored on them. It’s a really good compliance tool and it gives reminders regularly to ask myself these questions:

    1. Do I still use the site/service?
    2. If I do, what is stored on them that someone might want to steal?
    3. Do I need to remove sensitive data or request it to be deleted?
    4. Did I use my honeypot password on there to see what will bite? Or do I need to regularly change the 6 character password?
    5. Do I need to insert my honeypot email address on there so all phishing and spear phishing attempts end up in a heavily filtered inbox?
    6. Do I need to remind the site/service operators and owners of government or regional privacy policies they need to adhere to and the risks it carries if they do not introduce stronger passwords?
    7. Etc.

    So yes, on a day to day basis, I don’t look at it but on a regular basis I do review it and love finding out which sites and services I still have which do not understand security whatsoever.

  • bundtkate

    Team Member

    It sounds like you take my strategy a fair leap farther, @laugher, so my kudos for taking such an interest and a proactive approach towards these things. I like to think that if more folks stepped in as you are here and provided feedback to companies that make these sorts of choices, we might be in a better position today, but given how long passwords have been around and the very real threat to companies' reputations and bottom lines that come from poor password policies, there's another part of me that suspects I'm being overly optimistic. Regardless, doing something is better than doing nothing no matter how futile it might feel at times, so I definitely appreciate your outreach efforts.

    It's also awesome to learn about your approach. As I mentioned earlier, I do tend to keep a closer eye on these accounts (and get rid of any I don't need, even if that means swapping services), but there are those I simply have no control over and trying to remove personal information (where possible) is an amazing idea. It's one I'll need to adopt myself and it's great that you shared that approach with the folks here as well. :chuffed:

  • laugher
    edited August 25

    @bundtkate - I guess that's why AgileBits set up these communities. To bring like-minded people like myself together but also facilitate discussion from those who are not versed or who have a differing opinion to chime in.

    I agree and can understand no one outside of AgileBits reads through all the messages here. I was here in these discussion forums because I needed to verify whether it's safe to delete some redundant 1Password vaults but just happened to scan through the recent discussions and noticed this thread. By pure chance.

    I'm more than happy for you to tag me from time to time if there is a fundamental shift in the 1Password architecture however, I suspect people like Mr Goldberg will ensure the right architectural decisions are made within AgileBits.

    The other idea you folks may want to explore is to set up a panel for these sorts of discussions but a balance of time/effort needs to be made to ensure all parties can make the right levels of investment to topics. :)

  • Greg

    Team Member

    Hi @laugher,

    This is a public forum and everyone can join the existing discussions or start their own. :) We monitor them on a daily basis and answer all questions that our customers have. If the question requires attention from our security team, we surely reach out to them.

    If you have any other questions or ideas, please feel free to share them with us. Your feedback and 1Password experience is appreciated. :+1:

    ++
    Greg

  • Thanks Greg and understood. Cheers.
