Feature Request: Add an option to exclude passwords in watchtower

2»

Comments

  • GregGreg

    Team Member
  • Hi - I'm reviving this thread to vote for this feature as well. While I appreciate that the 1password team has to make judgement calls, I'm taking a firm stance by saying this: the inability for the user to manage WatchTower (WT) warnings significantly erodes the value of WT. I am an avid 1password fan (I've used it almost daily since 2010) and as such, I have LOTs of saved passwords. As my passwords have grown, I've stopped using watchtower altogether because I can't keep track of and manage the number of "weak" passwords. Regarding Greg's point to "not have users ignore watchtower warnings," I'm doing just that because I have so many false positive WT warnings.

    I offer 2 proposals for compromise as alternatives to a straight "ignore WT warnings":
    1) Add the ability to flag passwords in different manners. Here's an example, I have a Windows NT login that I use for multiple services (5 in my case) that show up in WT as reused passwords. These all use a shared OATH, but I want to autofill at different urls so these passwords will be track as "reused" forever. I'd be happy if I could mark these as "intentional duplicates" and remove them from WT. This is one example, but I have a total of 209 WT warnings. I would guess 90% of them are passwords that I don't want to change even though I am aware of WT's intentions. Allowing the user to tag them as "pins" & "intentional duplicates" & "forced weak password", etc. forces an intention from the user that warrants the feature.

    2) Add ability to "ignore WT warnings for X (12?) months." This still keeps the user savvy, and again, to Greg's concerns, it affords 1Password an excellent opportunity to "re-warn" the user about a potential bad password. I would be a happier 1Password customer if I could realistically check all of my WT warnings and I'd actually use it if I had the power to make the number go to zero. At 209, I'm helpless. I used to check WT monthly and now I've given up.

    In the end, I love 1Password and will likely use it forever, but I hope to see 1Password achieve world domination one day and this is a feature that will help get it there. Thus I urge the team to consider adding the ability to manage watchtower warnings.

  • ag_anaag_ana

    Team Member

    @nedbrush:

    Thank you so much for the feedback and for the kind words! :) I have also added your thoughts to the internal issue we are using to track this :+1:

    ref: dev/projects/customer-feature-requests#130

  • @nedbrush just FYI, you can add multiple urls to a single login item and it will fill at any of them. That way you can have a single login item rather than several.

  • ag_anaag_ana

    Team Member

    You are absolutely right @zchrykng, thank you for the tip :+1::)

  • So I am guessing, an ignore method hasn't been added for 6 digit and under items (which are all pwned)?

  • BlakeBlake

    Team Member
    edited December 2020

    Not at the moment, @Shawzborne -- our team is still tracking this internally, though.

    We will definitely relay things here once there are any changes made to this particular request, though!

  • shamiaoshamiao
    edited March 23

    I wonder is it a good idea to group unimportant items in the watchtower, instead of ignoring them?

    for example: create a tag (like not-watched, less-concerned) to mark them, and show in a group named 'Less concerned items'.

    This simply make the rest important items (which we have to clear the number ASAP) obvious, and without compromising of overall security.

  • ag_anaag_ana

    Team Member

    Thank you for the suggestion @shamiao!

  • Hi all, new user here but already loving 1Password. I would also like to upvote this comment, because would be really usefully to have a way to remove some passwords from monitoring. Can be a new field like "non-monitored password" or other solution, but would definitely reduce the noise.

  • ag_tommyag_tommy

    Team Member
  • john925john925
    edited May 24

    Hi, I'm also a new user and the problem of weak passwords I have no control over immediately made me think why isn't there a way to exclude these. I understand you don't want to encourage weak passwords but giving no control over this risks the opposite problem, people ignoring the weak password list. Even worse, non-technical people with a low tolerance for computer frustration are likely to decide this is too hard or tedious and go back to using the same password everywhere and scrap using a password manager at all. I worked in IT support at a university for 25 years and applications need to be both easy to use and never leave the end user feeling "I hate this." The "I hate this" feeling is especially bad if it looks like the UI could easily do what they want whether or not "doing what they want" is actually easy to implement.

    I really like @shamiao's suggestion to let end users move entries with weak passwords that can't be changed for whatever reason into a separate group. They would still be visible but wouldn't get in the way of seeing weak passwords that could be changed. I think the same could be applied to URLs with duplicate passwords that are really logging in to the same server and account. @zchrykng pointing out that it's possible to have more than one URL in a single entry helps, but I like having the name of the entry make it clear which URL I'm using. You could add an "are you sure" warning when someone moves an entry into the "acknowledged weak password" or "acknowledged duplicate password" group.

    This thread is close to three years old. I understand wanting to go slow enough to get it right, but that's a long time. I do appreciate that you pay attention to and respond to comments, so thank you for that.

    Edit: Thought I'd mention that I'm looking at password managers right now in order to recommend one to a friend who has a very low tolerance for computer frustration. Keepass was my first password manager and I've been happy with it for a very long time, but I know my friend would think it's terrible. I'm impressed enough with 1password to keep using it as my primary password manager past the trial period. I won't stop using Keepass but it'll be my backup.

  • I've tried using multiple URLs for a single login entry and it's awesome! Please disregard my suggestions about multiple entries for the same server/account combination in my previous comment.

    Thanks!
    John 8)

  • ag_anaag_ana

    Team Member

    Thank you for the update @john925 :)

  • How about a new password type field for weak passwords? Give the users the ability to change the type of a password field from "Password" to "Weak password", and items with weak passwords are not subject to weak password Watchtower alerts.
    This way users are always aware this is a weak password, but they are not annoyed by the meaningless Watchtower alert.

    I also have a bunch of weak passwords I have no control over, because these are set by a 3rd party. I cannot get rid of the Watchtower alerts, so this important feature has become meaningless for me - it weakens my awareness of weak passwords for passwords I myself have control over.

  • ag_anaag_ana

    Team Member

    @Tertius3:

    Thank you for the suggestion @Tertius3, noted! Although I think ideally we would find a way to do this without even having to ask you to use a separate password field.

  • Although I think ideally we would find a way to do this without even having to ask you to use a separate password field.

    A setting would be nice to disable checking the password against Watchtower. ;)

  • ag_anaag_ana

    Team Member

    :+1::)

  • Just came here to give my +1 to a feature like "exclude selected items from watchtower".
    And not only limited to passwords but also to exclude 2 factor authentication or Unsecured websites.
    For example I have my develop/company passwords in a vault which I have no control over.
    If i cannot disable these from the watchtower I am never aware of a new/really compromised watchtower problem.
    Hope you guys are activally looking into it because it feels like a must feature for Watchtower as it increased the awareness where needed.

  • BlakeBlake

    Team Member

    Thanks for sharing your use-case here @joeydriessen! 😊

  • Hi @joeydriessen, you can currently exclude 2 factor authentication sites by applying the 2FA tag and also exclude unsecured websites (http) from watchtower by applying the http tag. Hope this helps!

  • ag_anaag_ana

    Team Member

    Indeed @jdubar, thank you for the suggestion!

  • @jdubar Thanks this helps a lot! Are there also any tags for Vulnerable,Weak, Reused password ?

  • ag_anaag_ana

    Team Member

    I am afraid that there aren't other tags like that @joeydriessen at the moment, sorry.

  • Using an HTTP Tag to exclude items from Unsecured Websites really works well for me. The Tag is always in the navigation bar to remind me some items are excluded and I can just click it to view the excluded items. Could we have Tags to mark items to exclude from the other WatchTower checks? Be really nice if users could define the Tags but predefined would be OK.

  • BlakeBlake

    Team Member

    That's definitely something we've had folks show an interest in, in the past, but I can't quite guarantee this will be something that'll be added moving forward.

    That said, I'll definitely be adding your suggestions to our internal issue to make sure your voice is being heard. :smile:

  • You know what is frustrating? When people keep saying 'your voice is being heard' for years and years and then not actually doing anything. Which means one of three things:
    1. Your voice is not actually being heard, and the staff is lying to you, or;
    2. You are being heard, but completely ignored, or;
    3. You have been heard, but the decision has been made to never implement this feature. But the staff doesn't want to tell you this...

    So which is it?

  • BlakeBlake

    Team Member

    @donblanco

    While I do understand where your frustration comes from, changes to intentionally-designed features such as not being able to exclude Watchtower warnings isn't something we undertake lightly.

    While there have been multiple threads here in forums over the years regarding this particular feature request, admittedly, it's not something that's high on our priority list at this point in time. That said, just because it's not something that's on the top of our priority list right now doesn't mean that we're not listening to feedback, or are ignoring folks writing in to request this functionality.

    Part of the purpose for opening a feature request is to help us gauge interest. As additional people express their thoughts on the topic we'll add those voices to the request which will help us better understand if and when this is something we should be spending additional time on.

This discussion has been closed.