False warnings about password breaches

For many of my records, I get a warning stating:

VULNERABLE PASSWORD
This password has been compromised in a data breach....change your password

The problem is that many of these records are for passwords to local applications that aren't even connected to the internet. Why is 1Password telling me I've been breached and to immediately change the password? Is it just looking to see if whatever local password I'm using matches the "haveibeenpwned.com" database? If so, that's causing panic for no reason. Please advise, thanks very much.


1Password Version: 7
Extension Version: .2.576
OS Version: Windows 10
Sync Type: N/A

Comments

  • @FuriousFan: This is, indeed, checking against the Pwned Passwords database, but I wouldn't say it's causing undue alarm. That password has been breached. It may be a smaller risk to use such passwords purely locally, but if anyone were to access your device (unlikely as that may be), that password would be more vulnerable than one not previously exposed. This doesn't mean you specifically have been breached, of course, but it does mean that someone using that same password somewhere was and that the password is out in the world. That inherently makes the password weaker, regardless of where it's used.

  • FuriousFan (Community Member)

    I'm afraid I don't agree. There are millions and millions of passwords out there in the open. Trying one of these passwords against a website using my exact username is not a significant vulnerability. I spent several hours last night changing passwords only to eventually realize that a random user somewhere happened by chance to use the same "77TTvbv##!" password as me. That's not a vulnerability, just a coincidence. Your service should advise when there's a public match against the website+username+password. Anything else is just a false alarm. Thanks

  • Greg (1Password Alumni)

    Hi @FuriousFan,

    1Password integrates with Pwned Passwords database, so if one of your existing passwords has been leaked during one of the known breaches, we will show that warning. It is not safe to use that password, even if your username or email address is different.

    I would strongly recommend that you use unique passwords for each of your items in 1Password. Luckily, the password generator in 1Password can help you with that. Here is how:

    Change your passwords and make them stronger

    If you have any other questions, we are always here for you. Thank you!

    Cheers,
    Greg

  • FuriousFan (Community Member)

    Yeah, I do but I can't help it if someone else just happens by chance to use the same password. That's why I'm saying it's not a risk. Anyway, I know you folks won't agree so I'm just going to turn off Watchtower. Cheers

  • I can’t recommend that, but it is of course your choice. Cheers. :)

    Ben

  • FuriousFan (Community Member)

    Yeah, I've turned it off. The warning isn't helpful to me as I can't tell if my account's been breached or some random person somewhere has happened to use the same password on a completely different service. Cheers

  • AGAlumB (1Password Alumni)

    @FuriousFan: I think there may be some confusion over semantics here. I will be the first to admit it's confusing: translating this kind of thing is a pain! :lol:

    It's a fine line to walk linguistically, but there's a big difference between "Vulnerable Password" and "Compromised Login". The terms "vulnerable" and "compromised" are often used interchangeably in the media when talking about online security, so it gets a bit muddied. So we stick with "Vulnerable Password" and "Compromised Login" intentionally to try to make it clearer. We just don't have better words for these things in English (and many other languages), so we work with what we have. ;)

    The difference is that a password that is vulnerable isn't necessarily associated with a specific website that was compromised. A compromised login, on the other hand, is a known breach of a specific account at a specific website. And those are listed at the top with a ⚠️ warning notice because they're a bigger problem. That's how you can tell if your account has potentially been breached. But often lists of just the passwords themselves are passed around the internet, and used to great effect by malicious parties to try to break into people's accounts and data. 1Password shouldn't ignore these. They do not know in advance where an account is that could be accessed using one of these known passwords — therefore vulnerable, as opposed to a unique password that is secret, like it should be — but that doesn't matter: often it's just a matter of going through the list one by one and trying them, with the aid of computer automation. So while perhaps less concerning than an actual account breach, there's definitely still risk to using a known password.

    I'm sure you know that, but I think it's important to put this in context: 1Password doesn't have any way of knowing that a vulnerable password — one that was used elsewhere, stolen, and now known by all — is used for something you care about deeply, something of less concern, or for something largely irrelevant to you, security-wise, such as the password to a secondary wireless network you use only for IoT devices, to separate them from the rest of your home or business network to maintain good security hygiene. Similarly, it doesn't make judgement calls about your login for an internet cooking forum versus your bank's website. It simply tells you when a password you are using is unsafe to use because it's known to the bad guys. It also doesn't tell you how to prioritize addressing these issues — or whether to at all. Since it's your digital life, that's your call. Its job is to inform.

    So while you may not be using a particular vulnerable password for something that makes it a concern for you, it's a risk nevertheless, only a matter of degree. It's not a "false alarm", but it's your prerogative to treat it as such if that makes sense for you. After all, you could have a password saved in 1Password that proves to be vulnerable, but you may not even use that password for anything any more and simply have neglected removing it. Rather than panic, it's best to evaluate each of these on a case-by-case basis. After all, there may be something much more critical to you that needs to be addressed, and then it would be best to address that first. We would like to give people more tools to manage this sort of thing in the future though, so thank you for bringing it up. :)
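The two Watchtower categories described above, worked through as an added example that is not 1Password's code or part of the thread: a constructed stand-in for the Pwned Passwords corpus and a constructed breached-site list are embedded inline, and the lookup follows the real Pwned Passwords range-query shape, where only the first five hex characters of the SHA-1 ever leave the client. Names such as `LEAKED_PASSWORDS`, `BREACHED_SITES` and `classify` are this example's own.

```python
import hashlib
from collections import Counter

# --- Constructed stand-in for the Pwned Passwords corpus (not real data) ---
# Each leaked password maps to how many times it appeared in known dumps.
LEAKED_PASSWORDS = Counter({"77TTvbv##!": 1, "password123": 3, "qwerty": 2})
# Constructed list of sites with a known account-level breach.
BREACHED_SITES = {"cookingforum.example"}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix: str) -> dict:
    """Simulates the Pwned Passwords range endpoint: given the first five
    hex chars of a SHA-1, return {suffix: count} for every stored hash that
    shares the prefix. Neither the password nor its full hash is sent, which
    is what keeps the real lookup k-anonymous."""
    assert len(prefix) == 5
    result = {}
    for pw, count in LEAKED_PASSWORDS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            result[h[5:]] = count
    return result

def pwned_count(password: str) -> int:
    """Client side: hash locally, send only the 5-char prefix, then match
    the remaining 35 hex chars against the returned suffixes."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)

def classify(site: str, password: str) -> str:
    """Mirror the two Watchtower categories discussed in the thread."""
    if site in BREACHED_SITES:
        return "compromised login"    # known breach of accounts at this site
    if pwned_count(password) > 0:
        return "vulnerable password"  # the password itself is on a leaked list
    return "ok"

if __name__ == "__main__":
    for site, pw in [("cookingforum.example", "sTr0ng-unique"),
                     ("localapp", "77TTvbv##!"),
                     ("bank.example", "Z9!uniqueNeverLeaked")]:
        print(site, "->", classify(site, pw))
```

The local-application record with a leaked password lands in the weaker "vulnerable password" bucket, while the breached site is flagged as a "compromised login" regardless of how strong its password is.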

  • FuriousFan (Community Member)

    Yup, you get it. For now, I'll keep the service off. I don't re-use passwords and keep a close watch on the industry alerts. Thanks

  • AGAlumB (1Password Alumni)

    Sounds reasonable. Cheers! :)
