Feature: Weak Passwords

I know that y'all have had posts requesting this feature before. I saw it in the Mac forum, I think. I was going through updating sites on old passwords, and obviously the first thing I click on is weak passwords, because even though I know what it is I cannot help myself.

Almost all of my weak passwords are network switches that are only accessible internally.
I know the discussion has probably been: if we implement this, are we doing a disservice to the users? What if they ignore one that does matter?

All my switches' direct management is accessed at https://10.10.10.10 (direct IP)

What if you added an option to ignore items that fall within a private IP space that aren't routable on the public internet?

This was just a morning passing thought, so by no means have I completely thought through the implications, but the good thing about having a forum is many heads could think of issues that could arise from something like this.

Anyway, I would love to hear people's thoughts on something like this.


1Password Version: 7.7
Extension Version: 810
OS Version: Windows 10 21H1 / OpenSuse
Sync Type: Cloud

Comments

  • Hi @xotan ,

    This is an interesting idea, and it raises questions we care a lot about!

    Regarding the network: should you be able to exclude items that fall within a private IP space? What if an organization that uses similar private IP ranges has high security requirements, or operates on a zero-trust model? My feeling is that delineating that kind of thing in Watchtower specifically might do more harm than good.

    However, I can see an argument for being able to disable Watchtower alerts for certain passwords you choose, though. For example, some websites actually (sigh) require weak passwords, and some devices require short PINs, which in all other contexts would be considered weak and something you want to change ASAP. What to do about this?

    This is very much an ongoing conversation here. Maybe the best long-term answer is to allow a user to manually specify which alerts they want to disable, and for how long. Or maybe it's better not to allow that kind of option at all, because if someone's bank requires a weak password, 1Password can help by at least reminding you that that's a point of vulnerability.

    Ultimately, we want the Watchtower alerts to be accurate, actionable, and salient - and we 100% welcome your input (and the community's) on what that might look like as we go forward.

    Thanks for opening up this discussion. I'll be very interested to hear what more you and others here have to say on the topic!

  • Tertius3
    Community Member

    I work for a worldwide company, and its worldwide company intranet, running with 10.x.y.y addresses, is operated with roughly the same security policy as you would have for internet hosts. In other words: it is mandatory that hosts within the intranet must be as secure as if they were directly exposed to the internet. The intranet is considered only a bit less hostile than the internet itself; it's not considered as friendly and secure.

    So passwords used within the private network range must be as strong as passwords that are used for internet hosts.
    Another thing against excluding private network ranges from password checking: 1Password cannot know if a host is accessible from the internet with NAT or port forwarding. The same host you can connect to as 10.10.10.10 might be accessible from a public IP if this is configured on some NAT router exposed to the internet, so it's ok if weak passwords are reported.

    The only viable way I see is the ability to manually flag a weak password as "risk accepted for weak password" and make it vanish from Watchtower if flagged as this. I assume such functionality has not been added until now, because some people would just flag all their weak passwords to make them go away as alerts without actually realizing the risk. In my opinion, this is too much care and attempt to protect the user from himself.

  • Thanks so much for sharing your perspective, @Tertius3! You raise a really good point - 1Password doesn't know the particulars or implications of the data it has stored (beyond locally comparing URLs against a compromised website database). It's because of these varied circumstances and use-cases that something like Watchtower warnings need to be well thought-out and, as Peter put it, "accurate, actionable, and salient". Thanks again for sharing! :smile:

  • palpie
    Community Member

    I have the garage code at my work as a warning, and some other places where I can't change the password.

    It's possible to hide 2FA notice by tagging with "2fa". The same method could be used to hide warnings for weak passwords.
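
The per-item approach raised in this thread (a tag that hides the weak-password warning, an accepted-risk flag, and a limit on how long the alert stays disabled), sketched as an added example that is not part of any post and is not 1Password's code. The tag name, the `Item` fields and the sample entries are hypothetical; a private IP address alone never hides an alert here.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical tag name, modelled on the "2fa" tag mentioned in the thread.
ACCEPT_TAG = "risk-accepted-weak"

@dataclass
class Item:
    title: str
    url: str
    weak: bool                              # strength check done elsewhere
    tags: set = field(default_factory=set)
    accepted_until: Optional[date] = None   # when the acceptance lapses

def is_private_host(url: str) -> bool:
    """True when the URL host is a literal IP in a non-public range."""
    host = urlsplit(url).hostname or ""
    try:
        return ip_address(host).is_private
    except ValueError:                      # DNS name or empty: unknown
        return False

def weak_password_alerts(items, today: date):
    """Return (title, note) for every weak item that should still be shown."""
    alerts = []
    for it in items:
        if not it.weak:
            continue
        accepted = ACCEPT_TAG in it.tags
        if accepted and it.accepted_until and today <= it.accepted_until:
            continue                        # explicit, unexpired decision
        if accepted:
            note = "acceptance expired or has no end date"
        elif is_private_host(it.url):
            note = "private address, still reported (NAT/port forwarding unknown)"
        else:
            note = "weak password"
        alerts.append((it.title, note))
    return alerts

# Constructed sample entries.
SAMPLE = [
    Item("Core switch", "https://10.10.10.10", True),
    Item("Garage code", "", True, {ACCEPT_TAG}, date(2022, 1, 1)),
    Item("ISP router", "https://192.168.1.1", True, {ACCEPT_TAG}, date(2021, 6, 1)),
    Item("Bank", "https://bank.example", False),
]
```
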

  • ag_ana
    1Password Alumni

    Thank you for the suggestion @palpie :+1:

  • GHB
    Community Member

    Hi, I'd just like to add to the desire to be able to exclude Watchtower warnings related to weak passwords. Indeed, I have some where I'm not able to use something as strong as I would like, but if these populate the list in Watchtower it makes me kind of skip the list, and that way I might miss an unintentionally weak password. So it would be very welcome to have the option as suggested above by @Tertius3: "The only viable way I see is the ability to manually flag a weak password as "risk accepted for weak password" and make it vanish from Watchtower if flagged as this."

  • Thanks for taking the time to add your voice to this issue @GHB 💌

  • anthony0030
    Community Member

    I have the same problem.
    Our ISP's routers here in Greece fail easily.
    Our ISP ships us a new one, and the username and password are underneath; you plug them in and they get the settings automatically.
    It is hard to guess the password on them. I want a way to ignore them, so when I see there is a problem with Watchtower I know it is something serious and not my router passwords, because over time I have become blind to the warnings. Also, some passwords that are for PPPoE get set by the ISP and can't be changed by the end user.

  • Hi @anthony0030:

    Thanks for your input! I've added your feedback to the discussions my colleagues mentioned above. We wouldn't be here without feedback from customers like you, so thank you again!

    Jack

This discussion has been closed.