Feature Request: Password Change Advisory [added: Watchtower]

Solipsism
Community Member
edited May 2014 in Mac

Heartbleed has affected us all, and while 1Password has been a great help in keeping track of which passwords we've changed, it was not helpful in knowing which passwords needed to be changed. First, the site had to be using the right version of OpenSSL to be affected, but you had to wait until they updated their SSL before it was worth changing.

It would be awesome if 1Password 5 could keep a public database of sites that have 1) been hacked (like Target a few months ago) and 2) where a major security hole was found (like Heartbleed).

1Password could then, periodically or at your request, grab that DB file and then cross-reference it (locally) to your login items that match the list of URLs. Any matches then get two dates checked: one in your 1Password DB to see the last time you changed the password, and the other being the date the hole was plugged. If the date of your 1P DB login is older than the date of the DB file it downloaded, then you get a request to change that password.

This would mean someone who has a Target account would know to change their password even if they didn't hear about the intrusion via the media. Or, if xyz.com has finally plugged their Heartbleed issue two weeks after it was discovered, it will notify the customer that they should change their password.

I think this could be a value-added service for 1Password to maintain their lead over the competition, as well as be a public service to others that don't quite understand why they need a password manager in the first place, which I think would lead to increased sales.

Thank you for your time.

Comments

  • Jasper

    Hi @Solipsism,

    Our new 1Password Watchtower service will be integrated into 1Password soon (hopefully version 4.3.1). It will do almost exactly what you described. :)

    The integration is currently available in the beta version. It'll look something like this:

  • Solipsism
    Community Member

    Thanks for the quick reply, JasperP.

  • Jasper

    You're welcome! Please let us know if you have any other questions. We're always here to help! :)

  • GCB12
    Community Member

    Hi guys, I am not even sure if this is possible, but will we then be able to change the passwords from within the 1Password App? This would be a killer feature!

    For example, I have loads of duplicate passwords. And I know I have to change them all. It would be so convenient if this could be done from within 1P.

    And maybe for a future-future-feature request: auto update passwords on set intervals would be awesome ;)

    Love to hear your ideas!

  • Solipsism
    Community Member

    1) Each site has its own location and protocols for changing a password (which can change without notice) so I don't think that would be possible. I think the best you could hope for would be a WebView in the app, like they have with the iOS app, but that's not really a convenience on the Mac app when you can simply click the Open and Fill button.

    2) 1Password did feel a little overwhelming when I first started using it because I did have an excessive number of duplicate, weak, and old passwords to convert. I just did a handful a day (which I set up as a daily calendar reminder) until they were all changed. It took no more than a couple minutes every day and soon enough all my passwords were strong and unique.

  • steven1
    Community Member

    Hi @JasperP

    I really do not like the trend of 1pw making more and more direct connections to the net...

    When you do "integrate" watchtower into 1pw you will essentially know all the websites I have passwords on and the IP where I live. It really feels more and more like you are becoming the "google of passwords" (rich pw icons, watchtower, etc. Give me an option outside my vault/1pw to achieve these things). Yes you claim to not do any evil (so did google), but 'features' like this continue down that path. Further, you enable such 'features' by default.

    Sigh...may need to go back to keypass!

    PLEASE think carefully about the types of features you integrate and be open about them and make the defaults cater to the more security minded.

  • MikeT

    Hi guys,

    @steven1:

    When you do "integrate" watchtower into 1pw you will essentially know all the websites I have passwords on and the IP where I live.

    No, we won't know all of your websites because of Watchtower. 1Password only needs a connection to download the vulnerability database file into the app's data folders. Once the database is extracted, 1Password uses that to compare your data with and show you the matches. For example, the database would say something like google.com|cert updated|password change required. 1Password then scans your local database for all items with google.com, and then puts them in the Watchtower service.

    Again, this is optional and you don't have to turn it on; it is actually turned off by default. When you click on the Watchtower on the sidebar, it should then show you a message to enable it if you want. Here's the message we show in the Preferences:

    Note the highlighted area, we explained your database is not uploaded to us at all. I'll check with the team to make sure we don't turn this on by default unless we prompt the user first like in the Welcome Tour.

    @GCB12:

    Hi guys, I am not even sure if this is possible, but will we then be able to change the passwords from within the 1Password App? This would be a killer feature!

    Unfortunately, this isn't feasible, and not to mention, it could be easily mistaken as a security attack on the websites to see an app changing the password automatically and randomly.

    There are no internet standards to let apps change the site's password; each site has its own unique method of doing this, so this wouldn't work too well.
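The local cross-reference described in this thread (download an advisory list, match it against vault URLs on the device, compare the password's last-changed date with the date the hole was fixed), as an added example that is not part of the thread and not 1Password's or Watchtower's code. The three-field feed layout with a fix date, the `.test` domains and all function names are assumptions made for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed feed: domain|status|date the hole was fixed (empty = not yet).
FEED = """\
example-shop.test|breach|2014-01-10
xyz.test|cert updated|2014-04-22
stillbroken.test|vulnerable|
"""
# Constructed vault entries: (title, URL, date the password was last changed).
LOGINS = [
    ("Shop", "https://www.example-shop.test/account", date(2013, 11, 2)),
    ("XYZ", "https://xyz.test/login", date(2014, 4, 25)),
    ("NotXYZ", "https://notxyz.test/", date(2012, 1, 1)),
    ("Broken", "stillbroken.test", date(2014, 4, 9)),
]

def parse_feed(text):
    """Return {domain: (status, fixed_on or None)}; malformed lines are skipped."""
    feed = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0]:
            continue
        try:
            fixed_on = date.fromisoformat(parts[2]) if parts[2] else None
        except ValueError:
            continue
        feed[parts[0].lower()] = (parts[1], fixed_on)
    return feed

def host_of(url):
    """Hostname of a stored URL, tolerating entries saved without a scheme."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def advise(logins, feed):
    """Match vault entries against the feed locally; nothing leaves the machine."""
    out = []
    for title, url, changed_on in logins:
        host = host_of(url)
        for domain, (_status, fixed_on) in feed.items():
            # Exact host or subdomain only, so notxyz.test never matches xyz.test.
            if host != domain and not host.endswith("." + domain):
                continue
            if fixed_on is None:
                out.append((title, "wait: site not fixed yet"))
            else:
                out.append((title, "change password" if changed_on < fixed_on else "ok"))
    return out
```

The only network traffic in this model is the feed download, which is the same for every user; the list of matching sites is computed and kept on the device.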

  • Solipsism
    Community Member

    Loving Watchtower!

    I hadn't realized I had so many passwords that needed changing.

  • Jasper

    Awesome! I’m glad to hear you like our new Watchtower integration! :)

This discussion has been closed.