[Feature Request] - Ability to exclude weak passwords from WatchTower

bradpinkston
Community Member

Please provide the ability to exclude weak passwords from WatchTower tests with tags the same way that you can exclude 2FA and https logins.


1Password Version: 7.2.4
Extension Version: 4.7.3.90
OS Version: 10.14.2
Sync Type: my.1password.com

Comments

  • Hi @bradpinkston,

    We are looking at how we can best address the exclusion of certain items from certain aspects of Watchtower. Thanks for the feedback.

    Ben

  • bradpinkston
    Community Member

    Thanks Ben. I just converted from LastPass and finished randomizing my passwords last night, so I have quite a few observations I'm posting about today. Really happy with the conversion.

  • That's great to hear, thanks @bradpinkston. :) Some of the use cases we've heard for such exclusions would be:

    1. Passwords that are owned / controlled by someone else (i.e. you can't change them)
    2. Password fields that are used to store things like PIN codes, which are always going to be rated weak

    If you have others we'd be interested to hear them. Better understanding why folks want the ability to do this may help in formulating a solution.

    Ben

  • staze
    Community Member

    Just wanted to chime in that yes, both 1 and 2 are the issues I'm having. One is a vendor login to their support site that's intentionally easy "letmein". The other is a master PIN to my door lock. It's 8 digits, so 1Password doesn't see it as a PIN, so it just says it's weak. =(

  • Lars
    1Password Alumni

    @staze - thanks for letting us know. We'll add your use-cases to what we've already collected. :+1:

  • TSzabo
    Community Member

    I was thinking about this problem; I have a few scenarios where passwords fall under this category:

    • Passwords I don't control (public wifi passwords, other 3rd party managed, etc.)
    • Passwords with severe restrictions (pins, lock combinations, etc.)
    • Passwords are duplicate (some auto-fill edge cases with related accounts, also occurs with some weak 3rd party credentials)

    It occurs to me that there's still value in knowing they have an issue, so I don't want to suppress Watchtower altogether - but I would like to acknowledge that particular case so I can use Watchtower's indicators to track things I need to respond to.

    For 2FA that is handled outside of 1Password an entry can be given the tag "2FA" to suppress the "Inactive 2FA" warning. At this point it looks like there's need to allow this to be scaled slightly.

    I propose an ability to configure suppressed tags for Watchtower such that I can suppress "Weak Passwords" and "Reused Passwords" for anything tagged (for example) "3rd Party Issued", "Known Weak", "Publicly Known", etc. as my use case requires. This also allows for auditing to be done from looking at the tags. It'd be particularly handy to have each Watchtower category suppress independently.

  • AGAlumB
    1Password Alumni

    @TSzabo: Those are some really thoughtful points. Indeed, we haven't done something like this yet because there is value in being notified in those instances, but also because something like using a tag does not scale well in the long term and we don't want to abuse that feature further, but rather come up with a solution that will allow for flexibility for this specific case but also others, across all of the apps. Thanks for taking the time to comment here.

  • jsnt
    Community Member

    What is the status update on this request? Is it closer to being added?

    I understand that adding tags is not ideal and prone to user error, but the use cases are strong and most of us have some accounts or devices that have to have weak passwords.

    Alternative options to simply using tags:
    1. Add a switch to bypass the warning. It would require a switch per condition: weak, 2FA, repeat, etc.
    2. Add a category (like Passwords or Logins) that is clearly limited to weak passwords, or that it will ignore the weak password warning. The downside is that it won't deal with repeats, 2FA, and other warnings.
    3. Use tags to bypass the warning in the Watchtower, but leave the warning on the detail of the object to remind the user of the condition. (preferred)

    If it has not been stated before, the main purpose for someone to want to turn off the weak password warning is to get rid of the ones you can't touch so you can focus on the ones you can fix. I would like to leave my weak password list empty for the items I control. If I also have the ones I can't control in that list, the number of outstanding weak passwords becomes meaningless and prone to be ignored, therefore defeating the purpose of promoting the use of complex passwords.

  • @jsnt

    We don't publish a roadmap or have a public bug tracker, so there isn't really a way to say when any given feature might be worked on or included in the offering. I realize that may not be a very satisfying answer, but it has always been our policy that we'd prefer to under promise and over deliver than the opposite. Pre-announcing features has definitely bit us before. We've gotten to the point where we're about ready to release something and find some game changing bug or the landscape shifts and we're unable to ship it. As such, we keep all such plans very close to the chest. Even within the company we don't always know exactly what is being worked on.

    > If it has not been stated before, the main purpose for someone to want to turn off the weak password warning is to get rid of the ones you can't touch so you can focus on the ones you can fix.

    And we do certainly understand that. We'd prefer to have Watchtower provide customers with actionable feedback, otherwise it can easily become "the boy who cried wolf" or similar.

    Ben

This discussion has been closed.