Possible Watchtower problem

LarryMcJ Senior Member

While I've never encountered a problem with Watchtower, I think I just found one. For many years I've had a patient portal account with a local health and hospital venue, and their IT department is fully managed by cernerhealth.com. I recently set up another patient portal with an additional health and hospital system also managed by cernerhealth.com. While they provide different login URLs for each health venue, they DEMAND using the same login credentials.

I have two separate Login items in 1Password, both using the same username and password. Yet Watchtower doesn't flag these in "Reused Passwords". Shouldn't it?


1Password Version: 1Password 7 Version 7.6 (70600005) 1Password Store
Extension Version: 7.6
OS Version: 10.15.6
Sync Type: 1Password

Comments

  • ag_ana

    Team Member

    Hi @LarryMcJ!

    I have two separate Login items in 1Password, both using the same username and password. Yet Watchtower doesn't flag these in "Reused Passwords". Shouldn't it?

    If you have two separate login items with the same password then yes, Watchtower should include these logins in the list. Are you able to reproduce this issue with other test logins?

    A bit unrelated: I was also wondering if you could just add a second website field to this login item. If the login information is the same, you can avoid duplicating logins. Having multiple URLs in the same item seems perfect in this case.

  • LarryMcJ Senior Member

    Yes. A good example is TurboTax and Mint, both owned by Intuit, and users are required to use the same Intuit login credentials on both products. These are both identified in Watchtower. I also changed the login credentials to two other sites so they were identical and Watchtower identified both. But it won't find these two I reported.

  • ag_ana

    Team Member

    @LarryMcJ:

    Thank you for the additional information. I would like to ask you to send us step by step instructions to reproduce this; I would be curious to test this and see if I see the same behavior. If you cannot share certain information here on a public forum, please feel free to send it to us via email at [email protected] :+1:

  • LarryMcJ Senior Member

    My original post shows this, but I'll try to be more specific below.

    1. CernerHealth.com is a remote health care IT company that provides patient portals for hundreds of hospitals and doctors nationwide. In my city alone they service two hospitals and dozens of doctor offices.

    2. If a patient belongs to multiple patient portals serviced by Cerner Health, they MUST use the SAME login credentials (email and password) to access the differing patient portals. The only thing differentiating these logins is the login URL itself, which resolves to the corresponding health facility.

    3. I belong to two of their patient portals, so I am forced to use my email address and the exact same password to log in to both portals. This works just fine and completely isolates the two portals, but using identical usernames and passwords on both SHOULD trigger Watchtower...it does not. The 1Password logins for both these portals have the EXACT same email address and password, yet Watchtower does not warn me in the "Reused Passwords" section.

    4. I have four other logins (by design) that use the same login credentials, and with these, Watchtower correctly identifies duplicate passwords, but these are done intentionally. It does demonstrate that Watchtower is working...in some instances, but not others.

    If you need further information I'll be happy to provide it, but please request specifically what you need. Thanks.

  • ag_ana

    Team Member

    @LarryMcJ:

    If you need further information I'll be happy to provide it, but please request specifically what you need.

    I have tried creating two different logins, and assigned the same password to both of them. Watchtower told me that I am reusing passwords, which means that you are following a different process. Therefore, I need your help to understand how you are making this happen :)

    If you can consistently reproduce this, I would like to ask you for step by step instructions on what process you followed to make this happen, from the moment you unlock 1Password to the moment Watchtower does not alert you of this.

    Here is a great example of step by step instructions (those are to reproduce an issue with a website, rather than in the app, but you will get the idea ;) ).

    Thank you!

  • LarryMcJ Senior Member

    I've tried both ways and no matter how I create the two logins, Watchtower does not report the logins as "reused". The only difference in the two logins is the URL. Both patient portals are managed by Cerner Health but the two logins are different. Below are the two login URLs I use for the two patient portals (there is nothing sensitive here...each resolves to a clean login page). If you are able to create a test login using each of these you should get the same results as me. I have checked at least four times and I have the exact same username and password for each of these two logins.

    Covenant Health

    https://cernerhealth.com/oauth/authenticate?redirect_uri=https://cernerhealth.com/saml/sso/response?message_id=_c6ff9ac7-1dc1-406e-8d48-80df72c623ff&issuer=https%3A%2F%2Fmycovenanthealth.iqhealth.com%2Fsession-api%2Fprotocol%2Fsaml2%2Fmetadata&sign_in_only=on&client_id=fd429e8db07a4711a52a50e51f6c478a

    UT Medical Center

    https://cernerhealth.com/oauth/authenticate?redirect_uri=https://cernerhealth.com/saml/sso/response?message_id=_0e02639f-17b1-454c-8e2f-d8e99b32d319&issuer=https%3A%2F%2Futmc.iqhealth.com%2Fsession-api%2Fprotocol%2Fsaml2%2Fmetadata&sign_in_only=on&client_id=b30dd640647a4baea94ee48b5d90f79a

  • LarryMcJ Senior Member
    edited July 28

    FWIW, I entered both logins into iOS 14 (beta) passwords, which has a basic, but similar feature to Watchtower, and it didn't identify these two identical logins as reused passwords. I tried two other sites I have that intentionally use identical logins and iOS 14 did see them.

    Next, I just now tried this with a competitor app to 1Password and experienced the same thing. Their security breach monitor tool did not identify these two logins as reused passwords, but it did on other logins.

    So two password managers and iOS 14 all demonstrate the very same behavior...I think it's not something I'm doing, but rather something in those two logins that is keeping them from being identified in Watchtower and the other app and iOS 14.

    Let me know if you want me to try anything else. Thanks.

  • LarryMcJ Senior Member

    @ag_ana - Any further info on this? Thanks.

  • ag_ana

    Team Member

    @LarryMcJ:

    Thank you for the additional information and for your patience while I was off for my weekend! I managed to reproduce the same behavior here with those 2 URLs, and I think this is happening because the domain is the same. Indeed, if you try replacing those URLs with something else (like google.com in both URLs), Watchtower won't flag those items for you either, so it doesn't just happen with that website.

    If the domain is the same, and you are using two different login items with same username and same password, I think Watchtower sees those as similar enough that it considers them the same login.

    In this case, I encourage you to try my suggestion above: I recommend adding two website fields to the same login item in 1Password. Since the username, password and domain are the same, I don't think it's necessary to split them into multiple logins.
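    As an added illustration (not 1Password's own code, and not a description of how Watchtower is actually implemented), the following Python model reproduces the behaviour Ana describes: a reused-password check that treats items sharing the same host and username as one login never sees the two Cerner portals as separate, so their shared password is not flagged, while the same password on two different hosts is. The vault entries, hostnames other than cernerhealth.com, and passwords are constructed placeholders; the stricter `issuer_key` variant is only an assumption about how the portal-naming `issuer` parameter could be folded into the identity.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample vault; the first two URLs mimic the shape of the portal
# links in the thread (same host, different SAML issuer). Passwords are placeholders.
ITEMS = [
    {"title": "Covenant Health", "username": "larry@example.com", "password": "Pw-Cerner-1",
     "url": "https://cernerhealth.com/oauth/authenticate?"
            "issuer=https%3A%2F%2Fmycovenanthealth.iqhealth.com&client_id=portal-a"},
    {"title": "UT Medical Center", "username": "larry@example.com", "password": "Pw-Cerner-1",
     "url": "https://cernerhealth.com/oauth/authenticate?"
            "issuer=https%3A%2F%2Futmc.iqhealth.com&client_id=portal-b"},
    {"title": "Site A", "username": "larry@example.com", "password": "Pw-Shared-2",
     "url": "https://login.example.com/"},
    {"title": "Site B", "username": "larry@example.com", "password": "Pw-Shared-2",
     "url": "https://accounts.example.net/"},
]


def host_key(item):
    """Login identity as described in the thread: same host plus same username
    counts as the same login, regardless of path or query string."""
    return (urlparse(item["url"]).hostname, item["username"])


def issuer_key(item):
    """Hypothetical stricter identity (an assumption, not a Watchtower feature):
    also fold in the SAML 'issuer' query parameter, which names the actual portal."""
    host, user = host_key(item)
    issuer = parse_qs(urlparse(item["url"]).query).get("issuer", [""])[0]
    return (host, issuer, user)


def reused_passwords(items, key_fn):
    """Return the sorted titles of items whose password is shared with at least
    one *other* login, where key_fn decides which items count as the same login."""
    logins = defaultdict(set)  # password -> distinct login identities using it
    for it in items:
        logins[it["password"]].add(key_fn(it))
    return sorted(it["title"] for it in items if len(logins[it["password"]]) > 1)


if __name__ == "__main__":
    # Host-based identity collapses the two Cerner items into one login: not flagged.
    print(reused_passwords(ITEMS, host_key))
    # Issuer-aware identity keeps them apart, so the shared password is reported.
    print(reused_passwords(ITEMS, issuer_key))
```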

  • LarryMcJ Senior Member
    edited July 31

    I understand your recommended solution. And while it is a solution, it's also a workaround because the two logins are not related at all, so I just wouldn't want to use two login URLs in the same login to solve this. An analogy would be having both my Facebook login and Twitter login in one unified 1Password login only because (hypothetically) a third party IT department was contracted by both Facebook and Twitter. I wouldn't even be able to assign a proper login name since the two agencies are totally different.

    If Watchtower (and other similar services) can't differentiate between the two diverse logins, then it's obviously not a shortcoming of Watchtower. I only wanted to bring it to your attention as something Watchtower might eventually be changed to address. I'll just live with the issue for now. But thanks for your help.

  • DanielP

    Team Member
    edited July 31

    @LarryMcJ:

    the two logins are not related at all

    They are hosted on the same domain, that is a pretty strong relation. They might be different websites from our perspective, but if they share the username, the password, and the domain name, from a technical perspective (in other words, from the perspective of a machine) they are the same website.

    An analogy would be having both my Facebook login and Twitter login in one unified 1Password login only because (hypothetically) a third party IT department was contracted by both Facebook and Twitter

    I am afraid that this is not a correct analogy. Facebook and Twitter are hosted on two separate domains, facebook.com and twitter.com respectively. The two logins that you mentioned are on the same domain instead: cernerhealth.com. An analogy would be if you could access Twitter on facebook.com/twitter, or if you could access Facebook on twitter.com/facebook ;)

    I wouldn't even be able to assign a proper login name since the two agencies are totally different.

    Personally, this is the first time where I see a portal designed like this. I have seen multiple login portals on the same domain, but with different credentials. I can't recall remembering a case where multiple login portals used the same credentials and also used the same domain for hosting. In every other case, using multiple website fields, as Ana suggested, is the way to address it.

    So I have to thank you for bringing this up, it's good to know that this sort of design exists. If other users stumble upon a similar scenario in the future, we will have this discussion to point them to.

    If Watchtower (and other similar services) can't differentiate between the two diverse logins, then it's obviously not a shortcoming of Watchtower. I only wanted to bring it to your attention as something Watchtower might eventually be changed to address.

    I agree with Ana here, in that I believe Watchtower is doing the expected thing here. I wonder however if there is any way we can instruct Watchtower to look out for edge cases such as this one. My concern is breaking existing alerting while trying to account for such a weird scenario, so I will have to think about this and see if I can come up with a solution that makes sense (assuming, for the moment, that this is possible). And I need to also consider whether diverting effort away from other projects is even worth it to address this edge case. Certainly a fun security exercise to think about though ;)

    ===
    Daniel
    1Password Security Team

  • LarryMcJ Senior Member

    Daniel, I never accused Watchtower of not doing its job. In fact I mentioned that it, and similar other services in other password managers, do the same thing WRT these two logins.

    Regarding my Facebook - Twitter analogy, I mentioned this was HYPOTHETICAL. But "IF" both companies contracted the same 3rd party IT-in-a-box solution (which they obviously don't) then it would be a valid analogy, and that is what's happening with my patient portals here locally.

    The local IT company that provides this patient portal service does so for over 200 doctor offices, dentist offices, hospitals and other medical agencies just here in my city alone, let alone nationally. So having my dentist patient portal and my cardiologist patient portal in the same 1Password login is simply not an option...they're apples and oranges. It can't be justified simply because the same company provides the contracted patient portal services to both.

    Regardless, as I already mentioned, I'll deal with the issue on my end. It's neither your fault nor your problem...I simply wanted 1Password to be aware of it. I prefer to keep the logins separate and not be notified of a reused password situation. Thanks for your help.

  • DanielP

    Team Member

    @LarryMcJ:

    Daniel, I never accused Watchtower of not doing its job.

    I never thought that you did, so no worries on that front :)

    It can't be justified simply because the same company provides the contracted patient portal services to both.

    This is the part that I am struggling to understand: they offer two separate services on the same domain, which is understandable if they offer multiple services. However, all services can be accessed with the same credentials, as you said. So what is keeping you from using one single Login item with two separate website fields?

    For sure those two services are apples and oranges because they refer to different doctors, but it's also true that they are the same credentials.

    If it's a matter of personal preference to keep them separate, then I would certainly understand though.

    Regardless, as I already mentioned, I'll deal with the issue on my end. It's neither your fault nor your problem...

    Still doesn't mean that we should not try to find a solution that addresses these scenarios, if possible and if it makes sense to do so ;) If you take the time to bring up something, you deserve a thoughtful reply.

    ===
    Daniel
    1Password Security Team

  • LarryMcJ Senior Member

    Daniel, you probably just hit on the underlying reason...personal preference. In my mind, the difference between logging into my dentist's patient portal and my cardiologist's patient portal is as diverse as logging into Gmail and Netflix because I want to start out with a separate visual UI entry for each. To justify this even more, when you're my age you have a lot more doctors...so in total I have five different patient portals to keep track of and I want each one to have a separate 1Password login. The other three don't use this particular portal provider so they're not a problem.

    Not to bore you, but I'm perfectly fine with how Keychain handles this. If I want to use Keychain (I don't...it's a backup)...I have separate Safari logins for each of these patient portals. One has the name of one doctor, the other has the other, so on the front end (the part I see) they appear as two different logins...that's all that matters to me. Behind the UI, Keychain sees only one URL but it's not part of what I see so I don't care.

    I hope this better clarifies my concern in wanting separate logins. I doubt this issue warrants you folks spending time on it at all. 1Password support has always been superb ever since I've been a customer...somewhere over 14 years now, so thanks again for your help and explanations.

  • ag_ana

    Team Member

    @LarryMcJ:

    Thank you for the kind words! It's great to have you with us :)

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • LarryMcJ Senior Member

    You, too, @ag_ana...and stay safe! :)

  • ag_ana

    Team Member

    :+1::)
