Watchtower: different result on Windows and macOS

XIIIXIII
edited July 2 in Lounge

Much to my surprise I have different results in Watchtower, depending on which version of 1Password I use...

  • Vulnerable passwords: Windows 0, macOS 1
  • Reused passwords: Windows 4, macOS 0
  • Weak passwords: Windows 11, macOS 0

(Unsecured websites, Inactive 2FA, and Expiring have the same count on both platforms)

Can you please fix this?

It's hard to trust Watchtower like this :(

Comments

  • brentybrenty

    Team Member

    @XIII: Thanks for getting in touch! Can you give me the specifics? The 1Password.com web interface is the standard for Watchtower, so if you could let me know the URLs and how the results you're getting differ from that we should be able to address this in the native apps. Are you using only a single 1Password.com account in each case? Do you have any vaults hidden? Thanks in advance! :)

  • XIIIXIII

    The 1Password.com web interface is the standard for Watchtower

    I did not try that one. Now I feel sorry I did, because the results there differ from both Windows and Mac...

    • Vulnerable passwords: Windows 0, macOS 1, web 0
    • Reused passwords: Windows 4, macOS 0, web 0
    • Weak passwords: Windows 11, macOS 0, web 0

    (Unsecured websites, Inactive 2FA, and Expiring have the same count on all 3 variants)

    Is there a difference in how PIN codes are handled? Most of these weak "passwords" are actually PIN codes... The vulnerable password however is definitely not a PIN code.

    There are no URLs to share; all these "passwords" are for Apple devices, SIM cards, or other non web related stuff.

    I'm using only 1 account on all platforms and I'm checking for my personal vault only.

  • rudyrudy

    Team Member

    @XIII,

    macOS excludes PIN codes from the weak password test, and Windows has a bug filed to address that. As a Mac dev I'm curious about that vulnerable password entry...

  • brentybrenty

    Team Member

    @XIII: Thanks for following up. I'm not quite sure what to ask for at this point, but without more details it's hard to determine where the problem lies. The different counts on different devices don't really tell us which is wrong, or if they all are.

    For example, when you refer to reused passwords, are you saying that you don't have 4 and that the Windows app is wrong, or that you do have 4 and the other apps are not picking that up?

    If you disable Watchtower in the apps and then enable it again, do you get different results after it updates?

    If you go to haveibeenpwned.com and check the vulnerable password listed in 1Password for Mac there, is it showing as breached?

    It sounds like the weak passwords on Windows will be covered by the change we'll be making there to ignore PINs, but if there are others let me know.

  • XIIIXIII

    I'll wait for the ignore PINs functionality to re-check the PIN related issues.

    So the one entry that is still debatable is the vulnerable password. This is a (real, but weak) password in a secure note, which is indeed found in the Pwned Passwords section of Have I Been Pwned.

    So the macOS App is right in showing it as vulnerable, but why don't the web and Windows versions?

    (And why does the macOS version not list it as weak as well?)

  • XIIIXIII
    edited July 5

    Maybe you can try to reproduce my issue with a Secure Note with 1 item of type password in the default section? (I can)

    Use the super weak password: monkey.

    Results:

    • Vulnerable in macOS App, not vulnerable in Windows App, and not compromised in Web App
    • Weak in Windows App, not weak in macOS/Web App

    Hope this helps.

  • brentybrenty

    Team Member

    @XIII: Hmm. I've tried this in the following places:

    Searching "monkey" at https://haveibeenpwned.com/Passwords shows it as compromised in data breaches.

    Saving a login with the password "monkey" in the 1Password.com web interface shows it as a compromised password.

    Saving a login with the password "monkey" in 1Password for Mac shows it as a compromised password.

    Saving a login with the password "monkey" in 1Password for Windows shows it as a compromised password.

    It's also listed under "Weak Passwords" and "Vulnerable Passwords" in each app. Can you tell me the specific OS and 1Password versions you're using in each case? I wonder if it isn't able to download updated data for some reason. Otherwise, if you create a new login with this password, do you get a different result? I wonder if the one you're referring to is damaged for some reason. Do you know when and where it was created?
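The checks being compared in this thread (weak, reused, and vulnerable passwords, with PINs excluded from the weak test as rudy describes for macOS, and the Have I Been Pwned lookup brenty uses) can be sketched as a small audit. The following is an added example, not 1Password's or HIBP's own code: the weak-password rule and the PIN heuristic are assumptions, and the HIBP range endpoint (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>, which returns "SUFFIX:COUNT" lines) is replaced by a constructed offline stand-in with made-up counts so the code runs without network access.

```python
"""Toy Watchtower-style audit: weak / reused / vulnerable checks over a vault.

Added example, not 1Password's own code. The weak rule, the PIN heuristic
and the sample vault are assumptions; the HIBP "range" call is stubbed.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    title: str
    kind: str       # "login" or "secure_note"
    password: str


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pin(password: str) -> bool:
    """Heuristic (assumption): 4 to 8 digits only, e.g. device or SIM PINs."""
    return password.isdigit() and 4 <= len(password) <= 8


def is_weak(password: str, exclude_pins: bool = True) -> bool:
    """Assumed rule: under 8 characters or fewer than two character classes.

    exclude_pins=True mirrors the macOS behaviour described in the thread
    (PINs skipped); False mirrors the Windows build discussed there.
    """
    if exclude_pins and is_pin(password):
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) < 8 or classes < 2


def pwned_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the 5-char hash prefix is sent to the service;
    the remaining 35 chars are matched locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def audit(items, fetch_range, exclude_pins: bool = True) -> dict:
    """Return category -> item titles, over every item type, not only logins."""
    uses = Counter(i.password for i in items)
    report = {"weak": [], "reused": [], "vulnerable": []}
    for item in items:
        if is_weak(item.password, exclude_pins):
            report["weak"].append(item.title)
        if uses[item.password] > 1:
            report["reused"].append(item.title)
        if pwned_count(item.password, fetch_range) > 0:
            report["vulnerable"].append(item.title)
    return report


def make_fake_range(pwned: dict):
    """Offline stand-in for the HIBP range endpoint, built from a constructed
    {password: count} table. Counts are invented, not HIBP's real figures."""
    by_prefix: dict = {}
    for pw, count in pwned.items():
        d = sha1_hex(pw)
        by_prefix.setdefault(d[:5], []).append(f"{d[5:]}:{count}")

    def fetch_range(prefix: str) -> str:
        # The real endpoint returns CRLF-separated "SUFFIX:COUNT" lines.
        return "\r\n".join(by_prefix.get(prefix.upper(), [])) + "\r\n"

    return fetch_range


# Constructed sample vault mirroring the thread: a secure note holding
# "monkey", two identical PINs, and one strong login password.
SAMPLE_ITEMS = [
    Item("Example login", "login", "xK9#mQ2vLp7!wT"),
    Item("Secure note with password field", "secure_note", "monkey"),
    Item("Phone PIN", "secure_note", "1234"),
    Item("SIM PIN", "secure_note", "1234"),
]
FAKE_FETCH = make_fake_range({"monkey": 1000, "password": 5000})

if __name__ == "__main__":
    print("PINs excluded:", audit(SAMPLE_ITEMS, FAKE_FETCH, exclude_pins=True))
    print("PINs counted: ", audit(SAMPLE_ITEMS, FAKE_FETCH, exclude_pins=False))
```

Running it with `exclude_pins=True` flags the "monkey" note as both weak and vulnerable and the two PIN entries as reused but not weak; with `exclude_pins=False` the PINs are also reported as weak, which is the platform difference the thread is about. Swapping `make_fake_range` for a real HTTPS GET of the range URL keeps the privacy property: the full hash never leaves the device.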

  • XIIIXIII

    I created that one just before posting here.

    Don’t have access to my PC/Mac right now, so will need to post version numbers later.

  • XIIIXIII

    Can you please copy my setup?

    No Login, but a Secure Note with a password custom field.

  • XIIIXIII

    • Windows version: 7.1.567
    • macOS version: 7.0.7

  • brentybrenty

    Team Member
    edited July 9

    @XIII: You're right. I misunderstood what you were saying. I got a bit confused since you mentioned that it didn't show as "compromised". Only logins can be compromised, since otherwise there's no website associated with it. The Secure Note does show up as "vulnerable", but not "weak". I agree that's a bit confusing, but frankly I'm not sure of the benefit of any of that for a non-login item.

    It seems to me that the concern with weak, vulnerable, reused, or compromised passwords is that an attacker could know/guess them and use them to access an account on a website. For something offline, I guess I am dubious of the purpose of calling attention to these. I'd be interested to hear your take though. I was just operating under the assumption that we were talking about something relevant to website breaches, which is why Watchtower (and HIBP) exist.

  • XIIIXIII

    The Secure Note does show up as "vulnerable", but not "weak".

    On all platforms? For me the results are different per platform and that's why I started this topic.

  • brentybrenty

    Team Member

    @XIII: I'm less concerned about the specific platforms at this point, as it seems like a philosophical issue needs to be hashed out first. Making them consistent doesn't offer a real solution otherwise. If you can give me a better sense of your expectations, I can include that when filing issues. But it isn't clear to me what is "right" and "wrong" when it comes to Watchtower and non-login passwords. Should Watchtower just ignore these? I could argue either way.

  • XIIIXIII

    Making them consistent doesn't offer a real solution otherwise. If you can give me a better sense of your expectations

    My expectation: the same (consistent) result on all platforms; (at least) reported as a weak password on all platforms.

  • brentybrenty

    Team Member

    @XIII: Thanks! I think we still need to discuss the intention here more internally (with regard to non-logins and Watchtower), but that's a good starting point I can agree with as far as making it more consistent in the meantime. Cheers! :)

    ref: b5b-880
