Vulnerable password warning doesn't disappear after changing

One of my accounts has been flagged as vulnerable according to haveibeenpwned; however, even after changing it, the warning hasn't gone away. I have restarted the app and also tried changing the password again, but the warning remains.


1Password Version: 7.2.576
Extension Version: 4.7.3.90
OS Version: Windows 10.0.17134 Build 17134
Sync Type: Subscription
Referrer: forum-search:vunerable passwords

Comments

  • Greg (1Password Alumni)

    Hi @nathanieloffer,

    Thank you for getting in touch!

    If you generated a new password for your Login item using our password generator, it is quite strange that this Login item still shows up in Vulnerable passwords list.

    Have you tried disabling that check in Settings > Watchtower and then enabling it back again? Does the issue remain after that?

    Please let me know. Thanks! :+1:

    Cheers,
    Greg

  • nathanieloffer (Community Member)

    Thanks for the reply. No that hasn't fixed it. I've even tried entering totally random, meaningless passwords and it's not gone away. For clarification though it's a four digit pin not a complex password and the site in question uses a Membership number (10 digit), Last name and the four digit pin to log in. So maybe the length of it has something to do with it? I don't know.

  • @nathanieloffer: You've likely got it pegged there. There are so few 4-digit combinations of numbers in the universe that the likelihood is that nearly all of them are vulnerable. If the 4-digit PIN is the only thing that goes into the password field, Watchtower is likely to complain about it no matter what you do. This isn't your fault, of course. The onus is on the site in question to allow more secure passwords, something some sites are sadly reluctant to do.

    Chances are the PIN you changed it to remains compromised and that's why it isn't clearing the warning. Compromised Logins are based upon a specific breach of a site you use and will clear as soon as you change your password, no matter what you change it to. Vulnerable Passwords, on the other hand, is checking the first 5 characters of your hashed password against a database of hashes from HaveIBeenPwned. All password hashes that match the first 5 characters of yours are sent to 1Password and it compares the complete hashes locally. If a match is found, your item is flagged until you change it to something that returns no exact matches. In the case of a 4-digit PIN, it would not be surprising if all possible passwords are vulnerable. There are just too few options with a length of 4 and only numeric characters available. :frown:
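
The range-query check described in the reply above, worked through as an added example (this is not 1Password's or Have I Been Pwned's code). It models both sides of the exchange: a server that indexes a breach corpus by the first 5 hex characters of the uppercase SHA-1 hash and answers with every `SUFFIX:COUNT` line for that prefix, and a client that sends only the prefix and compares the remaining 35 characters locally. The breach corpus, the counts and the function names are constructed for the example; the corpus deliberately contains every 4-digit PIN, so the last function reproduces the point that no PIN can clear the warning.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: a stand-in for the real Pwned Passwords data set.
# Every 4-digit PIN is present, as a corpus of any real size would have them all.
BREACH_CORPUS = {f"{n:04d}": 1000 - n % 1000 for n in range(10000)}
BREACH_CORPUS.update({
    "password": 3_861_493,                  # constructed count
    "letmein": 250_000,                     # constructed count
    "correct horse battery staple": 10,     # constructed count
})


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket each breached hash by its 5-character prefix."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_query(prefix: str) -> str:
    """Server side: answer to a request for one prefix.

    Returns one 'SUFFIX:COUNT' line per breached hash sharing the prefix.
    The server learns only the prefix, never which suffix the client holds.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = sorted(RANGE_INDEX.get(prefix, []))
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in lines)


def pwned_count(password: str, query=range_query) -> int:
    """Client side: send the prefix, match the suffix locally.

    Returns the breach count for an exact match, or 0 when the candidate list
    for that prefix contains no hash of this password.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fraction_of_pins_flagged() -> float:
    """Run the check over all 10,000 four-digit PINs; with the corpus above it is 1.0."""
    pins = [f"{n:04d}" for n in range(10000)]
    flagged = sum(1 for pin in pins if pwned_count(pin) > 0)
    return flagged / len(pins)


if __name__ == "__main__":
    for pw in ["1234", "8675", "password", "correct horse battery staple",
               "xK9#v2Lq!pR7wZ4m"]:
        print(f"{pw!r}: prefix {sha1_hex(pw)[:5]} sent, "
              f"count {pwned_count(pw)}")
    print(f"fraction of 4-digit PINs flagged: {fraction_of_pins_flagged():.2f}")
```

Because the client only ever transmits the 5-character prefix, the server sees one of 16^5 buckets and cannot tell which of the returned candidates, if any, the user actually has; the exact comparison happens on the client, which is why changing a PIN to another PIN keeps returning a match.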

This discussion has been closed.