Google password changed but Watchtower still showing

jd007

Hi, I changed my Google password on 24th April. Watchtower is still showing it needs to be changed?


Comments

  • Jasper

    Team Member

    Hi @jd007,

    As you'll see on the Watchtower website, if your Google password has not been changed since May 7, 2014 then you should change it now.

    http://watchtower.agilebits.com/check?h=google.com&port=443

    It is important that you update your password after a new SSL certificate has been issued. An attacker could have stolen the private key from the server before Heartbleed was fixed, therefore a new certificate needs to be issued for the site (and the old one revoked) to be considered fully secure. And Google updated their SSL certificate on May 7. :)

  • We get it.

    But I think what the original poster might have been trying to communicate is that Watchtower keeps telling us to change our Google passwords. The same thing has happened to me. Watchtower flags Google logins, I change them so they get off my Watchtower list, then a couple weeks later they're back on it.

    Why were Google passwords "cleared" a few weeks ago when I changed them the first time, and then re-flagged as potentially insecure again? Can you be more specific about what made Google logins insecure all over again…?

    If you have multiple Google logins (as I do) and use 2-factor authentication and several app-specific passwords for each (as I do), this becomes a royal pain in the keester.

    Frustrating.

  • OK, I've now changed my Google passwords 3 times: first shortly after the Heartbleed bug was discovered, then to get them removed from my Watchtower list the first time, and just now to pull them off the Watchtower list again. I think they're pretty safe; hopefully they won't get flagged as potentially insecure again. Moving forward, what sort of circumstances would land them in trouble again with Watchtower?

  • Thanks JasperP, got it, have changed again and it has disappeared from WatchTower. :-)

  • amocko, Junior Member

    This is happening to me as well. I've changed mine several times now and they disappear after I change them and return later.

  • jpgoldberg, Agile Customer Care

    Team Member

    Hmm. Let me see if I can figure out what is going on with this ... hmm. I don't see anything obvious.

    Can those of you who are seeing this problem please post the exact Google domain that the Login is for, as well as the date of your password change as seen by selecting "Previously used passwords". Thanks.

  • Thank you for looking into this! Here's my info.:

    Google domain I use is: accounts.google.com. I use it for all 7 Google logins that I need to manage.

    I use this because it seems to give me the quickest access to the security settings (password changes, app-specific password options, etc.) when I log in.

    Previous password change by date (all 2014):

    1. April 12 (self-initiated password changes post-Heartbleed, if I remember correctly)
    2. May 5 (first removal from Watchtower list, I believe)
    3. May 20 (second removal from Watchtower list)

    If you need any more info., feel free to post it here, send me a PM, or whatever.

    Thanks again for taking a look at this!

  • jpgoldberg, Agile Customer Care

    Team Member

    Thank you @pinakion!

    Your password change on April 12 was all that was needed, but it turns out that Google also updated some certificates on May 7. They didn't need to, at least not for Heartbleed, but for some reason they did. Watchtower noticed that May 7 update and decided that this meant that passwords that hadn't been changed after May 7 need a change.

    Anyway, Google's systems were safest the longest. It was a Google team that first discovered Heartbleed; so they had actually patched their systems early. Google and the OpenSSL team had wanted to release the information about Heartbleed carefully. They wanted to give system administrators the chance to fix things before the whole thing was made public. But things didn't work out that way.

    Our Watchtower detector is actually built with the knowledge that a few domains may have fixed things before April 7, but as you see in this case, it isn't all that bright about cases where there appears to have been a "later" fix. So it sees what looks like a fix on May 7 and reports that as the new "change password after" date. Until we know exactly why Google changed some of their certificates on May 7, I'm reluctant to manually override what Watchtower reports in this case.

    I realize that, like Watchtower, I am giving you a mixed message. I don't think that you really need to do a password change after May 7, but I can't entirely rule out the advice that Watchtower is giving here. I wish I could be more definitive, but we can only work with the information we've got.

    Cheers, -j

  • So how do you deactivate the vulnerability alarm for Google without resetting the password? Maybe one of the guys can look at the Watchtower code and give us a definitive answer. My experience with Google is that they change certificates frequently.

  • Megan

    Team Member

    Hi @bjornga,

    At this time there is no way to deactivate the vulnerability alert without changing the password. This is a feature we are considering adding in the future and I'd be happy to add your vote to the request in our issue tracker. :)

    As far as your question about sites that may change their certificates frequently, for now, you will see a new alert when certificates are updated, even if the Heartbleed vulnerability has already been fully dealt with, but our developers are looking into how to make Watchtower smarter so that it can differentiate more clearly here. Thanks for bringing it to our attention!


  • If Watchtower can evolve to a point where it can distinguish real risks from certificate updates, my vote would probably be against a deactivation feature. But as it stands now I kind of wish there was one.

  • Megan

    Team Member

    Hi @pinakion,

    Thanks so much for adding your thoughts here! Watchtower is still a brand-new service, so there is definitely room to evolve. Our developers are working to make this service as informative and user-friendly as possible. :)

  • danco, Senior Member, Community Moderator

    I would definitely like an option to deactivate Watchtower and weak password warnings on individual sites. There are quite a few sites where the login details are fixed and a true password is needed only at a later stage. Having warnings for these only clutters up the list.

  • Megan

    Team Member

    Hi @danco,

    We certainly don't want to clutter things up for you! Thanks for the feedback :)

  • Hi folks. Watchtower is alerting again for Google. The interesting thing is that it has only started alerting again today, but the website reports that the new certificate (presumably the cause of Watchtower insisting that Google is vulnerable) was generated on May 22nd. Why would that be?

    The issue we seem to have is that Google keeps reissuing short-lived certificates. Presumably the Heartbleed issue only related to their original certificate, so this is, as discussed above, not likely to be a security issue any longer. I'd rather not have it showing up in Watchtower so regularly though. It could feasibly be a Google policy to only use short-lived certs; they may have their own security reasons for doing so.

    Can you clarify: is Watchtower a Heartbleed-only feature, or will it live long and become a risk alert mechanism for other types of risk?

  • I don't think Google's alone. As I feared above, my bank just showed up in Watchtower again, and I'm pretty sure that Heartbleed vulnerability isn't an issue. I will subsume all the security questions under a single login for my bank from now on, although I haven't gotten around to it yet. It is nice to be able to just hit Cmd-\ to answer them, but now that I think about it, creating unique logins for each security question is kind of a hack. Oh, and Quora showed up again today, too.

  • Megan

    Team Member

    Hi @smallcheese and @pinakion,

    Watchtower is not a limited feature. We hope to improve this feature and build on it to be useful for future breaches (as we have already begun with recent eBay and AOL breaches.) We are aware of the frequency with which Google seems to acquire new certificates and are working on ensuring that it does not continually show up as a fresh vulnerability.

    Thanks for bringing these sites to our attention, we're working to make Watchtower as useful as possible for you all!

  • You're welcome, and thanks for your help. I think Watchtower is a fantastic innovation that really removes a lot of anxiety about passwords over time. As the teething problems we're experiencing now get addressed, I can see it being very painless and easy to use. In any case it's still great that you rolled it out as quickly as you did, as Heartbleed was a disaster. So thanks!

  • Megan

    Team Member

    Hi @pinakion,

    Thanks so much for the kind words! Keep being awesome. :)

  • Hi Megan,

    This looks to have been resolved today, with Google disappearing from the list of accounts I need to be worried about. Out of interest, are you able to spell out the logic used for determining if the site should show up there? For my own part after thinking about this there is a chain of events which could lead you to thinking Google is "safe" (or any other site).

    • Google is vulnerable.
    • Google fixes vulnerability
    • Google re-issues cert(s)
    • MILESTONE - No longer vulnerable. Any password changed since this date should not flag for attention - just because Google re-issues a cert doesn't need to be any cause for concern.

    A final question I had before and I realised wasn't answered - Watchtower showed the vulnerability as being since the date of the cert re-issue (in the most recent case June 2nd) but I wasn't notified until many days later, possibly two weeks. Why would that be?

    I lied, one more question! What is the frequency at which Watchtower updates? Are there plans to make this configurable or more regular? As I am fascinated with the service and 1P in general I click in several times a day to update it but I have as an experiment left it longer than 24 hours between updates to see if it did so on its own and it reported last updated yesterday.

    Thanks!
    Tom

  • Jasper

    Team Member
    edited June 2014

    Hi @smallcheese,

    Similar to what @jpgoldberg said in another discussion:

    One of the huge difficulties with Heartbleed advice is that there are so many uncertainties in drawing conclusions from the information we could readily test. As we see with the Google case, Watchtower certainly could be smarter than it actually is.

    But our development focus on Watchtower is toward the future, and away from Heartbleed. The kind of database we need to build and maintain for Heartbleed is very different than the kind of database we need to build and maintain for providing the most helpful advice and user experience.

    The short answer is that sites replace certificates all of the time, and in general it should not be considered an indication of any problem. It's routine, and signifies little.

    In the weeks following Heartbleed a replaced certificate is taken to mean replacing a potentially compromised certificate. But outside of the context of Heartbleed, replacing compromised certificates is only one of many reasons why a certificate might be replaced.

    In the other direction, a replaced certificate can be part of an attack. If we look at the MITM attack against Iranians talking to Google a few years ago, the attackers (presumably the government of Iran) acquired a valid, but bogus certificate for gmail. It was first discovered because the Chrome browser actually hardcodes a list of Google certificates instead of trusting the whole certificate trust mechanism.

    The overwhelming majority of certificate replacements will be innocuous. Some might be to replace a potentially compromised certificate. Some might even be part of an attack by a network operator who was able to obtain a bogus certificate. Even if we were to make Watchtower much, much smarter, I doubt we could build up heuristics that would be able to distinguish among those. So once we move past Heartbleed, I expect that we will not be looking at certificate replacement times.

    Watchtower showed the vulnerability as being since the date of the cert re-issue (in the most recent case June 2nd) but I wasn't notified until many days later, possibly two weeks. Why would that be?

    First, Watchtower needs to check the website and update the database. Then, the updated database must be published to our content delivery network, and finally downloaded by the app to your local file system. The Watchtower alert will then display on the login (and you will need to notice that alert).

    What is the frequency at which Watchtower updates? Are there plans to make this configurable or more regular?

    Daily. And no, there are not currently any plans to make the updates more frequent.
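The two flagging rules the thread contrasts, written out as an added example (not part of the thread and not 1Password's own Watchtower code): the "latest certificate" rule that re-flags a login on every reissue, and the "first fix after disclosure" milestone rule that smallcheese proposes above. The certificate dates are taken from the thread; the function names and the 2014-04-07 disclosure date used as the cut-off are assumptions for the example.

```python
from datetime import date

# Public disclosure date of Heartbleed, used here as the cut-off after which a
# certificate replacement is treated as a possible fix (assumption for this example).
HEARTBLEED_DISCLOSED = date(2014, 4, 7)

# Google certificate reissue dates mentioned in the thread (May 7, May 22, June 4).
GOOGLE_CERT_ISSUES = [date(2014, 5, 7), date(2014, 5, 22), date(2014, 6, 4)]


def change_after_date(cert_issues, rule, disclosed=HEARTBLEED_DISCLOSED):
    """Return the 'change password after' date a site gets under the given rule.

    rule == "latest": threshold is the most recent post-disclosure reissue, so
                      every routine reissue moves the threshold forward.
    rule == "first":  threshold is the first post-disclosure reissue (the
                      milestone); later reissues are treated as routine.
    With no post-disclosure reissue, the disclosure date itself is used.
    """
    post_fix = sorted(d for d in cert_issues if d >= disclosed)
    if not post_fix:
        return disclosed
    return post_fix[-1] if rule == "latest" else post_fix[0]


def is_flagged(password_changes, cert_issues, rule, disclosed=HEARTBLEED_DISCLOSED):
    """A login is flagged when its most recent password change precedes the
    site's 'change password after' date. Logins never changed are always flagged."""
    if not password_changes:
        return True
    threshold = change_after_date(cert_issues, rule, disclosed)
    return max(password_changes) < threshold


def compare_rules(password_changes, cert_issues):
    """Show how the same login fares under both rules (True = flagged)."""
    return {rule: is_flagged(password_changes, cert_issues, rule)
            for rule in ("latest", "first")}


if __name__ == "__main__":
    # pinakion's change history from the thread: April 12, May 5, May 20 (2014).
    pinakion = [date(2014, 4, 12), date(2014, 5, 5), date(2014, 5, 20)]
    print(compare_rules(pinakion, GOOGLE_CERT_ISSUES))
```

Under the "latest" rule the May 20 change is re-flagged by the June 4 reissue, while under the milestone rule it is accepted because it postdates the May 7 replacement.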

  • After updating all Login passwords that appear in Watchtower, a few weeks passed, and I've updated 1Password's Watchtower again
    and I see new alerts (only regarding Google ...).
    Is there any issue with the Watchtower update?
    Thanks

  • sjk, oversoul

    Team Member

    Hi @ronen,

    Google/Gmail updated certificates again on June 4, 2014. At the moment, Watchtower only sees the most recent update so any Google/Gmail passwords that were changed before June 4 will be (re)listed in 1Password's Watchtower group.

  • Thanks.
    So do I need to update my password again?

  • Jasper

    Team Member

    Hi @jd007,

    It's a good idea to update your password again, just in case. My post above (#22) gives more details about what another updated SSL certificate could mean.

  • Thank you!!!

  • Megan

    Team Member
    edited June 2014

    Hi @ronen,

    I'm glad to hear that @JasperP's advice helped! As always, we're here for you if you have any other questions. :)

  • dale.gjco, Junior Member

    I'm not sure if you have answered my issue or not. So I will ask. I changed my Google/Gmail password on 6/12, 8 days after Google issued new certs on 6/4, but I still have a Vulnerability indication. I have 2 Mac computers and three iOS devices using this very strong password, and I certainly don't want to change all of them again. BTW, I am not using their 2-step process, since it seemed buggy to me.

  • sjk, oversoul

    Team Member
    edited July 2014

    Hi dale.gjco,

    Watchtower is aware that Google's security certificate has been reissued (again) but doesn't know why. Some of the possible reasons for reissued certificates are explained in post #22, which mentions:

    So once we move past Heartbleed, I expect that we will not be looking at certificate replacement times.

    As @JasperP says in post #26:

    It's a good idea to update your password again, just in case.

    And I concur. :)

    However… if you do want to remove the Vulnerability Alert from a Login item and retain its current password, one method is to temporarily change the item's password value and then change it back to the original. Another is simply to duplicate the item and delete the original, but that also removes previously used passwords history from the new item.

  • if you do want to remove the Vulnerability Alert from a Login item and retain its current password, one method is to temporarily change the password and then change it back to the original

    This method has worked very well for me. If I'm certain there's no real vulnerability, I'll usually just pick a unique character, like “•”, prepend it to the password and save to get it off Watchtower's list, then remove it right away.

    I've never encountered any bugginess with Google's two factor authentication. It can be tedious, but I see it as the cost of the extra security. I noticed though that if I change a Google password, the app-specific passwords that I created will continue to work as before, without any changes. This definitely simplifies things. I'm no expert, but I'm not sure there's much risk in leaving the app-specific passwords alone. I'd appreciate it though if one of the AgileBits folks could chime in with their opinion on this.
