Watchtower re-alerts on recently changed passwords?

JHP
Community Member

I like the Watchtower feature and appreciate being encouraged to change vulnerable passwords.

I am somewhat surprised to see that some very recently updated passwords are again being flagged by Watchtower (after I changed them because of a prior Watchtower alert). Why am I seeing repeated "infractions"? All recently updated passwords are strong and different passwords generated by 1pw.

Running 4.4.1 on MacOS 10.9.4

Comments

  • sjk
    1Password Alumni

    Hi @JHP,

    I'm glad you like Watchtower encouraging you to change vulnerable passwords. :)

    Do any of the items reappearing with a Watchtower Vulnerability Alert after their recent password changes have more than one website field? Also, open Preferences… > Watchtower, click Update Now if the database hasn't been updated relatively recently, and see if your items still have the alerts. Can you mention any of the URLs for specific sites where you're having this problem?

    Thanks!

  • JHP
    Community Member

    OK, I hit update now, and the problem persists. All of my Google accounts show the red Watchtower alerts, and the accounts have password changes in May and Jun 2014 or later.

    I'm not sure that it relates to the problem you mention, but I do have multiple 1pw login items with common google id/passwords (i.e., I have different login items for Gmail and other Google apps that share id/pwd so I go directly to the appropriate Google service and apply login which is used across multiple Google services).

  • Hi @JHP,

    We are aware of the frequency with which Google seems to acquire new certificates and are working on ensuring that it does not continually show up as a fresh vulnerability.

    Similar to what @jpgoldberg said in another discussion:

    One of the huge difficulties with Heartbleed advice is that there are so many uncertainties in drawing conclusions from the information we could readily test. As we see with the Google case, Watchtower certainly could be smarter than it actually is.

    But our development focus on Watchtower is toward the future, and away from Heartbleed. The kind of database we need to build and maintain for Heartbleed is very different than the kind of database we need to build and maintain for providing the most helpful advice and user experience.

    The short answer is that sites replace certificates all of the time, and in general it should not be considered an indication of any problem. It's routine, and signifies little.

    In the weeks following Heartbleed, a replaced certificate is taken to mean replacing a potentially compromised certificate. But outside of the context of Heartbleed, replacing compromised certificates is only one of many reasons why a certificate might be replaced.

    In the other direction, a replaced certificate can be part of an attack. If we look at the MITM attack against Iranians talking to Google a few years ago, the attackers (presumably the government of Iran) acquired a valid, but bogus certificate for gmail. It was first discovered because the Chrome browser actually hardcodes a list of Google certificates instead of trusting the whole certificate trust mechanism.

    The overwhelming majority of certificate replacements will be innocuous. Some might be to replace a potentially compromised certificate. Some might even be part of an attack by a network operator who was able to obtain a bogus certificate. Even if we were to make Watchtower much much smarter, I doubt we could build up heuristics that would be able to distinguish among those. So once we move past Heartbleed, I expect that we will not be looking at certificate replacement times.

    Please let us know if you have any other questions.

This discussion has been closed.