Watchtower

Howdy! Can someone clarify how Watchtower is supposed to work?

In the web interface one of my items has a "Vulnerability Alert" displayed, but in 1Password 6 for Windows, my Watchtower items are 0.

Are these supposed to be the same feature or are they different features? If it matters, I also don't see any sign of a warning in iOS.


1Password Version: 6.6.407
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: 1Password.com

Comments

  • AlexHoffmannAlexHoffmann

    Team Member

    Hey @TheDave,

    Our knowledge base article "Use Watchtower to find passwords you need to change" explains how Watchtower works.

    It definitely should warn you about the same sites on any platform (web, Windows, iOS). Are you able/willing to share the site this is happening on?

    Cheers!

  • This particular one is pcplus.ca, I last changed my password "10 weeks ago" (according to the iOS app's password history -- I can probably get more details when I'm at a PC).

  • AlexHoffmannAlexHoffmann

    Team Member

    Very good, @TheDave, we'll be standing by.

    Cheers!

  • It shows the entry was last updated at "Mar 4, 2017 at 1:19 am by You"

  • brentybrenty

    Team Member
    edited May 2017

    @TheDave: I apologize if this is a silly question, but did you change your password at that time, or just make another edit to the item? 1Password is specifically looking at the date of the password.

    That said, I did want to make sure there wasn't a bug with that behaviour, so I tried editing an item (I literally just clicked Edit and Save without making any substantive change) and while the Modified date was updated, Watchtower didn't stop reporting the issue (can't change that password, unfortunately).

    Getting back to this particular case, a security breach was reported there back in February, so if you'd changed your password in March you should be all set. In either case, it sounds like there's some kind of bug if the 1Password Windows and web apps are giving a different result. We'll see if we can narrow this down.

  • Password was changed, for sure. They forced it, and I had to update the password on my partner's phone as well as it got forgotten.

    Also; my password history says "10 weeks" which is about right.

  • brentybrenty

    Team Member

    @TheDave: Sorry for the delay getting back to you. I've literally been going through my items trying to find a case where I could reproduce this.

    I have to be honest, I'm still not sure why this is happening (what I found was that no password is treated differently between clients), but it's clear that there are some inconsistencies between clients. We'll have to investigate further and get this to work consistently everywhere. In my case, 1Password for Mac seems to be behaving correctly; whereas in yours it seems that the iOS app is. Do you have access to a Mac? I'd actually expect the behaviour to be the same between the two, as they share a lot of code.

    Is there anything else "interesting" about this login as compared to others? Was it imported? Any idea where it was created, or where you updated it? I'm not sure what we're looking for exactly, and I don't blame you if you're not sure. No matter what, I really appreciate you bringing this to our attention.

    ref: OPW6-1109

  • I have iOS, Windows and web access only. I believe I updated it from a PC, likely, but no guarantees.

    It was likely originally imported, but I'm about 95% sure that the import was before the password change. I could find out for sure.

    I could export the entire item and share it with you if you want, the only confidential information is the password and I'd be happy to change it first -- But, this potentially wrecks the test case to test a fix. I can try duplicating the item first and just updating the duplicate, if that would help?

    Or, just wait and see? What is the Watchtower date for this one, could it be a different interpretation of timezones if I happened to update my password in an unlucky window where one device considers the password good and another bad?

  • brentybrenty

    Team Member

    @TheDave: Okay. I think I figured out my issue. In my case, I had a password saved in the item at one point and "changed" it to null. So the 1Password.com web interface and the 1Password 6 Windows app were treating null as a password that needed changing. The reason I mention this is on the off chance that this applies to your situation in some way.

    I really appreciate the info, and your offer to share the item. The easiest way to handle this would be to copy and edit the JSON directly to remove anything sensitive, but that is only possible in 1Password for Mac at this time I'm afraid. However, if you can change your password on the site and save a new login, then sharing the old (affected) one via 1Password for iOS (sorry to put you through all of this) should cover our bases.

    You can do this via the Share [ ↑ ] menu in the item details, and just send it to [email protected] and post the Support ID you receive here so we can take a look. Suffice to say that I want to get to the bottom of this both to address the issue and to document this so we can have Watchtower behave consistently and predictably everywhere. Thank you so much for your diligence and willingness to work with me on this! :)

  • I've been following this thread with interest, and have read the KB articles. Is it possible over years of use, 1000+ logins, using all 1P platforms, I have never had a Watchtower alert? I mean, I'm pretty aggressive with my updating and online security but with all the badness in the world I would have expected something to pop up over the years. Just makes me wonder if something is wrong. Any way to force an alert?

  • brentybrenty

    Team Member

    @jhamer: Well, if you're aggressive about updating accounts, you may simply be proactively avoiding Watchtower alerts. For example, we add new sites to Watchtower very quickly, but we're just going by the same public disclosures that are available to everyone. So if you're following security news fiercely, you may well be ahead of the game.

    It's also entirely possible that there's been a bug, or that Watchtower was disabled or unavailable in cases where you would have otherwise seen a warning. If you have something specific in mind, please let me know the versions you're using and the site in question.

    However, if you're just curious about what it looks like though, just save the following to a text file, give it the extension .1pif, and import it into 1Password:

    {"uuid":"h63vfslefzcphk46pd5e4ghoci","updatedAt":1494796803,"locationKey":"feedly.com","securityLevel":"SL5","contentsHash":"fd614914","title":"feedly Watchtower test","location":"https:\/\/feedly.com\/v3\/auth\/auth?loginState=A1xWBk7VsAPsTT_5MxdV652jgS2Z8qkU7gtkTAfpyEACU3Njpx7hAEfhNhcMUzKR3LjLbIpkBva_cC_AN-E9V457oPdXQfsLH27kO5geoCgIqNMVKogikwtiemKnP5Qv2N24A1QJ_Q","secureContents":{"fields":[{"id":";opid=__0","value":"someusername","designation":"username","type":"E","name":"login"},{"id":";opid=__1","value":"notagoodpassword","designation":"password","type":"P","name":"password"},{"value":"Login","id":";opid=__2","name":"","type":"I"}],"passwordHistory":[{"value":"6hPB8Lw93jY44yAZBpNHtw26vpm8U2","time":1479375817}],"htmlMethod":"LB1","sections":[{"title":"Related Items","name":"linked items"}],"URLs":[{"label":"website","url":"https:\/\/feedly.com\/v3\/auth\/auth?loginState=A1xWBk7VsAPsTT_5MxdV652jgS2Z8qkU7gtkTAfpyEACU3Njpx7hAEfhNhcMUzKR3LjLbIpkBva_cC_AN-E9V457oPdXQfsLH27kO5geoCgIqNMVKogikwtiemKnP5Qv2N24A1QJ_Q"}]},"createdAt":1479375548,"typeName":"webforms.WebForm"}
    ***5642bee8-a5ff-11dc-8314-0800200c9a66***
    

    That should be marked as vulnerable until you edit the password field, indicating you changed your password after the vulnerability was reported.

  • So that's what a Watchtower alert looks like. I'll take the lack of ever seeing one as a sign of vigilance. Appreciate the test entry.

  • brentybrenty

    Team Member

    Well, that's pretty awesome. I'm a little embarrassed that I can't say the same. Seriously, while mostly for testing, I still have some for accounts that are unused, not a risk (no personal or financial info), or closed, but I've not taken the time to clean things up. I salute you! :innocent:

  • Hello again,

    Sorry about the delay, I've been traveling a bit. I exported the item using 1Password for iOS and sent it via email as requested, ID is #ZZK-11169-443.

    I copied the item, and updated the new one with a new password and security question, so the item can be freely shared as needed.

    As of today, 1Password.com still shows a Watchtower alert, while neither iOS nor Windows does. I also imported your test item and it does show Watchtower alerts on all three platforms as expected, so I believe I can rule out a case where I am simply misunderstanding the UI :)

    Thanks!

  • brentybrenty

    Team Member
    edited May 2017

    @TheDave: Ha! I have no doubt that it isn't you. In the process of investigating this, I've come to appreciate how much room we have to improve here — especially between platforms.

    Thanks so much for sending that! I still haven't been able to figure out why this is happening, but I've added this to the Watchtower issues we're tracking for 1Password for Windows and the web client so we can get this fixed. I was able to confirm that 1Password for Mac does not flag this as vulnerable, so I'm sure we'll be able to get to the bottom of this. Cheers! :)

    ref: ZZK-11169-443

  • Works for me. It's really not an issue for me personally (and even less so now that I've changed my password and am only keeping the old item around in case I want to test against it), I only mentioned because it was inconsistent.

    What was the date you flagged them as vulnerable in Watchtower?

    (If there was an issue at all, it sounds like it may have just been a lot of people re-using credentials -- Several frequent shopper programs in Canada are being hit right now and it seems like Canada is targeted in person because the one common factor is that a real life, in store presence is needed to redeem the points, nearly always into prepaid cards of some sort.)

  • brentybrenty

    Team Member
    edited May 2017

    Works for me. It's really not an issue for me personally (and even less so now that I've changed my password and am only keeping the old item around in case I want to test against it), I only mentioned because it was inconsistent.

    @TheDave: Sounds good! We've got everything we need. I've had a lot of fun experimenting with this item, trying to puzzle this out. Thanks! :)

    What was the date you flagged them as vulnerable in Watchtower?

    D'oh! That's one of the first things I checked, but you had me wondering just now if I'd misconstrued things based on the date. You mentioned seeing "last updated at Mar 4, 2017 at 1:19 am", so when I saw that the Watchtower entry is set for 2017-02-20 I put it out of my mind. Looking at it again now, and realizing that the password change is showing for February 20th as well, I thought that might be it...

    I thought it might come down to a matter of hours due to the Watchtower entry being for the same day, but changing the password change to a day later in the JSON had no effect. Next, I tried changing the changed password to something different (it matched the prior password) in the JSON. Still flagged. I really, really don't understand why, given that everything seems to line up perfectly an this isn't the case in 1Password for Mac or iOS.

    (If there was an issue at all, it sounds like it may have just been a lot of people re-using credentials -- Several frequent shopper programs in Canada are being hit right now and it seems like Canada is targeted in person because the one common factor is that a real life, in store presence is needed to redeem the points, nearly always into prepaid cards of some sort.)

    You're probably right about that... Better safe than sorry. :dizzy:

    ref: OPW6-1109

This discussion has been closed.