Please support searching for multiple compromised email addresses
Comments
-
@Ben Ah I see. Sorry, I had interpreted your comment slightly differently.
You could probably cover a high percentage by allowing gmail, hotmail/outlook (I couldn't find the official support document about it with a quick search) and protonmail domains though.
0 -
Indeed. :) Hopefully that is something we can consider as we continue to build out Watchtower.
Ben
0 -
:+1:
Ben
0 -
You could always allow users to add additional email addresses for Watchtower checking, ensuring that ownership is correctly verified for each email address. Of course, you would still want to allow 1Password login with only the Primary email address.
0 -
It's certainly a possibility. :)
0 -
Hi, any update on this? I have over 100 unique emails (~127 with some false positives) and it's quite a pain to manually copy them to the website once let alone check it every few months. I'd be perfectly willing to click on a hundred(/hundreds of) confirm links in my inboxes.
I'd even be happy with a boolean telling me if I should manually check a certain email with no additional information. Just a list with "bad" addresses and then I can go investigate for myself.
0 -
Agreed that this feature is needed badly. Dashlane has it, you just need to verify each email you add. You could make it nice and easy by pooling emails from logins and allowing users to verify unique ones. Lack of support for multiple email addresses renders this feature that can be insanely useful almost useless for many people. 98% of my logins are using a different email to my 1Password account.
0 -
Thanks @ag_ana
Shortly after my last comment I came across https://monitor.firefox.com. It actually 100% does what I'm after so that's a bonus as I can use that to get the coverage I'm after. It's Mozilla's take on this offering and also uses the HaveIBeenPwned database, but allows multiple email accounts to be enrolled which once verified (via email link to the account) can be tracked ongoing. Also allows per account 'resolving' of breaches, including managing each account individually if multiple enrolled accounts were exposed in the same breach. Awesome. Not sure if it helps the people using heavy +SOMETHING aliasing in email addresses on a per service basis given HaveIBeenPwned doesn't seem to support that, but for me where I have half a dozen email addresses I want to track it's great. Hopefully it can help others who use a different email address in 1Password to what they use to track those addresses, as well as give a bit of a template as to how Watchtower could manage it in a future update.
I know the rationale for how it is right now may be that the majority of customers use a single email address. I just want to throw out two use cases that account for some of my different email addresses that I think would impact many customers.
1) I have a work issued email that I don't use for personal activities, but nonetheless in 8+ years of having that address it has accumulated usage with other work related services be it supplier billing systems or accreditation sites and the like. In many cases a lot of that information is just business info, but in some cases there will be personal information tied to those accounts that are linked to the email address. I'd definitely like to know if that work email account was caught up in any breaches even if it's not my day to day personal one.
Some businesses will have IT teams managing this, but not all businesses will be and they may not be as responsive as would be ideal, or perhaps less attentive to issues that don't impact the company itself.
2) I'm guessing many people's current email address is not their first, and they have an old @hotmail or whatever laying around. Being able to add old accounts (although they may need to be active still if you want to mandate verification), can potentially surface a bunch of services people haven't used in a decade plus and weren't across any breaches, especially if the old email address isn't monitored any more. Chances are payment details etc have expired if we're talking services people haven't used in ages, but again there may be forgotten accounts with personal information that can be an identity risk people will want to try and secure. Using the https://monitor.firefox.com brought in 2 or 3 results I'd completely forgotten about for example for accounts I didn't even have in 1Password because they predate my use of password managers.
Just throwing that all out there as something that works for me, and two scenarios I think would apply to many that fuels my own desire or need to track multiple addresses, besides the fact I'm in that fringe group that doesn't use their primary email for a lot of e-commerce sites which also creates an issue with Watchtower.
0 -
Hi, I still need this feature.
I tried https://monitor.firefox.com but it is limited to 5 email addresses from what I can tell. There is a workaround for that, but not a feasible one for me: request more than 5 emails before verifying, then verify them all at once. This would mean I need to remove all of my email addresses every time I want to add one. That this works at all is probably a bug and might get fixed in the future.
So I'd like to ask again for this feature. Please allow – at least for gmail.com – aliases to be scanned by the breach report. There are two ways of aliases with google:
1. "dot don't matter" (Source: https://support.google.com/mail/answer/7436150): If you verified foobar@gmail.com you can safely assume foo.bar@gmail.com, f.o.o.b.a.r@gmail.com, etc. are the same account.
2. "+"-aliases (Source: https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html): If you verified foobar@gmail.com the following (and more) email addresses belong to the same account: foobar+baz@gmail.com, foo.bar+anything@gmail.com, f.o.o.b.a.r+somanyaliases@gmail.com, etc.
So basically, IF it's a gmail address:
1. Take verified email address: foo.bar+1passwordverfied@gmail.com
2. sed 's/+.*@gmail\.com$//; s/\.//g' => this will yield the unique identifier for the google account
3. If an email address matches, check and include it in the breach report
This is what I know and found about the google aliases. It would be great if you could include them in the breach report.
0 -
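The Gmail alias matching proposed in the post above, as an added example that is not part of the original thread and not 1Password's code. It goes slightly beyond the post's sed one-liner: it also handles addresses without a "+" tag, and it refuses to extend a verified address to anything whose domain is not exactly gmail.com. The function names `gmail_key`, `aliases_of` and `sample_logins` are hypothetical, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: collapse Gmail aliases to one account key (names are hypothetical).

# gmail_key ADDRESS: print the account key, or fail for anything that is not
# exactly one local part followed by @gmail.com.
gmail_key() (
  # Assumption beyond the post's two rules: compare case-insensitively.
  addr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$addr" in
    *@*@*) exit 1 ;;        # more than one "@": malformed
    *@gmail.com) ;;         # domain must end the string, so gmail.com.example.net fails
    *) exit 1 ;;            # other providers: dots and "+" may name different mailboxes
  esac
  key=${addr%@gmail.com}
  key=${key%%+*}                              # rule 2: drop "+anything"
  key=$(printf '%s' "$key" | tr -d '.')       # rule 1: dots don't matter
  [ -n "$key" ] || exit 1
  printf '%s\n' "$key"
)

# aliases_of VERIFIED: read candidate addresses on stdin, print those that
# resolve to the same Gmail account as the already verified address.
aliases_of() (
  want=$(gmail_key "$1") || exit 1
  while IFS= read -r line; do
    got=$(gmail_key "$line") || continue
    if [ "$got" = "$want" ]; then printf '%s\n' "$line"; fi
  done
)

# Constructed sample of addresses pulled from saved logins.
sample_logins() {
  cat <<'EOF'
foobar@gmail.com
F.o.o.b.a.r+shop@GMAIL.com
foo.bar@example.com
foobar2@gmail.com
foobar+x@gmail.com.example.net
EOF
}

sample_logins | aliases_of 'foo.bar+1passwordverfied@gmail.com'
```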
Please allow 1Password to track multiple email addresses in watchtower.
We understand the potential for abuse but there is a way to implement this securely if the user is required to verify each email address before it gets tracked.
We need this feature. Dashlane has it, you can do it too.
Thank you
0 -
Thank you for the feedback as well, noted! :+1:
0