Watch Tower functionality

To elaborate on @gazu's excellent advice above, @harish_ravikumar, what this ultimately means is that at some point in time, this particular password has been found as part of a data breach. It doesn't mean your account has been compromised, just that the password is out there in the world which necessarily makes it more vulnerable. As gazu said, there are only so many numeric combinations out there, so statistically, most of them probably are vulnerable and there's not going to be anything you can do about that. That stinks for sure, and the real root problem isn't you – it's those sites that think numeric passwords are a good idea – but sometimes that's the world we live in and we've just gotta cope until they figure things out.

With that said, I have a few items like this myself and I actually like that they're flagged. It reminds me that this is an account I need to pay special attention to because it is more vulnerable to being broken into. When I do my rounds to deal with any new Watchtower warnings, I also check my account activity on sites where I'm not able to secure that password. That way, I am keeping a constant eye out for anything suspicious and can react quickly if something is amiss.

Finally, if you'd like to learn more about the Watchtower warnings, we cover them all here: https://support.1password.com/watchtower/

@harish_ravikumar:

This is a tricky feature to add, as we don't want to encourage having weak passwords everywhere and then dismissing Watchtower warnings. We will pass your suggestions to our team and we will have further discussion. Thank you again! :+1:

++
Greg

The concern is the same, @harish_ravikumar – making it too easy to dismiss these warnings can encourage them being ignored, even when folks are able to act on the warnings. That said, we're fully conscious of the fact that there are cases where you cannot do anything to correct a vulnerable password, and are certainly open to options to tidy things up in such cases.

Also, although this is definitely a matter of opinion, I would argue that banks absolutely will listen to requests from their customers to allow stronger passwords. This may well vary from country to country, but here in the U.S., we have myriad options for banking that allow us greater password freedom and if customers take their business elsewhere as a result of poor security choices by a bank they will take that into account. It may not immediately translate into change and there may not be enough who care just yet to have any meaningful impact on their business, but we need to start somewhere and there's value in having your voice heard. With strong 2FA, you may correct that the danger of using a weak password is lessened, but some forms of 2FA (like SMS) aren't as great an extra layer as many think. They're better than nothing by far, but SIM swapping – an attack where someone asks your carrier for a new SIM card to be attached to your phone number – is becoming increasingly common. We humans are often the weak link in any system and, unfortunately, bad actors have been able to exploit humans at cell carriers to essentially bypass the protections 2FA provides. This isn't to say 2FA is bad – it's good and you should use it – but I would still say a strong password is an important component for any account, where possible. It's one of the two factors, after all, and you're always better off if both are strong.

Of course, we're all going to make our decisions based upon our own threat model, and I'm certainly not going to expect everyone's to be the same as my own. There are folks who are going to be less paranoid than I and those that will take my paranoia to another level entirely and that's fine. But my advice (and 1Password's generally) is always going to be to use a different strong password for each site that hasn't been compromised in the past, with 2FA where available. Doing so will ensure your account is as safe as it can be under all circumstances. :+1: