Weak passwords for Mac don't match on Windows
Windows: 7.0.558 - Windows 10
Mac: 7.0.4 - High Sierra
I've noticed that under Watchtower the for the Mac App and the Windows App are different in that the Windows app will show the weak passwords while the Mac app will not. Not a huge deal, kind of like it as the Mac app doesn't show the weak passwords which are just pins or gate codes anyways, but it does make worry that if the rest of the Watchtower works at all.
Unsecured web logins and inactive 2FA work fine though.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi again @Zoup, I have some updates regarding the issue you reported. It turns out that the mismatches for Weak Passwords are due to a change in our password strength calculation method. It will be fixed in a future release.
Although the Weak Passwords fix did not make it into this release (it requires extensive refactoring), we have made a number of improvements to Watchtower in v7.1 for Windows. It was just released and you can download it here: https://app-updates.agilebits.com/product_history/OPW6#latest or check for updates in the app itself.
0 -
Just a quick note to say that this inconsistency remains.
Like the OP the difference is Windows 1P is flagging 4 digit PINs as weak, whereas macOS 1P is smart enough to realize they are PINs and so doesn't flag them. I am running the latest published releases on both platforms.
Dave Ings
0 -
If your Login item does not have a website value and the password is all digits and 6 or less characters, @ings, it is then considered a PIN code and should be skipped by the weak password check. I double-checked myself and 1Password for Windows appears to be handling this properly in the current version. I do have a vague memory of 1Password for Mac actually messing up in the opposite direction for a bit, but I've not been able to find the issue covering that to confirm. It would exclude 6 or less characters all digit passwords even if the item did have a website field. These should be included in weak passwords. Yes, sometimes websites essentially require you to have a weak password by restricting you to what amounts to a PIN code, but the fact remains that the password used is weak and is subject to all of the same risks a more traditional weak password is. Watchtower's job is to alert you to these risks so to skip flagging such a weak would be shirking its duties.
So, in short, if this Login item does have a website entered in the website field, then it should be flagged. If it doesn't, then it should be skipped. It sounds to me like either Mac or Windows is doing something wrong here, regardless, so if you could let me know which you see misbehaving, I'll be sure to give it a test and pass along my findings so it can get fixed up. :+1:
0 -
Hi @bundtkate
Your diagnosis was spot on. It appears macOS 1P is misbehaving, as it is not flagging the entry as weak when a website is present.
Thanks.
0
