Please support searching for multiple compromised email addresses

2»

Comments

  • AventuraViper
    AventuraViper
    Community Member

    @Ben Ah I see. Sorry, I had interpreted your comment slightly differently.

    You could probably cover a high percentage by allowing gmail, hotmail/outlook (I couldn't find the offical support document about it with a quick search) and protonmail domains though.

  • Indeed. :) Hopefully that is something we can consider as we continue to build out Watchtower.

    Ben

  • XIII
    XIII
    Community Member

    If you do, please add FastMail to that mix.

  • :+1:

    Ben

  • Old_Bonezee
    Old_Bonezee
    Community Member

    You could always allow users to add additional email addresses for Watchtower checking, ensuring that ownership is correctly verified for each email address. Of course, you would still want to allow 1Password login with only the Primary email address.

  • Old_Bonezee
    Old_Bonezee
    Community Member

    You could always allow users to add additional email addresses for Watchtower checking, ensuring that ownership is correctly verified for each email address. Of course, you would still want to allow 1Password login with only the Primary email address.

  • AGAlumB
    AGAlumB
    1Password Alumni

    It's certainly a possibility. :)

  • Syphdias
    Syphdias
    Community Member

    Hi, any update on this? I have over 100 unique emails (~127 with some false positives) and it's quite a pain to manually copy them to the website once let alone check it every few months. I'd be perfectly willing to click on a hundred(/hundreds of) confirm links in my inboxes.

    I'd even be happy with a boolean telling me if I should manually check a certain email with no additional information. Just a list with "bad" addresses and then I can go investigate for myself.

  • Hi @Syphdias

    It isn't something that is currently on the radar, but we'll continue to gather feedback on the subject.

    Ben

  • Smigit
    Smigit
    Community Member

    Agreed that this feature is needed badly. Dashlane has it, you just need to verify each email you add. You could make it nice and easy by pooling emails from logins and allowing users to verify unique ones. Lack of support for multiple email addresses renders this feature that can be insanely useful almost useless for many people. 98% of my logins are using a different email to my 1Password account.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for your feedback on this as well @Smigit, noted :+1:

  • Smigit
    Smigit
    Community Member
    edited July 2020

    Thanks @ag_ana

    Shortly after my last comment I came across https://monitor.firefox.com. It actually 100% does what I'm after so that's a bonus as I can use that to get the coverage I'm after. It's Mozillas take on this offering and also uses the HaveIBeenPwnd database, but allows multiple email accounts to be enrolled which once verified (via email link to the account) can be tracked ongoing. Also allows per account 'resolving' of breaches, including managing each account individually if multiple enrolled accounts were exposed in the same breach. Awesome. Not sure it it helps the people using heavy +SOMETHING aliasing in email addresses on a per service basis given HaveIBeenPwned doesn't seem to support that, but for me where I have half a dozen email addresses I want to track it's great. Hopefully it can help others who use a different email address in 1Password to what they use to track those addresses, as well as give a bit of a template as to how WatchTower could manage it in a future update.

    I know the rational for how it is right now may be that the majority of customers use a single email address. I just want to throw out two use cases that accounts for some of my different email addresses that I think would impact many customers

    1) I have a work issued email that I don't use for personal activities, but none the less in 8+ years of having that address it has accumulated usage with other work related services be it supplier billing systems or accreditation sites and the like. In many cases a lot of that informations just business info, but in some cases there will be personal information tied to those accounts that are linked to the email address. I definitely like to know if that work email account was caught up in any breaches even if its not my day to day personal one.

    Some businesses will have IT teams managing this, but not all businesses will be and they may not be as responsive as would be ideal, or perhaps less attentive to issues that don't impact the company itself.

    2) I'm guessing many peoples current email address is not their first, and they have an old @hotmail or whatever laying around. Being able to add old accounts (although they may need to be active still if you want to mandate verification), can potentially surface a bunch or services people haven't used in a decade plus and weren't across any breaches, especially if the old email address isn't monitored any more. Chances are payment details etc have expired if we're talking services people haven't used in ages, but again there may be forgotten accounts with personal information that can be an identity risk people will want to try and secure. Using the https://monitor.firefox.com brought in 2 or 3 results I'd completely forgotten about for example for accounts I didn't even have in 1Password because they predate my use of password managers.

    Just throwing that all out there as something that works for me, and two scenarios I think would apply to many that fuels my own desire or need to track multiple addresses, besides the fact I'm in that fringe group that doesn't use their primary email for a lot of e-commerce sites which also creates an issue with Watchtower.

  • ag_ana
    ag_ana
    1Password Alumni

    @Smigit:

    Thank you for the additional information! This will certainly be useful while we continue to evaluate how to move forward :+1:

  • Syphdias
    Syphdias
    Community Member

    Hi, I still need this feature.

    I tried https://monitor.firefox.com but it is limited to 5 email addresses from what I can tell. There is a workaround for that, but not a feasible one for me: request more than 5 emails before verifying, then verify them all at once. This would mean I need to remove all of my email addresses every time I want to add one. That this works at all is probably a bug and might get fixed in the future.

    So I'd like to ask again for this feature. Please allow – at least for gmail.com – aliases to be scanned by the breach report. There are two ways of aliases with google:
    1. "dot don't matter" (Source: https://support.google.com/mail/answer/7436150): If you verified foobar@gmail.com you can safely assume foo.bar@gmail.com, f.o.o.b.a.r@gmail.com, etc. are the same account.
    2. "+"-aliases (Source: https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html): If you verified foobar@gmail.com the following (and more) email address belong to the same account: foobar+baz@gmail.com, foo.bar+anything@gmail.com, f.o.o.b.a.r+somanyaliases@gmail.com, etc.

    So basically, IF it's a gmail address:
    1. Take verified email address: foo.bar+1passwordverfied@gmail.com
    2. sed 's/+.*@gmail.;com$//; s/.//g' => this will yield the unique identifier for the google account
    3. If an email address matches, check and include it in the breach report

    This is what I know and found about the google aliases. It would be great if you could include them in the breach report

  • HyperV
    HyperV
    Community Member

    Please allow 1Password to track multiple email addresses in watchtower.
    We understand the potential for abuse but there is a way to implement this securely if the user is required to verify each email address before it gets tracked.
    We need this feature. Dashlane has it, you can do it too.
    Thank you

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the feedback as well, noted! :+1:

This discussion has been closed.