Forum Discussion
earthsaver
Occasional Contributor, 3 months ago
1Password Account marked Vulnerable
I recently ran a workshop to help Mac users get savvy with 1Password. Among 9 participants, after enabling Check for vulnerable passwords in the app's Privacy settings, at least 2 found that their 1Password Account record was marked as vulnerable. This seemed really odd to me.
Additionally, working one-on-one with one of these users after the workshop, she changed her account password and found that the item was still listed as vulnerable. This was after the app updated to the latest version (as of 8 July 2025).
Is there a bug in the app that can cause 1Password Account records to appear in the Vulnerable Passwords listing of Watchtower?
4 Replies
- AJCxZ0Bronze Expert
You can check the old, new and any other password to see if it has been breached directly with Have I Been Pwned's Pwned Passwords. The result should match what you see in Watchtower.
This is one of the extremely rare cases in which putting a password into a web form is safe and proper. Of course you should not trust me on this, but rely on the information about the k-anonymity process used and Troy Hunt's reputation and relationship with 1Password.
- 1P_Timothy
Community Manager
Hi earthsaver, thanks for writing in! That sounds like a great workshop.
I'm not aware of a bug causing passwords to be erroneously flagged as vulnerable. Were your participants seeing this in 1Password for Mac, the 1Password extension, on 1Password.com, or somewhere else? I'd also like to ask to confirm if you're referring specifically to the "Vulnerable password" banner (example below) and not another Watchtower alert category?
Without revealing any specifics about the passwords in question, could you share any more details about why it seemed odd that these passwords were marked as Vulnerable?
Thanks again!
- earthsaver (Occasional Contributor)
Thanks for your response, Timothy! My participants experienced this in 1Password for Mac. I encouraged them to enable the check for vulnerable passwords and they immediately found their 1Password Account item listed in this Watchtower category.
One disabled and reenabled the setting and found the item disappeared from the list. The other's record remained in the list. The first oddity for this user is that they never used this password for anything else nor shared it with anyone. Further, though, they changed their account password to something else unique and still the record appeared in the Vulnerable list.
- 1P_Timothy
Community Manager
Thanks for sharing those details earthsaver!
Even if a password is only used as an account password, and hasn't been shared, it could still appear in a breach if it was somewhat generic. For example, if a participant was a fan of space travel and chose the password rockettothemoon they would find it was vulnerable (appearing in 104 breaches according to Have I Been Pwned) even if that's the only place they used it.
If it was still showing as vulnerable after updating to something unique that our password generator might create, such as abrupt-vita-starve-bouquet, that would suggest to me something may not be working as expected on our end.
This sort of behaviour can be difficult to diagnose second hand. We would be happy to help both participants if they're interested in getting in contact with our team. They can open a ticket with our chatbot, or email support@1password.com with a description of the issue.
Let us know what you think, and thanks again!
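The k-anonymity range lookup that AJCxZ's reply refers to, and the breach count in 1P_Timothy's reply, as an added example that is not part of the thread and not 1Password's or Have I Been Pwned's code. It shows both sides of the exchange: the client hashes locally and sends only a 5-character SHA-1 prefix, then matches the returned suffixes itself. `fake_range_service` and `SAMPLE_CORPUS` are constructed stand-ins for the live range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), so the block runs offline.

```python
import hashlib

# Constructed stand-in for the breach corpus: password -> times seen.
# 104 is the figure quoted in the thread; nothing here is live data.
SAMPLE_CORPUS = {"rockettothemoon": 104, "password": 3}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form used in SUFFIX:COUNT range responses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_service(prefix: str) -> str:
    """Server side (hypothetical stub): sees only a 5-character hash prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    lines = []
    for pw, count in SAMPLE_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix.upper()):
            lines.append(f"{digest[5:]}:{count}")
    # Constructed decoy standing in for unrelated hashes in the same bucket.
    lines.append(f"{'0' * 35}:7")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=fake_range_service, sent=None) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    if sent is not None:
        sent.append(prefix)  # record exactly what left the client
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # suffix not in the returned bucket: not flagged


if __name__ == "__main__":
    wire = []
    for pw in ("rockettothemoon", "abrupt-vita-starve-bouquet"):
        print(pw, "->", breach_count(pw, sent=wire))
    print("sent to service:", wire)
```

A password counts as vulnerable only when its full hash suffix appears in the returned bucket, which is why a fresh generator-style passphrase that still shows as flagged points to something other than the lookup itself.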