Feature: Weak Passwords

Hi anthony0030:

Thanks for your input! I've added your feedback to the discussions my colleagues mentioned above. We wouldn't be here without feedback from customers like you, so thank you again!

Jack

I have the same problem.
Our ISP's routers here in Greece fail easily.
Our ISP ships us a new one and the username and password is underneath you plug them in and they get the settings automatically.
It is hard to guess the password on them. I want a way to ignore them, so when I see there is a problem with the watchtower I know it is something serious and not my router passwords because over time I have become blind to the warnings. Also, some passwords that are for PPPoE get set by the ISP and can't be changed by the end-user.

Thanks for taking the time to add your voice to this issue @GHB 💌

Hi, I'd just to add to the desire to be able to exclude Watchtower warnings related for weak passwords, indeed I've some where I'm not able to use something as strong as I would like but if these populate the list in Watchtower it makes me kind a skip the list and that way I might miss an unintentionally weak password. So it would be very welcome to have the option as suggested above by Former Member: "The only viable way I see is the ability to manually flag a weak password as "risk accepted for weak password" and make it vanish from Watchtower if flagged as this. "

Thank you for the suggestion @palpie :+1:

I have the garage code at my work as a warning, and some other places where I can't change the password.

It's possible to hide 2FA notice by tagging with "2fa". The same method could be used to hide warnings for weak passwords.

Thanks so much for sharing your perspective, Former Member! You raise a really good point - 1Password doesn't know the particulars or implications of the data it has stored (beyond locally comparing URLs against a compromised website database). It's because of these varied circumstances and use-cases that something like Watchtower warnings need to be well thought-out and, as Peter put it, "accurate, actionable, and salient". Thanks again for sharing! :smile:

I work for a worldwide company, and its worldwide company intranet, running with 10.x.y.y addresses, is operated with roughly the same security policy as you would have for internet hosts. With other words: it is mandatory hosts within the intranet must be as secure as if they were directly exposed to the internet. The intranet is considered only a bit less hostile than the internet itself, it' not considered as friendly and secure.

So passwords used within the private network range must be as strong as passwords that are used for internet hosts.
Another thing against excluding private network ranges from password checking: 1Password cannot know if a host is accessible from the internet with NAT or port forwarding. The same host you can connect to as 10.10.10.10 might be accessible from a public IP if this is configured on some NAT router exposed to the internet, so it's ok if weak passwords are reported.

The only viable way I see is the ability to manually flag a weak password as "risk accepted for weak password" and make it vanish from Watchtower if flagged as this. I assume such functionality has not been added until now, because some people would just flag all their weak passwords to make them going away as alert without actually realizing the risk. In my opinion, this is too much care and attempt to protect the user from himself.

Hi @xotan ,

This is an interesting idea, and it raises questions we care a lot about!

Regarding the network: should you be able to exclude items that fall within a private IP space? What if an organization that uses similar private IP ranges has high security requirements, or operates on a zero-trust model? My feeling is that delineating that kind of thing in Watchtower specifically might do more harm than good.

However, I can see an argument for being able to disable Watchtower alerts for certain passwords you choose, though. For example, some websites actually (sigh) require weak passwords, and some devices require short PINs, which in all other contexts would be considered weak and something you want to change ASAP. What to do about this?

This is very much an ongoing conversation here. Maybe the best long-term answer is to allow a user to manually specify which alerts they want to disable, and for how long. Or maybe it's better not to allow that kind of option at all, because if someone's bank requires a weak password, 1Password can help by at least reminding you that that's a point of vulnerability.

Ultimately, we want the Watchtower alerts to be accurate, actionable, and salient - and we 100% welcome your input (and the community's) on what that might look like as we go forward.

Thanks for opening up this discussion. I'll be very interested to hear what more you and others here have to say on the topic!