1Password Watchtower Mac App Integration (agilebits.com)
34 points by ryanseys on May 1, 2014 | hide | past | favorite | 33 comments


Do you know what would be amazing?

The ability to change all vulnerable passwords, automatically as a group.

I know it's very challenging because password change/reset procedures vary widely, but that part of the process is still manual. 1Password already automates logins almost entirely successfully. Perhaps password changing can be automated as well?

If it were robustly automated, you could easily rotate your passwords once a month, with very little fuss, for example.

This is really something that authentication schemes could benefit from supporting an automated API for.

Good work on the service. I suspect that Heartbleed was the current use case, but this service will be very helpful for future breaches and issues. For example, they could alert you that XYZ Service had a data breach, it's fixed, and you should rotate your password.

Great work.


[I work for AgileBits, makers of 1Password]

Thanks for the feedback!

Filling into sites and gathering the necessary information for this I think is far easier than determining how a password change takes place. We have an algorithm that we've developed over years that is constantly changing in subtle (and not so subtle) ways to make filling more accurate. Some of the biggest changes in a long time will be coming in the 4.2 version of the browser extension, currently in beta.

But you're right, sites and their password change processes differ greatly. Some require the old password, some require only the new password. Some only require the new password once (admittedly rare).

I think at best though we'd only be able to do this if we went to the password change page for the site and attempted to fill the data in for changing the password. There's no way we could bulk update as that would probably require we hard code each individual site rather than relying on an algorithm for filling data into the site.

It's a tricky thing, but we're always trying to come up with new ideas and ways to accomplish those ideas.

Heartbleed was the first use case for Watchtower, but you're correct in that it'll be available for other situations as well. Now that the foundation is there we can leverage it for other issues in the future.

Thanks again for the wonderful feedback!

Kyle

AgileBits


> Filling into sites and gathering the necessary information for this I think is far easier than determining how a password change takes place.

Maybe start talking it out with browser developers and big websites stuff so there's a way to standardise an endpoint or in-page meta-information allowing for automated password reset?


This could be a real win. If there was a way of marking a standardized form with some meta data or tags to say "hey, this is safe to use automatically in the expected way" such as the typical form with old > new > repeat new or something. One little HTML change and it advertises compatibility.

That way, classy sites could enable a 'safe enough/good enough' flag that any software could use.

There is also the thought that it may be worth hard-coding for the biggest sites. The high profile sites are the most vulnerable when a vulnerability hits, there are big existing databases of user names around, and these can be exploited automatically and quickly on relatively high value targets (gmail accounts, amazon, facebook, twitter etc). Even top 10 would be helpful, but top 100 seems approachable, especially since the bigger sites are probably more consistent. The payoff here could be big next time around.

Also, if the framework were around for doing this, you could target a particular site or three that just had a major breach, and push the rules for reset out with the breach notification.

I know it's a huge amount of work to do manually, but even a relatively focused effort could have payoffs, and if working with big sites can start an 'automated password reset' standard rolling, others might adopt it.

Just thinking out loud, I know you've got to juggle priorities and features with limited time.

Thanks again!


Are you guys ever thinking of a Linux version :(


Thinking about it? Sure. We've had a lot of requests for it.

It's a pretty big job to write a whole new version of the application. It's also a big question of whether we'd sell enough copies to maintain it. Traditionally Linux users haven't been big on purchasing software, particularly closed source software. I'm not sure how much this has changed; if anyone has some real solid stats on it I would love to see them. I was once a Linux user (started on Red Hat 4, but fell in love with Debian) so I know what the past was like, but have been out of the Linux world for long enough to be unable to know how things have changed in this regard.

Either way though, I don't have any pull on this, but I can pass the request along. I think we (AgileBits) would all love to see 1Password on more platforms. It's just a bit of a careful process to go through. We hear the requests for Linux loud and clear. If it's something you want, please let us know. Include any thoughts for how you'd use it and what you envision it being. It's far easier to take to the powers that be ideas and thoughts than just requests.

Now though, the fun part is that the current Windows beta (version 4) will work in WINE and I do hear from users that the browser extensions will also function using the beta. Obviously this isn't an ideal solution but it might hold you over well enough.

If you'd like to try the beta, you're welcome to sign up here:

https://agilebits.com/beta_signups/winnewsletter.html

Let me know if that helps!

Kyle

AgileBits


I'm afraid I don't actually know any numbers on Linux users' willingness to buy software, but I am aware of the reputation that Linux users generally prefer their ecosystem of free apps.

However, I bet that many Linux users are also Windows or OS X users, and if a password manager is to be effective, it has to be omnipresent. That's why I have begrudgingly paid for LastPass, while my dual Windows / OS X license for 1Password 4 has sat unused. I tried for a while, but I couldn't stand the gap in coverage.

So I narrowed it down to RoboForm and LastPass, and I chose the latter because it seemed more popular and I hoped that would predict company longevity. Because as nice as lifetime licenses are, once software is no longer supported, esp. for things like intelligent form-filling, chances are you won't want to use your software anymore.


I can totally respect that decision. I'll pass the request along to the developers. I can't promise anything but hopefully it's something we can consider in the future. It's certainly not something that will pop up next week though :) For a native Linux application we would pretty much have to rewrite the entirety of the application specifically for Linux, save the extensions.

Thanks for the great feedback though! Hopefully you'll get what you want in the future.

Kyle

AgileBits


Well, maybe you should try a Kickstarter campaign and see how it goes... I'm sure you have to invest a bit to create a video and all, but I'm sure it will be a successful campaign.


I wish that affected sites would simply reset my password themselves, internally, and then inform me when I visit the site that I need to use the 'Forgot Password' function to reset my password.

As it stands, they get to say they're patched while I remain vulnerable, and now it's my fault if my account is compromised if I don't get around to resetting my password (or they're a site I visited once, years ago, and forgot all about).

Simply updating OpenSSL without fixing passwords just shifts the onus to the users.


That's a tough call, especially for small companies. There are very real support expenses (not every app or its users have SaaS-like support requirements) that don't make this an easy call.


As a half-way step, they could aggregate and normalize the various stupid rules that sites impose and then automatically generate valid, maximally secure passwords by default. Eventually, 1Password (or similar) could handle e.g. changing them all on a given schedule. I already try to have no passwords older than three months, and it's a PITA.


Problem: Aggregation and normalization might result in an empty set as contradictory rules prevent harmonization.


I think the parent comment is saying that 1Password would record the rules per site, not maintain a global list of rules that satisfies all sites. The latter would indeed yield an empty set, as some sites require a special character and some require no special characters.


Yes, exactly; for each site that 1Pwd can recognize as distinct, record the restrictions. Even share these restrictions. And perhaps people could put attributes on their password entry elements (or header metadata) that would describe the limitations of their password systems, so it wouldn't be specific to any one password manager; then, too, they could retire their terrible, terrible, terrible client-side strength checking crap.
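One way to make the per-site idea concrete: record each site's restrictions separately, generate the longest password the site accepts, and show that forcing a single global rule set out of contradictory sites yields nothing. This is an added illustration, not 1Password code; the policy fields, the `.test` sites and the special-character set are constructed assumptions.

```python
import secrets
import string
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*"

# Constructed per-site rules; "special" is one of required / forbidden / optional.
POLICIES = {
    "bank.test":  {"min_length": 8,  "max_length": 16, "special": "required"},
    "forum.test": {"min_length": 12, "max_length": 64, "special": "forbidden"},
}

def allowed_classes(policy):
    classes = [LOWER, UPPER, DIGITS]
    return classes + [SPECIAL] if policy["special"] != "forbidden" else classes

def satisfiable(policy):
    # Empty set if the bounds cross or the maximum can't hold one char per mandatory class.
    needed = 4 if policy["special"] == "required" else 3
    return policy["min_length"] <= policy["max_length"] and policy["max_length"] >= needed

def satisfies(password, policy):
    alphabet = "".join(allowed_classes(policy))
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False
    if any(c not in alphabet for c in password):          # a forbidden class was used
        return False
    if policy["special"] == "required" and not any(c in SPECIAL for c in password):
        return False
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS))

def generate(site, policies):
    """Longest password the site accepts, with one char from every allowed class."""
    policy = policies[site]
    if not satisfiable(policy):
        raise ValueError(f"{site}: contradictory policy, no password can satisfy it")
    classes = allowed_classes(policy)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(policy["max_length"] - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def merge(a, b):
    """One global policy for both sites, or None when they contradict (the 'empty set')."""
    if {a["special"], b["special"]} == {"required", "forbidden"}:
        return None
    merged = {"min_length": max(a["min_length"], b["min_length"]),
              "max_length": min(a["max_length"], b["max_length"]),
              "special": a["special"] if a["special"] != "optional" else b["special"]}
    return merged if satisfiable(merged) else None
```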


This is a neat integration by 1Password! 1Password is probably my favorite Mac/iPhone app that I use. Their product is always top notch. Great work guys!


[I work for Agilebits, makers of 1Password]

Thanks for the positive feedback! It really does mean a lot to us to hear that our users are happy.

We have more fun things to unveil in future versions so keep your eyes peeled for more down the road.

The really neat thing about Watchtower is that we don't send customer data out in order to tell them that their password needs to be changed (or that the site is still vulnerable). We download a database to the user's computer and the data in the user's database is checked against that.

If you ever have any questions, comments, or suggestions please let us know!

Kyle

AgileBits
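The design described above, downloading a vulnerability list and matching the vault against it locally so no customer data leaves the machine, sketched as an added example (not AgileBits' code; the record formats, the `.test` domains and the dates are constructed):

```python
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in for the downloaded vulnerability database.
# "patched" is the date the site fixed the issue; None means still vulnerable.
WATCHTOWER_DB = {
    "example-shop.test": {"cve": "CVE-2014-0160", "patched": date(2014, 4, 10)},
    "forum.test":        {"cve": "CVE-2014-0160", "patched": None},
}

# Constructed stand-in for the user's local vault; it is never uploaded.
VAULT = [
    {"title": "Shop", "url": "https://www.example-shop.test/login", "password_changed": date(2014, 4, 12)},
    {"title": "Old shop login", "url": "https://example-shop.test/account", "password_changed": date(2013, 1, 1)},
    {"title": "Forum", "url": "http://forum.test/", "password_changed": date(2014, 4, 20)},
    {"title": "Bank", "url": "https://bank.test/", "password_changed": date(2013, 6, 1)},
]

def registrable_domain(url):
    """Crude host normalisation (strip a leading 'www.'); enough for the sample data."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def assess(item, db):
    """Return 'ok', 'still_vulnerable' or 'change_password' for one vault item."""
    entry = db.get(registrable_domain(item["url"]))
    if entry is None:
        return "ok"
    if entry["patched"] is None:
        # Changing now would expose the new password too; wait for the fix.
        return "still_vulnerable"
    if item["password_changed"] < entry["patched"]:
        # Password was set while the site was exposed, so it may have leaked.
        return "change_password"
    return "ok"

def watchtower_report(vault, db):
    """Everything is computed locally; only `db` was fetched over the network."""
    return {item["title"]: assess(item, db) for item in vault}
```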


How do you get around the lack of bookmarks in the 1Password browser for iOS?


[I work for AgileBits, makers of 1Password]

You could use the Favorites section. I favorite my most frequently used sites and use that for most logins that I access often.

Would that work? If you have a particular use case that you can run me through that would be wonderful.

Also, user gwkoehler, currently above me in this thread, suggests the ophttp:// and ophttps:// in front of URLs to open in 1Password. There is a bookmarklet for this here:

http://www.macstories.net/links/1password-4-1/

Kyle

AgileBits


My wife bookmarks like a dozen Tumblr pages, Reddit posts, fanfic stories, random websites a day on her iPhone and then reads them in bed on her iPad at the end of the day. She's not really tech savvy so I've got her using Chrome which syncs them up to all of our devices: 2 iPads, 2 iPhones, a PC that boots OS X and Windows, and a Nook. She can pick up any device and her bookmarks are there. It would be difficult to get her to give up that functionality or have to switch browsers depending on what site she's on. Even the bookmarklet that switches you to 1Password isn't intuitive. I wish 1Password would manage bookmarks and sync them between devices like Chrome does.


Thanks for this information!

I'll take this feedback and see if there's anything we can do in future updates to try to come up with a solution.

I can't make any promises, but I'm sure you're not the only one with a similar type of use case. That said though, I don't think we'll be able to integrate with Chrome Sync, pretty sure that's closed up pretty tight.

Personally, one of the things I'd love to see is the ability to save a page to Pinboard, which is what I use for bookmarks that I want to read later or reference later. Not sure if that would be of any real use for you though.

Thanks!

Kyle

AgileBits


My method: use mobile Safari, and when I need to log in, put "op" in front of the URL (so it looks like "ophttp://" or "ophttps://"). Press Enter; this launches 1Password and points its browser at the URL, ready to autofill.


Great tip, thanks for this.


My personal solution is to use https://pinboard.in for all of my bookmarks.

The thing this doesn't provide me is bookmarks (such as banking, servers, etc.) that I need to keep more secure than a public site (even with privacy settings). However, most of these types of items are saved in 1Password.


I often just copy and paste the passwords from 1Password into Chrome for iOS. Chrome sync is the one feature that prevents me from using 1Password's iOS browser for anything but the most casual use.

Now if AgileBits could figure out a way to integrate with Chrome Sync, that would be something...


Do you mean strictly for bookmarks?

I'm not sure how feasible this is, having never looked into it, but I can certainly pass this along as an idea if you can confirm the request for only bookmarks. Again, no promises because it might be locked down pretty heavily.

Kyle

AgileBits


No, not bookmark syncing (although that is something that is included in the Chrome Sync service). I mean syncing the open tabs across devices[1].

I use iOS Chrome over Safari (and 1PW Browser) exclusively for this feature. Any tab I have open on my desktop is synced to the cloud and available to access from my iOS devices. Any tabs open on my iPhone are also available from my Desktop copy of Chrome.

So yes, similar to bookmarks -- but for currently open tabs.

https://support.google.com/chrome/answer/2591582?hl=en


AGKyle:

Since the update, I've spent the majority of the day updating zillions of passwords. As other users have mentioned, bulk updates would be amazing, but I can't imagine how complex that would be. Even trying to "open and fill" is frequently wrong because 1Password has saved the webpage as the new user registration page instead of a true login. Small pain for the amazing product you have.

I would recommend one thing very highly. Please give the user some information why there is a vulnerability. I've noted some of them are marked from previous large user/pass dumps that are available. If the user knows this, she will know to never use that user/pass combo again. If the user is unaware, they may rotate to another common user/pass that has also been released.

Thanks for considering my thoughts...


Hi davak!

We've made some improvements to the new user signup form end of the spectrum in the latest beta version of our extension. You can install the beta by visiting the page below:

http://www.agilebits.com/browsers/index.html

Make sure you click "Enable Betas" below the Download button before installing. This should improve things quite a bit in most cases. If you run into any sites with issues please email us with the URL so we can test (support at agile bits . com). If we don't know about the site having problems we can't fix it.

If you're viewing a login that has a known vulnerability, you see a red bar at the top that says:

"Vulnerability Alert - Change Password..."

If you click this, it shows a popover, that popover displays a bit more detail with a "Learn More" link. That sends you to the Watchtower site with a lot more detail about why and what to do next.

I suppose we could be better here and tag it differently saying it was part of heartbleed, but not all vulnerabilities will have such a memorable name (CVE-2014-0160 is hardly memorable, agreed?)

Does that explain things a little more?

Please let me know if you have any trouble with the beta extension, too.

Thanks!

Kyle

AgileBits


Kyle,

Are there any plans to update the Android version of the app? I love 1Password on my Mac, but on my Nexus 5, the experience sucks! Anything in the pipeline on that? Or is AgileBits just focused on OS X/iOS for now?

Thanks!


Hi!

Absolutely, we've posted a bit about it on our blog:

http://blog.agilebits.com/2013/11/15/1password-4-for-android...

The beta is coming along nicely, you can still sign up for the beta if you wish to try it out.

Let me know if I can do anything else to answer any of your questions or concerns.

Kyle

AgileBits


For months, autofilling hasn't worked on Mac. Neither on stable, nor on development releases. Firefox and Chrome complain about the browser signature.


Sorry to hear you're having trouble.

Please email in to support @ agile bits . com, and mention my name please and that I asked you to email in. I'll get this all fixed up for you. Give a brief description of the error to jog my memory.

Kyle

AgileBits



