
More Watchtower, still no watching

There are some great new features in the 1Password for iOS 6.2 update that hit the App Store last week. One of them is that we’ve added Watchtower (a feature that has been available on Mac and Windows for some time now) to 1Password for iOS.

Watchtower warns you if a site or service has been compromised in a way that would make it a good idea for you to change your password for that site. Watchtower in 1Password looks at the most recent time a password change was recommended for a site and it looks at the time that your password for an item was last modified. If, like Molly (one of my dogs), you haven’t updated your Adobe password since the 2014 breach, you might see something like this:

[Screenshot: Watchtower warning in 1Password on iPhone. Molly hasn’t changed her Adobe password since the breach a couple of years back.]

Preserving your privacy

I want to talk about a far less visible feature of Watchtower: We’ve added Watchtower support in a way that still preserves your privacy. We don’t want to know what sites and services you have in your 1Password vaults, so when 1Password checks to see if one of your Logins is listed in Watchtower, it does not make a query to our servers asking about it.

[Screenshot: Turning on Watchtower in iOS. “Your website information is never transmitted to the 1Password Watchtower service.”]

Querying Watchtower without querying you

Our Watchtower people are continually watching reports of site breaches and updating our database of such sites regularly. This is how 1Password knows that a password change is recommended for some site.

The “obvious” way for 1Password on your computer (and now iOS device) to alert you would be to go through your 1Password items and ask our database on some server about the status of those items. The problem with this “obvious” way of doing things is that any server your copy of 1Password queries would then be able to know your IP address and what sites you have in your 1Password data.

If 1Password on some device were to ask our server, “Do you have Watchtower information about” then our server will know that someone at your Internet address may have a very nasty secret. You certainly wouldn’t like us to know such things about you, and we don’t want to know such things either.

The road less travelled

So we don’t do things the obvious way. Instead, we send the same stripped down version of our Watchtower database to everyone who turns on the feature. You have a local copy of the Watchtower data on your device, and 1Password just checks against that copy of the local data. All we can know (if we chose to log such information) is which IP addresses have enabled Watchtower. We are never in a position to know what sites you have in your 1Password data.
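
The local check described above, combined with the timestamp comparison from the start of the post, as an added example (not 1Password's own code). The database contents, vault items, field names and the parent-domain matching rule are assumptions made for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed stand-in for the stripped-down database that every client
# downloads in full: domain -> most recent time a password change was advised.
WATCHTOWER_DB = {
    "shop.example": utc(2014, 10, 3),
    "forum.example": utc(2015, 6, 15),
}

# Constructed vault items; these never leave the device.
VAULT = [
    {"title": "Shop (Molly)", "url": "https://login.shop.example/", "modified": utc(2013, 2, 1)},
    {"title": "Forum", "url": "https://forum.example/signin", "modified": utc(2016, 1, 9)},
    {"title": "Bank", "url": "https://bank.example/", "modified": utc(2012, 5, 5)},
]

def host_candidates(url):
    """Hostname of the item plus its parent domains (assumed matching rule)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def needs_change(item, db):
    """Return the matching database domain if the password predates the advice."""
    for name in host_candidates(item["url"]):
        advised = db.get(name)
        if advised is not None and item["modified"] < advised:
            return name
    return None

def local_check(vault, db):
    """Purely local lookup: no per-item request is made to any server."""
    flagged = []
    for item in vault:
        hit = needs_change(item, db)
        if hit:
            flagged.append((item["title"], hit))
    return flagged

if __name__ == "__main__":
    for title, domain in local_check(VAULT, WATCHTOWER_DB):
        print(f"{title}: change recommended ({domain})")
```

The only thing a server could observe in this design is the download of the database itself, which is the same for every client.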

Baked-in privacy

It may take a bit of extra work from us to design Watchtower in a way that preserves your privacy, but we think it is worth it.

Your privacy must be protected by more than mere policy (a set of rules we make on how we behave with respect to data about you); instead, we aim to bake privacy protection into the very structure of what we build. We design 1Password in a way that would make it hard for us to violate your privacy.

You can read more about this approach to privacy in our support article, Private by Design.

9 replies
  1. Don says:

    Could you not achieve a reasonable level of privacy by storing only a hash of the compromised site’s name and then having 1P query by hash? Or do you not want to deal with the trust issue of, “Yes, we promise we’re not secretly storing the names along with the hashes”? We’d have to take your word for it that you’re not doing that.

    My concern is how big that list is, and how big it will get over time. Mobile devices tend to be constrained on storage.


    • Anonymous says:

      Is size really a concern? For each entry, a 32-bit hash (say CRC-32) is definitely enough for the domain, and a 32-bit unsigned int as timestamp will be good till 2106. So each entry only needs to consume eight bytes. Then it takes 131072 compromised domains to even fill in 1MB (which is 15% the size of a 3-minute song from ITMS). Your vault is probably larger than that.

    • Don says:

      No, I meant not storing any list at all on the device. 1P would calculate a hash of the URL in question and query AgileBits to see if that hash is in the Watchtower database. So long as the hash is cryptographically secure and AgileBits disposes of the URL after putting the hash into Watchtower, the only thing AgileBits would ever see are queries for hashes. But as I said, that would put us in the position of having to trust them not to keep the URLs, which they may not want to do. It’s better for them to say, “We have no way to know what you’re looking up because we never see the queries,” than “You can trust us not to match the hash you queried against the list of URLs we surreptitiously kept.” It’s a trade-off between practicality (not using space on your phone for a large list, the majority of which you’ll never ask about), and security. I’m curious to know the reasoning behind their decision.
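
The trust problem raised in the comment above, as an added example that is not part of the original comments: a server that answers per-item hash queries can map a queried hash back to a site name, because site names come from a small, guessable set. SHA-256, the domain lists and the function names are assumptions made for illustration.

```python
import hashlib

def site_hash(domain):
    """Client and server agree on this hash of the site name (SHA-256 assumed)."""
    return hashlib.sha256(domain.lower().encode("utf-8")).hexdigest()

# Constructed data: the server's breach list, stored as hashes only.
BREACHED = ["shop.example", "forum.example"]
HASH_ONLY_DB = {site_hash(d) for d in BREACHED}

# Constructed list of site names anyone can enumerate (popular domains, the
# names the server hashed in the first place, and so on).
GUESSABLE = BREACHED + ["bank.example", "clinic.example"]

def server_answer(query_hash):
    """What the client asked for: is this hash in the breach database?"""
    return query_hash in HASH_ONLY_DB

def server_can_learn(query_hash, candidates=GUESSABLE):
    """What the server can also work out from the same query."""
    reverse = {site_hash(d): d for d in candidates}
    return reverse.get(query_hash)  # None only for names outside the list

def query_log(vault_domains):
    """Per-item hash queries as the server sees them: (answer, recovered name)."""
    return [(server_answer(h), server_can_learn(h))
            for h in map(site_hash, vault_domains)]
```

Even a query that misses the breach list discloses the site when its name is in the guessable set, which is why a design in which the server never receives per-item queries needs no such trust.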

  2. Adrian Speyer says:

    First, thanks for an awesome product. I really love 1password!

    I do have a question. Does WatchTower check if a higher than normal amount of people change their password for a site? The reason I ask is maybe that would also help to identify when a breach happens. Currently there is a popular website which has sent an email to ask all their users to change their passwords, so I wonder if that should trigger something. It did not, but thankfully because I use 1password I only had to change the credentials for that site.

    I guess the other option would be we could report sites that are hacked when we get this notice, to help other 1 password users — unless there is a way I did not see.

    • julie says:

      We don’t track any of your actions, which includes keeping track of, and reporting to a central server, which websites you update with new passwords.

      There is a social media team which tracks notifications of data breaches and other issues which might cause passwords to need updating. If you receive a notification that doesn’t seem to have made it into the media, tweeting the website information could be helpful to anyone else who’s affected.

      Thanks for the great question and happy safe surfing!

  3. Rajveer Solanki says:

    Great post man! I always follow your blog because it is full of compelling information about various things. I like to read this post because I met so many new facts about it actually. It’s really great that I noticed this post. Thank you very much again for sharing this informative article. Many thanks,

    • eva says:

      Hi Rajveer,

      Thank you so much for your comment and I am glad to hear how much you enjoy reading our blog.

      Take care,
