Watchtower keeps you safe on cloudy days

Cloudflare is a large internet technology provider used by millions of websites around the world. Last week they announced a vulnerability that potentially affected all their clients.

In many ways this is a “no news” report for us as your 1Password data was safe during this entire time, and remains so today. 1Password was designed with multiple layers of encryption, and your data is encrypted before it ever leaves your computer. In short, we anticipated the day when HTTPS (SSL/TLS) might fail, so we weren’t worried when that day came.

Even though your data is safe in 1Password, and you don’t need to change your Master Password, it’s important to pay attention to the websites you visit. Some of them may have been using Cloudflare, and you may need to change their individual passwords.

Thankfully 1Password can help with that!

Use Watchtower to find passwords you need to change

Watchtower tells you about password breaches and other security problems on the websites you have saved in 1Password. It’s included on Mac and iOS with every 1Password subscription, and we’ve already added sites that were affected by the issue last week.

It’s easy to get started! Check Watchtower to see if any of the sites you have saved in 1Password are vulnerable. If so, change your passwords for those sites. 1Password can generate strong passwords for you.

? Get started with Watchtower

To keep ahead of future problems:

  • Avoid reusing passwords. Always use unique, randomly generated passwords for each website.
  • Turn on item counts. Choose View menu > Show Item Counts, and you’ll be able to see at a glance if Watchtower is reporting any vulnerabilities.

We continually update Watchtower as security breaches are reported, so you can change your passwords right away. We do this without ever knowing what websites you have saved in 1Password. 1Password downloads Watchtower information to check your websites on your devices. Learn more about how Watchtower protects your privacy.

13 replies
    • Dave Teare
      Dave Teare says:

      Hi Tuur,

      I’m not sure I fully understand your question as I can interpret it multiple ways. So I’ll just go ahead and answer both possible questions and let you choose which one you wanted. ?

      So first and foremost, when sites are added to Watchtower it does not require a new version of 1Password to be published. 1Password 4 for Windows has support for Watchtower so everyone with that version installed will get the alerts for the sites we’re adding in response to Cloudbleed.

      1Password 6 for Windows does not have support for Watchtower just yet but this is something that’s on our radar and will be added in a future release. I have some thoughts on when that may be but given how difficult it is to predict software release schedules I’m going to avoid sharing any details at the moment and instead look forward to having a future announcement when it’s ready. ?

      I hope at least one of those answers answered your question. ?

      Take care,

      ++dave;

  1. Adam Whiteley
    Adam Whiteley says:

    I’m a long term user of 1 Password and a strong advocate of your software having brought a family licence so to bring my love ones security online. So obviously I avoided the Mac App Store version ( single licence) and I recently subscripted to 1password online individual account management which is great if I find myself away from my desktop and idevices. But after last weeks unfortunate incidents (you had me worried there) I was wondering if it isn’t better to download the Mac app version and have Automatic updates turned on than manually update again (I know it was a one off case but you can never be sure). Whats the pros and cons of using the Mac app vs agilebits store? I intend to keep my subscription for many years (well until they get rid of passwords…) and have my family licence at hand.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Adam! ?

      Thank you for supporting us all these years! And sorry about the scare macOS gave you last week. If it is any consolidation, it scared us, too! ?

      You’re more than welcome to install 1Password from the Mac App Store if it makes you feel better. As long as you have a 1Password membership you’re able to install 1Password from anywhere on any device without needing to purchase any licenses.

      If you purchased from our website and want to try the Mac App Store, you’ll need to purchase again, which isn’t something I would recommend. The benefits of the App Store are not great enough to make that worthwhile.

      In terms of benefits, I personally like apps from the Mac App Store as the new ones are all sandboxed and I like that. But since I only install apps from developers I trust, it doesn’t really matter that much so I usually buy from their sites whenever I can as it allows them to get 100% of my purchase to fund future development. I’m also able to get updates faster than Mac App Store customers.

      So at the end of the day it’s really up to you. Either one is fine. ?

      Take care,

      ++dave;

    • Dave Teare
      Dave Teare says:

      Hi Jordan! ?

      It’s great to hear you like what you see! As for a safe product, you’ve come to the right place! ?

      Seriously, we geek out on all the security details. You can see our security page to see just how far we take things to keep your data safe and secure.

      Take care,

      ++dave;

  2. Travis
    Travis says:

    When I think of Watchtower, I think of the steps involved with changing a password. Often 3-4 steps (if the website is well designed and makes it easy to find), but still tedious. Especially if you’re, ahem, a bit behind on password maintenance.

    I hear that LastPass has a feature that changes the passwords from within LastPass. Is this something that Agile is looking into? If you have (I assume you have), what are the difficulties/considerations with implementing and is there a timeline for the feature?

    TIA

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Travis, ?

      You bring up a really good point – it would be lovely to automatically change passwords on all websites.

      And you’re right, others have this “feature” but the way they do this is absolutely terrible. If you read their white paper you’ll see that your passwords are sent to their servers so they can change your password on your behalf from their servers.

      Needless to say this is an absolutely ridiculous violation of privacy. 1Password will never implement a feature that destroys your privacy and security in this fashion. If and when we add this feature to 1Password we’ll do it properly, like the way we designed things in Watchtower.

      With Watchtower we download all the information needed to check your websites on your devices. In other words, your list of websites you have saved is never sent to us, and we certainly never see your passwords.

      Not only do we never sell information about the websites you save, we don’t even collect it. It’s a bigger technical challenge to design Watchtower this way, but we prefer it this way because it’s the right thing to do and it’s impossible use use, lose, or abuse (or require response to a court order) information we don’t have.

      Take care,

      ++dave;

  3. 7nk
    7nk says:

    Dave,

    I love you guys and as I work in IT I recommend you frequently.

    A site was I was a member of was recently compromised, and they emailed registered users about it. I contacted @1Password via DM on Twitter about it, and gave them details to help verify that the email was legitimate.

    The 1Password rep later said via DM they were going to wait to flag the site in Watchtower until the site publicly posts about the hack. It’s been close to a month now and the site hasn’t posted anything publicly, and the site still hasn’t been flagged in Watchtower. I believe the site has no interest in publicly posting anything about their website/customer database hack.

    Granted 1Password users are probably already using strong passwords… however I, and probably others, rely on Watchtower to known when a site/service may have been compromised – so I can investigate if my personal information has been compromised as it was in this case.

    https://twitter.com/7nk/status/829390613418299393

    Thoughts?

    Joshua (1P subscriber)

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Joshua,

      Thanks for the kind words and thank you so much for recommending 1Password! We wouldn’t be here without awesome customers like you. ❤️

      This is a very unfortunate series of events. I would be shocked that a company would email their users about a leak and then not bother to say so publicly anywhere. Given that the email states the passwords were stored in plain text in their database perhaps should teach me not be shocked by anything, but I still am.

      What I don’t get is if they were going to cover things up why would they have sent the email? Same thing goes for the password. Why bother doing the right thing and share exactly how your password was being stored (no matter how badly it was stored) but then stop short of doing the bare minimum publicly? That’s just weird.

      I sure hope you’re not trusting them to store anything valuable.

      As for adding this site to Watchtower, we’re in an awkward position here. We only add publicly declared sites to Watchtower for a few reasons. For one we like to be able to link to an official news article detailing the compromise so people can learn more about what happened. The other part of the equation is anyone could craft a fake report to smear a company and in theory we could be liable for defamation.

      It’s pretty easy to create something convincing and while I trust you I would hate to set a precedence here that could easily get us into hot water in the future.

      I don’t see how I can do anything except reiterate what @1Password said in your Twitter DM conversation: we really do need to wait for them to fess up and publish something official. When leaks like these are handled poorly (as appears to be the case here) they have a way of growing and blowing up, so I suspect we haven’t heard the last of the story here.

      Take care and thanks again,

      ++dave;

      P.S. Don’t worry about the typos. I didn’t notice any. ?

  4. Donna
    Donna says:

    I think you should know first that we purchased 1password on the advise of someone who works daily troubleshooting issues for computers. Highly recommend! I’m not a computer expert. I’m a senior citizen and just have found to many places I go on the computer require accounts with passwords and 1password helps to keep track and I use it daily. My watchtower shows a site that is for a continual backup for my grandsons laptop (a gift). My question: Do I change the password that shows on my 1password or do I contact my grandson and change it on that website?

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey Donna! Thanks for commenting and my apologies for the slow reply — it’s been pretty busy around here! You’ll need to change the password on this website, so if your grandson is the only one that uses this login, go ahead and give him a heads up. :)

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *