Introducing Watchtower 2.0: The turret becomes a castle

Introducing the all-new Watchtower – it is absolutely gorgeous, and appears to be rather timely!

Twitter asked their 330 million users to change their password yesterday due to a security snafu, putting privacy and security at the forefront of everyone’s mind once again.

1Password includes Watchtower, with its suite of security tools, making it the easiest and most comprehensive way for you to check the security of all your passwords.

Watchtower report

With a click of a button, Watchtower audits your passwords against a wide range of security vulnerabilities, giving you an easy-to-read report with simple steps on how to fix any issues it finds.

Let’s take a look at some of the defences.

On the lookout for breaches

Watchtower will automatically notify you if there’s been a security breach for a website you use. A bright red bar that’s pretty darn hard to miss will display across the top of the item, prompting you to change the password for that site.

Login showing a breach

Please excuse me while I hop away for a sec and go change that Twitter password. 😀

A vanguard for pwned passwords

Watchtower can check your passwords to see if any have been exposed in a breach. Integrating with Troy Hunt’s haveibeenpwned.com service, your passwords are checked against over 500 million exposed passwords, highlighting any that are found.

Watchtower showing vulnerable passwords

To keep your passwords private, Troy found a brilliant way to check if passwords have been leaked without ever sending your password to his service.
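The check described above can be illustrated with the SHA-1 prefix range query that Pwned Passwords offers: only the first five hex characters of the hash leave the device, and the comparison against the returned suffixes happens locally. This is an added example, not 1Password's or Troy Hunt's code; the fake service, the function names, and the sample counts are constructed for illustration.

```python
import hashlib

PREFIX_LEN = 5  # hex chars of the SHA-1 digest that leave the device

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Only the 5-char prefix is passed to fetch_range; matching is local."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def make_fake_service(leaked):
    """Constructed stand-in for the remote service (hypothetical helper).
    Records every value it receives so the demo can show what was sent."""
    table, received = {}, []
    for pw, n in leaked.items():
        prefix, suffix = split_hash(pw)
        # Each bucket starts with a constructed decoy suffix.
        table.setdefault(prefix, ["0" * 35 + ":3"]).append(f"{suffix}:{n}")

    def fetch_range(prefix):
        received.append(prefix)
        return "\r\n".join(table.get(prefix, []))

    return fetch_range, received

if __name__ == "__main__":
    # Constructed sample data, not real breach counts.
    fetch, received = make_fake_service({"password": 1000, "hunter2": 17})
    for candidate in ("password", "hunter2", "Tr0ub4dor&3-not-in-sample"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("values sent to the service:", received)
```

The `received` list holds everything the service was given: five-character prefixes, each shared by many unrelated hashes, and never the password or its full hash.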

Strong, unique passwords are your greatest defence

Using strong, unique passwords for every website is your surest way to keep safe. When a website is breached and your password compromised, that password can be used to sign in to other websites that use the same one. If you’ve reused that password elsewhere, you’re putting all those sites at risk.

Watchtower not only shows you which of your passwords should be stronger, it also alerts you when you’re using the same passwords for more than one website.

Graph of password strengths

Now would be a great time to use Watchtower to see if you reused your Twitter password for your bank account 😱

A second line of defence

Enabling two-factor authentication (2FA) on websites is a great way to keep your accounts there safe. Watchtower will now let you know about websites you have saved in 1Password that support 2FA, but don’t have it enabled.

Alert showing missing 2FA

This gives you the chance to enable 2FA for those sites. When you enable 2FA, make sure to keep the one-time password in 1Password.

Don’t get caught off guard

Watchtower not only looks out for your passwords, but for you as well. It will now warn you if one of your credit cards, driver’s licenses, or passports is expiring soon, making sure you aren’t scrambling to make last-minute arrangements.

Alert showing expiring passport

Here in Canada you can’t travel internationally if your passport expires within 6 months, so this can be a real life saver if you have that long-planned vacation coming up soon.

Try today with your 1Password membership

Watchtower is available today, so it’s time to give it a try now!

Sign in to your 1Password.com account, select a vault, and click Watchtower in the sidebar to create your report. If you don’t have a 1Password membership, you can start a free 30-day trial.

Oh, and don’t forget to change your Twitter password :)

37 replies
    • Shiner
      Shiner says:

      Hi Theo,

      Yes, we are looking to add the new Watchtower into our desktop apps as well. There is more work to be done on the app side though, so I am not able to share dates yet. Keep an eye on our blog for any updates.

    • Kate Sebald
      Kate Sebald says:

      Hey, Matt! As Jeff mentioned, it’s on the list, but the native apps take a bit more time to bring on board. Hang tight and keep an eye out for updates. 🙂

  1. James Cleveland
    James Cleveland says:

    This looks like a great upgrade to Security Audit and Watchtower, can’t wait to try it. I hope it’s coming to the apps soon!

    Does the 2FA check only acknowledge that I have 2FA set up using 1Password’s one-time password field? I use 2FA with nearly every site that I can, but I don’t use 1Password to store my TOTP secrets. I’d love to use this tool, but it’s worthless if it’s falsely reporting that I’m insecure just because I’m using a different tool. Maybe an optional checkbox on logins to let 1Password know that I am using 2FA. Or it could ignore anything tagged with “2FA”.

    • Shiner
      Shiner says:

      Hi James,

      It is great to hear that you are excited to give this a try; you may find the results surprising. I found a few passwords that needed changing when I checked my own vault.

      The 2FA check uses a list of sites gathered from twofactorauth.org and then looks to see if you have a one-time password field in the corresponding login for that site. If you do not want to keep your TOTP secrets in 1Password you can add the 2FA tag to that item. This will let Watchtower know it should ignore that item in its check.

      We are working on bringing the updated Watchtower to our desktop apps. There is more work to be done there so I don’t have a date that I can share yet. Keeping an eye on our blog will be the best way to check for updates.
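The 2FA check as the reply above describes it (a list of sites that support 2FA, a look for a one-time password field, and a skip for items tagged 2FA), sketched as an added example that is not part of the thread and not 1Password's code. The item field names (`title`, `urls`, `otp`, `tags`), the case-insensitive tag match, the subdomain matching, and the `.example` domains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lowercased hostname of a saved login URL ('' if none can be parsed)."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def supports_2fa(host, sites):
    """True if host is a listed domain or a subdomain of one.
    Matching is per DNS label, so 'notsocial.example' != 'social.example'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in sites for i in range(len(labels) - 1))

def missing_2fa(items, sites):
    """Titles of logins on 2FA-capable sites with no OTP field and no 2FA tag."""
    flagged = []
    for item in items:
        if "2fa" in {t.lower() for t in item.get("tags", [])}:
            continue  # second factor kept elsewhere; skipped per the tag
        if item.get("otp"):
            continue  # a one-time password field is present
        if any(supports_2fa(host_of(u), sites) for u in item.get("urls", [])):
            flagged.append(item["title"])
    return flagged

# Constructed sample data: a site list and a small vault.
SITES = {"social.example", "bank.example"}
ITEMS = [
    {"title": "Social", "urls": ["https://mobile.social.example/login"]},
    {"title": "Bank", "urls": ["https://bank.example"],
     "otp": "otpauth://totp/constructed"},
    {"title": "Forum", "urls": ["forum.bank.example"], "tags": ["2FA"]},
    {"title": "Blog", "urls": ["https://blog.example"]},
    {"title": "Lookalike", "urls": ["https://notsocial.example"]},
]

if __name__ == "__main__":
    print(missing_2fa(ITEMS, SITES))
```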

    • Shiner
      Shiner says:

      Hi Micha,

      We are working on bringing the updated Watchtower to our desktop apps. The desktop apps take a bit more work to implement so I don’t have a date that I can give you quite yet. Keep watching our blog and I’m sure you’ll see something in the not too distant future 😉

  2. DxR_
    DxR_ says:

    Exciting! What version is showing all this new stuff? I’m on the 7 beta for Mac and while I see Watchtower, it doesn’t show me how to run a report.

    • Shiner
      Shiner says:

      Hi DxR_,

      I kept trying to write that as DrX 😆

      Watchtower is currently available on 1Password.com. If you have a 1Password membership you can give it a try straight away. Simply sign on to your account and select one of your vaults. From there you will be able to run your Watchtower report.

      We are going to be bringing the new Watchtower to our 1Password desktop apps as well. This is more difficult to develop so I don’t have a date that I can share with you quite yet. I’m sure we’ll have a post about it when it is ready, so keep an eye out here.

    • DxR_
      DxR_ says:

      Ah, the nuances of multi-platform. Thanks for confirming. Looking forward to seeing it in all the apps too.

    • Kate Sebald
      Kate Sebald says:

      Hey, DxR_! We’re looking forward to it too. I love that we have truly native apps developed for each platform, but it does come with some tradeoffs, such as a slightly slower development cycle from time to time. I think it’s worth it, though, and I hope Watchtower 2.0 looks as wonderful in 1Password 7 for Mac and Windows as it does on 1Password.com. 🙂

    • Shiner
      Shiner says:

      Absolutely, in fact, it already is!

      Just to be sure, I gave it a try on my own 1Password.eu account. Being from Canada, I admittedly don’t have much in that account, but I did get a nice report. Of the two passwords I have in there, neither needed to be changed 🤣

  3. Michael Klose
    Michael Klose says:

    This is a really great feature. Thanks for coding this.
    I have only two small wishes:
    – Please support clicking on Excellent, Good, Weak, Terrible to see all the passwords in each category.
    – Please add support for directly editing passwords in Watchtower.

    • Shiner
      Shiner says:

      Hi Michael,

      On behalf of Jasper and team that developed this, you are more than welcome. It’s always rewarding to hear that someone enjoyed what we built.

      I think that your suggestion of linking off from the password strength graph is a great idea. I’ll definitely mention it. I was a bit confused by your request to allow editing from within Watchtower. Once you get the list of items from Watchtower, you can select any of them and edit right there. Was there something else that you were looking for?

  4. Brian Silverio
    Brian Silverio says:

    It might help if you broke the Terrible passwords out into a separate list.
    I have over a hundred weak passwords and 10 that are terrible.
    I would like to immediately change the terrible ones but I can’t identify them!

    • Shiner
      Shiner says:

      Hi Brian,

      I agree.

      We had a good suggestion from Michael above that I think would help. If clicking on the Weak/Terrible labels in the Watchtower report brought you to the associated list of passwords, that should make finding them pretty simple. I’ll see if we can get something like that added.

    • Shiner
      Shiner says:

      Ha, glad you got it working. Admittedly it can be hard to see the Edit button at the bottom with the bright red Watchtower banner at the top grabbing all your attention.

  5. danco
    danco says:

    It would be nice if one could arrange to leave some passwords off the Weak list.

    For instance, some sites require a password to be eight characters or fewer. Those will be classed as weak, but there’s no particular point to changing them.

    • Kate Sebald
      Kate Sebald says:

      Ain’t that the truth, danco. I’ve heard of some banks that only allow PINs and not actual passwords to access online banking. 😱 Ideally, I’d hope these sites would get with the program and allow better passwords, but for the moment, it actually looks like random generated passwords can be recognized as “Good” at 8 characters long. Their strength varies, and you may find yourself regenerating a few times, but it’s worth it for a better password, right? 😊 All the same, disallowed symbols, having to use PINs and probably other restrictions I haven’t thought of may well lead to some folks being stuck with a weak password, so you still bring up an excellent point. I’ll pass your feedback along to the team. 👍

  6. MrC
    MrC says:

    This is really nice.

    I especially like the 2FA tag, since some sites use 2FA non-TOTP.

    It would be great now to have a DJMP tag too for those items where various pins, pass codes, lock combos, etc. which are limited by their design would not be considered in the password strength meter or stats. (Don’t Judge My Password – I’m sure you’ll come up with a better acronym).

    (I posted this earlier, but don’t know where it went)

    • Kate Sebald
      Kate Sebald says:

      Hey, MrC! It went into our moderation queue, where it hid from you for a bit while I was getting to it. Sorry! I’m glad you’re enjoying it! I really thought I was going to be super depressed when I ran my report (there are definitely a few neglected passwords in my vault) but was pleasantly surprised by only a small scolding from Watchtower. Still, I was far from perfect, so you’ll see no password judgment from me. 🙂

      As I mentioned in an earlier comment, I definitely feel you on excluding some items from weak passwords. I’ve heard of sites that only accept PINs (gross) and while we’d all much prefer those sites get with the times, we have to cope with the hand we’re dealt for now. I personally love your tag idea and will be sure to pass it along to the team with your recommendation. 👍
