I've been using 1Password as my password management solution for both the Mac and all my iOS devices for many years. For those of you that are not familiar with 1Password, it is a simple and secure way to store and manage not only passwords but just about any kind of personal or sensitive data (medical information, social security numbers, bank account routing numbers, software keys, the list goes on and on...).
1Password version 4.4 for Mac was recently released and one of the great new features is something called Watchtower. Here is a excerpt right from the Agile Bits Blog describing the new feature:
Watchtower is a new component of 1Password’s popular Security Audit feature, which shows you items with weak passwords, duplicate passwords, and other handy info to help you decide which Logins to update. Now built into 1Password, Watchtower lists all vulnerable Logins in a single place and even sorts them by status, such as “Avoid”—for sites that have not yet patched their vulnerability—and “Change Password” for sites that have updated and it is now safe (and prudent) to change your passwords.
This is a great new feature and I am looking forward to using it as a way to keep my most sensitive login accounts as safe as possible. However, the implementation of this feature just got me into a bit of trouble. Luckily I was able to spot what was going on and fix it before it caused any real damage. The problem I encountered was that when I was updating the first vulnerability listed in the Watchtower list I performed the following steps:
- Navigated to the website
- Logged in with my current username and password
- Navigated to the "change password" section of the website
- Was prompted to enter my current password and I did, by cutting and pasting it from my 1Password login
- Was prompted to enter a new password, so I selected the "password generator" button within 1Password to generate a new password
- I then hit the "save" button in 1Password to save the password I just generated to my login item
Here is where the process broke down for me. As soon as you hit save in 1Password, since you have just updated the password, Watchtower now no longer sees this login as a vulnerability and it disappears from the Watchtower list! I didn't realize it had done this and I wasn't happy with the strength of the password that the site was showing for the new password I had just generated, so I went back to my 1Password login item to generate a stronger password. I didn't notice that the 1Password item I was now editing was no longer that of the website I was currently editing in my web browser (because I had saved the updated password and it was removed from the Watchtower list) I was now editing the next login item in the Watchtower list.
This is just a warning for other 1Password users out there to pay very close attention when using Watchtower to help you update your login passwords. I wish 1Password would just leave the saved and updated login item in the Watchtower list (at least until you exit Watchtower and come back into it) and maybe just change the color of the text indicating that is now no longer a vulnerability. When working with a list of items like this in Watchtower I find it to be bad practice to change the list by removing the item from the list while the user is actively using the list. Change the status of the item in the list but don't remove it from the list. I have encountered the same issues when using the security audit feature in 1Password as well. After you make a change and save it you often want to go back into the item but the item is no longer listed. Now you have to leave the feature and go searching.
Agile bits is a great company and this certainly won't stop me from using what I believe to be the best password management solution on the planet. I'll submit this as a suggestion as a possible improvement for their next update. In the mean time, if you are using one of these features be aware of how the list is dynamically updated as you update each login item so you don't make the same mistake I did.