Security and privacy

About Watchtower privacy in 1Password

Learn how 1Password protects your data when you use Watchtower.

When you use Watchtower to find passwords you need to change, you can quickly find out about password breaches or other security problems that affect you. Because we continually update Watchtower as security breaches are reported, you can change your passwords sooner and stay safer online.

Everything is checked locally on your own device

The information you have saved in 1Password is not our business. We can’t share it because we never collect it.

Everything is checked locally on your own device, including reused passwords, weak passwords, unsecured websites, and expiring items. It’s a bigger technical challenge to design industry-leading security audit tools like this, but it’s the right way to do it.

Your websites are never sent to us or anyone else

To check for compromised websites, 1Password downloads Watchtower information from  watchtower.1password.com and compares your websites locally on your own device.

To check for items that support two-factor authentication, 1Password downloads TwoFactorAuth information from watchtower.1password.com and compares your websites locally on your own device.

Learn more about TwoFactorAuth.  

Your passwords are never sent to us or anyone else

To check for vulnerable passwords, ones that have appeared in data breaches, 1Password creates a 40-character hash of each password and sends only the first five characters of each hash to the Pwned Passwords service provided by haveibeenpwned.com.

The service provides a list of vulnerable passwords that have hashes starting with those same five characters, and 1Password compares them locally on your device. Only the first five characters of each hash leave your device. Your passwords are never sent to us or the service.

Learn more about how the Pwned Passwords service works.  

Protect yourself when you use the Pwned Passwords service

Your passwords are never shared with the Pwned Passwords service. However, if you have similar weak passwords like MySekret1 and MySekret1!, there’s a risk that Have I Been Pwned could learn your passwords if they acted maliciously. Strong, unique passwords created with the password generator in 1Password are not at risk.

To protect yourself while using this service, you should:

  • Change any passwords identified by the service, especially if they’re weak or similar to other passwords that you use.
  • Use the password generator to create strong, unique passwords for all your accounts.
  • Opt out of Vulnerable Passwords in 1Password if you’re unable to change your weak passwords.

Learn more

Still need help?

If this article didn't answer your question, contact 1Password Support.

Published: