Suppress the "Reused Password" prompt

2»

Comments

  • I absolutely understand the desire for a solution here, but every time we've used tags as a solution with the intention of them being a temporary fix that decision has bitten us. Development has made a firm committment to not use tags as a crutch more than they've already been. I wish I had a more definitive solution to offer or more encouraging news, but that isn't the case. We haven't found a good way to address this concern based on the tools at our disposal. Hopefully future foundational work will make things more flexible, which could open up the possibility of providing a solution here.

    For anyone who is reading that is looking for a better understanding of the difficulty we're up against... we don't currently have a way to store per-person per-item metadata. This is also why 'favorites' aren't per-person. If someone who has access to an item marks it as a favorite, it becomes a favorite for everyone else who has access to it. Same deal with the Apple Watch tag: if one person who has access to the item tags it with Apple Watch, it shows up on everybody's Apple Watch. We need this foundational piece to be developed before we can come up with a truly good fix here.

    Ben

  • JamesHaskell
    JamesHaskell
    Community Member

    Another +1 on this... it's really annoying that you can't mark legitimate "duplicates" so that this message doesn't always pop up.

  • Thanks, @JamesHaskell. :)

    Ben

  • johnsmith84
    johnsmith84
    Community Member

    +1 for me too. The university where I work has multiple places where you have to sign in. While I know that it is possible to use multiple websites with the same login information, this won't work as the username for some of the sites is different. Our email address at the university is given in the form abc12345@university.name. Some of the sites (such as the LMS) just require the abc12345 while other sites, such as the library portal, need the entire abc12345@university.name (and the email site requires abc12345@dep.university.name, for some unknown reason). Despite having different usernames, all of the passwords are the same, which means that those logins are constantly tagged with "Reused Password".

  • ag_ana
    ag_ana
    1Password Alumni

    @johnsmith84:

    Thank you for the feedback too, and for the example! I have let our developers know that you would also like to see this :+1:

    ref: dev/projects/customer-feature-requests#130

  • Unknown
    edited April 2021
    This content has been removed.
  • ag_ana
    ag_ana
    1Password Alumni

    @pruchai:

    That's a nice idea! I have passed your feedback to the developers too, we appreciate your support and patience here!

  • This content has been removed.
  • ag_ana
    ag_ana
    1Password Alumni

    No worries @pruchai, I have edited your post to remove the typo :)

  • This content has been removed.
  • ag_ana
    ag_ana
    1Password Alumni

    @pruchai:

    I know that there have been discussions around password items, so any feedback is definitely useful :+1:

  • oh2th
    oh2th
    Community Member
    edited July 2021

    +1 to this issue, I would really love to see a way either to have multiple records for the different variations to of the AD username to login with, be it any of the

    samaccountname@domain.tld
    DOMAIN\samaccountname
    samaccountname
    fisrtname.lastname@mycompany.com (home tenant)
    fisrtname.lastname@mycompany.com (guest in other tenant)
    fisrtname.lastname@mycompany.com (guest in nth tenant)

    all point to the same password anyway. Issue becomes more visible when you are in an legacy Office AD and Hybrid M365 environment where the mix of logins becomes annoying.

    Oh, and now where our company M365 accounts are as guests to other M365 tenants, the authentication is still to our tenant, except for the MFA part that is against the other companies tenant, so there are now even more of these same password issues:

  • ag_ana
    ag_ana
    1Password Alumni
    edited July 2021

    @oh2th:

    Thank you for the examples! Noted :+1: :)

    Oh, and now where our company M365 accounts are as guests to other M365 tenants, the authentication is still to our tenant, except for the MFA part that is against the other companies tenant, so there are now even more of these same password issues:

    You should be able to resolve this by adding both URLs to the Login item, so you can authenticate to your account, and also fill the OTP to the other account.

    ref: dev/projects/customer-feature-requests#16

  • oh2th
    oh2th
    Community Member
    edited July 2021

    Adding URLs to the same item doesn't resolve the issue when username and or OTP for login differs depending on how a M365 tenant is been setup. I am a guest member in some of our customer's tenants and each tenant has unique OTP/2FA.

    Already added those URLs, however same URLs end up in all of the different login items due to the same issue.

    So at this time I have four login items (one for each tenant) with my email address as username, same password but different OTP. In addition we have application (no URL) I.e. Teams to those different tenants and on top of that legacy application using samaccountname, so now Watchtower is complaining of six times the same password.

  • ag_ana
    ag_ana
    1Password Alumni

    @oh2th:

    Adding URLs to the same item doesn't resolve the issue when username and or OTP for login differs depending on how a M365 tenant is been setup. I am a guest member in some of our customer's tenants and each tenant has unique OTP/2FA.

    Got it, I did not realize these were actually multiple TOTPs. You can also add multiple OTP/2FA to the same Login item by the way, although only the first one will autofill or be copied to the clipboard automatically.

    So at this time I have four login items (one for each tenant) with my email address as username, same password but different OTP. In addition we have application (no URL) I.e. Teams to those different tenants and on top of that legacy application using samaccountname, so now Watchtower is complaining of six times the same password.

    Understood :+1:

  • wrxcub
    wrxcub
    Community Member

    I just want to keep this going as I'm also struggling with finding a good solution for this using 1password. I'm trying to go through and update any old reused passwords, but I have a lot that rely on the same ADFS account and have that red banner flagging them as duplicates.

    I thought about adding all the url fields under the ADFS login item, but some of them have different TOTPs, security questions, and pins depending on the service, and the login item quickly became awful and confusing to look at.

    Someone mentioned linked items and I had the same thought initially too. Maybe I could add a linked item and tell this item to "use linked item password" in the password field, then when I navigate to a service it'll use the linked item credentials. but the linked item seems to just be FYI.

    Just wanted to pile on, as right now it feels like playing chess with no good moves to make this work, and in the meantime I have reused warnings grating my nerves every time I unlock.

  • ag_ana
    ag_ana
    1Password Alumni

    @wrxcub:

    Thank you for the feedback too! The scenario you described is indeed one our developers are aware of, so hopefully they will be able to come up with a solution :+1:

  • wrxcub
    wrxcub
    Community Member
    edited October 2021

    Maybe along these same lines, the Two-Factor authentication banner and watchtower count is also not always accurate or easy to deal with. I've gone through and enabled TOTPs on accounts I could, but some I use other apps, or 1password thinks it's available but the service doesn't actually offer it.

    To deal with this I selected "Don't Save in 1Password". Then I thought "Oh cool I don't have to look at the banner anymore".

    If I select that though, 1password seems to do it's own tagging of "2FA". I don't like that. I've spent a lot of time coming up with my own tagging structure. But if I remove the 2FA tag, the banner comes back.

    I don't want the 2FA banner after I've already made a decision on it, and I don't want the 2FA tag, it doesn't match how I'm using tags.

    Maybe show the big banner until after I've made a decision on it, and then move it to a more subtle banner or button down by Related Items or something? I do like being aware, but after 1password gets it wrong, or I've gone another way, it would be nice to move on.

  • ag_ana
    ag_ana
    1Password Alumni

    @wrxcub:

    I know our developers are thinking about ways to do this without using tags, so hopefully they will come up with a solution in the future.

  • This content has been removed.
  • DeanSu
    DeanSu
    Community Member

    +1 on this. It's 2022 now and I still can't find a good way to solve this alert.

  • macmaarten
    macmaarten
    Community Member

    Sometime ago I have suggested (I think per email) to enable selectively turning off Watchtower-warnings, on a per-item basis. Any warning, not just the 'duplicate password'-warning. Use cases: four digit PINs of your phone provider, CVC's that go with your credit card, WiFi passwords of networks that are not in your control. I think I saw release notes this week that this feature is in the new beta of 1Password 8.

  • We do have improvements in this regard in mind for 1Password 8.

    Ben

  • HarryMcIntosh
    HarryMcIntosh
    Community Member

    I wish you would just add an option to suppress all the "reused password" warnings on the "settings" list. You may not approve of this, but I've made the informed decision to use the same password for some of my websites, and I'm tired of having 1Password nag me about this.

  • Hi @HarryMcIntosh:

    As Ben mentioned, we do have improvements in this area in mind for 1Password 8.

    Jack

  • HarryMcIntosh
    HarryMcIntosh
    Community Member

    You've been dragging your heels on this for years now, and still nothing. Saying you have improvements coming in 1Password 8 is no longer good enough. I'm going to start looking at alternatives to 1Password; maybe I'll find a company that is more responsive.

  • Hi @HarryMcIntosh:

    While there isn't a way to ignore every single reused password notification in Watchtower, you can now ignore Watchtower warnings on specific items in 1Password 8:

    To ignore the reused password notification, choose Watchtower, then the Reused Passwords section. Find the item you'd like to ignore, then choose Ignore.

    Jack

  • HarryMcIntosh
    HarryMcIntosh
    Community Member

    I wasn't running 1Password 8 because I didn't know it was out (I don't think 1Password 7 ever told me I could upgrade...) I've now upgraded to 1Password 8 and manually told it to ignore each of my reused passwords. While that is a solution I can live with, I think you should allow Watchtower to be completely turned off.

  • KG4ZOW
    KG4ZOW
    Community Member

    Thinking about this one after a while ... maybe offer a way to "link" items which use the same password but different usernames ... and then the code which decides whether or not to show the "same password" warning, would be able to not show the warning if all of the items having that same password are "linked" together with each other.

    EVEN BETTER - when changing the password for one of these items, add a pop-up asking the user if they want to save the same new password to all of the "linked" items as well. I know THAT would save me 10-15 minutes every three months.

    A possible complication is, what if the "linked" items are in different vaults or different accounts? My thought is, (1) use some kind of unique identifier as a "link group" ID ... (2) add a process in each client which checks the "last changed" field for every item whose "link group" is not empty, across every vault in every account that that client can see, to make sure the passwords stored in those items are the same, and if not, give the user a pop-up asking if they want to update the "older" items to use the password from the "newer" items ... (3) run that process when the client first starts up (or comes back from being "slept" by a phone's OS), and offer a button or menu item to let the user run the process by hand.

  • jpallas
    jpallas
    Community Member

    It's nice to know that 1Password has been thinking about how to approach this problem for more than three years, and yet here we are. Since the timeline for my workplace converting every single login to use SSO is approximately never, this is still a big issue. Ignoring duplicates seems untenable if you also have mandatory password changes. (my workplace has finally abandoned mandatory periodic resets this year! yay!)

This discussion has been closed.