Bug report after update to v7.4.750: "Compromised Website," "Reused Password," "Open and Fill"

bjkeefe
bjkeefe
Community Member
edited March 2020 in 1Password 7 for Windows

[ETA] Apologies for attached image being displayed in the middle of the text, instead of the end, as I expected. Don't see how to fix it.

Original post:

  1. The "Compromised Website" banner is back for this site. I presume this is from last year? [1] If not -- if this forum has been compromised again -- please advise.

  2. The "Reused Password" banner is back. This is an issue that many have reported [2] for earlier versions. As I recall, it has to do with 1PW automatically storing a password under the Passwords category after a password is created using the built-in Password Generator utility: if the user creates a new Login entry by hand, so to speak, and enters the generated password in that entry by, say, pasting, then the password in that entry under the Logins category matches the one that just got created under the Passwords category. In any case, pretty much every one of my Login entries now, once again, displays this banner. This is not only a distraction, but could well lead to a boy-who-cried-wolf problem. As an aside, there is no obvious way to show where the password is being (re)used.

  3. "Open and fill" -- clicking this (for example, in the entry storing my credentials for discussions.agilebits.com) results in a new browser window opening, with my usual browser start page displayed; i.e., not the URL displayed under the entry in 1PW. This is the case for the several Login entries I tested.
    a. The Copy choice in the associated drop-down does, however, work; i.e., the displayed URL is copied to the clipboard and can be pasted into a browser's Location bar

    b. This issue might be due to my settings -- I have turned off pretty much everything in 1PW that has to do with browser interaction (see attached screenshot)
    

[1] https://discussions.agilebits.com/discussion/99527/how-do-i-clear-the-compromised-login-banner-message-for-a-given-site#latest

[2] https://discussions.agilebits.com/search?Search=reused+password


1Password Version: 7.4.750
Extension Version: (not installed)
OS Version: Windows 10 Pro v1909
Sync Type: Not Provided

Comments

  • Hi @bjkeefe,

    Thanks for reporting these issues.

    1. The "Compromised Website" banner is back for this site. I presume this is from last year? [1] If not -- if this forum has been compromised again -- please advise

    Yes, it's the same one. One of the major changes we made in 1Password 7.4 is that it pay attention to the subdomains for these compromised sites. In other words, it should only report it on discussions.agilebits.com now and not anyother.agilebits.com sites.

    There's no reason it should bring it back for you. I am not seeing anything like this, we've tested this extensively and definitely didn't see this.

    Just to be clear, you see this banner on an item that has a newer password than November with the discussions.agilebits.com URL saved?

    1. The "Reused Password" banner is back.

    Again, this is starting to sound like the same issue as above, this should be much better in 1Password 7.4.

    We've actually added an improvement where if you have a Password item with the same password and URL combination of the Login item, it will not see them as reused. As with Reused, it was tested extensively and did what it supposed to.

    This may be something else going on in your database.

    "Open and fill" -- clicking this (for example, in the entry storing my credentials for discussions.agilebits.com) results in a new browser window opening,

    If you press "Shift" when you do this, does it appear to work fine? Do you have 1Password extension enabled in your browser?

    Please let me know, it sounds like 1Password isn't rebuilding its index. We're tracking down a few reports of this and when testing with a separate new database, it didn't happen.

  • bjkeefe
    bjkeefe
    Community Member
    edited March 2020

    Thanks for your reply, @MikeT. I won't have time until Tuesday to carry out your suggested tests, answer your questions, etc., but I did want to acknowledge your post in the meantime. ttys!

  • ag_ana
    ag_ana
    1Password Alumni

    Sounds good! And on behalf of MikeT, you are welcome. Let us know how it goes :)

  • bjkeefe
    bjkeefe
    Community Member
    edited March 2020

    Sorry, here it is Wednesday, not Tuesday! At any rate:

    Just to be clear, you see this banner on an item that has a newer password than November with the discussions.agilebits.com URL saved?

    Yes. I changed the pw for this site in December, and at that time, it did clear the "Compromised Website" banner. It has only recently reappeared.

    1. The "Reused Password" banner is back. [...]

    This may be something else going on in your database.

    Any suggestions about what to try, here? (As I noted above, just like the "Compromised Website" banner issue, this issue went away and has only recently resurfaced.) For example, should I delete the entries in the Passwords category?

    "Open and fill" [...]

    If you press "Shift" when you do this, does it appear to work fine? Do you have 1Password extension enabled in your browser?

    Please let me know, it sounds like 1Password isn't rebuilding its index. We're tracking down a few reports of this and when testing with a separate new database, it didn't happen.

    This problem seems to have cleared itself. (Possibly by virtue of 1PW updating itself to v7.4.753?) Specifically:

    • if I just click the URL, the site opens in a new tab in my browser
    • if I shift-click the URL, the site opens in a new tab in my browser, but 1PW remains on top and retains focus

    Both of these seem like expected behavior, and in any case, what I want to happen.

    [ETA] I do not have the 1PW extension enabled in my browser, no. Therefore, I do not expect the login fields to be filled; I just expect the site to be opened.

    So, in summary, the third issue could be marked as closed, at least from my point of view. On the first: I will try changing the password again, waiting a few minutes, and then seeing if that clears the "Compromised Website" banner. On the second, I await your suggestions.

    [ETA2] I changed the pw for this site. 1PW immediately updated the entry under Logins, and is now displaying the "Reused Password" banner. (Likely due to my having generated the new pw with 1PW.) So, at least for now, I suppose we could consider the first issue closed, as well.

    [ETA3] I deleted the entry under the Passwords category that corresponded to the changed password for this site, and this had the effect of clearing the "Reused Password" banner for the entry for this site under Logins, as expected. So, I'll repeat the question I asked above, in case my spaghetti edits have caused it to get lost ;) -- should I just delete all of the entries under the Passwords category, if I want to clear the "Reused Password" banner for all entries under the Logins category?

    Thanks.

  • @bjkeefe,

    Thanks for the updates.

    We did ship 7.4.753 update this morning with a fix to that open URL issue.

    I changed the pw for this site. 1PW immediately updated the entry under Logins, and is now displaying the "Reused Password" banner. (Likely due to my having generated the new pw with 1PW.) So, at least for now, I suppose we could consider the first issue closed, as well.

    Hmm, I'm still not happy that it happened in the first place. I wonder if you can try something for me, can you look inside the Web form details of that Login item, does it have any other password that's not the primary one?

    So, I'll repeat the question I asked above, in case my spaghetti edits have caused it to get lost ;) -- should I just delete all of the entries under the Passwords category, if I want to clear the "Reused Password" banner for all entries under the Logins category?

    You shouldn't have to.

    Can you confirm this for me:

    1. The first Login item with Reused Password, copy its password and then go to Reused Password.
    2. Paste the password in the search box above the item list. How many items do you see?
    3. If two, compare both; do they both have the same URL and Password combinations? If no, what happens if you fix the URL address to both to be the same?

    Please let me know.

  • bjkeefe
    bjkeefe
    Community Member
    edited March 2020

    @MikeT:

    We did ship 7.4.753 update this morning with a fix to that open URL issue.

    Thanks for confirming.

    ... can you look inside the Web form details of that Login item, does it have any other password that's not the primary one?

    As I said in one of my ETAs, I cleared the "Reused Password" banner for the Login entry for this site by deleting the most recent entry in the Passwords category after I had changed the pw for this site. However, there is, under Web Form Details for this Login entry, a field I have never noticed before: PasswordMatch, which shows a pw different from the one currently being used, but which matches the earliest entry under "Show previously used passwords."

    I next looked at several other Login entries (not all of them), which still do display the "Reused Password" banner.

    • In several cases, clicking "Show web form details" reveals only two items: username and password fields, which in all of these cases match what I currently use for these respective entries.
    • In one case, there is an entry under "web form details" for username (matches current) and two other fields that I have also never noticed before: dummy-selectedOnlineId and dummy-passcode. The former has the value 0 (zero) and the latter matches the pw currently in use.
    • In one other case, there is an entry under "web form details" for reset_password[password][password] whose value matches the current pw.
    • In yet one other case, there are numerous entries under "web form details:" type, type, search_and_or, search_and_or, search_in, search_in, auth, and password. The values are, respectively, all, forums_topic, or, and, all, titles, and the username and pw currently in use.

    I would be happy to check more instances upon request.

    Can you confirm this for me: [...]

    I did the first two steps you requested: copied pw for first entry displaying "Reused Password" banner, pasted into search box. Result is only one item: that Login entry. Repeated for a dozen or so other entries; in all cases, there was just the one site.

    One wrinkle, probably irrelevant, but just in case not: while in the middle of carrying out the above test, I noticed a case where there were two entries for one site, which differed in username but had the same pw. (The search confirmed this.) This was a remnant of signing up for an account on that site eons ago where you could pick your username; when that site later started insisting on email address for username, it turned out that logging in with the old username still worked. I deleted the Login entry that had the old username and exited 1PW. Firing 1PW up again did not change the results described in the previous paragraph; i.e., for every entry with a "Reused Password" banner that I looked at, searching on the copied password continued to return only one result.

    Final point, just in case I never made it clear before: not every entry in the Logins category displays the "Reused Password" banner. I strongly suspect this is due to my somewhat haphazard approach to creating new entries; i.e., depending on the interface of the website I am working with at the moment, I almost certainly don't carry out the same exact sequence of steps.

This discussion has been closed.