Dealing with bad passwords that can't be changed

Tonetony
Community Member

Fortunately I don't have too many. These are typically for sites that have changed so much they lost their old login systems. (Those logins are probably lost on some backup disk somewhere, and are at risk of being harvested, but what can we do?) Or sites that simply no longer exist. Etc. Our passwords to those places are set in stone, for better or for worse.

Many of these are marked by 1Password as Reused or Weak.

I want to use the Vulnerable Password service but possibly not with these Reused or Weak ones.

But -- perhaps I should? Perhaps it would be helpful to be warned just how compromised the very worst of these old passwords are, and maybe the small potential downside of doing this which you do mention is worth the risk.

What do you think?


1Password Version: 7.6 (70600005)
Extension Version: Not Provided
OS Version: Mojave
Sync Type: iCloud

Comments

  • Hi @Tonetony

    I'm not sure I understand the purpose in keeping a login in 1Password for a site that no longer exists? Would you mind elaborating please?

    Ben

  • Tonetony
    Community Member

    Sometimes the sites are gone, but other times they have changed their login systems. I try to reset my password in the latter case, but that often fails with "no such user."

    My motivations are:

    1) If the site does become accessible to me again, I'd be able to change the password. (They might restore some old user IDs, or start to permit logins with passwords that no longer meet their current minimum requirements.)

    2) There are also sometimes "notes" in the login item I want to preserve.

    So the thought is to run Vulnerable Password on all of these just to have the information it provides; then I'd move all the information into Secure Notes and delete the Logins.

    But if there is no upside to using Vulnerable Passwords on these, and only the potential downsides, then it would seem better to not use the feature. Your warnings are:

    "This feature may pose a small risk to people who reuse similar passwords"
    and
    "Opt out of Vulnerable Passwords in 1Password if you’re unable to change your weak passwords."

    Since 1Password passes the first 5 characters of a hash of every password to haveibeenpwned, even then I'm not sure what that service can do with that. They already have a list of exposed passwords. Does getting an anonymous list from me that includes hashes of partial passwords that match some on their lists tell them much? I guess I'd like to see a clearer example of what damage a mischievous use by someone at haveibeenpwned could do.

  • ag_ana
    1Password Alumni

    @Tonetony:

    So the thought is to run Vulnerable Password on all of these just to have the information it provides; then I'd move all the information into Secure Notes and delete the Logins.

    Have you considered using a separate vault for these items? Many people (myself included) use a separate Archive vault to store all old items you don't really need anymore, but would still like to keep around for some reason. This also means that these items would not clutter your main vault, or your Watchtower report.

  • Tonetony
    Community Member

    @ag_ana - Great idea! I never set up additional vaults but this would be an excellent reason to.

    Thanks!

  • Ben
    edited August 2020

    Indeed, that is what I do as well. Just be sure to exclude that vault from "All Vaults" if you don't want it cluttering your view. You can change those preferences in 1Password > Preferences > Vaults (this is a per-device setting). :+1:

    If you have any other questions please feel free to ask.

    Ben

  • Tonetony
    Community Member

    Well yes, something else has come up.

    Are the passwords in Password items checked, or only the passwords in Login items?

    I have a number of useful Passwords, which are inevitably weak - door lock codes, garage door codes, combination locks. I wouldn't want these checked by haveibeenpwned. Many of them currently do show up in the list of Weak Passwords.

    If passwords in Password items are checked, then I guess one solution is to put the codes into a different field in the Password item, and then blank out the password field.

    Or, re-do these as Secure Notes.

    I'd rather not put these items in a separate vault.

  • ag_ana
    1Password Alumni

    @Tonetony:

    Are the passwords in Password items checked, or only the passwords in Login items?

    All passwords are checked for vulnerability, not just those of Login items.

    If passwords in Password items are checked, then I guess one solution is to put the codes into a different field in the Password item, and then blank out the password field.

    That seems to work for what you are trying to do, I have just tested this in the Mac app :+1: For reference, I used a custom field for this, and marked it as "password" so it's still hidden.
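
Added example, not part of the original thread and not 1Password's code: a sketch of the 5-character range lookup discussed above, and of how much that prefix narrows a small candidate space such as 4-digit door codes. It assumes the SHA-1 variant and the `SUFFIX:COUNT` response format of the public Pwned Passwords range API; the response text, the count in it and the function names are constructed for illustration.

```python
import hashlib
from collections import Counter

PREFIX_LEN = 5  # hex characters of the hash that leave the device


def split_hash(password):
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def breach_count(password, range_response):
    """Look up the local suffix in a 'SUFFIX:COUNT' response; 0 if absent."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def candidates_for_prefix(prefix, candidates):
    """Members of a known candidate set whose hash starts with prefix."""
    return [c for c in candidates if split_hash(c)[0] == prefix]


def unique_fraction(candidates):
    """Share of candidates whose prefix no other candidate shares."""
    buckets = Counter(split_hash(c)[0] for c in candidates)
    return sum(1 for n in buckets.values() if n == 1) / sum(buckets.values())


# Constructed sample data: a fake range response (the count 1234 is made up)
# and the full space of 4-digit codes.
SAMPLE_RESPONSE = f"{'0' * 35}:3\n{split_hash('password')[1]}:1234\n"
FOUR_DIGIT_CODES = [f"{n:04d}" for n in range(10000)]

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("prefix sent for 'password':", prefix)
    print("local match count:", breach_count("password", SAMPLE_RESPONSE))
    code_prefix, _ = split_hash("4821")  # constructed door code
    print("4-digit codes sharing its prefix:",
          candidates_for_prefix(code_prefix, FOUR_DIGIT_CODES))
    print("codes alone in their prefix: "
          f"{unique_fraction(FOUR_DIGIT_CODES):.1%}")
```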

This discussion has been closed.