Two logins for same site, same passwords, but one is "good" and the other is "terrible"

camner
Community Member

I have two different logins for the same web site. The two logins have exactly the same password. Interestingly (and oddly?), 1P considers the password of one of the logins to be "good" while heaping scorn on the other instance of the same password by calling it "terrible."

There are a couple of differences in the logins. One has just a password, and the other a username & a password, and the URLs are slightly different. But I don't understand why those differences would lead 1P to come to rather different conclusions about the strength of the password.


1Password Version: 7.6
Extension Version: 1.21
OS Version: 10.15.16
Sync Type: 1P

Comments

  • Hey @camner

    Thanks for the report. :) It appears there are two things going on here:

    1. If you have a password saved on more than one item, 1Password is supposed to recognize that as a "reused" password, and as such rate it as terrible regardless of any of its other characteristics. In this case, both of those should be rated terrible. It appears we may have a bug where only one is.
    2. In the current version of 1Password the entropy (randomness) value of a password isn't preserved when copying it from one item to another. As such, even if you fix your items such that the password is only on one item (i.e. you stop running up against issue #1) the password is still likely going to be rated terrible as 1Password doesn't know how random it is.

    We plan to fix the issue outlined in #2 in 1Password for Mac v7.7. We have a fix in beta currently, if you'd like to try that. There is a caveat, though: it won't be fixed for existing items. There isn't a way for us to go back and figure out the entropy value on an item that has already been saved. Unfortunately the fix will only apply to new items going forward. To fix existing items, you'd want to generate a new password (once you have v7.7).

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

    ref: dev/apple/issues#973

  • camner
    Community Member

    Thanks for your prompt reply. What you said makes sense.

    I wonder, though, that if the only reason 1P marks a password as “terrible” is because it has been used before, it might be wise to let the user know that the reason the password is “terrible” is because of its duplicate nature. If I had created a really good password (by that I mean “a password 1P thought is really good”), and later saw it marked as terrible, I would be quite confused and wonder why 1P thought that. Maybe something like “terrible (duplicate)” would be a good way to do that?

    Now, I know that 1P typically marks a password in red when it’s a duplicate, but in this case did not. Is that because the two 1P entries were for the same site?

  • Fair point on the reason for the terrible rating not being visible here. I was actually just speaking with one of our developers about this and he suggested that it may be worth changing the rating itself to 'duplicate' instead of 'terrible' when encountering this case. I'm not sure any decision on that has been made at this point but I'd be happy to advocate for that position.

    Now, I know that 1P typically marks a password in red when it’s a duplicate, but in this case did not. Is that because the two 1P entries were for the same site?

    Yeah... there is admittedly a bit of a disconnect here as well. It seems that for Watchtower if the domain (e.g. 1password.com) is the same between two items, and the username and password match, then it isn't considered a duplicate by Watchtower. But it appears it is considered a duplicate by the password rating system. Hopefully we can come up with more consistent rules here going forward.

    Ben
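
Added example (not part of the original thread and not 1Password's code): a small Python model of the two reuse rules as described in the reply above, run over constructed items to show exactly where they disagree. The field names, the simplified `domain` helper and the sample items are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def domain(url):
    # Assumption: hostname minus a leading "www."; no public-suffix handling.
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def rating_reused(items):
    # Rating-system rule as described: a password on more than one item is reused.
    by_pw = defaultdict(list)
    for it in items:
        by_pw[it["password"]].append(it["title"])
    return {t for titles in by_pw.values() if len(titles) > 1 for t in titles}

def watchtower_reused(items):
    # Watchtower rule as described: items with the same domain, username and
    # password are one credential; reuse needs two distinct (domain, username) pairs.
    by_pw = defaultdict(lambda: defaultdict(list))
    for it in items:
        cred = (domain(it["url"]), it["username"].lower())
        by_pw[it["password"]][cred].append(it["title"])
    flagged = set()
    for creds in by_pw.values():
        if len(creds) > 1:
            for titles in creds.values():
                flagged.update(titles)
    return flagged

def disagreements(items):
    # Items that one rule flags and the other does not.
    return sorted(rating_reused(items) ^ watchtower_reused(items))

# Constructed sample items (placeholder sites, usernames and passwords).
ITEMS = [
    {"title": "shop-1", "url": "https://shop.example/login", "username": "alice", "password": "pw-A"},
    {"title": "shop-2", "url": "https://www.shop.example/account", "username": "alice", "password": "pw-A"},
    {"title": "forum-1", "url": "https://forum.example/", "username": "", "password": "pw-B"},
    {"title": "forum-2", "url": "https://forum.example/community", "username": "bob", "password": "pw-B"},
    {"title": "mail", "url": "https://mail.example", "username": "alice", "password": "pw-C"},
]

if __name__ == "__main__":
    print("rating system:", sorted(rating_reused(ITEMS)))
    print("watchtower:   ", sorted(watchtower_reused(ITEMS)))
    print("disagree on:  ", disagreements(ITEMS))
```

The two `shop` items are the same credential saved twice, so only the rating rule flags them; the two `forum` items share a domain but not a username, so both rules flag them.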

  • camner
    Community Member

    I wonder if there isn’t a use case for having two 1P saved logins for the same site (though not exactly the same URL). For example, I have a login for Lightroomqueen.com, and another login for Lightroomqueen.com/community. Different credentials. Would 1P flag that as a duplicate if I used the same password for those?

    You did say that Watchtower wouldn’t flag a duplicate if the username and password both matched, but in the example in my screenshot, one entry had a username & password, while the other only had a password (don’t ask me why...I have absolutely no idea why/how I set it up that way!).

    Just musings here...no need to reply.

  • ag_ana
    1Password Alumni

    For example, I have a login for Lightroomqueen.com, and another login for Lightroomqueen.com/community. Different credentials. Would 1P flag that as a duplicate if I used the same password for those?

    I have tested this for you, and I confirm that 1Password flags this as a reused password:

  • This content has been removed.
  • ag_ana
    1Password Alumni

    @sylath:

    We are aware of a bug in the password strength meter in the latest versions of 1Password for Mac, which hopefully should be addressed soon. This might explain some differences that some users are seeing.

This discussion has been closed.