I needed to change my password for a website after a phishing attack that I had previously sent to the security e-mail at the website. Their receipt of the phish apparently generated a message from the website that I needed to change my password as a precaution. Probably a good idea, and the message was legitimate.
1Password generated something like this: [email protected] (NOT the real password, as I substituted random characters in this example, but the generated password is the same length and type.)
AFTER generating the password, submitting it to the website, and logging in using the new password, your program announces THIS IS A WEAK PASSWORD & TOO EASY TO GUESS. Really? Too easy to guess? So now I am being prompted by 1Password to change the password again that 1Password just generated and I submitted to the website less than a minute prior.
My question: Why does 1Password even allow generating passwords that, AFTER THE FACT, it labels as weak, FORCING ME TO RESET MY SETTINGS AND RESET THE PASSWORD A SECOND TIME, raising suspicions at the website? ("This user just changed their password, and is now changing it again a few minutes later? Suspicious!")
PLEASE STOP THIS PRACTICE IMMEDIATELY IN THE NEXT UPDATE. DO NOT ALLOW USERS TO SET UP A PASSWORD FORMAT THAT YOU WILL LATER LABEL AS WEAK AFTER IT HAS BEEN USED AND SUBMITTED TO THE WEBSITE.
IF, AFTER PRIOR NOTIFICATION OF A WEAK PASSWORD FROM 1PASSWORD UPON PRESSING THE GENERATE PASSWORD BUTTON, THE USER INSISTS THAT THEY WANT A WEAK FORMAT PASSWORD, ALLOW IT WITH THE USER'S APPROVAL.
BUT IT IS IMPERATIVE TO NOTIFY THE USER WHEN THEY SET THE PREFERENCE TO WHAT YOU BELIEVE TO BE A WEAK PASSWORD AND WHEN THEY PRESS THE GENERATE PASSWORD BUTTON AND MAKE THE USER EXPLICITLY REQUEST THAT 1PASSWORD CREATE WEAK PASSWORDS BEFORE THEY ARE USED.
The rest of this post is just a warning of what hackers are doing to steal your accounts. It is not 1Password specific. I am still a huge fan of 1Password, but this does seem like a good forum to share my experiences and the consequences that flow from hacking and phishing. If the Admins think this belongs in another category, please feel free to edit this part and post it in a different topic forum.
I just lost my entire 5-year-old Instagram account to a hacker who sent me the same kind of message I got from this website. This message showed up after days of not being able to log into Instagram. Instagram had a major worldwide system outage for 90 minutes on March 19, 2021.
The quality of phishing e-mails has improved dramatically. The logos are vector graphics and the PMS colors are perfect. There are no misspellings or grammatical errors. The tiny disclaimers and copyrights at the bottom are spot on. The use of English is perfect. They are now very hard to detect.
Since users have been conditioned to NEVER, EVER click on a link in a message from a company, the hackers have started buying and using 800 Toll Free Phone numbers. After the Instagram hack, I got an order confirmation from a different website for a $965 order I never placed with instructions that if there was a problem, to call their 800 number printed in the e-mail.
Calling that number is just like clicking on a fake link in their phishing e-mail. I would be connected to the hackers, who could pretend to be the legitimate website and ask me for more personal data. DO NOT TRUST ANY TOLL-FREE NUMBERS YOU GET IN ANY E-MAIL. Again, go to the website and find the official number there.
After having my Instagram stolen, I am certain that my data is being sold on the dark web on a "sucker's list" of people who fell for a phishing attack. This time, I did NOT click on anything in the phishing message or call any phone numbers. Instead, I went directly to the site's own website and followed their outdated and now technically incorrect instructions on how to change my password. (The procedure is somewhat the same but does not actually match their instructions.)
Trying to recover my Instagram account, I received the 2FA 6-digit code via SMS to my phone and entered it, and every time, instead of letting me in, it told me they would investigate "unusual activity" and restore my account within 24 hours if I was the legitimate account holder.
Instead, they did NOTHING. Eventually, my Instagram account simply ceased to exist. I was told my account had been deactivated. Then my e-mail address generated NO SUCH USER. None of my friends or followers could find my account anymore. Since Facebook / Instagram has decided as their company policy NOT to provide any end user support for any of their properties, I don't see getting my deactivated account back as a likely outcome.
I lost all my hundreds of followers, all the messages we exchanged, all the descriptions and keywords used with my photos and postings, and all the people I followed and whose posts I saved. All gone, with no recourse. Not even sure I will be able to set up a new account and start over. I do still have the original and edited travel photos. But that was maybe 30% of the content on Instagram.
My only recourse would seem to be a request for one-to-one arbitration, which is what is in their T&C's. Facebook doesn't really want to talk to end users. This request cannot be faxed or e-mailed. It must be MAILED via USPS Snail Mail. They will receive my Certified Mail Dispute Notification and Request for Arbitration this afternoon, 3/26/21.
Who knows if they will respond? Their Terms and Conditions say if I submit the data they request, they will respond. I'm doubtful of course. It is Facebook after all, and Zuckerberg doesn’t really care about anything but power and money. (BTW, if the Facebook or Instagram user has a business on their platform and loses that business due to the capricious nature of Instagram and Facebook's bad behavior, the user's compensation is capped at $100 according to the arbitration clause.)
I have become one angry, enraged end user, and I am now on a mission to get the Federal Government and Congress to start anti-trust proceedings against Big Tech, with the goal of breaking up these greedy, arrogant monopolistic companies.
1Password Version: 7.8.1. BETA 0
Extension Version: 1.24.6
OS Version: OS X 10.15.7
Sync Type: 1Password
Referrer: forum-search:Why is this a weak password too easy to guess, since your app generated it??
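An added example, not from the original poster and not 1Password's code, illustrating the point behind the question above: a generator knows the entropy of the *process* it used (how many choices it made and from how many options), while a strength meter that only sees the finished string has to guess that from patterns in the text, so the two can disagree. The alphabet, the tiny eight-word list and the weak/fair/strong thresholds below are all assumptions chosen for illustration; the word-list case is deliberately small so the disagreement is visible.

```python
import math
import re
import secrets
import string

# Added example, not 1Password's code. The alphabet, the tiny word list and the
# strength thresholds are assumptions chosen for illustration.
SYMBOLS = "!@#$%^&*"
CHARSET = string.ascii_letters + string.digits + SYMBOLS   # 26 + 26 + 10 + 8 = 70 characters
WORDLIST = ["apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "ocean"]  # constructed, 8 words


def random_char_password(length: int) -> str:
    """'Characters' style generator: each position drawn uniformly from CHARSET."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def random_word_password(n_words: int, sep: str = "-") -> str:
    """'Memorable' style generator: random words from WORDLIST joined by a separator."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(n_words))


def generator_entropy_bits(choices_per_slot: int, slots: int) -> float:
    """Entropy of the generation process: log2(choices ** slots).
    This is what the generator knows; it depends only on the settings, not on the output."""
    return slots * math.log2(choices_per_slot)


def string_only_entropy_bits(pw: str) -> float:
    """What a checker that sees only the final string can estimate.
    If the string splits cleanly into dictionary words it assumes a word generator
    and scores each word as one choice out of len(WORDLIST); otherwise it assumes a
    character generator over the character classes actually present."""
    parts = re.split(r"[^A-Za-z0-9]+", pw)
    if pw and all(p.lower() in WORDLIST for p in parts):
        return generator_entropy_bits(len(WORDLIST), len(parts))
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SYMBOLS for c in pw):
        alphabet += len(SYMBOLS)
    if alphabet == 0:
        return 0.0
    return generator_entropy_bits(alphabet, len(pw))


def verdict(bits: float) -> str:
    """Bucket an entropy estimate the way a strength meter would (thresholds assumed)."""
    if bits < 40:
        return "weak"
    if bits < 80:
        return "fair"
    return "strong"


if __name__ == "__main__":
    # 20 random characters: the generator's own accounting and the string-only
    # checker both land well above the "strong" threshold.
    chars = random_char_password(20)
    print(chars, round(generator_entropy_bits(len(CHARSET), 20), 1),
          round(string_only_entropy_bits(chars), 1), verdict(string_only_entropy_bits(chars)))

    # 3 words from an 8-word list: 17 characters long, but only 9 bits of entropy.
    # The generator happily produces it, and a checker that recognises the words
    # correctly calls it weak. Length alone says nothing about strength.
    words = random_word_password(3)
    print(words, generator_entropy_bits(len(WORDLIST), 3),
          string_only_entropy_bits(words), verdict(string_only_entropy_bits(words)))
```

The practical takeaway matches the poster's request: the only place the true entropy is known for certain is at generation time, from the generator's settings, so that is where a "this will be rated weak" warning belongs. A checker run afterwards on the stored string is working from heuristics and may rate the same length of text very differently depending on whether it recognises the structure.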