Help hardening my login passwords

OK, I'm FINALLY ready to go through my various logins and "harden" the current (original) passwords, ones that violate just about every 1Password rule in the book. Can someone please explain to me just how to do this so I don't manage to get myself locked out of my CRITICALLY IMPORTANT accounts with new hardened passwords known ONLY to 1Password?

So the typical "Change Password" screen on most sites consists of three fields:

Old Password: [I know this one, it's currently stored in 1Password, and it was used to gain access to the site]

New Password: [I want 1Password to generate this BUT I only want 15 total characters]

Confirm New Password: [Not sure how to fill this]

Like I'm 8 years old (better make that 5 years old, some 8-year-olds are pretty sharp), please lead me through the process of having 1Password generate a 15-character password and replace my old "soft" one with its new "hardened" one in the typical "Change Password" screen on the typical website. Thanks in advance for any and all assistance.


1Password Version: Latest production version - Mac
Extension Version: Latest 1P in Browser (Latest Chrome)
OS Version: Big Sur 11.4
Sync Type: 1Password.com

Comments

  • ag_yaron
    1Password Alumni
    edited July 2021

    Hey @williakz.

    If you are using Safari:

    1. Get to the "Change Password" form on the website.
    2. Let 1Password autofill the "Old/Current Password" field for you.
    3. Click the 1Password icon in your Safari's toolbar to open it, then click on the big "+Generate Password" button at its top.
    4. Adjust the new password as you see fit, then click on "Autofill". 1Password should autofill it into both fields. In case it didn't, repeat step 3 and this time click on "Copy", then paste the new password into both fields.
    5. If there's a "Save in 1Password" button showing up under the new password fields, click on it now and select to update your existing login with the new password. If there isn't such a button, send the form and 1Password should pop up, asking if you'd like to save or update this password - select the "Update" option.

    If you come across a scenario in which you changed the password but 1Password did not ask you if you'd like to save/update it in Safari, you will find any and all generated passwords that were used in websites in your default vault for saving new logins, under the "Passwords" category, from which you can retrieve lost passwords that weren't saved.

    If you are using any other browser that is not Safari:

    1. Get to the "Change Password" form on the website.
    2. Let 1Password autofill the "Old/Current Password" field for you.
    3. Click the 1Password extension icon in your browser's toolbar (usually in the top right corner, might be hiding inside a grey puzzle piece button).
    4. Click the big PLUS icon to reveal the menu, then select "Password Generator", which is the first option in the list.
    5. While in the generator, change the password's type from "Smart Password" to "Random Password" and adjust the recipe as you see fit. When you are happy with the recipe, you can also set it as a default so that 1Password will automatically suggest such passwords everywhere you go.
    6. Generate a password, then click the "Autofill" button. 1Password will try to autofill the new password in both "New/Confirm Password" fields and will bring up a prompt to save/update the existing login with the new password - confirm and update it, then send the form on the page.
    7. If 1Password was not able to fill both fields, you can grab the new password from your now-updated login item as it already contains the new password, and paste it into the field(s) it missed when you tried to autofill.

    If you come across a scenario in which you couldn't save the new generated password and lost it, you can recover it from within the generator by clicking the "Generator History" button at the bottom of the generator.

    In both cases (of Safari and other browsers), you can recover your old password(s) in case you need them like so: https://support.1password.com/item-history/

  • williakz
    Community Member

    Chrome, not Safari. On Mac, not iOS or Windows.

    First site I tried, I got locked out. It seems that to be successful, one must know the nuances of the interaction between 1Password and the site, but the underlying logic and thus the correct sequence of actions to take is not obvious to me.

    Problem 1: 1Password's Password Generator said it would tailor its "Smart Password" to the site's requirements, but the site restricts passwords to 6-16 characters whereas 1Password thought 20 characters would work.

    Problem 2: 1Password wanted to (re)name the (new?) entry to something I didn't want, causing a duplicate entry to be created. Also it wanted to save the entry in my Private vault which I do not use rather than the default Main vault which I do.

    Problem 3: 1Password had "value" (placeholder default?) in the Username field instead of the actual username (email address) I had logged in with.

    Problem 4: Notification that new password had been saved. Was it from Google Chrome or from 1Password? Chrome password handling is turned off, with 1Password in full control on all devices.

    Problem 5: 1Password in the Browser did not sync with 1Password after the entry/username/password change. I'm still unsure how to force a sync on demand.

    Problem 6: The new entry for the site now fails to log on successfully. I'm leery of simply throwing passwords at it due to the looming threat of lockout due to exceeding maximum failed login attempts.

    Help.

  • ag_yaron
    1Password Alumni

    Hey @williakz,

    Problem 1: 1Password's smart password suggestions rely on the website to provide it with all the necessary information in the field's HTML code, but unfortunately a lot of websites do not adhere to that standard. Can you let me know which website you tried this on?

    Problem 2: It seems that 1Password suggested you save a brand new login item instead of updating your existing one. Here's how to switch between the two (and also switch vault for saving if you save a new item): http://recordit.co/8WBCowQM5A

    Problem 3: The username remained blank because you saved a new login instead of updating the existing one. There was no username on that page (where you changed your password) so no usernames were recorded in the new item, therefore it remained blank.

    Problem 4: Yes, 1Password notifies you when saving a new item.

    Problem 5: The existing login item was not updated, you saved a brand new login item (probably present in your Private vault). You'll want to copy the password from that new item and paste it into your original login item to update the password in it, then delete the new login item you saved once you see you are able to log into your account with the new password.

    Problem 6: If you are unable to log into the website with the new password, try logging in with the old password. Do not try it more than once or twice to prevent yourself from being locked out. One of the passwords should work.
    You can also open the password generator in the extension, then click the "Generator History" at the bottom to check if you've generated more than one password on that website and try logging in with any other passwords you generated there.
    Worst case scenario - use the "Forgot password?" or "Can't login?" button in the login page to reset your password.

    You might find the following helpful:

  • williakz
    Community Member
    edited July 2021

    Thanks for the guidance, @ag_yaron. Life (and a hurricane) interrupted my project, but I'll be back on it in a couple days.

    I'm thinking I'll start out hardening some silly sites (Dunkin Donuts, Waffle House, and the like) before I take on the more important ones (Schwab, Fidelity, and Citibank for example).

    Do you have a feel for how often 1Password's Smart Password functionality actually works to conform password creation to site constraints? Never, seldom, sometimes, often, always? I'd like my "hardened" passwords to be as robust as possible, but I don't want to waste time and energy if the feature has little application in the real world (as it exists now). Thanks again.

  • ag_yaron
    1Password Alumni

    Take your time @williakz, and stay safe!

    It is a good idea to practice on simpler websites where you can easily reset your password if you're lost, though I really don't think you'll get to that point if you stick to the basics:

    • You must change your password both on the website and in 1Password. If only one of them accepts your new password, you won't be able to log in.
    • If smart passwords are not working on a website, use the generator to generate your own password that complies with the website's requirements.
    • If the website does not accept the newly generated password, stay on the page - do not leave it. Simply generate a new password that does comply with the requirements and autofill it, then update your login item entry again. You can repeat this process as many times as you want until you get the website to accept the new password for as long as you remain on the page.
    • You can find generated passwords that you didn't save in the generator's history, and you can recover old passwords that were overwritten in the item's history so you have a failsafe for every scenario.

    Usually you will get by with the first two points here on most websites, and the process should be pain free. Banking websites are often a bit more complicated so you might find the other points useful as well.

    As for your question about smart passwords - they work on the majority of websites, but if you feel like you're unhappy with them, you can go to the generator, change it from "Smart Passwords" to "Random Passwords", adjust the recipe as you see fit and turn on the "Use as default for suggestions" option.
    Smart passwords will usually be around 20 characters long and contain symbols, unless the website actually indicates in the HTML code of the field what the max length of the password is and what the requirements are.

This discussion has been closed.
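
Problem 1 in the thread turns on whether the password field declares its limits in its HTML. As an added illustration (not 1Password's code and not written by either poster), this Node.js sketch reads the standard `minlength`/`maxlength` attributes from a constructed sample field and generates a random password that fits; the sample markup, the function names and the symbol set are assumptions.

```javascript
// Added illustration: not 1Password's code. Names and symbol set are assumptions.
const { randomInt } = require('node:crypto');

// Constructed sample: a field that declares the 6-16 limit from the thread.
const SAMPLE_FIELD =
  '<input type="password" name="new_password" minlength="6" maxlength="16">';

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!@#$%^&*-_', // conservative set; many sites reject other symbols
};

// Read the standard minlength/maxlength attributes; null means "not declared".
function fieldLimits(inputHtml) {
  const attr = (name) => {
    const m = new RegExp(`\\b${name}\\s*=\\s*["']?(\\d+)`, 'i').exec(inputHtml);
    return m ? Number(m[1]) : null;
  };
  return { min: attr('minlength'), max: attr('maxlength') };
}

// Clamp the preferred length to whatever the field declares.
function chooseLength(preferred, limits) {
  let n = preferred;
  if (limits.max !== null) n = Math.min(n, limits.max);
  if (limits.min !== null) n = Math.max(n, limits.min);
  return n;
}

// Random password with at least one character from each requested class.
function generatePassword(length, classes = Object.keys(CLASSES)) {
  if (length < classes.length) throw new RangeError('length too short for classes');
  const pick = (set) => set[randomInt(set.length)]; // CSPRNG, no modulo bias
  const all = classes.map((c) => CLASSES[c]).join('');
  const chars = classes.map((c) => pick(CLASSES[c]));
  while (chars.length < length) chars.push(pick(all));
  for (let i = chars.length - 1; i > 0; i--) { // Fisher-Yates shuffle
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// A 20-character default is cut to 16 here; without the attributes it stays 20.
function passwordForField(inputHtml, preferred = 20) {
  return generatePassword(chooseLength(preferred, fieldLimits(inputHtml)));
}
```

When a field carries no such attributes, the length limit has to come from the site's written password rules and be set by hand in the generator.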