PSA / Feature request / Security risk - duplicated records contain password history
PSA: Duplicated records contain password history from duplicated record
When duplicating a record to share to someone else and updating said record to contain their password, the immediate first item in password history is the active password of the account in there record it was duplicated from.
Please allow us an option to universally NOT retain password history when duplicating records.
Failing that, let us "clear password history" on a record.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
Hi there @wagnerone
You're quite right – when Duplicating an item, it's an exact copy, including all of its history, and this must be borne in mind when Duplicating an item. In the case you're describing, I would suggest making a brand-new item and copying over the relevant fields from the old item, then adding the new details that are specific to the person you're sharing it with. Please let me know if you have any questions, or would like any further help. :)
— Grey
0 -
This is what I find so frustrating about reporting bugs or feature requests to 1Password. We get a noncommittal nod and then the conversation almost always ends. We don't have a bug tracking system or any means of knowing what is currently being tracked and/or worked on in terms of bug fixes or feature requests. Would love to be corrected if I'm wrong about this.
It's not enough to acknowledge it happens. It needs to be addressed in some way.
I work in a business situation with 1Password and have complex records I need to share with people. I can't recreate them all from scratch due to time constraints.
It's also not adequate to say "be aware of it" because about .005% of the 1Password population will read this thread and then forevermore understand the risk of duplicating a record.
I reported this problem years(?) ago and it's gotten no traction obviously. I have no way to know if it's even being tracked. Arg!
PS: I do appreciate your reply - just not the content.
0 -
@wagnerone Generally agree with the sentiment; there's often a sort of "well this is how it works" statement of fact and not much in the way of considering modifying that functionality. Been seeing that particularly of late with 8 and its UI/UX design decisions (one of the reasons all my devices remain on 7).
I've personally wanted a way to delete password history for years and years and years, since some of the earliest 1P versions. I mean, why do I need a record of what an account's password was in 2007, and the 137 changes after that? Talk about bloating your database.
On a side note though, just a suggestion for you. Would creating a template record be a viable option? Like, create just one brand new record and fill it with all that complex info you require. A pain to do the first time sure, but once it's there, call that the Template and never add a password to that particular entry. Then you can Duplicate THAT record for creating new ones, and not have any history duplicated with it.
0 -
@Mousit thanks for the template suggestion. That could work.
We just had another dust-up regarding the password history and not being able edit form details anymore today. Our internal support channel lit up with users of various skill levels complaining about the absence of these features in v8.
0 -
Any update on this topic? Thanks!
0 -
Duplicating an item means creating a perfect cloned copy that includes all of the original item's information including password history. For the scenario that you described, I would echo Mousit's suggestion that you create a "template item" that doesn't contain any password history and duplicate that item before adding the user-specific information to the duplicate.
Personally I would be confused if duplicating an item didn't mean creating an exact duplicate and I imagine that would be the case with many other users as well. In fact, older versions of 1Password for Mac didn't keep an item's password history when an item was "duplicated" and we received a lot of feedback from users who were confused why duplicate didn't mean creating an exact duplicate. This feedback partially led to 1Password 8's current design.
That being said, I can see how an option to either copy an item without password history or an option to clear an item's password history would be useful. While I can't promise anything, I've passed along your feedback to the product team. 🙂
-Dave
ref: PB-32838318
0 -
@Dave_1P An option to edit all data an in entry would be ideal!
Second best would be the ability to clear the password history.
It is our data after all and having flexibility to manage it as we see fit would seem to be the ultimate goal. The fact I can no longer manage my own form data after being able to do it for so many year is so vexing! but that is another story.
0 -
@Dave_1P I expect a copy or duplicate to be a "perfect" copy of the original. But I would also like to have a way to create a copy without critical data like the history. It reminds me of releasing a picture to the internet by using a web safe export option, i. e. removing critical meta data like location, serial no. of the camera... before uploading the image.
0 -
I've passed along your request for the ability to clear the password history to the product team. Regarding editing form data, can you open a new thread so that we can discuss that issue separately?
Thank you for adding your thoughts. I really like your comparison to removing image metadata from an image before sharing it and I've passed along your feedback to the product team.
-Dave
ref: PB-32854297
0