I have way too many 1P generated passwords (and a question about how they work..) [resolved]

camner
Community Member
edited December 2013 in Mac

Take a look at this screenshot of my 1P vault:

You'll notice that there are 67 passwords, and my understanding is that these are all 1P generated passwords. I have definitely NOT asked 1P (at least not intentionally) to create these generated passwords. I've only tried that feature out a couple of times (yeah, I should use it more, but that's another conversation for another day....) And I'm CERTAIN I didn't try to create a password for "Safari" (where would the browser have a password, anyway?)

I don't understand how these passwords connect to the logins that are for the same website, if they connect at all. It seems (IIRC) that if I ask 1P to generate a password for me, it creates an entry in the 1P "Password" category. Are these passwords completely independent of the logins? So, for example, if I then ask 1P to save a login with the generated password, it creates a login entry, right? Are these linked in any way? If I decide to change my password and then generate a 1P password, does that replace the old "Password" category entry?

If there's no linkage between the stored generated password and a login for the same site, is the idea here that I may wish to have a password generated for a site that I do not wish to store a login for? (I can't personally imagine why I would want this, but....)

A related question about a specific incident...I needed to change my password on a site. I asked 1P to generate a new password, which I had 1P fill in on the "change password" page of the web site. 1P then asked me if I wanted to replace the old login with the new login, and I said "yes." I then opened 1P and saw that the login entry for this web site was still the old password, not the generated one.

I then went back to the website, and manually entered my username and copied the 1P generated password from the "Password" category entry. After being prompted again with the question about whether I wanted to save the login or update it, I chose "update." Upon opening 1P I saw that the "Password" category entry for this site had disappeared, and the login entry had been updated, as I would have expected. Does this mean that all of the "Password" category passwords are those that are NOT associated with any login?

I'm obviously a bit confused about how all this is supposed to work. Thanks for the help.

Comments

  • sjk
    1Password Alumni

    Hi, @camner.

    I'm sorry that it's confusing how generated passwords and the Passwords category are intended to work.

    To get some basic background about this, which hopefully also answers many of your questions, let's start with @Megan's post (#6): here.

    Running Help > Tools > Remove Redundant Generated Passwords can significantly reduce the number of items in the Passwords category. Its usage is mentioned in several topics, in addition to Megan's post, e.g.: here, here, here, here.

    And there's an improvement in the current 4.1 (MAS) and 4.1.1 (Agile Web Store) updates that should also help with item reduction there:

    • Duplicated generated passwords are now removed after saving or updating a login in the Save Login window.

    I'll have more information later about your specific incident with the password change and anything else that's been left uncovered. :)

  • camner
    Community Member

    Thanks for your reply. I ran RRGP which eliminated only 3 of the 67 Passwords….ugh. So I now have 64 of these generated passwords and there is absolutely no way I (intentionally) created all of these.

    I don't know if there is an easier way, but will this work?
    1. Wherever there is a login and a generated password for the same site (even if RRGP didn't find it), if the login works, I presume I can kill the generated password?
    2. If there is no associated login, I can use "convert to login" to kill the generated password, yes?

  • camner
    Community Member

    For what it's worth, almost all of these "wrong" generated passwords were generated on exactly the day that the associated login was created. Sounds like something was amiss...

  • sjk
    1Password Alumni

    Hi, @camner.

    First, I'd like to refer you to my response to @samangh: here. There's overlap happening between this and that topic so I may merge them, as mentioned there, so we're not all bouncing back and forth. :)

    And here's something from @chrisdj:

    The two items @sjk mentions are our first steps toward making it easier to remove or convert Generated Passwords. We'll naturally adjust as we observe how things play out in the mainstream. We need to start somewhere, and I think these two menu items are as good as any place to start. :)

    "convert" being Convert to Login, about which you asked:

    2. If there is no associated login, I can use "convert to login" to kill the generated password, yes?

    That's one way of doing it, although unnecessary for items in the Passwords category you've determined no longer serve any purpose and can simply be removed. We'll eventually get around to ideas for figuring out which Password items matter or not; hang in there. :)

    Okay, briefly, here's one. Duplicate Passwords usage under Security Audit is discussed in Jeff's blog post:

    Time to give 1Password 4 for Mac’s Security Audit a whirl

    Any Password items you spot in Duplicate Passwords may be candidates for removal, likely more often than for conversion to Login items.

    Let's step back a bit and take a look at which items might be in your Passwords category. Here's a brief description from @MikeT:

    Passwords is just a simpler version [of Logins] where it is only focused on a specific password, key, combination #, codes or anything of that sort. It's also being used as a safety net for the 1Password's Generator Password. Each time you generate a password, a copy of it is recorded into Passwords.

    The first kind are items you would manually create there, but completely optionally. The second kind are items that are automatically created there, which isn't an option.

    So how do you manage those items, especially if manually and automatically created kinds are both stored there? Obviously you'd want to retain them while they still serve their intended purpose. :)

    If you've chosen to manually create Password items then you'll need some way to identify them, e.g. with tags and/or in folders, so they won't get mixed up with ones created automatically. Then it's relatively simple to know which you want to keep and remove.

    Knowing which automatically created Password items to keep and remove can be less obvious. You already know about Remove Redundant Generated Passwords and Convert to Login. RRGP picks items for removal; CtL leaves the picking to you (possibly with the aid of Duplicate Passwords mentioned earlier). And you asked:

    1. Wherever there is a login and a generated password for the same site (even if RRGP didn't find it), if the login works, I presume I can kill the generated password?

    Correct, when you're confident the Password item no longer serves a useful purpose by being superseded by the Login item.

    Then there's something like this:

    For what it's worth, almost all of these "wrong" generated passwords were generated on exactly the day that the associated login was created. Sounds like something was amiss…

    Offhand I can only speculate why. Maybe you unintentionally stepped on the Password Generator gas that day? :)

    In one of my primary 1P4 vaults with all All Items, sorted by Date Created, I see this:

    Since there isn't a Login item for Facebook created on the same day (or modified later) as that www.facebook.com Password item it's a candidate for status checking before removal. And the other three Password items there are more obvious fluff, making it likely the other is too.

    With the Passwords category selected, another tip for weeding out remaining items for possible removal or conversion to Login is to search for the Title of any you're unsure of and see if that matches any other items. And tapping the Option key to temporarily reveal passwords in password fields and under Previously used passwords may even help.

    As you can see by all that, there's a pruning process involved in getting the Passwords category into the shape where it may have more overall value than simply letting it grow uncontrolled. Doing it initially may have some challenges, then managing it after that can be relatively easy to sustain. One way to simplify it is choosing not to store manually created items there, or only have a small number that are clearly identifiable.

    Hopefully that addresses most of your questions and concerns about this. Oh, and please forgive me postponing a bit longer what I'd still like to mention about your "specific incident".

    Feedback welcomed. :)

  • camner
    Community Member

    @oversoul:

    Thanks for the detailed response. Most of it makes good sense to me (the part that doesn't I attribute to my lack of understanding, not to your lack of clarity…). The part I don't understand is what you describe as the "first kind," or "manual" passwords. This is perhaps because this is functionality that I don't think I use. Is this when there is some web site that has some entry that I want to remember (not necessarily a password) that isn't associated with a login? Perhaps an example is the second of a two-step login process (as many banks use)? Although for that I use a second "login" style entry, even though it only has a "password" entry.

    I presume that the second, or "automatically generated" situation is when I click on the "generate password" button, yes?

    As for stepping on the "Password Generator" gas pedal, I know that there have been a few times when I've clicked on the Generate Password button inadvertently, but it seems hard for me to believe that I did that 67 times!

    Anyway, I went through all of the 64 remaining after running RRGP and finding all of 3 duplicates. I did not find a single case where I didn't either have a (correct) login already or where it was a complete orphan, a "password" (one of your wonderful generated strings!) that was associated with a website I know I visited but for which there was no associated login. I now have 0 entries in the Passwords category, and I'm going to keep an eye out on what happens. Maybe I'll figure out what did occur, or maybe not, particularly if they don't continue to get generated.

    [Alas, finding duplicates doesn't work for me, because for many sites whose security I don't care about…e.g. lots of forums…I use the same password, generated in pre-1P times. The worst thing I risk is loss of reputation if someone gets the credentials and pretends to be me. Perhaps I shouldn't be blasé about that possibility, but right now I am]

    Thanks again for your help. =D>

  • sjk
    1Password Alumni

    You're welcome, @camner. My pleasure to help.

    I think you're underestimating how much you understand. :)

    The part I don't understand is what you describe as the "first kind," or "manual" passwords. This is perhaps because this is functionality that I don't think I use.

    It's totally up to you how to make use of manually created Password items, if at all. :)

    Someone might use Password items for storing information that isn't associated with a web site, e.g. lock combinations, alarm codes, VINs, etc., and doesn't fit well in other predefined categories.

    Manually created Password items can act like "Generic" items.

    Is this when there is some web site that has some entry that I want to remember (not necessarily a password) that isn't associated with a login?

    Adding certain types of extra information (e.g. security questions/answers) in custom fields of Login items is generally preferable to having separate Password items for it.

    Perhaps an example is the second of a two-step login process (as many banks use)?

    Using Login items for additional pages of multi-page logins is still suggested for that purpose, at least when 1P4 can match an item with the page and possibly autofill on it.

    Interestingly, autofill from the password field of a single Password item can be used with different sites. But it lacks site matching (except when no Login items override it) and additional form field autofill support of Login items. Sort of in a pre-Convert to Login state.

    But let's not make this unnecessarily confusing. :)

    I presume that the second, or "automatically generated" situation is when I click on the "generate password" button, yes?

    Each time Copy or Fill is used in the 1P mini/extension Password Generator a new Password item is created. That's the only way new items are automatically added to the Passwords category. If there's another way it's probably a fluke/bug, like your unusual item overload:

    As for stepping on the "Password Generator" gas pedal, I know that there have been a few times when I've clicked on the Generate Password button inadvertently, but it seems hard for me to believe that I did that 67 times!

    Do you know/remember which date range those were created in? Maybe not easy to find since:

    I now have 0 entries in the Passwords category

    Nice!

    I use the same password

    Shhh. :)

    Cheers!

  • camner
    Community Member

    I use the same password

    Shhh. :)

    Well, I do make sure that I use the 1P password generated for my NSA password, which lets me access everything Snowden did, and more!

    [And now to be serious for a moment, I found myself thinking for just a brief moment as I wrote the above, "Hmmmm...any chance I shouldn't be writing this?" How sad that such an idea would even cross someone's mind.]

  • MrC
    Volunteer Moderator

    I've read through much of this thread, but not all, so pardon me if I missed something.

    The very length of and confusion regarding this thread about the Passwords category is telling. The Passwords category is polluted. My personally created entries should not be mixed in with some automatically created passwords where I have to go figure out what is valid, useful, or necessary. It is simply too hard.

    If you've chosen to manually create Password items then you'll need some way to identify them, e.g. with tags and/or in folders, so they won't get mixed up with ones created automatically. Then it's relatively simple to know which you want to keep and remove.

    I think this is backwards. 1P4 should automatically place auto-generated items in their own Auto-gen'd Passwords category, or tag them with some term like "Automatically Generated", so they can be distinguished. With such a column, I can at least sort mine from yours in Passwords.

    I have a bunch of "No active app" entries. And I have no idea what they are for, or if I should delete them. I have one labelled as coming from Firefox, but it appears to be a password used in some other site. I have another one labeled as coming from com.agilebits.onepassword4, but it is used in a banking site. How can these be matched easily? Why weren't these detected by the Remove Redundant... tool? I don't trust the tool now.

    The Duplicates tool in Security Audit for me shows 74 entries. But I have no idea how to match the duplicates (short of searching for 74 copied passwords across all my records - sheesh!). These duplicate records should be grouped with each other for easy detection and disposition. Other than sorting by Password Strength in the new row-based view, which gives a rough approximation of sameness, figuring out what to do is very difficult.

  • sjk
    1Password Alumni

    Hi, @camner.

    "How sad that such an idea would even cross someone's mind."

    And how wonderful to be free from the possibility of mistrust and doubt?

    I now have some brief followup for you about this:

    A related question about a specific incident...I needed to change my password on a site. I asked 1P to generate a new password, which I had 1P fill in on the "change password" page of the web site. 1P then asked me if I wanted to replace the old login with the new login, and I said "yes." I then opened 1P and saw that the login entry for this web site was still the old password, not the generated one.

    I then went back to the website, and manually entered my username and copied the 1P generated password from the "Password" category entry. After being prompted again with the question about whether I wanted to save the login or update it, I chose "update." Upon opening 1P I saw that the "Password" category entry for this site had disappeared, and the login entry had been updated, as I would have expected.

    The first part of that sounds like you've encountered a variation of bug reported here:

    1P 4.1.1 not updating login after selecting update in dialog [confirmed, will be fixed]

    We will get an update out with it fixed as soon as possible.

    The last bit of that happened with auto-removal of the Password item after successfully updating your Login item because of this 4.1/4.1.1 improvement:

    • Duplicated generated passwords are now removed after saving or updating a login in the Save Login window.

    That can help automatically reduce the Password item pileup that manual Remove Redundant Generated Passwords usage is intended to remove.

    Also, when prompted to save a new Login item or update an existing one, e.g.:

    … this new Edit Login in 1Password… feature can be useful:

    It provides a way to "preview" (and optionally modify) the item before saving (or canceling) changes.

    I hope that helps. :)

  • camner
    Community Member

    Thanks. I'll give it a whirl next time.

    And thanks for your responsiveness overall!

This discussion has been closed.