Create Login with no password

smallcheese

Hi folks,

One of the release notes for the latest Beta suggests that Watchtower will no longer report on Login items with no passwords. My question is how does one create a Login with no password? If I try this a password field still shows with an old auto-detected value in it, showing a weak indicator. For a couple of Logins I've had a similar issue, and to avoid seeing the item listed in the Weak Passwords window I've created arbitrary unused passwords for the accounts.

Is there a way I can have a Login item with no password in it? If so, how?!

Thanks,
Tom

Megan

Hi @smallcheese‌

Login items without passwords are often used for sign-in pages that have the username on one page and the password on a second page. Some users create two separate entries in cases like this, one for each page. Other than this use, I'm not quite sure why you would want a Login item that doesn't have a password - I'm curious, what are you using this for?

Now, I just created a new Login item using the '+' icon in the top menu bar and left the password field blank, and the field stayed blank, as it should. How are you creating these Logins?

smallcheese

Hi Megan,

This is mainly for banking websites which don't have a traditional username/password format for logging on, or where the first piece of login info they require is a 4 digit pin number and then I need to enter a bunch of other info after that. The goal is not to have things show up in the weak password warning section unnecessarily.

For such banking records I create all the relevant fields and associated kooky names within the record and then mask them out. Ideally I'd leave the username and password blank as it's not 100% relevant, it doesn't really fit the model.

I was able to create a test entry with no password, and I've also found I can remove the password on it if I set it and then try to remove it. In the case of the bank website I already have in place, if I remove the password it simply takes the entry from the first starred/masked field in the record and then moves that into the password field. In this case it's a 4 digit PIN which then shows up as a weak password.

Thanks,
Tom

Megan

Hi @smallcheese‌

I completely understand wanting to keep info out of that weak password section - I like having my Security Audit as empty as possible too. :)

Now, I'm not quite sure I'm understanding your workflow here. When you create a Login using the main app, you are leaving the default 'username' and 'password' fields blank, and filling all the details using custom fields? I might suggest trying to save a new Login using these steps:

• Edit the login that you currently have for this website by appending an "Old" to the title - just so you can tell them apart.
• Visit the site and fill in the fields you want filled. Do NOT click the login button.
• Click the 1Password extension, and unlock it if necessary.
• Click the gear icon (or vault icon if multiple vaults are enabled) in the upper right corner.
• Select Save new login.
• Give the entry a unique and identifiable title.
• Click Save.
• Revisit the site and see if 1Password fills in the site correctly.

These steps allow 1Password to learn the fields that the website requires for filling, and it saves you the work of having to create all of the fields manually. This should make things simpler for you. But if I am misunderstanding things, please let me know. If I know a bit more about your process I can do some testing to see if I can re-create the behaviour that you are seeing.

smallcheese

Hi Megan,

Because the bank in question has multiple pages of logins your approach doesn't quite fit. I can give you the specific details about an example website, which is a bank in the UK called Smile.

Their login process requests:

Page 1
Sort Code
Account Number

Page 2
Random digit from a 4 digit PIN
2nd random digit from a 4 digit PIN

Page 3
Answer to one of 5 different security questions (memorable name etc)

As you can see the traditional username and password approach is not relevant here. I just started a new item and began with putting the sort code, account number and PIN under a section I called Login Details, with the PIN masked out. I then entered the answers to all the security questions under a new section called Security Details and masked all entries.

Because the PIN entry is a masked entry this gets copied to the password field, and because it is only a 4 digit PIN it shows as a terrible/weak strength in 1P and thus appears in the audit.

Hopefully I'be done a better job of explaining myself this time!

Thanks for your patience.
Tom

Megan

Hi Tom ( @smallcheese‌ )

Thanks so much for that detailed explanation ... that is a rather unique sign-in process indeed! Now because it's a multiple page site, I'm not able to do a lot of testing here (because I couldn't get past the first page with my fake 'test' data), but this is what I would recommend:

Page 1 Sort Code Account Number

• Enter your account number
• Click on the 1Password extension, unlock if necessary
• Click on the gear/vault icon and select 'Save new Login'
• Title this 'Smile bank, page 1' (or something more creative and useful)
• Save

This will allow 1Password to learn the fields in a way that it will be able to fill automatically.

Page 2 Random digit from a 4 digit PIN 2nd random digit from a 4 digit PIN

Unfortunately, 1Password is not able to fill in random digits, so you might want to record the PIN manually within your existing 'page 1' Login. You can store it in a custom field hidden behind a password mask if you wish. You're right, I've done some testing here, and can confirm that 1Password will 'helpfully' use this custom PIN field as the password if you haven't entered another password. However, our developers are working on ensuring that PIN codes do not show up in the Security Audit, since these codes are often restricted to a short length.

Page 3 Answer to one of 5 different security questions (memorable name etc)

You're storing these exactly how I would recommend: in a custom section within your entry, with the password field type to mask the details.

So, it sounds like you have things set up as well as can be expected for this unique site ... for now. :) I have mentioned to our developers that you are keen on seeing PINs no longer show up in the Security Audit, hopefully we can get this sorted so that you don't have this entry clogging up your Security Audit.

.

smallcheese

Thanks for your help! :)

Jasper

On behalf of Megan, you're welcome. Please let us know if you have any other questions! :)