Duplicate passwords: Mark the 2nd item as a persistent duplicate [Will be smarter in future updates]

TheDave
Community Member
edited July 2015 in 1Password 4 for Windows

I'm wandering through the few duplicate passwords I have in my list, how can I find the duplicated password?

This was previously discussed at https://discussions.agilebits.com/discussion/comment/149450/#Comment_149450 and the answer was "it doesn't really matter which ones are the 'duplicates' if you're going to change all that are reported as duplicates." However, there is a significant flaw in that logic, and it actually does matter.

Imagine that site1 and site2 share a password. I use the 1Password duplicate password finder to find them, and change the password of site1. Since it's no longer a duplicate, site2 is removed from the list automatically. Without any way to find other sites that shared that password, I don't know to update site2. Now imagine site1 maintains a plaintext or unsalted MD5 list of previous passwords; when site1 gets hacked, the hacker now has my username and old password, and suddenly my site2 credentials are vulnerable. Since it is quite common to prevent password changes to recently used passwords, I can only imagine that many sites do maintain some sort of recent password list, and I can't imagine such a list being stored more securely than their main password database.

I can think of a couple possible fixes. First, allowing me to view all sites sharing a password might allow me to reset all their passwords in one shot. Second (and potentially more useful), the duplicate password finder should find any site where the current password matches another site's current or previous passwords. In other words, in my example above, site2 would still be listed as a duplicate.

Is there a better way to handle this situation currently?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
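The second fix proposed above (treat an item as a duplicate when its current password matches another item's current or previous password) as an added, constructed example in Python; this is not 1Password's code and the `Login`, `rotate` and `scenario` names are assumptions. It contrasts the current-only check with a history-aware one on the site1/site2 case from the post.

```python
"""Duplicate-password finder that also checks password history (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib


@dataclass
class Login:
    title: str
    password: str                                  # current password
    history: list = field(default_factory=list)    # previous passwords, oldest first


def _fingerprint(password: str) -> str:
    # Index by a hash so the lookup tables and the report never carry the raw secret.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_duplicates(logins):
    """Current-password-only check (the behaviour the thread describes today).
    Returns sorted groups of titles that share one current password."""
    groups = defaultdict(list)
    for item in logins:
        groups[_fingerprint(item.password)].append(item.title)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def find_persistent_duplicates(logins):
    """Flag an item whose current password matches another item's current OR
    previous password. Returns {title: sorted list of colliding titles}."""
    seen = defaultdict(set)    # fingerprint -> titles where it appears (current or history)
    for item in logins:
        for pw in [item.password, *item.history]:
            seen[_fingerprint(pw)].add(item.title)
    report = {}
    for item in logins:
        others = seen[_fingerprint(item.password)] - {item.title}
        if others:
            report[item.title] = sorted(others)
    return report


def rotate(item, new_password):
    """Change an item's password, keeping the old one in its history."""
    item.history.append(item.password)
    item.password = new_password
    return item


def scenario():
    """Constructed vault: site1 and site2 share a password, then only site1 is rotated.
    Returns (duplicates before, current-only duplicates after, persistent duplicates after)."""
    vault = [Login("site1", "shared-example"), Login("site2", "shared-example"),
             Login("site3", "unique-example")]
    before = find_duplicates(vault)
    rotate(vault[0], "fresh-example")
    return before, find_duplicates(vault), find_persistent_duplicates(vault)
```

After the rotation the current-only check reports nothing, while the history-aware check still flags site2 as colliding with site1's old password.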

Comments

  • MikeT
    edited July 2015

    Hi @TheDave,

    Now imagine site1 maintains a plaintext or unsalted MD5 list of previous passwords; when site1 gets hacked, the hacker now has my username and old password, and suddenly my site2 credentials are vulnerable.

    Just to step aside from the discussion a bit, there is a bigger problem with two sites using unsalted hashes, and changing your password will not protect you on these sites, as whatever password you change to will be broken extremely quickly. You'd want to make sure they change to the right way of protecting your passwords. If they simply reuse it and reset everyone's password, the criminals can simply reuse the table they've generated so far.

    However, we do have the password history feature for this reason, to avoid reusing the same password across the entire database, but we haven't fully integrated it for deeper analysis. Right now, it's basically just comparing the main passwords, not factoring in the password history; this is something we plan to fix in a future update.

    First, allowing me to view all sites sharing a password might allow me to reset all their passwords in one shot.

    I'm not sure what you mean. Right now, you could just open both Logins as two tabs in your browser and change both sites at the same time, rather than just changing one site at a time, which would update the list in the program as you saw.

    We do realize this isn't a great experience as the duplicates should be marked as persistent duplicates until it is updated as well. It will get better over time as we plan to add more intelligence to the security audit section.

    There's also Watchtower: if we know both sites were breached, you'd still see the other one in there. Again, this will be improved in its ability to detect duplicate passwords in the Watchtower database, to prioritize it above the rest.

    Second (and potentially more useful), the duplicate password finder should find any site where the current password matches another site's current or previous passwords.

    This is planned but I don't know how soon it'll come.

    ref: OPM-1601

  • TheDave
    Community Member

    Ultimately, I don't usually have any clue how a site stores passwords, so I assume they all do it poorly.

    The problem right now is that although I can see I have 20-30 some "duplicate" passwords as reported by 1Password, I can't see which sites are sharing a password, and once I did the first, the second disappears from the duplicate list too, as it's no longer a duplicate (but it is still just as vulnerable as it was when it was on the list).

    (Why do I have 20-30 duplicates? Not all duplicate passwords are bad; if a company has multiple interfaces that use the same backend, they will be duplicated. But some are bad, and I want to eliminate those.)

  • Hi @TheDave,

    The problem right now is that although I can see I have 20-30 some "duplicate" passwords as reported by 1Password, I can't see which sites are sharing a password, and once I did the first, the second disappears from the duplicate list too, as it's no longer a duplicate (but it is still just as vulnerable as it was when it was on the list).

    We do understand the problem; I'm offering some options for now, as this won't be improved in 1Password for a while. For now, you can double-click on every affected item to open it in the browser as separate tabs, so you can change each one as needed. In other words, use your browser to keep track of the passwords you need to change.

    Not all duplicate passwords are bad; if a company has multiple interfaces that use the same backend, they will be duplicated.

    Have you tried combining them all into one Login item to see if it works?

This discussion has been closed.