A number of suggestions to make password spring cleaning easier

Daves_Not_Here_Man
Community Member

Elsewhere in this forum I have been griping about the lack of merge capabilities. Even if that is not going to be implemented soon, any number of other things might help when somebody is going through a spring cleaning of their password database:

  1. A feature which would comb through all of the password entries, and find ones for which the website is defunct. Now on first glance, this would be a domain name which is no longer look-uppable in DNS. Unfortunately that is only going to catch 1/3 or so of the cobweb sites I have found referenced in my password database. Some of these domains are too valuable to just stop paying the rent on, so they are parked, or just don't have the original content on them anymore. One way for 1Password to catch web sites which at least need to be reviewed, would be any website which no longer has the same favicon. I suspect there are other ways to build a suspicion score (like a spam score), such as IP address for domain has changed, or common strings found on domain parking pages.
  2. Speaking of websites that are defunct, it really made me uncomfortable to have 1Password go to an old site and try to fill in the username and password I had stored for it, and suspect that it was being sent to some other organization or person. I think anytime the favicon has changed, 1Password should stop in its tracks and ask me if I want to use my login. I would also like the ability for me to select a third option to "Open and Fill", and Copy, and that is just Open. In fact, I would like an option for 1Password to skip "open and fill" automagically when a password is more than X years old (where X is selected by me in preferences, let's make it default to 5 years.) I don't think you can track (or really can track reliably) when I have used a password to log in, although that would be a nice-to-have, and have it treat aging weak and unused passwords so that the default behavior for login is not fill, but just Open.
  3. Every fifth login is getting deleted by me as I comb through my ~700 logins. It is annoying that when I delete a login, 1Password loses my place in the list. If I delete an entry, can you have the highlighted line either go back one entry, or forward to the next entry?

Is there a special place to put feature requests?

Thanks,
-Dave


1Password Version: 6.8.2
Extension Version: ?
OS Version: OS X 10.12.6
Sync Type: dropbox
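The suspicion score and fill policy proposed in the post above, sketched as an added example (not part of the thread and not 1Password's code). The class names, weights and parking-page markers are assumptions, and the DNS, favicon and page data are constructed here rather than fetched.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed marker strings; real parking pages vary widely.
PARKING_MARKERS = ("domain is for sale", "buy this domain", "this domain is parked")

@dataclass
class Saved:                 # recorded when the login was stored
    favicon_sha256: str
    ips: frozenset
    password_set: date

@dataclass
class Probe:                 # result of a fresh check, gathered elsewhere
    resolves: bool           # False = name no longer found in DNS
    favicon: Optional[bytes] = None
    ips: frozenset = frozenset()
    body: str = ""

def review(saved, probe, today, max_age_years=5):
    """Return (score, reasons, action); the weights are illustrative."""
    if not probe.resolves:
        return 100, ["domain no longer resolves"], "review"
    icon = hashlib.sha256(probe.favicon).hexdigest() if probe.favicon else None
    icon_changed = icon != saved.favicon_sha256
    parked = any(m in probe.body.lower() for m in PARKING_MARKERS)
    moved = saved.ips.isdisjoint(probe.ips)
    old = (today - saved.password_set).days > max_age_years * 365.25
    signals = [
        (icon_changed, 40, "favicon changed"),
        (parked, 40, "parking-page text found"),
        (moved, 10, "IP address changed"),   # weak signal: CDNs rotate addresses
        (old, 10, f"password older than {max_age_years} years"),
    ]
    score = sum(w for hit, w, _ in signals if hit)
    reasons = [r for hit, _, r in signals if hit]
    # Fill policy from the post: ask on favicon change, open without filling when old.
    action = "ask" if icon_changed else "open-only" if old else "fill"
    return score, reasons, action

# Constructed sample data using documentation-range addresses.
ICON = b"\x00\x00\x01\x00original-icon"
SAVED = Saved(hashlib.sha256(ICON).hexdigest(), frozenset({"192.0.2.10"}), date(2010, 3, 1))
PARKED = Probe(True, b"\x00\x00\x01\x00registrar-icon", frozenset({"198.51.100.7"}),
               "<h1>This domain is for sale</h1>")
SAME = Probe(True, ICON, frozenset({"192.0.2.10"}), "<title>Sign in</title>")
GONE = Probe(False)
```

Sorting entries by descending score gives a review queue for the cleanup pass, while the action value is what would gate filling at login time.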

Comments

  • Lars
    1Password Alumni

    Hey @Daves_Not_Here_Man -- there is indeed a special place to put feature requests, and you just did. :)

    Truthfully, we don't have the digital equivalent of a suggestion box, but here on the forum is good, although you're also welcome to write to us directly at support@1password.com. Either way, we love every bit of feedback and every suggestion that we get. Obviously, we can't DO every request we receive (especially when you consider that some of them are actually in direct conflict with one another!), but we feel very lucky to have so many users like you who understand technology more than just in passing and are passionate enough about this tool we build and they use everyday to take the time to share their thoughts and wishes in detail. Thanks for being a part of that group. :)

    I suspect checking favicons wouldn't be quite as easy as you make it sound, but I'll definitely pass along that idea. I'm not aware of any past conversations over having just an "open" function, but it wouldn't surprise me if this had come up at least once or twice in the past. My guess on that one is that we don't want to potentially confuse users with too many options for what to do with a URL, and simply opening something is what browser bookmarks are for. I understand your use-case, but I see a lot of potential for confusion and bug reports with that one, from people who don't understand the need for an "open" button or understand the fine distinction between "Open," "Open & Fill" and "Open & Fill, but only if the URL passes an invisible (to the user) set of criteria" (opened in the last __ months, not created more than __ years ago, etc...).

    Regarding 1Password "losing your place," I'm unable to replicate that behavior; deleting an entry in 1Password for Mac on my setup results in the expected behavior: moving the selected item to the trash and selecting the next item in the list. How are you performing the deletion? Drag-and-drop? Using the keyboard? Something else?

  • Daves_Not_Here_Man
    Community Member

    With the favicons, I figured you had already captured the icon (at least I have my preferences set that way, I guess not everyone might be doing that.) What I think might make it problematic is that it might cause a delay in the login; I'm not a web developer, so I don't know when the icon comes over.

    Let me remind you that the easier thing to check is defunct domain names, that should be part of any automagic culling/house-cleaning feature, so even if the favicon idea does not fly, I would like the dead-domain check option to be in the suggestions heap.

    Yeah, I get how open and fill and open could add confusion. I guess I would wish that copy was dropped in favor of plain open, but I get how that is available for every other field, so for symmetry, you have it for website.

    As for the "losing your place" problem, it looks like if you have the logins category selected, it works fine, but I was using the Security Audit's "Weak Passwords" category. I suspect these act like Mac Smart folders, and when the entry is deleted, the thing has to do a recalculation/rescan, and the place is lost. BTW, this lost place happens when you have the "All items" option selected as well.

    I will say that I would never select a single category when I am doing housecleaning. I want to see duplicates, and often they span categories. (Think email accounts through google.)

    If there is any question about how duplicate password entries get created, I would say the two most common are when I create an account, and after I have submitted my password, the damn thing up and tells me what kind of characters they want me to be using. How come at least a third of web sites do that? So 1Password creates two entries.

    The other common duplicate/munged entry comes when 1Password takes the recaptcha_response_field (or other challenge/security question answer field) and makes that the username. 1Password as recently as Feb 2016 did that, I presume that has been fixed in this version.

  • Daves_Not_Here_Man
    Community Member

    Let me add one more thing that would make housecleaning easier: Is there a way for me to select the default view of login entries to be expand/reveal/"Show all web form details"? It is annoying to have two entries side-by-side, and when you try to see which has the better info, you can't just do a quick up and down arrow, you have to up arrow, then find/click on "Show web form details", then down arrow, find/click on "Show web form details". Just in the brief moment when the screen is cleared, I find I forget what was on the previous login, and find I am doing this over and over (and over).

  • Lars
    1Password Alumni

    @Daves_Not_Here_Man

    > Let me remind you that the easier thing to check is defunct domain names, that should be part of any automagic culling/house-cleaning feature, so even if the favicon idea does not fly, I would like the dead-domain check option to be in the suggestions heap.

    Noted! I'll make our developers aware of your thoughts on this matter.

    > The other common duplicate/munged entry comes when 1Password takes the recaptcha_response_field (or other challenge/security question answer field) and makes that the username. 1Password as recently as Feb 2016 did that, I presume that has been fixed in this version.

    It's never "fixed" as a matter of course, across all websites. How websites implement some of these things varies widely and is always changing. So although of course the brains behind the filling engine is written with some general filling logic, often things have to be adjusted for individual websites. We count on users like you tipping us off that this or that site isn't either saving or filling the way it should. Most of the time, we can implement a fix or workaround, occasionally we can't (depending on what kind of shenanigans are going on with the specific site in question). If you've not seen this issue lately, then likely it was addressed in a past release. But if you see either the same thing or something completely different, let us know! Once we have an instance of it "in the wild," we can try to replicate the behavior ourselves and, if confirmed, usually track down what's causing the problem, and adjust to compensate.

    > Let me add one more thing that would make housecleaning easier: Is there a way for me to select the default view of login entries to be expand/reveal/"Show all web form details"?

    There is not, currently. It's something that could be added, and I will again make your wishes known on this one. What I can't do is say whether it will get worked on, because while adding "under the hood" information like web form details for obviously technically proficient users like yourself might be helpful and appreciated, for many less technical users it's simply one more rabbit-hole for them to potentially get lost in. We run into this fairly regularly with feature requests: it's usually the edge-case, highly technical user that would like this or that feature, and we can't deny that, in their particular use-case, what they're asking for would indeed be quite helpful. If that were all that needed to be considered, adding such things would much more likely fall into the "no brainer" category. However, we also have to weigh other factors, like how intimidating 1Password is for "regular users" to use (which can be based often at least in part on simply the number of selectable preferences/items to choose/understand/worry about - how many knobs are available for twiddling, if you will).

  • Daves_Not_Here_Man
    Community Member

    I'm sure I'm not telling you anything that has not been worried to death in multiple meetings, but: I think there has to be a way for users to conveniently and quickly upload failed login captures. I for one would do it if it involved one click. For 75% of my logins, I could really not care if you see all of my login info. My suspicion is that what you really just need is the domain name though, and then you can figure out how to reproduce it yourselves. As I root through my login database, I could send you 50-100, but they are not important enough for me to go posting them or email them to you folks. Since this might be looked at with shudders by some users, I do not know how to implement this, maybe as a special "insider's" edition during beta...

    I certainly would not want this to happen automatically. I should be able to pick which logins get uploaded.

  • Daves_Not_Here_Man
    Community Member

    By the way, backing up and bringing up the favicon issue again. I was somewhat surprised to see that the favicons were being updated just by the act of my clicking on the login entry (I don't mean double clicking on the entry and visiting the website myself.) I probably agreed to this (and understood it) when the feature was first introduced.

  • We would certainly love a more automated way of capturing instances where saving and/or filling didn’t work as expected, without causing privacy issues. It has indeed been discussed at length, and we even had a system built for it at one point. Unfortunately it is a very complex issue, and we just haven’t been able to find a better way than manual reports quite yet.

    Re: favicons... Are you referring to the Rich Icons feature? If so this guide page may be worth checking out:

    How 1Password protects your privacy when downloading icons

    Ben

  • Smudge
    Community Member

    May I suggest a method that I've used with other applications for advanced users; that is using the defaults command to adjust hidden/advanced preferences. For example, defaults write -app "1Password 6" AlwaysShowFormDetails 1 could be used to enable a setting to always show the web form details as Dave has requested.

    This is a good way to limit access to the settings to advanced users that are not afraid of the terminal and regular users wouldn't have buttons in the GUI to accidentally click on.

    It is also a good way to introduce and test a new feature in the application until the dev team can implement a proper button/menu into the GUI.

    If you don't like the defaults idea, another option could be that in the 1P application > Preferences window, the "advanced user" would hold down the control+option keys then click on the Advanced icon to reveal these secret settings.

    Also, any of these advanced settings would be disabled when the 1P application is closed. That way if by chance a "regular user" happens to enable one of these settings, everything would be back to normal if they were to quit and reopen 1P.

    Hope this helps

  • Lars
    1Password Alumni

    Thanks for the suggestions, @smudge! We actually do have a couple of "hidden preferences" that are accessible only via the defaults write command. We appreciate the ideas; keep 'em coming. :)

This discussion has been closed.