Duplicated Passwords
Hi,
I have two wifi routers listed in my vault.
However, the pair are highlighted in the "Duplicated Passwords" folder, even though the all their passwords are different.
Is this bug that needs highlighting ?
Regards
1Password Version: v7.0.532-BETA
Extension Version: Not Provided
OS Version: Win 10 whatever the latest version is, I've got it
Sync Type: Dropbox
Comments
-
Hi @Swivel_Eyes,
Thanks for writing in.
In Duplicated Passwords item list, it groups the items with the first three letter of the password, you don't see that password at all inside each item? Here's what I mean:
In this case, this group of items all share the same password starting with com.
0 -
Hello Mike,
Thanks for the reply.
Yes, that's what I see. But when I interrogate the passwords in each item, they're all different.
If that's the case then why are my entries listed as duplicates ?
Am I missing something ?0 -
Hi @Swivel_Eyes,
Yes, that's what I see
See what, you see the password with the first three letters in both items? If yes, that's why is listed as a duplicate.
Reusing the same password anywhere is a security issue, there should not be any single password in common anywhere in your 1Password database.
Just to be clear, it's not two passwords that are the same in the single item, it's one password that is the same in two separate items.
0 -
Hi Mike,
Further developments.
If I create two new logins with identical (weak) passwords, they appear in both the "Weak" and the "Duplicates" folders.
If I strengthen the passwords or change one of them, they disappear from one or both of the folders, depending on what I change.
This is the exact behaviour that I expect.However, if I do the same thing with routers, I don't get the same behaviour.
They don't appear in the "Weak" folder if I use weak passwords and they don't disappear from the "Duplicates" folder if I make all the passwords different.Surely, there must be something wrong with v7's security treatment of routers ?
0 -
Hi @Swivel_Eyes,
Hmm, I created two Router items with the same password and they do not show up as duplicates. I see only Logins show up and I think we may not be including Routers in Security Audit, they may be to be limited to Logins only. I'll check with our team and get back to you.
0 -
OK Mike, thanks .....
0 -
@Swivel_Eyes: I'm going to ask a potentially stupid question since it's something I've been wondering and it doesn't seem clear from the rest of the discussion...but did you perhaps create those items on another device? I see you're syncing with Dropbox, so I wonder if there may be some difference between platforms that is confounding us all here. Let me know if you can.
0 -
Hi brenty,
I have two Windows PC's and three iOS devices all synced with Dropbox.
I can't remember if these two routers were created in iOS. It's unlikely I would have used iOS as there is more complexity in filling out the fields for a router as opposed to filling out for a simple login. So, with these types of items, I prefer to create them on a PC. By extension, that means they were created in standalone v4.Interestingly, since talking with MikeT, my two PC's on v7 are treating these two routers differently. One PC shows them as duplicates in the duplicates folder while the other PC doesn't [Both on Win10, latest update].
Regards
0 -
@Swivel_Eyes: Thanks for the extra info! I know @MikeT was looking into how router items are treated for duplicate password purposes, but a point of curiosity for me. The PC that is showing the Router items in the duplicate passwords section – is that the PC you made those edits on?
0 -
Hello bundtkate,
Yes. When I need to create another item that contains a significant number of fields, I find it's easier to copy an existing item and make the necessary changes, rather than creating an item from scratch. This is what I did with these two routers ....
0 -
Yes. When I need to create another item that contains a significant number of fields, I find it's easier to copy an existing item and make the necessary changes, rather than creating an item from scratch. This is what I did with these two routers ....
@Swivel_Eyes: Totally! I do the same thing. I've got a few "template" items with some custom fields I added which I duplicate on occasion. Is that how you created these affected items? If so, are you able to reproduce the issue by duplicating both of them again? I wonder if there's something you've specifically added there which is the key. Can you also reproduce the effect by creating a new dummy item? If so, let me know how to create the same thing.
0 -
Hi brenty,
Well, I don't have specific template items, I just pick the most suitable existing item that matches my new item. This was how I created the second of these two routers (in v4).
I've created two new routers in v7 and inputted my required information (including unique passwords) but can't reproduce the original problem. If I change to identical passwords and back to unique, they appear and disappear from the duplicates as expected.
Interestingly, the router default fields when created in v4 were
password --> base station name --> base station password --> server/IP address --> AirPort ID --> network name --> wireless security
wireless network password --> attached storage password --> serial no. --> notes --> attachmentsWhile the defaults now in v7 are
base station name --> base station password --> server/IP address --> AirPort ID --> network name --> wireless security
wireless network password --> attached storage password --> notes --> tagsI just wonder if this is some sort of conversion bug from v4 --> v7 ?
Regards
0 -
@Swivel_Eyes: I'm honestly not sure what that initial password field from 1Password 4 was intended to cover and I'm wondering if it might be the reason you were seeing things treated differently in Security Audit with items transferred from 1Password 4. Was the password you were changing to your testing in that first
passwordfield, by chance?As for the small difference in the fields, I'd wager this is just a change in the template that has happened over time as those you mentioned for 1Password 7 mirror those I see in other 1Password apps. The omissions of attachments I can explain as adding new attachments isn't supported in 1Password 7 just yet, so if this Router item didn't have any attachments, that field won't show up. It'll be back in a future update. And tags, of course, are something new in 1Password 7. If this item were in a folder before, you'd see those reflected here as folders are converted to tags, but absent any converted folders, it's expected to be empty waiting for you to organize the item as you see fit. :chuffed:
0 -
Hi @Swivel_Eyes,
Check for an update, 1Password 7.0.539 (Beta 5) should have this fixed now with not showing duplicated passwords for non-Login items.
0 -
To bundtkate,
Yes, but I was also changing the 2nd password field within each item to keep the passwords the same. This particular issue has now gone away since the time I created new v7 versions of these two routers.
To MikeT,
Thanks for the update, but I have a further question.
I have following login items for
(a) BT : ID
(b) Microsoft : ID
(c) Apple : IDI also have e-mail (non-login) items created for
BT : email
Microsoft : Outlook
Apple : iCloudAs each of the ID's are related to each of the emails, the passwords are deliberately the same.
These are now showing up as duplicates when really they aren't, as one is a login while the other isn't.Is this what was intended ?
0 -
Hi @Swivel_Eyes,
Yes, that is the sole purpose behind Duplicate Passwords, you should never ever reuse any of your passwords. For an example, if your Microsoft account gets breached, the hackers can reuse your password to try it with any known IDs you commonly use and ran an attack on thousands of sites at the same time to see what they can log in successfully.
Especially if your Apple ID or BT ID may have been mentioned somehow in your Microsoft account, like look for recovery emails in the Outlook account. Many folks reuse their other email address as recovery email addresses.
If your wireless router has been compromised and its password is known to the attacker, they can sniff out what sites you visit and try the same password.
0 -
Hi Mike,
Not sure if you've fully understood what I was trying to convey.
The (BT : ID and BT : email) items are recorded in the vault with the same password. That's because they refer to one and the same thing. i.e. one being a login record and a the other a non-login record.
The (Apple : ID and Apple : iCloud) passwords are identical because they refer to the same thing but are different to BT.
The (Microsoft : ID and Microsoft : Outlook) passwords are identical because they refer to the same thing but are different to both BT and Apple.If what you state is the sole purpose of highlighting duplicates, what's the point in having a login item that records a password, if that same password is able to be recorded in an email item as a non-login ?
0 -
@Swivel_Eyes, my apologies, I did misunderstand what you were saying, I thought you had three Login items with same passwords and three email items with same passwords and it did not click at all to me that each were a set of Login/email items of the same account.
If what you state is the sole purpose of highlighting duplicates, what's the point in having a login item that records a password, if that same password is able to be recorded in an email item as a non-login ?
The problem is that they're not linked, we don't support linking items that tell 1Password they're the same "account". For simplicity and accuracy, the duplicate password goes through all categories and find passwords that are the same, nothing more than this. It is better to have more duplicate "findings" than to have less where it may incorrectly assume some items were related and skipped them.
In this case, what happened was the email category was created at the time where web email clients were not common, you had email clients, so email items contain the information you need to get into your email account. However, as web email clients became more common, you only need to use Login items and record the rest of the information you need in the custom section of the said Login items.
What we wanted to do is embed the said email item within the Login item and when we tried it, it made it incredibly difficult to sustain with reliability, consistency and so on that we need. This would not be marked as duplicate like so. We still want to find a way to let you embed other items but that may be a far away.
For now, you have a few approaches to this:
1. Do not store the password in the email item, tag the Login/email items together if you want to go that way
2. Only use the Login item and add the information you need in the custom section with custom fields.0 -
OK Mike thanks for clarifying,
This also applies to, for example, a bank login item and a bank account non-login item.
What I don't understand is that this wasn't a problem in v4 but it is now in v7.Maybe you should change the defaults for when creating a non-login email or bank account item, so they don't include the ability to record a password or PIN.
What do you think ?
0 -
What I don't understand is that this wasn't a problem in v4 but it is now in v7.
1Password 4 is much older with different rules that didn't factor in a lot of things. 1Password 7, we're expanding it further to cover more items and more various edge cases.
If you create a new Secure Note item and generate a password in a custom password field, 1Password 7 can compare with other items and let you know. 1Password 4 wouldn't catch this because it was limited to Logins only if I remember correctly.
Maybe you should change the defaults for when creating a non-login email or bank account item, so they don't include the ability to record a password or PIN.
I'll bring it up with the team to see what they think. We try to encourage the password generator as much as we can but sometime we may go overboard with this.
0 -
Thanks Mike,
Yes, I already use Secure Notes extensively with the password generator to record items that have a monetary element and I reserve my login items for non-monetary websites e.g. shopping etc.
I think we can now close this thread ...
0 -
Thanks for the conversation, it helps us to consider some of the upcoming features more throughly based on specific use cases.
0
