I think haveibeenpwned.com integration is not working properly in 1P7

lpuerto
Community Member

Hi,

I upgraded a couple of days ago to 1P7 and I'm really pleased in general with the improvements and revamps. Everything looks more solid than in the previous version.

However, I've just noticed what I believe isn't a proper integration of haveibeenpwned.com in the app. Some of the logins and passwords I have stored in the app display a banner saying that they have been compromised in a data breach according to haveibeenpwned.com. However, that is far from true, and if I go and check on haveibeenpwned.com it returns nothing.

What seems to be going on is that they are vulnerable passwords because they really have low complexity. So probably the categories have been mixed up.

Thanks!


1Password Version: 7.0.1
Extension Version: 4.7.1
OS Version: macOS 10.13.4
Sync Type: iCloud

Comments

  • troyhunt
    Community Member

    Make sure you're checking passwords on the Pwned Passwords search page and not on the home page that's designed for checking email addresses: https://haveibeenpwned.com/Passwords
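
The password-only lookup this comment points to, as an added example that is not part of the original post and is not 1Password's code: it shows why an entry can be flagged even though the e-mail search returns nothing, because the username never enters the check. It follows the public Pwned Passwords range-query format (first 5 hex characters of the SHA-1 sent, `SUFFIX:COUNT` lines returned); the corpus, counts, item names and function names are constructed so it runs offline.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used by the range query."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the breach corpus: password -> times seen (made-up counts).
CONSTRUCTED_CORPUS = {"123456": 1000, "password": 500, "000000": 42}

def fake_range_response(prefix: str) -> str:
    """Simulated server side: 'SUFFIX:COUNT' lines for every hash with this prefix."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def pwned_count(password: str, range_lookup=fake_range_response) -> int:
    """Client side: only the 5-character prefix leaves the device."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0

def flag_items(items):
    """Return titles of vault items whose password appears in the corpus.

    The username is carried along but never used: the check is per password,
    which is why the e-mail search and the password search can disagree.
    """
    return [title for title, _username, password in items
            if pwned_count(password) > 0]

if __name__ == "__main__":
    # Constructed vault entries (title, username, password).
    vault = [
        ("Bank PIN", "customer-0001", "000000"),
        ("Forum", "someone@example.com", "T7#vq9!mZr2^LxPd"),
    ]
    print(flag_items(vault))
```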

  • Jacob

    Hey @lpuerto! Did the page Troy mentioned above help clear things up here?

  • lpuerto
    Community Member

    ahhhhh!!!!! carajo!

    Thanks a lot @troyhunt and @Jacob for pointing me in the right direction!!!

    Anyhow, do you think that a password that has been used before and been leaked is a threat even when there is no associated username?

    I guess that it can be used in a dictionary attack, but I don't know if it can really be a problem.

  • troyhunt
    Community Member

    Well it's certainly an increased risk, plus, think about what it means if you're using a password which is in a previous data breach: either you've chosen one that's common enough that it's identical to someone else's or it's yours and it's been leaked in a breach. Either scenario makes it a bad choice as a password.

    But hey - what are you worried about - you're a 1Password user so go and generate a totally random, unique one!

  • lpuerto
    Community Member

    Banks sometimes don't allow you to choose username and password... mainly because they have a second layer of security underneath, i.e. banking codes.

    If they allow you to choose a password, the options are usually pyrrhic, like just 6 characters.

    It would be great if you could choose not to check certain passwords - logins in the app. I really think that checking passwords against @troyhunt's page is a really good idea, but if there are permanent logins under the vulnerable category the alert is going to lose its purpose.

  • lpuerto
    Community Member

    For example... one of my banks only accepts 6 numerical digits as a password... any combination I've tried to generate with 1Password has been used / pwned.

  • lpuerto
    Community Member

    By the way... in the same way we should be able to mark logins / passwords as don't verify, we should be able to mark some duplicated passwords as OK.

    I have duplicated passwords in that section, but they are not really duplicated. I have to keep two (or more) entries in 1P7 for them. For instance, I have a couple of pi or servers elsewhere, I have the information as a server entry, but if I want to log in through the browser and use the autofill feature I need to create a login entry.

    Another issue is, I have a university account and to log in to university services I need to use my username without the domain. However, they also have office online, and to log in to those services I need to use the domain.... so I need two entries in 1P7 for the same account.

  • Lars
    1Password Alumni

    @lpuerto - thanks for the suggestions. We're looking into ways we can allow for a user to mask certain login records from showing up in the various lists. We want to make sure we implement any such feature in a way that doesn't allow necessary warnings to the user to be inadvertently skipped or bypassed, but still allows users some control over what they see in these lists. Right now, we're erring on the side of caution and security, but this is definitely an area we'd like to refine over time.

    We're also looking into ways we can associate entries or potentially show portions of one item within another, for just such situations as you mention. A common one is bank accounts: users will often have a savings or checking account item within 1Password but also have an entry for the same bank's online banking feature; being able to either combine entries or easily view at least a part of one within the other would be a big step forward, I agree. Now that we have 7.0 out the door, we'll have more time to devote to such ideas, hopefully. Thanks for the suggestions once again! :)

  • lpuerto
    Community Member

    You're really welcome @Lars, 1P7 is an awesome product :chuffed:

  • Lars
    1Password Alumni
    edited June 2018

    @lpuerto Thanks for the kind words! :) :+1:

This discussion has been closed.