How can I disable the password insecure warning in 1Password 7.0.4?

PaulShark
Community Member

Hi, after upgrading to 7.0.4, I get a big red warning sign about "insecure passwords" and "Weak passwords are easier to guess. Generate a strong password to keep your account safe." This occurs even with passwords containing 8 mixed characters like "69877E57". This is quite silly and very distracting. Please, how can I turn off this feature, or else downgrade to version 6? I will not change hundreds of passwords only to get rid of this warning.


1Password Version: 7.0.4
Extension Version: Not Provided
OS Version: OS X 10.13.5 (17F77)
Sync Type: Seafile
Referrer: forum-search:disable password insecure warning

Comments

  • lucasm
    Community Member

    I also want to disable the alert, it is annoying AF. I don't care; it is my problem if I choose easy passwords.

  • Hi folks.

    The whole point of 1Password is to enable you to use secure unique passwords. You’re right, it is up to you if you’d like to do that or not, but helping you do so and encouraging you to do so is what 1Password is all about. That said, our development team is looking into ways to make this less obtrusive / dismissable. We don’t have a solution yet, but hopefully we’ll be able to figure something out soon.

    Thanks!

    Ben

    ref: apple-1293

  • JonDoe
    Community Member

    > The whole point of 1Password is to enable you to use secure unique passwords. You’re right, it is up to you if you’d like to do that or not, but helping you do so and encouraging you to do so is what 1Password is all about.

    It's not always up to us. Have you developers no bank accounts? I had a bank where I only could choose a four digit numeric password...with a different bank I can only choose a five digit alphanumeric passcode. If I cannot use a different password I don't give a f**** if it's unsecure ... it's just annoying. The same for the https info. Who cares about that, if there is no https link for that website (e.g. home network) ... and if you click that "make https" link then only the first website gets changed? Where is the point in that if I have 4 websites and only the first is https ... please test your software with real people before you release it.

  • AGAlumB
    1Password Alumni

    @JonDoe: Thanks for the feedback. We do. But it's still 1Password's job, and ours, to raise awareness about actual security risks.

    I had a bank like that too. I took my business elsewhere. I suggest you do the same. There are a lot of options in that space. My financial information isn't something I'm going to mess around with. There are enough companies out there exposing our personal information completely outside of our control. We can't always opt-out. But this is one case where we can do something about it.

    1Password is designed to tell us about these sorts of things. If you'd rather it didn't, you don't have to use that feature. Either way, we'll continue to improve 1Password to help more people be aware of the ways in which they can improve their security.

  • tonyl4
    Community Member

    I want to be able to disable this warning, too. I have several websites that require two-factor authentication and those sites won't allow me to have a password that is longer than 6 characters with no symbols included. The red warning is really annoying.

  • Lars
    1Password Alumni

    @tonyl4 - thanks for adding your voice to supporting the addition of this feature.

  • chirpity
    Community Member

    I would also like to hide warnings. I actually have two-factor authentication enabled for a couple sites, but only use (or only WANT to use) number codes to access those sites, not a QR or anything. Thus, 1Password says that I don't have two-factor enabled, but I do.

  • Lars
    1Password Alumni
    edited August 2018

    @chirpity - you're aware you can suppress this banner on an item-by-item basis by adding a tag called 2FA to the item, right?

  • chirpity
    Community Member

    @Lars I was not. But why would I want to add an extra tag in my tag list just to suppress a banner? It seems like this should be a checkbox in Preferences doesn't it?

  • Lars
    1Password Alumni

    @chirpity - we're looking into the best approach for doing this, and that may be part of the solution. Though I will say that I'd be a much richer person if I had a dollar for every time we fielded a suggestion of "just add this as a check-box or preference" -- and 1Password would be a bloated and much less usable app if we pursued them all.

  • sktret
    Community Member

    I think suggesting irrelevant workarounds which are not meant to be used that way, in order to give less distracting options to the users, also won't make an application much more usable.

    Of course, it's a well thought-out feature. But, is making people conscious of password security, really deserving that priority in a password manager application? In my humble opinion, this is a simple usability issue which has a straightforward solution.

    It could have been much more understandable, if you said that it's not profitable to prioritize this issue in the production queue, rather than patronizing your users or giving misleading advice.

    I would agree that 1Password is currently the best password manager on the market for now. But, considering that you are so indifferent to numerous user requests, I'd say throw a dollar into a piggy bank for every time you fielded a suggestion ...until you can't.

  • Ben
    edited September 2018

    @sktret,

    I sense some hostility in your post and I apologize our decisions have caused you to feel that way. I understand it can be frustrating when a tool doesn’t operate in the way you’d like, but please consider that we’re designing 1Password for a very broad audience and have to account for that when moving the offering forward.

    > I think suggesting irrelevant workarounds which are not meant to be used that way, in order to give less distracting options to the users, also won't make an application much more usable.

    I’m not sure I follow? Are you referencing Lars’ suggestion to add the 2FA tag to items to remove the 2FA warning? That is exactly what that tag was implemented to do, and accomplishes what the customer was requesting. If 1Password is not set up to generate TOTP codes for the account, adding the 2FA tag is the only way 1Password knows you’ve enabled 2FA to that account. We have no other way of gleaning that information.

    We are evaluating how we might make the interface for this better (perhaps an ‘ignore’ button on the warning itself that would add the tag) but I couldn’t say for sure if or when this would happen.

    > But, is making people conscious of password security, really deserving that priority in a password manager application?

    I’d argue that yes: it is. Ideally it wouldn’t have to be, but we are at a point where many people simply are unaware of the need for proper password hygiene (or what proper password hygiene is), and so it is in our customers’ best interest (and as such ours as well) to do so.

    If you feel you don’t need that it is possible to turn off Watchtower in the app entirely, and then use the website if / when you want to check it. It isn’t what I’d recommend, but if you find the Watchtower banners more annoying than helpful that might be the best path forward.

    > I would agree that 1Password is currently the best password manager on the market for now. But, considering that you are so indifferent to numerous user requests, I'd say throw a dollar into a piggy bank for every time you fielded a suggestion ...until you can't.

    Thanks for the kind words about 1Password. We take all customer feedback into account when making our decisions, but we cannot possibly accommodate everyone’s preferences and opinions. We field dozens if not hundreds of requests daily. Consider that for one, some / many are contradictory. For every request that we say ‘yes’ to there are at least 10 others that we have to say ‘no’ (or at least ‘not now’) to. There are a lot of factors that are considered when determining which direction to take 1Password.

    Ben

  • stevesobol
    Community Member

    Well, I'm frustrated that haveibeenpwned says a website I own and manage has been compromised when I'm pretty sure it isn't, and 1Password is telling me I need to change my password when I most likely don't, and how did you guys get this information when I have to jump through verification hoops to get it?

  • stevesobol
    Community Member
    edited September 2018

    Oh, and I get the message "this password has been compromised in a data breach" on a password only used for a Windows PC, and the 1Password entry doesn't include a URL so I have no clue how you can even look up whether it's been compromised.

    Ben: The feature is BROKEN and I want a way to disable it, please!

    (Edit: I found a way to disable it, sorry)

  • Hi @stevesobol,

    I believe you are mistaken about how haveibeenpwned works.

    Haveibeenpwned checks passwords that have been found across all web site breaches in its database. A positive response from haveibeenpwned does not necessarily mean your site or PC has been breached. It means the password you use for your site has been used in a site that has been breached.

    In other words, your PC login is using the exact same password as someone else used on a different site that has been breached. Since your password was used by someone on a different site, if your PC were to be stolen or be accessible over the Internet, an attacker may have access to your password and could try it to gain access to your PC.

    I hope that clears it up a bit.

    Regards,
    Kevin
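
The lookup described in the reply above is keyed on the password alone, which is why an entry with no URL can still be flagged. As an added example (not 1Password's code and not from the thread), this sketches the Pwned Passwords range query, where only the first five hex characters of the password's SHA-1 hash are sent and the match is made locally; the corpus, counts and `simulated_range_endpoint` are constructed so it runs offline.

```python
import hashlib

# Constructed stand-in for the breach corpus: password -> times seen.
# The passwords and counts are made up for this example.
CONSTRUCTED_CORPUS = {"hunter2": 17043, "letmein!": 212}


def split_hash(password):
    """Return (prefix, suffix): 5 hex chars that are sent, 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def simulated_range_endpoint(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns every known suffix under the prefix as 'SUFFIX:COUNT' lines.
    """
    lines = ["0" * 35 + ":3", "F" * 35 + ":1"]  # constructed decoy suffixes
    for password, count in CONSTRUCTED_CORPUS.items():
        p, suffix = split_hash(password)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(sorted(lines))


def breach_count(password, fetch_range=simulated_range_endpoint):
    """Times the password appears in the corpus, 0 if it is not listed.

    No URL, username or item title is part of the query: the service sees
    only the 5-character prefix and cannot tell which suffix was wanted.
    """
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("hunter2", "Xq7#unlisted-constructed"):
        print(pw, "->", breach_count(pw))
```
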

  • Lilx
    Community Member
    edited October 2018

    Hi guys! I liked the 2FA tag solution to suppress the other banner, but it would be really nice to have a tag to suppress the "Weak Password" banner also! Like weak, ignore-weak or something. If not a checkbox on the form, at least the tag as a hidden feature (for power users).

    I really like the Watchtower - Weak Passwords feature, but there are currently 88 entries there for my vault, and I'm pretty sure I can't do anything about 99% of them because the site or service won't allow a stronger password. Being unable to suppress the banner ends up cluttering this tool and discourages me from reviewing the legitimate entries that I could change, because there are so many entries.

  • Lars
    1Password Alumni

    Welcome to the forum, @Lilx! Glad to hear you're a fan of Watchtower. We're currently looking into ways to refine the banner-displays to make them both more useful and less-obtrusive when (as you note) you can't do anything about the data in question (like for sites that don't allow a long password, etc). I don't have anything to report on this just yet, but keep your eyes on release notes and updates; that's where you'll see announcements of new features/fixes first. Cheers! :)

  • Lilx
    Community Member

    Thanks, keep up the great work!

  • Lars
    1Password Alumni

    :) :+1:

  • richeldecos
    Community Member
    edited October 2018

    I would also like the ability to remove the "weak password" warning on a per-item basis.

    In my case, the only 2 that I would remove it from are wifi networks.

    a) I honestly don't care if my wifi password is weak, because it would also require somebody to be physically in my house, and at that point I have bigger concerns
    b) I don't have control over other people's wifi network passwords
    c) changing my wifi password will require me to set up tons of devices again (Nest smoke detectors are awful - you have to actually take it out of the ceiling, scan the QR code on the back of it, and set up the entire device again)

  • richeldecos
    Community Member

    And on a related note, same thing goes for "vulnerable" passwords.

    One of my vulnerable passwords is for a test user on a local environment. Since the server is only accessible on my VPN, I'm not worried about anybody hacking into it.

  • Lars
    1Password Alumni

    @richeldecos - thanks for weighing in to support this feature. :)

  • Hi!

    +1 on this feature from me. I have another use case: I'm storing passwords for multiple servers / systems (e.g. RDP sessions), which are all authenticated via a single ActiveDirectory. This means they all have the same password. I prefer to create one entry per system (instead of doing: website1, website2 all the way to websiteX - but that could work to some extent as well). I would like to suppress the duplicate-password-warning (on a per-entry basis, for example by setting a tag).

    Thanks!

  • Lars
    1Password Alumni

    Welcome to the forum, @pietervanwijngaarden! Thanks for weighing in on this feature request and letting us know about your use-case. :)

  • AxzHandul
    Community Member
    edited October 2018

    I'd like to add support for the suppression of vulnerable and weak passwords on an item-by-item basis at the discretion of the user. I have several use cases which require me to intentionally store what 1Password considers to be weak passwords:

    1. 4-6 numeric PIN numbers, badge IDs for keypad entries.
    2. Factory default passwords for network devices.
    3. Factory default passwords for various software apps.
    4. Factory default passwords for base VM install images.
    5. Lock combinations.

    None of the above in either their structure or their value can I or will I ever be able to do anything about, nor are they a reflection in any way of my choices or behavior which can be corrected. The alerts / banners about vulnerability and weakness skew the counts of the legit vulnerable and weak passwords, and they introduce an unnecessary filtering exercise, which constitutes less-than-optimal usability and noise. The net gain of these alerts / banners is to establish and form a habit of ignoring their signal, and to disregard the counts of such as inaccurate.

    I've read this entire thread, and it appears the contention between users and the 1Password Team Members generally revolves around a perception that usability and security are somewhat mutually exclusive in this case. Users want the nuisance gone; 1Password feels turning off alerts may compromise the intent and security of the app.

    I'm a sec-pro myself, and I'd like to lend one thought -- any time you introduce noise into data, your security posture drops. This is in large part one of, if not the primary security challenge of large organizations -- a tiny signal-to-noise ratio. Detecting issues and generating alerts isn't the challenge -- it's filtering out the noise and focussing in on the actual security issues you need to deal with. Many issues fly under the radar because they get lost in the noise...and generating noise / hiding within it is also a very common offensive attack tactic, but I digress...

    The point is that with respect to 1Password, perhaps it might be helpful for the designers to consider that this isn't a turn on/turn off security issue as it is being framed. This is a noise / filter noise issue. Whenever 1Password presents alerts and includes irrelevant data in its alerts, it is increasing noise, dropping the signal, and decreasing security posture -- it isn't debatable. It's the same reason why a need for password managers even exists in the first place: because as soon as users have a bunch of passwords to remember -- it becomes a mass of noise, and then passwords are created simple to remember, and then passwords are reused. Perpetuating the same noise problem within 1Password regresses to the very shortcoming which made 1Password so necessary to begin with.

    If a mountain of weak or vulnerable password alerts exist and many are bogus, the default action becomes "ignore". But when there's no noise and the weak / vulnerable password alerts are legit, then the default action becomes "respond". That psychology is very common -- I've seen this repeatedly at large scale in how firewalls / WAFs, security dashboards, SIEMs, etc. are addressed by techs. The key is filtering out the noise -- whatever great features in 1Password are delivered with noise, its actual value will be diluted.

    That might have been 3 cents, but I hope it helps.

    Great app...been using for a decade or more now. Met a few of you guys at the WWDC a few years ago....good bunch of folks!

    Cheers....

  • AGAlumB
    1Password Alumni

    Thanks for the kind words...and sharing your 3 cents! ;) From what I've seen, your examples are not common among our userbase, and most people won't have a "mass of noise" as a result. But you're totally right that those are real challenges with the current implementation, as 1Password would need to be more flexible to accommodate. As mentioned above, it's something we're exploring, as far as offering a way to disable specific warnings. I can't say for certain what form that may take, but it's definitely on our radar. :)

  • laelito
    Community Member

    I really want some way to disable these banners as well. Here's a couple of the false-positive scenarios that are driving me bonkers:

    • I often duplicate and share login items with my family in a shared vault. Watchtower continues to warn me that those shared login items contain "reused passwords," when in fact they are really just duplicated versions of the exact same login item. Since each item has the same username, password, and website info, it seems like 1Password should be smart enough to recognize that nothing is being reused except the 1Password login item itself. Instead, some of my most frequently used logins have a permanent banner warning above them.

    • I use multiple media server apps (it's complicated!), and for ease of use and sharing purposes they all have the same simple, easy-to-remember password. These are local applications running on a secured LAN without any links to critical personal or financial information. There is tremendous upside in keeping these passwords simple and reusing them, and no security threat whatsoever. But once again, 1Password thinks it knows better than me, and adds those annoying, non-dismissible security warning banners to my items.

    Based on this topic thread it's pretty clear that at least some of your more enthusiastic and skilled users often need to repeat passwords and share or duplicate items in ways that trigger these inaccurate, false-positive warnings. And as "AxzHandul" so thoroughly articulates, these warnings only serve to add unhelpful friction to the UI and irritating cognitive white-noise to the user experience -- all of which might actually be counterproductive to your security-advocacy intentions.

    I'm not sure what the best solution is:

    • A mechanism to disable the Watchtower feature itself?
    • Controls to turn off Watchtower alerts on either an individual or group basis?
    • A more robust tagging system that accounts for more situations than just 2FA-related false-warnings?

    What I do know is that most of my Watchtower warnings have become flat-out inaccurate, and there's nothing I can do about it, which makes using 1Password a more unpleasant and unhelpful experience. I sincerely hope your product team is working on a solution.
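
The distinction drawn in the post above, between one login copied into several vaults and one password shared by different accounts, can be made explicit in a reuse check. This is an added sketch, not 1Password's implementation and not from the thread: the `Item` fields, the `ignore-reused` tag name (modelled on the `2FA` tag mentioned earlier) and the sample items are all assumptions. Suppressed findings are returned separately rather than dropped, so the accepted risk stays countable.

```python
from collections import defaultdict
from dataclasses import dataclass

SUPPRESS_TAG = "ignore-reused"  # hypothetical tag name, not a product feature


@dataclass(frozen=True)
class Item:
    vault: str
    title: str
    username: str
    site: str
    password: str
    tags: tuple = ()

    @property
    def account(self):
        # Copies of one login in several vaults share this key.
        return (self.username.lower(), self.site.lower())


def triage_reuse(items):
    """Return (flagged, suppressed) as sorted lists of (vault, title)."""
    groups = defaultdict(list)
    for item in items:
        groups[item.password].append(item)
    flagged, suppressed = [], []
    for group in groups.values():
        if len({i.account for i in group}) < 2:
            continue  # a single account, possibly duplicated: not reuse
        for item in group:
            target = suppressed if SUPPRESS_TAG in item.tags else flagged
            target.append((item.vault, item.title))
    return sorted(flagged), sorted(suppressed)


# Constructed sample vault contents.
SAMPLE = [
    Item("Private", "Streaming", "alice@example.com", "video.example", "pw-A-constructed"),
    Item("Family", "Streaming", "alice@example.com", "video.example", "pw-A-constructed"),
    Item("Private", "Forum", "alice", "forum.example", "pw-B-constructed"),
    Item("Private", "Shop", "alice", "shop.example", "pw-B-constructed"),
    Item("Private", "Media server 1", "admin", "media1.lan", "pw-C-constructed", (SUPPRESS_TAG,)),
    Item("Private", "Media server 2", "admin", "media2.lan", "pw-C-constructed", (SUPPRESS_TAG,)),
]

if __name__ == "__main__":
    flagged, suppressed = triage_reuse(SAMPLE)
    print("flagged:", flagged)
    print("suppressed (accepted risk):", suppressed)
```
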

  • joebinis
    Community Member
    edited November 2018

    I too would like to have a way to disable the banner for REUSED passwords because, for example, my business Active Directory authentication is identical for so many apps and services that I could not possibly fit into a single 1Password record. A simple example is that my AD credentials for accessing network-based services are also the required login for all my Microsoft tenant services such as Office 365.

    The banners are a great idea, especially for people that don't already understand the risks of reusing passwords, but I greatly dislike when the lowest common denominator is forced upon everyone else too.

  • gek
    Community Member

    joebinis, I could not agree more.

  • Lars
    1Password Alumni

    Thanks for weighing in, folks. :)

This discussion has been closed.