Bug: Changing Passwords updates "last changed" for all entries of that domain

theElvis
Community Member
edited July 2018 in Mac

1.) I just generated a new password for a website in 1Password and clicked no when the 1Password helper asked to update it (because I already did it in the 1Password app) -> I just saw that all my accounts / entries are updated with last changed = current date (even the entries I didn't touch)

2.) you should think about a bug bounty program for 1Password!


1Password Version: 7.0.7
Extension Version: Not Provided
OS Version: 10.14
Sync Type: Not Provided

Comments

  • Stephen_C
    Community Member

    @theElvis sadly you've not provided the one key piece of information which would enable us to know whether you're seeing the same bug as reported, and acknowledged, in this thread. Are you using WLAN sync to synchronise your 1Password data between devices?

    Stephen

  • theElvis
    Community Member

    thank you Stephen,

    yes, I use WLAN Sync (+ no, I don't see putting the keychain in the cloud as an option ;) )

  • AGAlumB
    1Password Alumni

    @theElvis: Thanks for confirming. Just to clarify, are you experiencing the same issue? You said "all my accounts / entries are updated". That sounds a bit different, and I'm not seeing that all of my item timestamps in 1Password are updated when I change a single item. I'm not able to reproduce anything like that.

  • theElvis
    Community Member
    edited July 2018

    thank you + yes, all entries of that domain are updated (+ sorry, no time to dive into it atm)

  • AGAlumB
    1Password Alumni

    @theElvis: No worries. Just wanted to make sure we're on the same page. Currently when syncing using WLAN Server, 1Password will update the timestamps for items when they are displayed. The development team is looking for the cause to address this. I'm sorry for any inconvenience that's caused in the meantime.

    ref: apple-266

  • theElvis
    Community Member
    edited July 2018

    another issue btw.

    when I edit an entry (and generate a new password in the 1Password app) and
    copy that password to the website, the 1Password helper asks me to update it for the entry, and
    it gets somehow switched back to the old password in the 1Password app entry.
    luckily, I still found the newly generated password in the password history

    • you should definitely think about a bug bounty program to get more detailed bug reports and tests (because I am a bit unlucky to be your free bug hunter for such simple bugs all the time + especially since you are NOT open source and are paid software)

  • AGAlumB
    1Password Alumni

    @theElvis: If I'm understanding you correctly, it's not that it "gets somehow switched back to the old password"; you changed the password manually yourself, and then told 1Password to save the original password again. 1Password should comply when you tell it to do that. I'd recommend not changing the password in the login item first. You're not even sure if the website will accept the change at that point. So it's better to sign into the site, do the password change, and then update your login in 1Password. That way you won't be undoing the change you just made:

    Change your passwords and make them stronger

    Also, we have a bug bounty program for security vulnerabilities. But we're always happy to take the time to evaluate, test, and respond to any non-critical issues as well. :)

  • theElvis
    Community Member

    first, thumbs up for the security bug bounty program! :)

    yes, you got it right + yes, there are other ways to "change + generate passwords" - anyway, it seems to be an issue, because some users (like me) got the idea to generate the new password in 1Password and not the 1Password helper ;)

    thank you

  • theElvis
    Community Member
  • AGAlumB
    1Password Alumni

    Glad that helped! While there's nothing wrong with doing it your way, it does have the added burden of being conscious not to undo the manual password change, so we generally recommend doing it the other way; it's just less work, and a bit smoother. Cheers! :)

This discussion has been closed.