How do I eliminate the EXTREMELY annoying Weak Password warning?
I'm still in the trial period of the software.
How do I eliminate the EXTREMELY annoying Weak Password warning?
I understand that some "newbies" may need a certain amount of hand-holding. However, I am capable of making my own decisions regarding password strength without any nagging.
1Password 7.2.1 Mac Pro, OS 10.13.6
Comments
-
@K49 - there's currently no mechanism to disable this feature. We're looking into ways to allow more experienced users like yourself to disable warnings, without making it too easy for less-experienced users to defeat the entire purpose of the feature. Thanks for letting us know you'd be in favor of such a feature. :)
0 -
Thanks Lars,
As a retired programmer, I know that you can't make everyone happy. But aggressive nagging turns off MANY users.
So far, the Weak Password warning is the single item that keeps me from loving 1Password.
I'm sure you're familiar with the expert (Bill Burr, working for the National Institute of Standards) that has reversed his position on the use of overly complex passwords.
http://fortune.com/2017/08/07/password-recommendation-special-characters/
I do appreciate your excellent support. Hopefully, I will soon figure out how to log into the iPhone app. (I have posted that question in the iOS section.)
0 -
@K49 - we're definitely familiar with the revised NIST standards; they echo what we had been waging a somewhat-lonely battle over for several years. Ironically, the battle was with the previous set of recommendations drafted by Burr, back in...2003, I think(?), which suggested passwords be changed frequently, and recommended the use of substitution of special characters like 0 for O and $ for S, etc. Did you get your 1Password for iOS question answered to your satisfaction?
0 -
> Did you get your 1Password for iOS question answered to your satisfaction?
Yes. I installed the iPhone app and synchronize by getting a code provided by the Mac app.
Previously, with mSecure, I synchronized 100% locally. I am now using your system, very convenient. I hope you guys have this encryption stuff working as good as you claim! :)
Thank you for your excellent support. You're very good at your job, and an asset to all humanity.
0 -
> Thank you for your excellent support. You're very good at your job, and an asset to all humanity.
Wow, thanks for the kind words! You made my day.
I don't know how much you enjoy digging into the nitty-gritty of things like encryption details, but we have a very comprehensive 1password.com security white paper that goes probably deeper than most people are interested in. We don't actually publish our source code, but we use public crypto libraries wherever possible and we publish our own security models so you can inspect them if you like. :)
0 -
Hi Lars,
I became interested in the subject of encryption accidentally. I read a fantastic book called "Code Girls". It tells the story of the code breaking done by the United States during World War II. Almost all of it done by about 12,000 college age women. (It is most fortunate that even back in the 1940s women went to college and got A's in math and language skills.) A great read that I highly recommend.
Interestingly, despite a huge effort the Japanese and Germans were never able to break the American codes.
Even today with all of our technology the most secret government communications are physically HAND carried to the recipient.
This is why I think it is wise for 1Password to offer a local synchronization option. This is a requirement in some organizations.
0 -
@K49 - it's certainly a topic on which people can have different legitimate views. If you're using Apple devices, there is the WLAN server for local sync, and if you've got an Android device, the latest version of the operating system allows for local file sync, so you can use that to stay "off-cloud." The only configuration that currently has no local sync option is someone with Windows and iOS.
0 -
The "Reused Passwords" warning is bogus in some cases, such as where several different applications and services require SSO within an enterprise environment, and other cases with web-based services such as Microsoft Office 365. So instead, I created a Secure Note for one of my sites that requires security questions. I recorded my grandmother's first name (not her real first name) and now I get a "Weak Passwords" warning. This is getting too problematic for me. 1Password has not properly defined product requirements and use cases, and you seem to be reluctant to address these issues. This should be figured out before you implement the features. I'm not inclined to renew my subscription based on the current trend.
0 -
Understood. Thanks for the feedback @joebinis. To be clear though: that doesn't make the warning "bogus." It may make it superfluous for your case, but it isn't bogus or inaccurate. One way I've suggested handling such situations until a better solution is agreed upon and implemented is to just have one login item for all of the services that use that SSO authentication. You can achieve this by adding multiple URLs into separate website fields on the item. That way you won't get the duplicate password warning, as there is only one item with that password, but you'll likely still be able to fill all of those services using that one login item. This approach has the added advantage of only having to update one record when you change your SSO password.
Ben
0 -
Ben, Ok, it’s superfluous rather than bogus. Regarding your suggestion, I’ve considered that but there are far too many details that I record for most enterprise sites and services. I already have multiple URLs in many of the records for a single service. I don’t want to combine: Office 365, iSupport, Veeam, Splunk, SolarWinds, Active Directory and other sites, apps and services that all use the same AD credentials. One of the advantages of using 1Password is to stay organized. Combining these into one record would not meet my definition of organized.
I can create a record to store a picture of my ID card, and I can link that to a record about my ID card. Perhaps you can give your customers a similar method of creating an entry for SSO, and then linking the records that use the SSO credentials.
In the meantime, I have cancelled my subscription which was set to renew in a few days, so that I may consider alternatives.
0 -
The way to use 1password that I found is to use "security notes" instead of all other kinds of items and write all credentials as plain text. This trick allows working around the annoying warnings about "weak" and "reused" passwords.
0 -
Hey, if that works for you, that's great. :)
I do think it's worth considering that storing a text list of passwords has some downsides:
- Passwords in a list of notes can't be checked for vulnerability. If you save separate Login items for each account, you can easily see with Watchtower what passwords need to be changed, and improve your security -- and avoid leaving yourself open to attack. I guess you're doing what you're doing to avoid getting notified about passwords that need changing...but given that's sort of the point of 1Password from the security angle, it's worth mentioning. :)
- From the convenience angle, passwords in a list of notes can't be filled in your browser. If you save separate Login items for each account, you can use the 1Password extension to fill them on websites. That's only possible with a Login item, and only if you have the username and password saved in the appropriate fields there. Saving the login using the browser extension allows 1Password to better understand the webpage to fill it later.
- Also worth noting, having 1Password fill passwords is not only more convenient, but also avoids putting passwords on the clipboard where other software can access it.
Again, maybe you're okay with that tradeoff. But really you could accomplish the same thing with a text file in an encrypted disk image, and I wanted to clarify for everyone who may want to use 1Password for what it's been designed for. Cheers! :)
0 -
I'm using 1Pwd for sharing TEST passwords with other team members. Such passwords are used for test databases (Oracle, Postgres, MS SQL Server, etc.); those databases are usually empty and never contain any meaningful information, just test examples. These resources are also protected by VPN (they aren't accessible from the Internet). Even if someone managed to steal these test examples, it's not a problem at all.
For example, it can be credentials like:
Test_User_1 / Test_Password
Test_User_2 / Test_Password
Test_User_3 / Test_Password
So checking passwords for their strength and uniqueness is nonsense in such a case.
And it'd be a great feature to allow turning off the annoying warnings (that are pretty stupid in such a case) for a vault.
0 -
Thanks for taking the time to share your perspective. That is certainly an interesting use case, but I hope you understand why we would consider that an 'edge case.' Most people aren't using 1Password in that way / for that purpose. When considering changes like this we have to consider what will have the greatest impact for the most users. That said, we do certainly appreciate the feedback, and will take it into consideration as we determine what features get implemented and at what priority.
Ben
0 -
I never use password managers with closed code for storing really important passwords — such passwords must be remembered (and it's the only secure case).
Even if I did, I'd create a separate vault for it.
Anyway, allowing to set the warning level per vault would be a great feature.
0 -
> I never use password managers with closed code for storing really important passwords
We're getting a bit off topic here, but open source does not necessarily mean more secure.
> such passwords must be remembered (and it's the only secure case).
Perhaps that would be the ideal situation, but if people could remember their passwords there wouldn't be a market for password managers. ;)
> Any way, allowing to set warning level per vault would be a great feature.
Thanks for the feedback. :+1:
Ben
0 -
@leonid26: I don't know why we're having this conversation then. :) While our security model is very open, and we participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them, 1Password itself is not open source.
0 -
@Ben @brenty sorry if I said something impolite, but I'll explain. 1Pwd is nice software, that's why I'm using it. But it has some bugs, and I hope (and I'm sure) it's possible to fix them to make it even better and applicable to more cases like mine.
> but if people could remember their passwords there wouldn't be a market for password managers.
Usually one does not have many life-influencing passwords, so they can be remembered. For all the rest, password managers can be used. And passwords can have different security levels.
Another thing is to allow a user to decide the level of security for every group of passwords. I hope it will come in one of future updates.
Thanks for the great work and waiting for fixes!
0 -
@leonid26 - oh, no worries! No one's upset here, we really are glad to hear your (and other users') use-cases. I think Ben was just pointing out why we don't (and shouldn't) design around these, as a general rule. And reminding future potential readers of this thread that open source isn’t synonymous with secure. Anyway, thanks for the conversation!
0 -
@leonid26: Likewise, thanks for clarifying. I'm sorry if I gave you the impression I was offended, or that you'd said anything wrong in the first place. That's not the case. I was just confused that you said "I never use password managers with closed code for storing really important passwords", if you use 1Password. I think there are good reasons to use 1Password, some of which have been mentioned above. But if closed-source is a dealbreaker, 1Password would not meet your criteria. Cheers!
0