Reused Password limitations - Is this 1P7's MOST annoying function?

amcd
Community Member

I am using 1Password 7 Version 7.2.1 (70201002) and macOS 10.14

The Reused Password function seems very primitive; it is quite distracting and needs urgent attention.

1> Even if I have ONLY my Personal Vault active, all 3 of my Vaults (containing archive data that I want to keep) are scanned and Reused Passwords are inevitable.

2> Furthermore, all 3 of my Vaults remain visible despite my settings.

3> I use some Email services that allow alias email addresses. Each alias has a different username but MUST HAVE the same password. I don't need to be reminded that each alias has a Reused Password.

4> There seems to be no way to better manage the Reused Passwords function at the moment?

Please advise.

Thanks
amcd

Comments

  • Thank you for the feedback, I'll discuss with the security folks what should be done here. As you discovered, the Reused Passwords section currently checks against all passwords in every vault. I think we can make improvements here.

  • amcd
    Community Member

    Thanks Chadseld...

    But it goes beyond the vaults to cases where inevitable reused passwords occur. Please note: you did not respond to the following items from my previous post.

    Email Alias Issue

    1> My Apple ID is *****@bigpond.com and Apple automatically creates... *****@icloud.com. Both have the same password.... I can login to Apple with either, as Apple sees them as identical.

    2> I also have aliases in some other online secure email services.... again every alias is essentially identical to the main username and, like with my Apple ID, every alias MUST have the same password.

    I would suggest an option somewhere (eg: in each Password field) to selectively allow reused passwords

    Vault Preferences

    1> Why do all three of my Vaults appear in 1P7 even though I have ONLY selected PERSONAL in preferences?

    Thanks

    amcd

  • MontanaKarl
    Community Member

    +1 Thanks for posting amcd!

    I was about to report this as a bug and found this thread. I'm a long time 1Password user.

    I agree that this is the most infuriating feature of 7. It should be the most helpful feature to find actual duplicates in a meaningful way to improve security, but there is so much noise from meaningless banners that the feature turns out to be useless for finding security holes in my opinion.

    In my case, I have multiple vaults loaded ... usually my personal primary and a shared vault. Some logins are duplicated to the shared vault after creation. I don't want to delete them from my primary.

    A password is not reused if all of the credentials ... exact URL and username match. Duplicates should not be flagged. Argh. :-(

    The "Reused Passwords" search in my 712 item vault lists 199 entries. Very few of these are actual reused vs duplicates. Yet, no help is provided to see where a duplicate is used. There should be some type of drill-down capability so that for any flagged entry, you can see all other entries that 1Password considers as reused passwords.

    Some web sites have multiple sub-domains that all use the same log in credentials. Those multiple (sub-domain) entries, too, show up as reused passwords, but are not.

    Please fix the pattern matching. At the least, nothing should be flagged if the username, password and website URL/domain are the same. A Preference item might allow root domain (vs subdomain) matching as well.
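
Added example, not part of the original thread and not 1Password's code: one way to implement the matching rule requested in the comment above, where entries sharing username, password and site count as copies of one credential rather than reuse, with optional root-domain matching. The names `site_key` and `reused_passwords`, the item fields and the sample entries are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_key(url, root_domain=False):
    """Host used for matching; optionally collapsed to a root domain."""
    host = (urlsplit(url).hostname or "").lower()
    if root_domain:
        # Assumption: naive "last two labels". Real code needs the Public
        # Suffix List to handle suffixes such as co.uk correctly.
        host = ".".join(host.split(".")[-2:])
    return host

def reused_passwords(items, root_domain=False):
    """Map each item title to the other items that genuinely reuse its password.

    Items with the same username and site are copies of one credential
    (e.g. the same login in two vaults) and are not reported against each other.
    """
    by_password = defaultdict(list)
    for item in items:
        by_password[item["password"]].append(item)

    def identity(item):
        return (item["username"], site_key(item["url"], root_domain))

    report = {}
    for group in by_password.values():
        for item in group:
            # Every member of the group is compared the same way, so each
            # flagged item lists all of its counterparts (the drill-down).
            others = sorted(o["title"] for o in group
                            if identity(o) != identity(item))
            if others:
                report[item["title"]] = others
    return report

# Constructed sample data (titles are assumed unique).
SAMPLE = [
    {"title": "Bank (personal vault)", "username": "karl", "url": "https://bank.example/login", "password": "pw-A"},
    {"title": "Bank (shared vault)", "username": "karl", "url": "https://bank.example/login", "password": "pw-A"},
    {"title": "Beta portal", "username": "karl", "url": "https://portal.vendor.example/", "password": "pw-B"},
    {"title": "Beta bugs", "username": "karl", "url": "https://bugs.vendor.example/", "password": "pw-B"},
    {"title": "Forum", "username": "karl", "url": "https://forum.example/", "password": "pw-B"},
    {"title": "News", "username": "karl", "url": "https://news.example/", "password": "pw-C"},
]

if __name__ == "__main__":
    for title, others in reused_passwords(SAMPLE, root_domain=True).items():
        print(f"{title}: reused by {len(others)} other item(s): {others}")
```
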

  • A change is coming to address the issue with shared URLs. Those items are not really duplicated and should not be flagged as such.

  • MontanaKarl
    Community Member

    Hurray! Thanks for the update, chadseld!

  • rjwalicki
    Community Member

    Interesting. I have a standalone license and am considering the membership, so I signed up for the 30 day trial to evaluate the latest version. I ran into the same problem and thought it might have been a function of copying my primary vault to the new version (while maintaining my old vault). Yet, it didn't make sense that this should read as a reused password.
    This does seem like an important issue to address, as it is both distracting and misleading.

  • Lars
    1Password Alumni

    @rjwalicki - as chadseld mentioned above, we're looking at ways for the future to streamline this feature and make it more-closely match what people expect to see without reducing the effectiveness of the feature. Stay tuned! :)

  • MontanaKarl
    Community Member

    Thanks for the 7.2.2 update released today which fixes this issue! :-) My "Reused Passwords" list went from 196 down to 96 entries that are actual re-uses for me to address. Since I've used 1Password for so many years, some of these are identical login credentials for unique URLs where a company changed their name etc. and I just need to delete the out-dated entries - or otherwise had strange URLs associated with the login. Some are ancient (8 years or more) / dead accounts. All now very useful for cleaning up.

    Just crashed, though, so 7.2.2 Mac might need some more work... ;-)

  • MontanaKarl
    Community Member

    A functionality glitch: I like that there is now a "n other items" drop-down to help find which other login item has a re-used password... but it isn't functioning quite right yet. One of the firms I beta test for has 4 entries because of different subdomains. Three of the entries say the password is re-used by 1 other item. That item, the fourth, lists 3 other items (correct). Enough to track things down ... but it seems like all 4 logins should show a list of 3 other items?

    Again, happy enough that I can actually use this feature now to clean up my passwords. Thanks again.

  • Lars
    1Password Alumni

    @MontanaKarl - thanks for the feedback, and glad you're enjoying the refinements to the Reused Passwords warnings. :)

  • rennsport
    Community Member

    This thread is a bit old, but I'd like to expand on the issues that have already been brought up here. For me, my university uses Gmail as their email provider so 1Password says the password is a duplicate for my login for gmail and my login for the university's portal. Another example would be Facebook's site and Messenger's site. Same password, but two different login entries required (or so I think?). It would be nice if there was an option to be able to link different login entries to prevent cases like this from arising.

  • MontanaKarl
    Community Member

    @rennsport Sometimes, issues such as the two you bring up can be easily solved by adding the second site's login URL to the single 1Password entry... (I'd only do it if it is definitely a linked site of course.)

  • Lars
    1Password Alumni

    Welcome to the forum, @rennsport!

    This thread is a bit old...

    :lol: you wouldn't believe the age of some of the stuff I've seen people exhume from the archives here. A couple months isn't even close. So, no worries. :)

    Your examples are appreciated, and well-taken. I've noticed similar ones myself, that there's no easy (existing) solution for. And yes, it's annoying. As has already been mentioned in this thread, we're looking into ways we can allow users to adjust things in such cases without reducing the effectiveness of the warnings altogether. Keep an eye on updates and their release notes to keep abreast of changes made to these warnings, and thanks for taking the time to participate! :)

  • Lars
    1Password Alumni

    @MontanaKarl - yep, that's what we suggest as well, for many situations. The problem that happens that I think @rennsport is referencing is when there are systems that require you to use the same credentials, but for which the URLs (and the function of the systems) really are entirely separate. Then it's harder and less convenient to avoid keeping two records with "reused" passwords...but you do get the banner warning.

  • rennsport
    Community Member

    @Lars, thank you for the reply. I'll keep my eyes peeled for updates. Great to know the team is working on solutions to this :smile:

  • Lars
    1Password Alumni

    :) :+1:

  • Rip Amderson
    Community Member

    I encountered the same problem when converting to 1P7 subscription on the Mac — with only ONE vault. While many reused passwords show up on the Mac, only DUPLICATE passwords (duplicated in the vault logins) show up on my.1password.com [which really shows DUPLICATE passwords, not REUSED passwords — there is a difference].

    The problem is, 1P7 Mac seems to "remember" every password ever used or generated, whether it's been deleted or not.

    If I have a login with no duplicated password, use 1P7 Mac to generate a password and use that password in the login, 1P7 shows a duplicated password — 1 in the login, 1 in the 'passwords' category. If I then delete the duplicate in the generated passwords list, the duplicate warning goes away.

    But, if a generated password is deleted from the list before conversion to 1P7, 1P7 "remembers" this, and there seems to be no way to delete that "phantom" password.

    However, it is true that while not duplicated within the current vaults, the password HAS been reused.

    The only way I've found to get rid of the duplicated password message is to update the "offending" account password.

    (Or, ignore the 1P7 Mac reused password function and use it on 1P7 Web.)

  • ag_ana
    1Password Alumni

    Hi @Rip Anderson! Welcome to the forum!

    But, if a generated password is deleted from the list before conversion to 1P7, 1P7 "remembers" this, and there seems to be no way to delete that "phantom" password.

    When you say "deleted from the list", which list are you referring to?

    before conversion to 1P7,

    Do you mean before upgrading from 1Password version 6 to 1Password version 7?

This discussion has been closed.