Way to hide fields without having them be marked as bad passwores
This is somewhat of a followup to part of the closed topic:
https://discussions.agilebits.com/discussion/79464/security-audit-and-weak-passwords-terrible-pins
Some of us set certain user-added fields (e.g., Credit Card CVVs AKA "verification number", PINs, Social Social Security numbers in health insurance membership entries, alarm company security words, answers to telephone security questions) as type = Password (vs. Text) just to get the benefit of hiding the value unless we explicitly take action to show it. Unfortunately, this often (but not always) results in a distracting "terrible" (or other poor) password quality indicator for the field, and these fields sometimes show up in Watchtower (for example, as "Reused Passwords", although in 1Password7 they no longer seem to show up in Watchtower as weak passwords -- expected?).
It would be useful to have a new field type (say "Hidden [Text]") that gives the Type = Password viewing experience, but doesn't evaluate the item as a password. Other use cases are discussed on the thread I mention above.
There does seem to be a new behavior in 1Password 7 such that 4-digit PINs are not evaluated as passwords even in the main password field. Intentional? It seems like if one chooses longer PINs, they do get evaluated (usually as weak), even though sites that require all numeric PINs generally don't allow them to be long enough to be strong. Although this new behavior, if intentional, may be a good heuristic for decluttering the UI of password warnings, it has the downside that it doesn't point out weak passwords in places where a user could use a strong password. Seems like an argument for having an explicit PIN or "I know this is weak, but the site won't let me do better" attribute. Perhaps a different enhancement request, but I noticed it at the same time.
1Password Version: 7.2.2
Extension Version: 7.2.2
OS Version: OS X 10.14.1
Sync Type: Agile Bits Membership
Referrer: forum-search:field type password
Comments
-
@kevinosinski - you're correct, we did indeed add a few exceptions for some of the more-common use-cases, such as PINs, which now no longer trip the weak password scan. Of course, if you re-use such things as CVV codes or other "answers" to security questions, and you list them as type-password for the hidden value, then yes, those will still show up as Reused. We're currently looking into ways in which we can retain the value of the warnings system that was debuted in 1Password 7 for Mac while allowing more sophisticated users or those with unusual use-cases to potentially hide or dismiss such warnings. The trick is to make sure it's something that can be extensible to other platforms as well as not allowing less-savvy users have the ability to (perhaps inadvertently) turn off a feature they thought was protecting them. I've nothing to announce on that score just now, but I really appreciate your thoughts on the subject and will pass them along to the developers. Thanks for taking the time to post this! :)
0