Multiple usernames with same password

Hello,
first of all sorry if this was answered in different discussion, but so far I have not found a fit to my situation.

I use 1password also for work related stuff and I ended up with one situation that I don't particulary like so I am curious if there is any built-in solution to that problem.

We have several internal services and use also Google services, and here is where the problem comes in. Our passwords are synced using LDAP, si we use one password for all the services, but for Google services we need to use email address as a username (i.e. "first.last@company.com") but for all internal services we use just a "username" which is the email without domain (i.e. "first.last").

This causes, that I ended up with two saved passwords with different usernames and different set of websites. Of course the security audit is "complaining" that I have duplicate password.

Is there a way I can "merge" them and have several possible usernames with the same password?


1Password Version: 6.2.1
Extension Version: 4.5.5
OS Version: OSX 10.11.4
Sync Type: Not Provided

«13

Comments

  • jxpx777
    jxpx777
    1Password Alumni

    Thanks for your post, @ondrejfuhrer. Right now, there's not a great way to handle the situation you're describing. Having two logins is the best way. I realize it clutters up the security audit section, but I don't have a better suggestion for working around it right now. I'm sorry I don't have a better answer for you… :(

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • lehon
    lehon
    Community Member

    I would like this also.

  • ondrejfuhrer
    ondrejfuhrer
    Community Member

    Hello @jxpx777 ,

    just a small bump in here. Is there going to be anything done regarding this issue? Even if it is just a matter of future plans. Thanks for the answer :smile:

  • jxpx777
    jxpx777
    1Password Alumni

    I'm sorry but no, there's no progress on this right now. The situation is as it ever was and honestly, the number of users that would run into the situation you're describing is so much smaller (probably by orders of magnitude) than the number of users that actually do need exactly the behavior you're describing. If the URLs are different, then the duplicate password detection won't be able to differentiate them, and I'm not sure what it would even mean to have multiple usernames for a single Login.

    You said that the username is the same as the email address originally but without the @example.com portion. Is that right? If the cluttered Security Audit bothers you enough, you could add the URLs to the same Login and then have the username be either with the domain or without and then manually adjust it when you sign in. To facilitate this, I would recommend turning off autosubmit for these Logins by entering edit mode and setting the Submit attribute to Never. If you wanted to automate this further, you could use something like Keyboard Maestro to recognize when you are on one of these pages that needs to be manually adjusted and have it adjust the username field for you. That's about the best workaround I could think of.

    Sorry I don't have a better answer for you, but honestly, this is just not common enough for the development team to give the attention it would require to make a consistent experience across all our platforms.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • vigorsm
    vigorsm
    Community Member

    Hi Jamie,

    Just by way of clarification and "me too", I'm also finding it challenging to keep all of my corporate accounts up-to-date in 1Password.

    I have multiple corporate accounts which have different usernames and URLs but share a common password. So whenever I change that common password in the SSO system, I have to change multiple records in 1Password.

    What would solve the problem for me would be if I could nominate a group of records in 1Password that all use the same password, so I only have to make the change once.

    Best regards, Mark

  • jxpx777
    jxpx777
    1Password Alumni

    Thanks for your input, @vigorsm. So far, the situation hasn't changed, but hearing about users' needs is definitely helpful for us to know what issues might need tackling in the future.

  • cvil
    cvil
    Community Member
    edited April 2017

    +1, I would also like a solution to this problem.

    I use 1Password for work and our Active Directory setup results in the same password across many sites but the user names may vary. The username in our scenario may be first.last@company.com, username, or AD_domain\username.

    My current solution is to maintain a single 1Password login item to represent the password. The username on the item is the username most common across our sites. The login item contains each website, I have 7 websites listed. Then in the notes fields, I keep notes on which sites use which username. Lastly, the login item is set to "never submit" and after it auto-fills I need to manually adjust the username before manually submitting to websites where the username is not the most common one.

    This is absolutely a real use case for enterprise customers. If 1Password Teams is targeting larger organizations then this is a common issue for your enterprise users. I'm not sure how you would measure how many users are potentially affected.

    Here are my thoughts on how the product could handle this use case. I have no expectation that this will be the actual solution but am providing it to help illustrate the problem.

    • As a user, I would like to group web form details in a login item by a list of websites.
    • As a user, I would like to define multiple usernames in a login item. (similar to websites)
    • As a user, I would like to reference any of the associated usernames from any specific group of web form details. (enabled by story #1)
  • Hi @cvil,

    You're right that this is a real use case for enterprise customers, and 1Password Teams is what we're hoping these customers would use.

    I'd love to hear more about the AD setup in these cases. Are you using SSO (maybe something like SAML?)? What's the relationship like between your AD server and these services?

    I think that when it comes to these kinds of enterprise configurations we need to think beyond the current tooling we have available to us.

    Rick

  • prime
    prime
    Community Member

    I've suggested this before, but too bad we couldn't have a check box on each login (or whatever) "do not include in security audit"

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: It's something we're considering. Not actionable at this point since we've got a lot on our plates and it would require a change across all of the apps, but definitely on our radar — amor other ways to make security audit more user-friendly. Cheers! :)

  • prime
    prime
    Community Member

    Thanks @brenty
    I have so many work things that I can't change, so it's pointless for those to show up in the audit. I see them, and at a point I am starting to ignore that area.. defeating the purpose of it.

  • ondrejfuhrer
    ondrejfuhrer
    Community Member

    Hey guys,

    I would also vote for the option of having a possibility to opt-out security audit for an item. I also have a situation (with one bank), that uses different login option that includes as a "password" just a PIN which can be max 6 digits and the secure part is actually a text message to your phone including more secure "one time password". So this item as well is in the "weak password" section, but I cannot do anything about it. So the opt-out security audit for an item would help there as well!

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @ondrejfuhrer,

    I wish banks would be more sensible in their approach to allowing longer and more sensible passwords / PINs. :( I'm very sorry but we don't have any plans at the moment to allow the exclusion of certain items from the Security Audit, but we will take your suggestions into consideration.

    As an alternative, you could edit your Login item for that bank such that the PIN is saved in your Login item as text rather than as a password (you could move it from the password field to a text field in the Login item and delete the password field). That way, it wouldn't show up in the Security Audit.

    Thanks for your suggestion and let me know if you've any more questions.

    Matthew

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @prime,

    I hear your frustration and I do think the idea of having a clean Security Audit section is important to ensure that 1Password users can easily see actionable security issues. Clarity is key. Hopefully at some point we can spend some time here to improve this area. At the moment we're working on some other goodies for you :)

    Matthew

  • cvil
    cvil
    Community Member

    @rickfillion Here are more details on our setup for a handful of services. All 5 of the examples below use the same password. For the 2nd set, I need to set my single login item to "never submit" then manually adjust after 1Password fills out the form.

    SAML/SSO:
    Outlook 365 (vendor hosted, SAML/SSO, login with AD_domain\username)
    Slack (vendor hosted, SAML/SSO, login with AD_domain\username)

    Other Setups:
    Service Now (vendor hosted, No SAML/SSO instead LDAP Bind to Active Directory over private conn., login with username)
    Room booking software (vendor hosted, No SAML/SSO instead LDAP Bind to Active Directory over private conn., login with username)
    Appian (vendor software hosted onsite, No SAML/SSO synchronized user base incl. passwords, login with first.last@company.com)

    I spoke to our SSO administrator about moving the 2nd set over to SSO. It's not realistic in many of our setups for various reason. This list of 5 services is a sample, we have many more services that fall into each of the 2 categories above.

    I would love to have 1Password solve this use case.

  • Thanks for the additional info @cvil. Looks like 1Password would need to do more to handle that case nicely than some of the ideas I had in my head. It's good to know that now before we start down that path.

    Rick

  • cvil
    cvil
    Community Member

    Thanks, @rickfillion. Don't hesitate to reach out if I can provide more information.

  • Will do.

  • slessard
    slessard
    Community Member

    +1 @cvil perfectly described the use case I am facing at my job.

  • Hello @slessard,

    Thank you for letting us know. I don't know if we've made any progress on how to handle these situations but it is useful to learn how widespread it is.

  • cttwapps
    cttwapps
    Community Member

    As a 1password user in an enterprise setting I have to deal with this every day. We have lots of systems that are tied to a centralized user management system, Active Directory; however, lots of these systems require the username be set differently. The ones I have to manually mange use the following username formats:

    • shortname (first initial lastname)
    • shortname2 (user portion of email address in firstname.lastname)
    • email address (firstname.lastname@domain.com)
    • randomly assigned user string

    In addition some of the services have a 2FA requirement.

    It would keen to be able to specify an option username with each website entry for a 1p login object. I would picture it being setup as follows:

    • new mult-user login entry is created (this would be a new object rather than extending the existing login object)
    • automatic submission for these objects is disabled
    • there is new username field between the vault and password fields
    • username is now attached to website entry (each entry is now two fields)
    • when 1p browser plugin matches a website the corresponding username is taken for the autoflll

    Another approach would be to extend the existing login obect so that the username specified in the webform details is not forced to be the same as the username for the login object itself. Since this section already has an email, username and text field if you label the field type as url (the first column) and allow the second column to be which username you chose (silhouette or email icon - which would need to be defined) then when 1p browser plugin matches a site from this section the either the username or email is passed.

    Right now the limitation seems to be that 1p assumes that develops have done the right thing and labeled fields as email when they want an email address; in an ideal world this would be true.

    Until we hav support I currently workaround this as follows:

    • disable form submission in 1p
    • create new login object
    • leave username blank
    • add or generate password
    • add websites (I change the label to match the application just for my sanity)
    • populate email address of webform details section (leave username blank here as well otherwise it sets the username for the login object)
    • for hard to remember applications i use the notes section to create "label" - "username" reminders which I can access via hover from 1p browser plugin

    While my workaround is not ideal and compartively slow it works for me as a stopgap measure until I either:

    • get support for multiple usernames on the login object from 1p
    • build my own wrapper for 1p browser or 1p that autofills with multiple logins
    • move to a password manager that supports this feature (if one exists)

    I hope this post can be helpful for users and developers alike.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @cttwapps: That certainly does sound like a bit of a mess. I'm not sure that it will be possible for 1Password to untangle all of that for you, but there may be some things we can do that will help in the future. I'm not sure I've ever seen a request for multiple username support before (perhaps @rickfillion has), so I appreciate you going into such detail. While not ideal, I suspect workarounds may help others as well. Thank you for taking the time to share your excellence and feedback! :)

  • That’s really interesting. Thanks for going into so much detail. It sounds like a fun problem to solve. It’s not the first time I hear a request for multiple usernames on a single item, but it’s definitely been a rare one.

    Cheers.

    Rick

  • f1337
    f1337
    Community Member

    My current work-around, for managing multiple enterprise client usernames sharing the same password:

    1. Create an entry for each username+URL variation: only set the username (no password), and "Never submit".
    2. Create an entry for the password: only set the password (no username), and "Never submit".
    3. Manually copy every website from the username entries created in step #1 into the password entry created in step #2.

    Now login is a three-step process: select the appropriate username entry, then the password entry, then manually submit. But I don't have to worry about duplicate passwords.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Based on how 1Password currently works I do find your solution compelling @f1337. I could be wrong but you might be able to set the submit on the password Login item to Submit when enabled. There may very well be good reasons that this won't work though that I haven't considered.

  • markjeffery
    markjeffery
    Community Member

    +1 for me.
    My okta login is first.last@company.com with okta password
    My wiki login is first.last with the same password

    everytime I have to change my okta password, my wiki login fails.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @markjeffery: If you have two separate logins saved there, it makes sense that changing the password in only one of them would render the other useless if they're really the same account. Is that what you're doing?

  • mrdolittle
    mrdolittle
    Community Member

    I would also love the possibility to somehow manage multiple usernames with the same password. For me it is also in a corporate environment, but I use my personal 1password plan since the company does not have any password manager.

    We also have some AD system which updates the password on multiple sites and services but they use different usernames. Sometimes it is the email, sometimes the user id from the AD system.

  • sgorsuch
    sgorsuch
    Community Member

    I've go the same use case as many here. I have a few systems at work where I login as first.last@company.com and then just as firstinitial+lastname (e.g. flast) but must keep the password the same. Just adding my two cents as it seems this is something many people want.

    My solution is to have 2 logins with the same password and list the appropriate URLs for them and tag each login with "change_together" and just hope I remember to do it every time.

  • AGAlumB
    AGAlumB
    1Password Alumni

    It's certainly an interesting idea, but I can't imagine how it would work. If you've got multiple usernames saved, which one does 1Password fill? How does it know? More importantly, how does it not get it wrong? Food for thought.

This discussion has been closed.