Weak Password where there is no password
I am going through my Security Audit section and find that I have a bank account listed as having a weak password. The only problem is, this bank account entry doesn't have a Password field at all. I only have the bank name, name on account, type, account number, routing number and PIN (then of course the bank address, phone, etc). Why is it saying I have a weak password?
In a related question, I also have a government-related account for a web site that shows as having a weak password, but this particular account says that my password must contain exactly 8 characters and only have numbers and letters - no symbols. In other words this particular government web site requires that the password be weak and there is nothing I can do about that.
So my question is, if you have an entry that shows up as "weak password" is there any way to just cause the audit to ignore that particular entry? (If there isn't it might be a good feature to add)
1Password Version: 6.8.4
Extension Version: Not Provided
OS Version: 10.13.2
Sync Type: Dropbox
Comments
Going through the Security Audit, passwords are still showing up as "3+ years old" even after I updated the password. For example, I have a forum login item that was originally created in 2014 - 4 years ago - so it naturally showed up in security audit as 3+ years old. However, I went to that forum site and changed the password a few days ago, and the "last modified" date now shows Dec 8, 2017, but this item still shows up in security audit as being 3+ years old. Any idea why this is happening?
0 -
I am going through my Security Audit section and find that I have a bank account listed as having a weak password. The only problem is, this bank account entry doesn't have a Password field at all. I only have the bank name, name on account, type, account number, routing number and PIN (then of course the bank address, phone, etc). Why is it saying I have a weak password?
@BasilFawlty: I'm honestly not sure. I'm not able to get any Bank Account items to appear in Security Audit. When and where did you create that item? Have you added password fields to it at some point? If you create a new Bank Account item for that, do you see the same issue there?
In a related question, I also have a government-related account for a web site that shows as having a weak password, but this particular account says that my password must contain exactly 8 characters and only have numbers and letters - no symbols. In other words this particular government web site requires that the password be weak and there is nothing I can do about that.
So my question is, if you have an entry that shows up as "weak password" is there any way to just cause the audit to ignore that particular entry? (If there isn't it might be a good feature to add)
Yup. That's a weak password alright. But it's out of your control. There isn't anything that can be done right now, but we'd like to make it possible to have Security Audit exclude/ignore certain items in a future version. Thanks for your feedback on this!
Going through the Security Audit, passwords are still showing up as "3+ years old" even after I updated the password. For example, I have a forum login item that was originally created in 2014 - 4 years ago - so it naturally showed up in security audit as 3+ years old. However, I went to that forum site and changed the password a few days ago, and the "last modified" date now shows Dec 8, 2017, but this item still shows up in security audit as being 3+ years old. Any idea why this is happening?
How did you update the password exactly? Using the browser extension? Manually editing in the app? Thanks in advance!
0 -
@BasilFawlty: I'm honestly not sure. I'm not able to get any Bank Account items to appear in Security Audit. When and where did you create that item? Have you added password fields to it at some point? If you create a new Bank Account item for that, do you see the same issue there?
Just for grins, I just created another "fake" bank account with all the same types of information (but entirely bogus) that is in my real bank account (which I've blacked out). As you can see in attached screen grab, there is no password field at all, yet it shows up in Security Audit as a Weak Password. The PIN field has a 4-digit PIN common with many banks, etc.
Yup. That's a weak password alright. But it's out of your control. There isn't anything that can be done right now, but we'd like to make it possible to have Security Audit exclude/ignore certain items in a future version. Thanks for your feedback on this!
That would be a welcome upgrade.
How did you update the password exactly? Using the browser extension? Manually editing in the app? Thanks in advance!
Well, this is weird. I went in this morning to look at that item and it is no longer showing up as having an old password. Can't explain that one as the password had been updated several days ago, but was showing in the 3+ years or older area of the audit, but now it isn't there this AM.
0 -
Update - in the fake example Bank account I posted above that shows up in security audit, I deleted the PIN and voilà, the item no longer appears in the Weak Passwords area. Apparently 1Password is considering a PIN the same as a Password. I think your idea of making it possible to selectively ignore certain items in the Security Audit would solve the problem.
0 -
Hey @BasilFawlty -- yep, that's the one (the PIN code). Sorry I didn't drop by earlier to let you know about this. ANY "password" field - of which the PIN counts as one - will be included in the Security Audit at present. Unfortunately, that means that any bank or credit card with a PIN number entered (and obfuscated by 1P) will register as "weak," since most PINs are 4-6 digits, which would - if it were a real password - certainly count as weak. It's something we're planning to address in a future release, but for now, feel free to ignore it.
0 -
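The behaviour described in the reply above, sketched as an added example (this is not 1Password's code): an audit that scores every concealed field flags a 4-digit PIN, while skipping fields by label or items by title does not. The field model, the 50-bit threshold and the parameters `skip_labels` and `ignored_titles` are assumptions made for illustration.

```python
import math
import string

WEAK_BITS = 50  # assumed cut-off for this example only
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)

def estimate_bits(secret):
    """Upper bound on entropy: length * log2(size of the character classes used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))
    return len(secret) * math.log2(pool) if pool else 0.0

def audit(items, skip_labels=frozenset(), ignored_titles=frozenset()):
    """Return (title, label) for every concealed field scoring below WEAK_BITS."""
    flagged = []
    for item in items:
        if item["title"] in ignored_titles:        # per-item opt-out
            continue
        for field in item["fields"]:
            if field["type"] != "concealed":       # plain text is never audited
                continue
            if field["label"].lower() in skip_labels:
                continue
            if estimate_bits(field["value"]) < WEAK_BITS:
                flagged.append((item["title"], field["label"]))
    return flagged

# Constructed sample vault; every value is made up.
VAULT = [
    {"title": "Bank account", "fields": [
        {"label": "account number", "type": "text", "value": "000123456"},
        {"label": "PIN", "type": "concealed", "value": "4821"}]},
    {"title": "Government site", "fields": [
        {"label": "password", "type": "concealed", "value": "aB3dE5gH"}]},
    {"title": "Forum", "fields": [
        {"label": "password", "type": "concealed", "value": "t7#Lq9!vR2@xWm4$"}]},
]

# The padding workaround from the thread: the stored string scores well,
# but the secret the bank accepts is still the first four digits.
PADDED_PIN = "4821_kX9vQ2mZ7pLw"

if __name__ == "__main__":
    print(audit(VAULT))
    print(audit(VAULT, skip_labels={"pin"}))
    print(round(estimate_bits("4821"), 1), round(estimate_bits(PADDED_PIN), 1))
```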
Hey @BasilFawlty -- yep, that's the one (the PIN code). Sorry I didn't drop by earlier to let you know about this. ANY "password" field - of which the PIN counts as one - will be included in the Security Audit at present. Unfortunately, that means that any bank or credit card with a PIN number entered (and obfuscated by 1P) will register as "weak," since most PINs are 4-6 digits, which would - if it were a real password - certainly count as weak. It's something we're planning to address in a future release, but for now, feel free to ignore it.
Thanks. Good to know you will address ability to ignore certain entries in the Security Audit in the future. In the meantime, since I only ever manually type in my PIN at ATMs, Point of Sales locations, etc., I have a workaround that is to simply type in the 4-digit PIN, then underscore and fill in a bunch of random characters. That way Security Audit for now ignores it.
0 -
@BasilFawlty -- that's a great, creative solution! As long as you know it's only the first four - or six, whatever - digits, that's an excellent way to keep that item out of Security Audit! :+1:
0 -
@BasilFawlty -- that's a great, creative solution! As long as you know it's only the first four - or six, whatever - digits, that's an excellent way to keep that item out of Security Audit! :+1:
At least until some sort of optional ignore function is implemented.
0 -
:) :+1:
Also, thanks for clearing that up. My bank accounts don't have PINs (only my cards do), so that's why I wasn't seeing the same thing. Cheers!
0