Reused Password warning

hazmat
hazmat
Community Member

Not sure if this is a beta thing or not, but I've been seeing the Reused Password warning a few times lately and I don't think it's correct. One is for a site that I had a password entry and a login entry for, same password. Another was for a site that I'd just changed the password for, so it was unique and brand new. Is this a known issue or is something wrong on my end?

Thanks.


1Password Version: 7.2.BETA-1 (70200001)
Extension Version: Not Provided
OS Version: 10.14 Beta (18A384a)
Sync Type: 1Password Family account

«134

Comments

  • Hi @hazmat,

    Would you be able to post a screenshot of the warning?

    Ben

  • hazmat
    hazmat
    Community Member

    Hi. Here you go.

  • Lars
    Lars
    1Password Alumni
    edited September 2018

    @hazmat - it's a little difficult for us to say with certainty since we don't actually know the contents of your data (nor should we). However, that warning is present because 1Password can see that you've used the same password in more than one item. If you switch to the Reused Passwords section of Watchtower in 1Password's sidebar, you should be able to see the items listed by password (grouped together) so you can see if you've got perhaps the same item duplicated elsewhere. This can often be the case if you have created a password item (which happens when you generate a new password using the Password Generator) and then you create a Login item for that site. The way it's supposed to work is that if you create a Login item with the password you generated, the password item that was generated gets removed...because you don't need it any longer and removing it avoids this issue. But that doesn't always happen, which is why you can review the items in Reused Passwords.

    That said, there IS an issue here in that the Reused Passwords section of Watchtower will search ALL your vaults, even the ones that are specifically excluded by you in the All Vaults view. So sometimes, it can appear as if you've got only one item with a particular password, when the reality is that the item is duplicated in a vault that's hidden from All Vaults. If you check for the item name in every vault that's not shown in All Vaults, you should find it in one of them.

    ref: apple-2031

  • hazmat
    hazmat
    Community Member

    Thanks, Lars. I think it's exactly it, that I had the same password for the password and login entries. I'll delete the password entry and see if the warning clears up. I only see it at home, where I'm running the beta.

  • Lars
    Lars
    1Password Alumni

    @hazmat - sounds good; let us know if you run into any issues. :) :+1:

  • johndavidson
    johndavidson
    Community Member

    Can I suggest a new feature: Marking duplicate/reused passwords as OK.
    I have an entry for icloud and Apple. Both use the same userid and password, so 1Password flags them with the Reused Password warning. However, I want them to be the same, for obvious reasons. It would be nice if you could click on an entry and mark it as "Known reuse", or something similar, so the warnings would disappear.

  • dutch
    dutch
    Community Member

    I have the same thing. Still have my primary vault on Dropbox, which I disabled, however the re-used password warning keeps coming. I would like to get rid of the Primary vault but can't delete it. Message: "Can't delete primary vault"
    Introducing another issue on this thread, so feel free to move.

  • Lars
    Lars
    1Password Alumni

    @johndavidson - it's not a bad idea, but it's one we'd need to make sure to implement in a very careful way. There are certain requests we've received over the years that we've had to in the end give a hard "no" to, because at the end of the day we believed they would likely lower too many people's security. Yes, users need to be responsible for their own security, but at the same time, our main job is security and as a result we don't want to put a tool in people's hands to intentionally lower it...especially one that might be misused by someone who didn't fully understand what they were doing. The Reused Passwords feature refinement you're suggesting falls very close to that line. We have something similar already with "Inactive 2FA" and "Unsecured Websites" -- both of these warnings in Watchtower can be bypassed by adding either a 2FA tag or an HTTP tag to the record in question, respectively. But in those cases, it doesn't run the risk of actually lowering users' security; often, there are sites you need which you can't control and you're quite aware the use http instead of https...so a warning is merely annoying: you need the site, you know it's not secure, and you're OK with that (possibly because it's non-sensitive information, like a neighborhood tennis-court sign-up website or something harmless). And the worst that could happen there, if you've used a unique password, is that someone might learn your password...for the tennis court. So we allowed that tag-based method of bypassing the warning in that case.

    But re-using passwords is one of the most-common and most-potentially harmful threats 1Password is designed to protect you against. You sound like a savvy user, but not everyone who uses 1Password has your level of familiarity with either the software, threat models, or in fact computers in general, yet they still come to us expecting - and deserving - the best security we can provide. Allowing people who may not be clear on the threats posed by duplicate passwords to turn off all such warnings globally or even individually is something we'd have to think much harder about. I'm not saying you won't see something like what you're suggesting (or have already done for 2FA and HTTP), just that this one's not quite the slam-dunk those are. Thanks for the suggestion, however, and taking the time to share it with us.

  • Lars
    Lars
    1Password Alumni

    @dutch - the Primary vault is always, well, primary -- it's the first, default vault you create when you first begin using 1Password, and it's the vault for which the vault password (for that vault) also serves as the Master Password for your application. That's why it can't be removed if there are still any other standalone vaults present. You can remove it, just not before everything else. Do you have other vaults present? If so, may I ask why you're trying to remove Primary? I might be able to offer some ideas on how to streamline things.

  • dutch
    dutch
    Community Member

    @Lars Thanks for your comment. I switched from using 1P locally (with dropbox) to online vault. Now I use the online vault I don't ned the local vault anymore. I get the warnings of duplicate passwords because I have passwords in both vaults. I keep up to date with the online hosted vault (with my 1P subscription) only.

  • Lars
    Lars
    1Password Alumni

    @dutch - ah, OK -- thanks. You can remove the Primary vault by clicking Preferences > Advanced and UN-checking the box marked "Allow creation of vaults outside 1Password accounts." Make sure the Primary vault is really empty and no longer needed, and that should work for you.

  • dutch
    dutch
    Community Member

    @Lars Okay, I can do that. I created a backup of the files in my Dropbox folder. Is that enough to go back on should I need to?

  • Lars
    Lars
    1Password Alumni

    @dutch - depending on what you put in Dropbox, I wouldn't do that; there's just no need. Let me try to be clear here: I would never encourage people to skip backing up their data...but 1Password already makes local backups of your standalone data, regardless of how you sync. If you open Preferences > Backups you should be able to see your backups dating back...well, quite a ways: daily for a week, weekly for a month, and then monthly after that, for up to fifty backups. When you switch to a 1password.com account, one of the benefits is multiple redundant backups made for you on the 1password.com servers...so I think you're covered. You're free to do as you like, of course, but I'd say there's little need to place a backup file explicitly on Dropbox, once you've converted to a 1password.com account.

  • dutch
    dutch
    Community Member

    @Lars Thanks!!

  • Lars
    Lars
    1Password Alumni

    @dutch - you're quite welcome; glad I was able to assist. :)

  • hazmat
    hazmat
    Community Member

    @johndavidson Sorry if I'm misunderstanding, but any reason you don't just put the URLs for both the Apple and iCloud entries into one entry if the username and password are the same for both?

  • Lars
    Lars
    1Password Alumni

    @hazmat - I can't speak for @johndavidson but one reason might be that double-clicking on an item from within 1Password's main window will only launch the first URL.

  • iDoug
    iDoug
    Community Member

    Am seeing "Reused Passwords" on duplicate entries in different vaults. As a general rule I am usually in one vault at a time. Thus, there is no indication as to which vault contains the duplicate.

    I use vaults as a means of separating functions. Would prefer that any vault I am not using be encrypted (*feature request). This would remove the duplicate passwords from "Reused Passwords". As well as being more secure.

    If you must check passwords across different vaults, then can you please expand that to the entire entry (*feature request)? Then you could tell me when duplicate entries have different passwords. That would be a useful feature.

  • Lars
    Lars
    1Password Alumni

    @iDoug - it's certainly something we can consider for the future, but the main point of the Reused Passwords feature of Watchtower is to alert the user to instances of duplicated passwords wherever they may be. If the duplicate is a different site/URL with an identical password to another Login item in 1Password, that's exactly the kind of thing Reused Passwords is intended to notify users of. If it's a case where a single Login item has been duplicated into multiple vaults, that's not something we recommend doing in general, as it increases confusion and the items do not sync with one another.

  • iDoug
    iDoug
    Community Member

    @Lars "If the duplicate is a different site/URL with an identical password to another Login item in 1Password, that's exactly the kind of thing Reused Passwords is intended to notify users of."

    Um, am seeing duplicate passwords with no site/URL, with servers, SSNs. This only applies to the first password/SSN found in an entry. Any other password/SSN in a single entry is not a used in "Reused Passwords". Is this a bug?

  • That’s a good question, @iDoug, and I’m honestly not sure of the answer. I’ll check with development and see what the intention there is.

    Ben

  • randy_g
    randy_g
    Community Member

    I have, or at least had, about a half-dozen different 1Password entries for Facebook, as I do for a number of sites (like Google and Amazon), because they're all different URLs on the facebook.com domain. Since switching to 1Password 7 a few days ago, I'm getting a "reused password" warning for almost every site I use. When 1Password asks me if I want to save a password, I basically always say yes, because I don't know what it's already stored. The real problem here, as I see it, is that 1Password doesn't recognize that these "different" sites are really all the same. How about a feature that just adds a new variation to the existing entry, if the password from the existing entry worked, or at least asks me if it should do that? This is almost always how this happens.

    I tried consolidating all of the variations for Facebook into a single 1PW entry with multiple website entries, but it's still giving the "reused password" warning. I find this really aggravating, because I would like to know if I have actually reused a password for more than one site, but the way it works now makes this impossible.

  • Donaldd
    Donaldd
    Community Member

    As the Watchtower flagged over 100 entries in my personal vault with the shiny "Reused Password" banner, I spent some time on this to find out what happened to a loyal password manager user 8-)
    The weird result is I could only see some "single" entries with the partial-displayed reused password, not pairs. So, how could I reuse a password with nothing? Besides, I have already deleted all the passwords generated automatically in 1Password...
    Then, I switched the displayed vault from "Personal" to "All Vaults" (Also selected all the vaults, including the shared ones in Preferences). What? This time the watchtower showed all the so-called "Reused Passwords" in pairs, but they are in different vaults. Wait a minute, these entries are the ones I do want to share with my family and copy to the shared vaults, so they're definitely the same passwords, "shared", but not "reused" ones.

    So...

    My questions are:
    1. If the passwords in shared vaults and personal vaults are identified as "reused" as a whole, WatchTower's "Reused Password" feature would be useless and I'd like to disable it, however, I can't find how.
    2. Avoid reusing password is definitely crucial, especially when using a password manager. But the current mechanism (is it a mechanism?) is so imprudent and annoying and not a 1Password way. Don't you think it should be "per vault basis"? >_<


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • russtms1
    russtms1
    Community Member

    Since the Reused Password is irritating and (to me) useless--for one thing, it marks as reused a password from the Password Generator that has also been assigned to a login--how can I turn it off? I do not mind having a way to search for reused passwords, if I choose to, but the constant annoying warning reduces my use of 1Password. I doubt that is the reason for the warning.

  • fritzophrenic
    fritzophrenic
    Community Member

    A couple here with multiple entries for the same site, either because they said "yes save it" when the browser plugin asked on a new part of the website, or because they copied the item to a shared vault.

    For the first, there's an "update existing" feature you could use instead of creating a new entry. Also consider just adding the URL as a second website field in the same entry.

    For the second, after copying to a shared vault, is there any reason to keep the first entry around at all? Just use it from the shared vault (and keep the settings to show "all vaults" most of the time). Otherwise the two entries could get out of date and the shared entry will end up just getting in the way.

  • InfiniteBeat
    InfiniteBeat
    Community Member

    Dear AgileBits

    At first thank you for enhanced security audit experience in version 7. Therefore, I 've decided to migrate to subscription from a standalone model. Excellent job.
    Well, I am not sure wether it has already being discussed here so receive my upfront apologise if it was but I would like to find possibility to link exactly same account multiple entries (e.g. Microsoft OneDrive, MS Outlook account, MS Skype or Google e-mail, YouTube etc) to eliminate warning about reused passwords for such accounts.

    Furthermore, there are some old, no longer used accounts or offline credentials in my basis which I keep backed up further for some reason and which have not been used for years. I would like to see possibility to exclude warnings for such entries.

    Thank You.

  • Donaldd
    Donaldd
    Community Member

    :( It is a surprise that my topic was merged into this one without any notifications. I've read @Lars 's comments but I still have no idea about the reason to flag the shared entries as "reused". A new tag/banner to notify the user "this item is being shared" would be far more reasonable and user-friendly than flag them all as "reused".
    Otherwise, is it saying that 1Password doesn't recommend sharing password within 1Password Families as it is a security risk?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited October 2018

    :( It is a surprise that my topic was merged into this one without any notifications.

    @Donaldd: I'm sorry for the confusion, but like duplicate passwords, it isn't beneficial to have duplicate discussions. That slows down response time for everyone — including you. Let's keep it to a single thread per topic, if we can. That way everyone can participate and benefit from the discussion.

    I've read @Lars 's comments but I still have no idea about the reason to flag the shared entries as "reused". A new tag/banner to notify the user "this item is being shared" would be far more reasonable and user-friendly than flag them all as "reused".

    Otherwise, is it saying that 1Password doesn't recommend sharing password within 1Password Families as it is a security risk?

    No. But reusing passwords is. And if you're littering multiple vaults with duplicate items using the same password, how is 1Password to know that these aren't cases of password reuse? "Sharing" is not synonymous with "duplication"; you can absolutely put an item in a shared vault without copying it all over the place.

    My questions are:
    1. If the passwords in shared vaults and personal vaults are identified as "reused" as a whole, WatchTower's "Reused Password" feature would be useless and I'd like to disable it, however, I can't find how.

    You can disable Watchtower in Preferences. But it's hardly "useless". From you're description, you are reusing passwords, after all. And it's sort of 1Password's job to tell you about that, if you have the feature enabled. But if you mean you've made multiple copies of literally the same login is different places, then Watchtower isn't the problem, and that's probably something worth reevaluating. Why not put those in a shared vault and give access to everyone who needs it? Otherwise if and when you make any change, you're going to have to remember to update that in multiple places. Food for thought.

    1. Avoid reusing password is definitely crucial, especially when using a password manager. But the current mechanism (is it a mechanism?) is so imprudent and annoying and not a 1Password way. Don't you think it should be "per vault basis"? >_<

    Absolutely not. If 1Password only told you about reused passwords in the same vault, people will miss a lot of them, and then the question becomes "what's the point?" if 1Password doesn't tell you about even reused passwords it's aware of. You'd still have to hunt them down yourself then. After all, a lot of folks have separate vaults for business and personal. So 1Password shouldn't tell them that they are reusing passwords between those? Disastrous. There's a better way.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Can I suggest a new feature: Marking duplicate/reused passwords as OK. I have an entry for icloud and Apple. Both use the same userid and password, so 1Password flags them with the Reused Password warning. However, I want them to be the same, for obvious reasons. It would be nice if you could click on an entry and mark it as "Known reuse", or something similar, so the warnings would disappear.

    @johndavidson: I know I'm a bit late there, but I wanted to touch on this since it's an important point, and it seems to come up occasionally: Why have so many separate logins with the same credentials in the first place? That's also inconvenient for usability, since then you have to choose from a list. You can save multiple URLs in a single login. Give that a try. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    I tried consolidating all of the variations for Facebook into a single 1PW entry with multiple website entries, but it's still giving the "reused password" warning. I find this really aggravating, because I would like to know if I have actually reused a password for more than one site, but the way it works now makes this impossible.

    @randy_g: Related to other comments above, both about having multiple login items for the same account and "mysterious" reused passwords: make sure you're viewing all of your vaults, or switch to those you have hidden. 1Password will tell you of any duplicate passwords it knows about, after all. It can certainly be aggravating for any of us to have to dig ourselves out of these holes. I've certainly been there myself. But I think it's much less aggravating than having an important account compromised because of a reused password from another, and 1Password not making you aware of it when it could have.

This discussion has been closed.