Reused Password warning

Comments

  • AGAlumB
    1Password Alumni

    Since the Reused Password is irritating and (to me) useless--for one thing, it marks as reused a password from the Password Generator that has also been assigned to a login--how can I turn it off? I do not mind having a way to search for reused passwords, if I choose to, but the constant annoying warning reduces my use of 1Password. I doubt that is the reason for the warning.

    @russtms1: If you don't need those extra items using the same password, delete them. That will "turn it off".

  • AGAlumB
    1Password Alumni

    A couple here with multiple entries for the same site, either because they said "yes save it" when the browser plugin asked on a new part of the website, or because they copied the item to a shared vault.

    @fritzophrenic: Indeed, that can happen from time to time. If you'll let us know the sites where you're being asked to save when you already have, we'll see what we can do to make 1Password smarter in those cases. Thanks for bringing it up!

    For the first, there's an "update existing" feature you could use instead of creating a new entry. Also consider just adding the URL as a second website field in the same entry.

    Excellent point. 1Password can't necessarily know the users' intention, so we offer both options when there are existing logins for the site.

    For the second, after copying to a shared vault, is there any reason to keep the first entry around at all? Just use it from the shared vault (and keep the settings to show "all vaults" most of the time). Otherwise the two entries could get out of date and the shared entry will end up just getting in the way.

    Only you can really answer this question for yourself, but generally we recommend having it only in one place. Not only does not having multiple copies of the same thing prevent false positives for a reused password, it also ensures you're not getting mixed up later when you have to update it, potentially forgetting that you'd need to do so in multiple places. If you're able to put it in a shared vault that everyone who needs it has access to, there's probably no need to have another copy elsewhere. :)

  • AGAlumB
    1Password Alumni
    edited October 2018

    First of all, thank you for the enhanced security audit experience in version 7. Therefore, I've decided to migrate to subscription from a standalone model. Excellent job.

    @InfiniteBeat: Thank you so much for the kind words! 1Password isn't perfect; it's very much a work in progress. But it's great to hear that it's helping you secure your digital life too. :chuffed:

    Well, I am not sure whether it has already been discussed here, so accept my upfront apologies if it was, but I would like to find a possibility to link multiple entries for exactly the same account (e.g. Microsoft OneDrive, MS Outlook account, MS Skype or Google e-mail, YouTube etc.) to eliminate the warning about reused passwords for such accounts.

    "Linking" won't help, as you'd still have multiple items with the same login credentials. But you can save all of the URLs where you need to use that account in a single login item. Give that a try. :)

    Furthermore, there are some old, no longer used accounts or offline credentials in my basis which I keep backed up further for some reason and which have not been used for years. I would like to see a possibility to exclude warnings for such entries.

    It's something we can consider, but again, a reused password is a reused password. You may not have anything sensitive in those accounts, but if you haven't used them for years do you really even know? We don't want 1Password making grey-area value judgements about security: a reused password is a reused password, and that's something 1Password should raise awareness of, not ignore.

  • InfiniteBeat
    Community Member

    Thanks for your response.
    I’ve found a solution to bypass false warnings for both groups of items described above.
    Simply put something like “Item_No_Longer_Used#_1” into the password entry. Then I put the real item password into one of the forms in the body below, marked as password.

  • AGAlumB
    1Password Alumni

    I'm not sure I follow, but I'm glad that you found something that works for you. :)

  • johndavidson
    Community Member

    OK, here is why I have multiple entries with the same password. Apple uses your credentials on a number of sites; Apple store, support, icloud, etc. All of these need multiple entries for the login function to work correctly. Other sites have similar issues. I'm not reusing passwords on different sites, but reusing the same set of credentials across multiple logons for the same company.

  • AGAlumB
    1Password Alumni

    OK, here is why I have multiple entries with the same password. Apple uses your credentials on a number of sites; Apple store, support, icloud, etc. All of these need multiple entries for the login function to work correctly.

    @johndavidson: How so? That hasn't been my experience at all. Have you tried saving multiple URLs in the login, like I suggested above? I've only got one login for each of my Apple IDs. Now if only I had fewer of those. ;)

    Other sites have similar issues. I'm not reusing passwords on different sites, but reusing the same set of credentials across multiple logons for the same company.

    Again, why? Can you give me an example of why it isn't possible for you to use a single item with multiple URLs for the same login credentials? I can't think of one that I've encountered.

  • Donaldd
    Community Member

    @brenty Thanks for the detailed explanation. So maybe I need to change my way of sharing from "Copy to vault" to "Move to vault" instead to avoid this reused password banner?
    It is a little bit strange to not keep an original copy of an entry (in my personal vault), especially when the original one contains more information in it (secure notes etc.). Any suggestions?

  • AGAlumB
    1Password Alumni

    @Donaldd: You're very welcome! I think that would be best. Keep in mind that even when you move an item, and therefore the original is deleted in the source vault, you can still restore it later if needed. 1Password.com has the Trash like we're all used to, but also item history and even the ability to revert to older versions of items. So I think you'll be in good shape. :)

  • wkleem
    Community Member
    edited October 2018

    @brenty

    Again, why? Can you give me an example of why it isn't possible for you to use a single item with multiple URLs for the same login credentials? I can't think of one that I've encountered.

    There may be some circumstances for reused passwords. Both Flickr and Yahoo share the same ID/passwords as Flickr once belonged to Yahoo but not anymore. There still has not been a separation of Flickr from Yahoo yet. I need two site logins, one for Yahoo and one for Flickr.

    Unless a user is still on 1Password 6 for Android...

    I guess you would know that I have 1Password on all devices. Mac is out of date at 1Password v6.8.

  • spindifferent
    Community Member

    I just updated to macOS 10.14 and then updated 1password to 7.2.1 and now a vast majority of my passwords display the "Reused Password" warning along with the word "Duplicate" next to the actual password. The actual passwords are not duplicates and are typically 12-14 characters each.

    Some passwords do not display the warning, but more than 75% of them do. Prior to version 7.2.1, there were no issues or warnings.

    What's up?

  • Lars
    1Password Alumni

    @spindifferent - what version did you update/upgrade from? Did you also perhaps create a 1password.com account - possibly inadvertently - during the process? Open Preferences > Vaults and tell us how many vaults you see there, and their names. If you see one named Primary and another named either Personal or Private, you likely duplicated your standalone data into an account when you upgraded.

  • spindifferent
    Community Member

    @Lars,

    Thanks for the speedy response!

    I updated from a version that was 2 versions ago - not sure of the exact version number, but the 7.2.1 update mentioned that it was 2 versions newer from the existing.

    I do have 2 vaults; 1 named Private and 1 named Primary. Primary is located on my local Mac drive, and Private (I assume) is located on the cloud. Private is my membership vault; I believe this was created when I initially upgraded to version 7.0.

    The Private vault is the one selected for saving new items.

    I'm not really sure that I need the Primary vault. It contains many of the same items as the Private vault, but it does have fewer items in it than the Private vault.

    Because I have both Primary and Private vaults, is the Primary vault causing the "Reused Password" warning? It didn't before 7.2.1.

  • russtms1
    Community Member

    brenty, I am disappointed with your answer. If I am explaining my situation correctly, and you are responding correctly, every time I generate a password using 1Password's generator, I have to save it to the record for that site, then open 1Password, find the new password under the Passwords category, and erase it manually. Given that, I should either (1) always ignore the "Duplicate Password" warning because it will almost never mean anything useful, or (2) just stop using 1Password's password generation feature. I like the password generator, so we get back to my original request for a way to turn off the "Duplicate Password" warning.

  • AGAlumB
    1Password Alumni

    @russtms1: That's an important safety net in case you don't actually save a Login. As I mentioned above, if you don't want the Password items, you can delete them. What OS, 1Password, browser, and extension versions are you using?

  • AGAlumB
    1Password Alumni

    @spindifferent: The Primary vault is stored only locally on your device, not part of your 1Password.com account. If you have all of your data in your 1Password.com account's Private vault, you can safely remove the Primary by disabling local vaults in Preferences > Advanced.

  • spindifferent
    Community Member

    @brenty, @lars,

    Thanks! Issue resolved with the removal of the Primary vault.

    Keep up the great work!

  • AGAlumB
    1Password Alumni

    You're very welcome! Thanks for the update. It sounds like you should be all set there, but we're here if you need us. :)

  • randy_g
    Community Member

    Ah, I see. My Primary vault got copied to my Personal vault, so everything was a duplicate. So, about that "multiple URLs in a single login", that sounds like a feature I've wanted basically forever--how does it work? I just keep getting more and more separate logins.

  • Lars
    1Password Alumni

    @randy_g - there are a number of ways to cause what you're describing - a Primary and a Personal with duplicated items, but it should never be left that way, due to the increasing likelihood that the data sets will grow dissimilar over time, with some updated items in one vault and others in the other vault. If you're going from a standalone setup with a Primary vault to a 1password.com account, once your data is imported from Primary > Personal, you should definitely remove that old, no-longer-necessary Primary vault. Or at the very least, trash all the items in it, to avoid that duplication issue.

    First of all, set your "Vault for Saving" in Preferences > Vaults to your Personal vault. That will mean new items are by default placed there, instead of potentially going to the Primary vault. Then, in the vault menu at the top left of the main 1Password window, switch to your Primary vault and set the sort order at the top of the items column to Date Modified. This will give you a list of everything you've changed (or added) recently. You can use this to copy anything in the Primary vault that's changed since you created the account, into the Personal vault. Finally, when you're sure you've moved or copied everything relevant over from Primary --> Personal, and there's no more data remaining in Primary that you need but that's NOT already in Personal, you can delete the Primary vault, and you'll be all set.

  • AGAlumB
    1Password Alumni

    There is no facility to ignore password reuse, as that's not really a safe thing to do. If you're using the same account in different places though, you could perhaps use a single Login item for that and add multiple URLs though.

  • dylanl
    Community Member

    Thanks for all the answers so far. From what I've seen, there doesn't seem to be a solution for my specific super-edge-case password reuse, so I'll belt it in here and let me know if there is an easy fix.

    Here goes: For this company, I currently have to have two logins with different usernames and different URLs, but the same password. For example:

    Login 1
    Username: user@something.com
    Password: thisSecretIsRad
    Url: http://url.something.com

    Login 2
    Username: domain\user
    Password: thisSecretIsRad
    Url: http://someotherurl.com

    And, as we'd all expect, this gets picked up as a reused password by 1Password. But, there is no way to have a different password on these two accounts – they're the same account under the hood.

    My ideal solution would be to have it all in one login, and have a set of username-url combinations, with the single password for that login, but from what I can see that doesn't seem possible (and doesn't seem like the implementation of that would be trivial either). That said, I could just be missing something obvious. :chuffed:

    At this point, while the re-used password dialog is just floating around on these two logins, I'm still sleeping fine at night. So, it's nothing major, but I'm always looking to clean things up. :chuffed:

  • Lars
    1Password Alumni

    @dylanl - well, you're right...that IS an edge case. :lol:

    In all seriousness, however, this is exactly the kind of thing that we would likely not think of when designing 1Password, precisely because it is so unusual (side note: this is also partly why there's just no substitute for beta-testing among several thousand volunteers, because nobody can think of all potential use-cases). When we run across one of these, some of the questions we ask are: how many people might this affect? How serious is the issue (i.e. - how significantly does it affect those people who do encounter it)? What would it take to properly address (and is it even possible)? Are there existing ways a solution or not-too-cumbersome work-around could be used? Would the steps needed to address this problem create other potential or certain problems for other users? And (of course) are there any security implications of either leaving it as it is, or trying to change it? Whether we address it or not depends on a mix of answers to those questions. If it's an easy solution, one of the developers may spend a few hours or half a day addressing it, even if it's rare enough that not many people will be affected one way or the other. If it's a more-serious issue, especially if we think it might affect a significant number of people, its chances of getting addressed go up significantly, even if it's a considerably more-complicated solution. With this one? I suspect you're correct that it would be a major re-working of all four clients' filling code to allow more than one set of username/URL combos all based on the same password. You can already add multiple URLs to a single Login item, and even launch them specifically out of the main 1Password window by selecting the appropriate URL to use Go & Fill with, but you're right, I don't think it's a trivial step to accomplish what you're suggesting. 
    However, it's possible we both may have missed something, so I'll certainly mention it -- but given that this is the first time I've heard such a suggestion, I'm guessing that unless it IS a trivial solution somewhere that you and I just didn't see, this one's not likely to be on the punch list any time soon. Just trying to be as honest/accurate with you as I can. Thanks so much for the interesting use-case, and taking the time to share it.

  • jgerry
    Community Member

    I have a use case where I need to use the same password in multiple places. Many things I use for work must use the same password. Company portals, and SSO. But they don't all use the same username, so just adding another URL to an existing login doesn't work. Some use my work email, some use my network username, and some use a different form of my network username.

  • AGAlumB
    1Password Alumni

    Thanks for the feedback. We want to be careful what we do since it will affect 1Password users who don't have this specific use case, but it's something we'll keep in mind. :)

  • Lucent
    Community Member

    I'm seeing "reused password" warnings on items with a unique password, but with a previously used password that was not unique. However, these items do not appear in the Reused Passwords view, just the warning appears as a header on those items individually.

  • Lars
    1Password Alumni

    @Lucent - if you click on the "other item" box, you'll see where 1Password has the other password stored:

  • davidorman
    Community Member

    This is another request to be able to kill the warning on a per item basis, I am also at a company where I have to use Username, Username@domain.com, and domain/Username which are all the same account and get flagged as duplicates, even though they are all the same account.

  • Thanks for sharing your perspective on this, @davidorman.

    Ben

This discussion has been closed.