Reused Password warning

13

Comments

  • nohat00
    nohat00
    Community Member

    I also have this problem, and I think the inability to dismiss the warning for certain known valid exceptions is pernicious. It's red and bold because it's supposed to be important, but now I see it all the time, and there's no real way to make it go away, so I've become inured to the warning. If I were to have a duplicate password elsewhere the warning would be displayed but I would probably not notice it because I'm so used to seeing the warning and remembering to ignore it on my legitimate multiple-account/same password situation.

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @nohat00! Thanks for weighing in. :)

  • Lars
    Lars
    1Password Alumni

    @nohat00 - actually, let me reply in a bit more detail than I just did, because frankly, you make an excellent point that a warning you're forced to ignore too frequently because it's inaccurate, unavoidable or irrelevant can result in you being increasingly likely to ignore it in cases when it might be legitimate.

    We instituted these warnings because password re-use is one of the most dangerous practices users sometimes take that falls in the wheelhouse of what 1Password can help with. We've been telling users and the general public for years to avoid password re-use, as a "best practice," but we wanted to make it a little more prominent within 1Password itself since users may often not even remember where they might have re-used a password. And since it's trivial for computers to find such duplicates, a nice big red warning banner could be quite useful indeed in helping all users reduce their target surface to potential attackers by changing duplicate passwords.

    Yet - as you say - any warning banner one has to ignore daily loses its effectiveness as a warning and becomes just annoying background noise instead. And there's the rub: if we didn't have these warnings at all, then the increasing numbers of newer and less-sophisticated 1Password users might never realize how widespread their reused password problem is...and potentially be vulnerable. So we create the warnings. But then if we don't allow "power users" to defeat/suppress/hide these warnings, they may become inured to their impact...and potentially be more vulnerable. And if we DO allow users to defeat/suppress these warnings, then some of those less-sophisticated users may wind up doing so inadvertently, thinking they're still protected...and be more vulnerable. And a cynic might even say that if someone is a "power user," then they should know better than to re-use passwords in the first place and don't need those warnings anyway.

    To be clear, that last bit is certainly not our belief/position...but I point it out as an example of how coming up with the right decision that works best for the greatest number of people and doesn't leave anyone "out in the cold" is often not nearly as readily apparent - let alone as easy to code - as it might appear. So while we appreciate both power users' general passion around this topic, and your specific point about the impact of a warning being lessened if it's a "boy who cried wolf" situation too often, I'd like to thank people for their patience on this topic as we work toward such a solution that takes into account our security obligations as well as the best interests of all our users. :)

  • fkrauthan
    fkrauthan
    Community Member

    I have a similar where multiple servers behind a secure jumpbox share the same password. Since I manage the passwords in 1Password I now get for all entries this annoying warning banner. A option similar to 2FA skipping would very much appreciated. Call it "IKnowMyPasswordIsDuplicated" tag or something to really indicate that people know what they are doing. But please don't prevent us from hiding in special cases that annoying banner.

  • Lars
    Lars
    1Password Alumni

    @fkrauthan - thanks for your input on this issue. :)

  • placated
    placated
    Community Member

    I'm looking at 1Password as a replacement for Dashlane, as I don't want a lot of extras - just password management.

    Frankly, this warning is a dealbreaker for me. I can see warning about it when inputting a password that is detected to be a dupe, but a persistent nag like this really detracts from a good piece of software. I, as a user should be able to acknowledge this risk and continue to use the software as I see fit to my own personal use cases. I understand that you don't want to lead less technical users astray, but you are doing it at the risk of alienating more advanced users.

    In my specific case, I log into many different websites that are all authenticated via LDAP. On these sites I'm using the same credential, but the site might look at different LDAP attributes that get considered as a user. So I might have a single credential, with a single password, but with differing usernames. The only way I can really do this is to have different credentials with differing usernames, with the same password, perpetually subjecting me to a nag. No thanks.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @placated! Welcome to the forum and thank you for sharing your feedback too :)

  • shmcg
    shmcg
    Community Member

    I'm going to chime in here too. My biggest source of "reused password" warnings is identical logins in multiple vaults. I share my Netflix password with both my husband and my parents. This means my Netflix password is in two different vaults. The login entry is 100% identical (URLs, notes, tags, etc).

    In addition, I also have a lot of passwords I cannot change because the account is defunct or like the above, I have to use the same password with different usernames for work.

    I am tossing my hat in the "please give us a way to disable this on each login" ring.

  • ag_ana
    ag_ana
    1Password Alumni
    edited April 2019

    Thank you too for your thoughts on this @shmcg :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @shmcg: That sounds like a good candidate for saving in the family Shared vault then, to give everyone access to the Netflix account, rather than storing separate copies of it in multiple vaults. Something to consider. :)

  • shmcg
    shmcg
    Community Member

    @brenty I have a shared vault with my parents and a shared vaulted with my husband. For the six items where there is crossover, another vault would add more hassle than value.

  • ag_ana
    ag_ana
    1Password Alumni

    @shmcg Can you clarify what you think would make an extra vault a hassle? Perhaps we are able to give you some tips.

    Once the vault is created and configured, it will show up to all users automatically, and you won't have to do anything else other than moving these 6 items there :)

  • JeffreyBrown
    JeffreyBrown
    Community Member

    Ok, so I have a pinterest login item that shows up in the reused list because of 3 password items that share the same password, all for the same account on pinterest. Are you suggesting that I should I be deleting all password items (that seems wrong) to avoid these false positives? Shouldn't 1password just look at login items for re-use and ignore password items for the same site? I have 762 reused login items, the vast majority of which are only in there because of password items for the same site that I generated.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @JeffreyBrown! :)

    Reused Passwords are items in your current vault that share the same password. As you correctly mentioned, this can also happen when you use the password generator: that password is saved inside the Passwords category, but if you then also create a Login item with the same password, you would technically have two items using the same password (even though, in practice, this is not a reused password case).

    Are you suggesting that I should I be deleting all password items (that seems wrong) to avoid these false positives?

    If you have a Password item that is already included in the related Login item, then yes, there is no need to keep the Password item around.

    Shouldn't 1password just look at login items for re-use and ignore password items for the same site?

    I think 1Password is doing the right thing when it checks under all categories for this. You could have a password reuse problem even if these passwords are not connected to a Login item. Imagine you are storing some encryption passphrases in your Password category: if you use the same passphrase for multiple devices, it seems correct for 1Password to alert you of this, even if these are not website logins.

    I have 762 reused login items, the vast majority of which are only in there because of password items for the same site that I generated.

    Is there any reason why you are keeping the single Passwords items in your vault, even if the login items are already including these passwords?

  • JeffreyBrown
    JeffreyBrown
    Community Member

    Heh, i guess there isn't a reason why I'm keeping them. And you're correct, it's better for 1password to be thorough. I'll remove all of the single passwords and get rid of my reused items.

    Thanks!

    jeff

  • Thanks for the update @JeffreyBrown. :)

    Ben

  • ron101845
    ron101845
    Community Member

    I need to be able to clear this warning, it's useful once, then annoying from then on.

    For example....I've got a grocery store points card. This grocery store has an apparel site (Joe Fresh). The site is completely separate, but the login is my points card.

    So...this warning appears constantly and I find it only slightly less annoying than Apple's forced software update badges.

    Please allow an option to clear this warning!

    If I sound complain-ey, it's only because 1Password is so damn good, that these little things stand out like sore thumbs! < < (that's a compliment)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for the feedback -- and kind words about 1Password! I don't have anything to add to what's already been said here, but it's something we're exploring. :)

  • cowboyscott
    cowboyscott
    Community Member

    Late to the discussion here but wanted to chime in.

    I agree with @ron101845. The ever present warning is annoying and intrusive, especially because it's at the top of every login. I understand agilebits desire to make sure our passwords are safe, but give us the option to dismiss this warning or at a bare minimum move it to the bottom of the login so we don't see it every time.

  • @cowboyscott

    You're seeing this at the top of every login? Are you using the same password everywhere? If so I'd have to strongly discourage that practice. That's precisely what the warning is there to help stop folks from doing. :)

    Ben

  • cowboyscott
    cowboyscott
    Community Member

    On every login that has a shared password. Just looking for the option to dismiss (maybe for a time period) or move warning to bottom of the login.

  • Gotcha. :+1:

    Ben

  • dmz33
    dmz33
    Community Member

    So if I want to intentionally use a duplicate password I have to see the warning? Seems a shame that the program overrides the users wishes, even if it's safer not to, even if it's better not to, I still want the ability to reuse it perhaps stupidly, against the better judgement of your programmers and your intended use to force use of your superior generated passwords and locking in a user to your program. So yes, I would like the option to override a program at my behest even if it's wrong, stupid and/or in error.
    Looks like this version has gone too far, so after 10 years I'll no longer be able to use it as a repository of passwords (456 and counting at present) but to be steered into force-use of your better technique. Shame...

  • Ben
    Ben
    edited June 2019

    @dmz33

    To be clear: we don't prevent you from re-using passwords. But we do show a warning when doing so. The point isn't to lock you in. We offer export options so anyone can take their data with them at any time they wish. The point is to encourage better password hygiene, which is really the major point of using a password manager. There are some cases where having duplicate passwords is unavoidable, and we're looking into how we can best address those situations to avoid "warning fatigue." We're just not quite there yet. Either way, whatever you decide, I hope you're able to find a solution you're comfortable with and confident in. Best of luck.

    Ben

  • dmz33
    dmz33
    Community Member

    Yes, I understand and didn't mean to come off excessively gruff, but the warning is a bit intrusive. And I'm not quite sure what you mean by 'better password hygiene, which is really the point of using a password manager'. For me the point of using the password manager is to keep track of all the passwords in my life, not necessarily the quality of the passwords. For instance I have duplicate passwords for sites that I don't really care if they are hacked as I interact with them minimally if ever more than once, and I have pass phrases that are quite long for those important sites that are easy for me to remember but yet long enough (30-50 characters) to slow a computer down. In the end, I'll just have to endure the warnings, it would be nice if they could be a minimized, or made smaller.
    thanks

  • GeezerDude
    GeezerDude
    Community Member

    This issue was raised 9 months ago and you guys are still "exploring". If it's just never going to be an option just say so, because it certainly sounds like you are over thinking this problem. Oddly enough for such a crazy important feature, it doesn't exist on the iphone app.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @GeezerDude: We get a lot of different feedback from different people, so yeah. ;) You may think it's "overthinking", but we've got literally millions of people who will be affected by any change; and one in this area can impact security, so I'd really prefer we're "overthinking" it a bit than the converse. :)

    P.S: 1Password for iOS does support Watchtower notices of some kinds, but we are working to bring some of the newer stuff there as well.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2019

    @dmz33: I can certainly se where you're coming from. And maybe you're not wrong. But do you really know that one of those sites getting compromised, leading to others getting compromised (by using the same password, etc.) will have no impact on you? I certainly can't keep track of that in my head: what information have I given to Site X or Y, which also happen to use the same password as Site Z, which was breached and now the password is known so that anyone -- literally, when the data is released on the internet -- can sign into any of them? Maybe nothing super sensitive. But perhaps something embarrassing, or even just a hassle if I have to track it down and put a stop to it. I've got better things to do that worry about this stuff (and deal with any fallout -- sometimes even just figuring out what that is is the tough part), and I'm sure you do too. So I'd encourage you to use a unique password for each website, even ones you don't think are important, if for no other reason than it's one less thing to deal with. A small price to pay for peace of mind and time in the long run. And, I mean...there's an app for that! :)

  • GeezerDude
    GeezerDude
    Community Member

    @brenty Thanks I appreciate the PS. I'll be finding a new password manager.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I don't follow, but you're welcome.

This discussion has been closed.