Suppress the "Reused Password" prompt

jaredmeakin
jaredmeakin
Community Member
edited November 2019 in Mac

Hi 1Password Support!

I'm hoping I can bring a use-case to your attention that I'm sure you'd typically advocate against. Specifically, disabling the "Reused Password" prompt on select logins.

The use case is this:

I'm a user who likes to store all of his passwords in 1Password—this includes my work credentials. However, a lot of enterprise systems leverage Active Directory for authentication. Often times these systems are protected with two-factor, intranet only access, or other security measures.... my password will always be the same for these systems.

Thus, having these accounts show up as warnings/flags is a false-positive in this scenario.

Possible solutions:

Being able to selectively disable/ignore/hide the "Reused Password" prompt would allow for two things. First, the ability to suppress undesired prompts by the user when it is not relevant. Second, enough friction/difficulty that most end users won't choose to suppress this prompt as a means to subvert good security practices (E.g. not reusing a password).

Thanks - Jared!


1Password Version: 7.3.2 (70302004)
Extension Version: Not Provided
OS Version: OS X 10.14.5
Sync Type: Not Provided

«1

Comments

  • Ben
    Ben
    edited August 2019

    Hi @jaredmeakin

    We'd definitely like to find a way to suppress this warning for multiple logins that are essentially for the same account (e.g. Active Directory, as you mentioned). This is one of the major items I've been advocating for recently. I'm hopeful we can find a solution but we do have a lot of other irons in the fire right now, such as prep work for the upcoming Apple OS releases in the fall. Once we get beyond that hopefully we'll be able to have some development time devoted to resolving this.

    Ben

    ref: apple-2451

  • rlf
    rlf
    Community Member
    edited October 2019

    I just wanted to second the need for a way to disable the Reused Password warning. If you use the Google Cloud Platform, Google will want to use your Gmail account name and password to log into your Google Cloud Platform / Analytics Dashboard. Your Gmail and your Analytics dashboard are on two separate sites with different URLs.

  • @rlf

    A single Login item can have multiple website fields, each with completely unique URLs. But yes, we are still looking into this.

    Ben

  • HinghamHarborMan
    HinghamHarborMan
    Community Member

    +1

    I would love to see this feature for AD auth accounts. Definitely a frustration of mine. For some of the websites I can use one entry, but others I need to put notes with the specific login and keeping all those notes in one entry doesn’t work at all.

    Cheers,
    Josh

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for weighing in with the specific use case. We're trying to come up with a scalable, flexible solution that we can use everywhere, so it really helps to get different perspectives. :)

  • andrewmeissner
    andrewmeissner
    Community Member

    Can I 3rd this? :)

    Even something as short term as adding an "Active Directory" label to the "reused" passwords, just to squash the warnings would be nice.

  • @andrewmeissner

    You can 47th this, but someone else already 3rded it. ;) We're well aware of the need, we just need to figure out a good way of doing this that doesn't hamper the purpose of the feature. We've had some good conversations internally on the subject, and the team is well aware of the need for a solution. I can't make any promises, but I will say that I think we're heading in a good direction.

    Thanks.

    Ben

  • mgenereu
    mgenereu
    Community Member

    Please support different website usernames as well as the URL. I have some sites that use my Active Directory name and some that use my email address. I tried creating sections for each site with labels that match the form/text field ids.

  • Thanks @mgenereu. We're aware that Watchtower's alerting doesn't work well in conjunction with SSO/Active Directory authenticated services. I wish I had more encouraging news to share, but we haven't found a way we can agree on to improve this at this point. Our development team is aware of the problem and the debate about how to handle it continues.

    Ben

  • mgenereu
    mgenereu
    Community Member

    Oh yeah... I wasn't pushing. Just that the username could change per website for the shared password.

  • Indeed, that is one of the difficulties in finding a solution for this. Many folks might need to record up to three different usernames for what is ostensibly the same account:

    • user@domain.tld
    • DOMAIN\user
    • user

    We don't currently have any support in the underlying framework of 1Password for different usernames for different sites, other than by saving separate Login items for each of them. But then you have multiple Login items with the same password, which triggers Watchtower's reused password notification. So we do understand the difficulty, and indeed even run into it internally in some cases.

    Fingers crossed we're able to come up with a solution that works well and is agreeable to the majority of customers who run into this sort of thing.

    Ben

  • afilina
    afilina
    Community Member

    Just give us a button to dismiss the message, that is, to disable the duplicate verification for that item. You can have a confirmation popup reminding the less technical users about the importance of using different passwords.

    I work with a whole lot of clients and most of them use AD, causing up to 10 entires per password. Almost every one of my passwords has a big fat warning on top. This prevents me from noticing the passwords that actually need to be changed, defying the purpose of that feature.

  • Just give us a button to dismiss the message, that is, to disable the duplicate verification for that item. You can have a confirmation popup reminding the less technical users about the importance of using different passwords.

    We don't currently have anywhere to store that sort of per-item metadata, is the problem. We have to build a way to store that information.

    I work with a whole lot of clients and most of them use AD, causing up to 10 entires per password. Almost every one of my passwords has a big fat warning on top. This prevents me from noticing the passwords that actually need to be changed, defying the purpose of that feature.

    I understand.

    Ben

  • JimLeask
    JimLeask
    Community Member

    Another example (as if you need more). Facebook and Facebook Messenger are different apps, but use the same Facebook login/password, so get flagged. How about you give us the ability to explicitly link two records. I could then say in my Facebook record that Messenger uses the same credentials, which should allow you to short circuit the reused password check.

    My 2¢ for what it's worth...

  • Hey @JimLeask

    For that case you can actually add multiple website fields to a single Login item. That would allow you to use the same credentials for both without getting flagged by Watchtower. :)

    Ben

  • kblinhou
    kblinhou
    Community Member

    Hey, @Ben, here's a variation I've not been able to figure out that's another use case for this feature: I teach on a bunch of different machines -- old a new MacOS's, same witn Windows, and ChromeOS. Primary archive is in dropbox. Without a 1password native ChromeOS app, I use the browser plugin -- but the one that ties to a family archive in your cloud. When I copy the very few entries from my primary archive to the family one so I can at least access them on ChromeOS, it calls them duplicates. That doesn't seem to like it ought to cause the same warning, since it's the same credential, just in two archives. Is the feature that you're discussing the one I'm waiting on to solve this type of reuse warning?

  • @kblinhou

    My apologies — I'm not quite following the purpose of the multiple vaults, and thus the multiple copies of each record. We generally don't recommend continuing to use a 'Primary' vault when you have a 1Password membership. The migration guide includes instructions for deleting the Primary vault, which is what we typically recommend. Then everything would be stored in a membership vault, which can be accessed from any of your devices.

    Ben

  • sam_hall
    sam_hall
    Community Member

    I've got to let you know that we're considering other options due to issues such as these. The general consensus in my organisation seems to be that 1password isn't really built for the workplace. We're not seeing much evidence that this might change anytime soon.

  • ag_ana
    ag_ana
    1Password Alumni

    @sam_hall:

    Sorry to hear this! If you are using 1Password is your business, I encourage you to reach out to your account manager at business@1password.com and raise your concerns there. They will be happy to discuss this with you ;)

  • azizmoalim
    azizmoalim
    Community Member

    +1

    I have three 1Password logins for essentially the same account. Surpressing Watchtower for select logins or linking the three would be nice.

    samaccountname@domain.tld
    DOMAIN\samaccountname
    samaccountname

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for chiming in on this as well @azizmoalim! :)

  • REBELinBLUE
    REBELinBLUE
    Community Member
    edited August 2020

    Just leaving my comment here as well, similar situation, the same password on multiple sites due to centralised account management but can't merge them into 1 item with multiple sites as they all have different OTOPs.

    Could we not "just" (I put just in quotes as I am also a developer and know when a user says that it is never that simple...) get a tag like "reused" to suppress it, like there is the "http" tag to suppress the warning about links like your router not using HTTPS? Instead of trying to come up with logic to do it automagically

  • @REBELinBLUE

    It is possible to have multiple labeled TOTP fields on a single item, for what it's worth. :) The tag thing was always a bit of a hack, and the team decided against using that method going forward. Thanks for expressing your interest here.

    Ben

  • REBELinBLUE
    REBELinBLUE
    Community Member

    Yeah but sadly only the first one appears in the box with the username and password and you can't drag them above the website addresses so if you have several websites and several one time passwords they appear quite far down the screen so the usability isn't great :(

  • Fair point. Hopefully we can come up with a better solution in the future, but I think merging to one Login item would be the best I could suggest for now.

    Ben

  • jms1
    jms1
    Community Member

    I'm running into the same exact issue - multiple systems which all authenticate against the same back-end "active directory" servers, but four different usernames: username, username@domain.corp, DOMAIN\username, and first.last@company.com, all using the same password. However, I'm also having a related but slightly different issue.

    Most of the items have URLs attached, which I thought should act as a hint for which item is selected in the browser plugin or menu bar widget, however when I visit any of these sites, even the ones where an exactly matching URL exists on one of the items, the UI shows all of the items which have that password, sorted by the item's titles, with the first one pre-selected. I then have to stop and remember which item corresponds to this site and click on that, all the while ignoring the red banners at the top of all of the items, before I can log in.

    It's not a show-stopper, but it is irritating, and as time goes by it becomes more and more irritating.

    (This is using 1Password 7.6 on macOS Catalina, if that's important.)

  • Thanks @jms1. Unfortunately that is one scenario where we don't currently have a good solution available. If all of these sites could accept the same username, the records could be merged. Having different usernames... Admittedly not a great workflow available at this point. Hopefully our team will be able to come up with a better way of approaching this in a future version.

    Ben

  • 1PNY
    1PNY
    Community Member
    edited November 2020

    I am also ...still... waiting on a resolution to this.

    At the very least give me the ability to turn off CROSS-VAULT duplicate password alerts. I have vaults with different imports of various password managers for historical purposes, as well as my current active live vaults, some of which have passwords. Additionally, I have a family shared vault that has copied records to let family members access them without me losing the original.

    (I also have the Active Directory issue with lots of sites having the same password for a varied username, for my work.)

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you @1PNY, feedback noted :)

    ref: dev/projects/customer-feature-requests#130

  • oxplot
    oxplot
    Community Member

    Can't see it mentioned anywhere, but maybe an interim tag based solution would be useful: add tags to items to avoid watchtower alerts of certain kind.

This discussion has been closed.