Disable Reused Password Notification?


Comments

  • AGAlumB
    1Password Alumni

    Thanks for the kind words, and your honest feedback on this! We've kind of reached the limits of what we can (and should) do with the current design, so hoping to come up with something that is more flexible and benefits all of the apps going forward. :)

  • AndreT
    Community Member

    My ten cents... I am not enjoying the red banner in every interaction (I have a single sign-on for working in a big company as external designer), and this would solve our issue - and as Ben mentions his concern, not over-engineer or clutter any interface.

  • AGAlumB
    1Password Alumni

    It's not something we're going to do as that would affect all such warnings, for all affected passwords. At that point, you might as well just disable Watchtower. I think it's worth clarifying that no Watchtower warnings hamper your ability to use those specific Logins or 1Password in general; there is not a modal dialog that you must manually dismiss to proceed, for instance. So while we work on a scalable solution which could allow users to selectively dismiss the passive notifications, you can simply choose to ignore them in the meantime, so we're not throwing out all of the benefits of security notices in general.

  • d21mike
    Community Member

    I was just FORCED to upgrade to 1Password 7 because of Safari 13 update. This "reused password" is a serious flaw in the new version. Without question you should allow us to disable this "feature". I use unique passwords for most sites but for some web sites including some VPN Web Sites I reuse the same password. And some that are not important I use the same password which I actually use a lot. Of course I can clear your page but I cannot auto paste the user/id passwords. I have started more and more to use the password feature on my iPhone instead of 1Password but on my Mac I still use 1Password heavily. This restriction now requires me to manually enter the userid/password or use the copy/paste instead of allowing 1Password to paste the fields. Am I missing something? I mean is there a warning override to say yeah I understand so now paste the userid/password from this selection?

  • AGAlumB
    1Password Alumni

    @d21mike: Unrelated to this discussion, it sounds like you're in read-only mode without a 1Password membership or license for version 7 to unlock all of its features. If you've already got one of those, just add it to the app and you should be all set. Otherwise, this guide will take you through signing up, migrating your data, and setting up your other devices:

    Move your existing 1Password data to a 1Password account

    Let me know if you have any questions. And thanks for your feedback on Watchtower notifications! :) :+1:

  • d21mike
    Community Member

    @brenty - Right, my son is also a customer and he said he had the same problem while upgrading to 1Password 7 until he signed up. After I got a new account it is working now so not as bad as I thought.

  • AGAlumB
    1Password Alumni

    Thanks for the update! I'm glad to hear you were able to get set up with a 1Password membership account. If you have any questions let us know. Have a great weekend! :)

  • HIPVOS
    Community Member
    edited September 2019

    Just a point in question from a security professional - if you are in a public place and log into your 1Password account and a large red banner appears stating you reuse passwords (i.e. you are not as security savvy as you should be) and some unscrupulous person observes said banner surely that poses a security risk? 1Password are announcing to the world 'this is a person who it might be a good idea to hack, count the keystrokes and perhaps get into their sites'. I am not sure a big red banner is a 'discreet' way of informing users they need to be more security conscious.

  • AGAlumB
    1Password Alumni

    @HIPVOS: It isn't intended to be discreet, but rather to notify the user of a security issue that needs to be addressed. It seems like the greater risk in that scenario would be that you're accessing sensitive information in full view of others. Ultimately it's up to you if you choose to do that, but a banner simply pointing out that you may want to change your password to something stronger, without giving away what the current password is, doesn't give someone malicious anything they can actually use to attack you. Accessing anything you wish to keep private in full view of not only someone malicious but also curious/nosy bystanders alike will pique their interest and draw unwanted attention. I won't even visit isecretlylovenickelback.net in public. :)

  • HIPVOS
    Community Member

    @brenty Personally I wouldn't access anything to do with my passwords in public and, as a matter of interest do not reuse passwords but I teach web security to business users (companies both large and small including several multi-nationals) and it was filtered back to me by one large 'chemist' firm based in Nottingham that a couple of their reps have had accounts hacked 'after' logging into their 1Password in a third-party environment. I promised I would bring it to the attention of 1Password that's all.

  • RichieB
    Community Member

    Just like @d21mike I was recently forced to upgrade to 1Password 7 to get the plugin for Safari 13. This obnoxious "Reused Password" box makes me want to go back to 1Password 6. I'll have to give up Safari for Chrome or Firefox but I think I'll get over that easier than getting used to this damn red box in 1Password.

  • AGAlumB
    1Password Alumni

    @HIPVOS: Ah, that makes sense. Indeed, we can't ever recommend accessing any sensitive information on an untrusted device especially, but also in a situation where you'd be effectively broadcasting your secrets to those around you. Rather than having been "hacked", it sounds like they essentially gave away their credentials. The only solution in that situation is to change the passwords of affected accounts (and/or the Master Password/Secret Key if the attacker captured those on a compromised device). It is not possible to take back secrets once they have been in the possession of someone else, only to prevent access to future changes -- which of course is the point of the reused password notice: to let the user know about such a risk factor so it can be addressed.

  • AGAlumB
    1Password Alumni

    @RichieB: Thanks for your feedback. We're looking into ways to offer more flexibility in the future.

  • Kii0ri
    Community Member
    edited October 2019

    I use 1password at work and we have some systems that integrate with LDAP where the login would be user and some systems that integrate via our SSO page where the login would be user@domain.com. Both accounts have the same password because they both populate from the same source (Active Directory). I have two different records for LDAP vs SSO so that the correct username is populated on the different pages, but I annoyingly still get the banner. I linked the two accounts but the password banner doesn't go away. This is my only shared password so it is putting the little badge which is triggering my OCD and I want it to go away.

  • Ben

    Hi @Kii0ri

    That is certainly one of the situations that has led to us evaluating how to best address this concern. That is not an uncommon use case.

    Ben

  • scottbb
    Community Member

    I have been slightly annoyed by this issue only in the cases where there actually isn't password reuse (but 1Password only thinks there's reuse because of what I assume is a 1:1 database model):

    1. I maintain several Google accounts (personal, work, nonprofit organization), and for each of them I also have an email-type entry in 1Password. 1P thinks each Google account's password is reused once, with the corresponding email-type entry. (To be fair, I suppose in these specific cases, I could just delete the email/IMAP entries, but I also need to maintain several non-Google email accounts, and my own mental model would prefer to have a complete list of all email entries as, well, email).
    2. I maintain a few virtual server instances at hosting providers, so each of them are server types in 1P. But several of them also have web-based console/shell logins provided by the hosting, so those user/password pairs also get saved by the browser plugins. So in each of those cases, 1Password thinks I'm reusing the passwords once each (but of course, I'm not).
    3. Things such as airlines and rental cars rewards programs that have PINs, which they also use as the password to login to their websites (ugh, don't get me started on their entire online security postures), so they show up as reused passwords.

    I had several other cases that I thought were valid exceptions to the current reused password situation, but they all turned out to be "just combine the two items to maintain multiple websites in one item", or "it's an old entry before company/service rebranded. Now is a good time to clean out some old junk from 1Password". =)

  • AGAlumB
    1Password Alumni

    Thanks for sharing those examples! While I think it's probably good to have an excuse to clean things up a bit, we'll keep those in mind as well. :)

  • bittwister
    Community Member

    I feel I have to point out one other thing on this thread. Yes, I understand the rationale behind having the warning, and yes I'm annoyed by it. But there's one other thing. I've been a software and network engineer since the 1970s. I've used all kinds of computing devices, and have had more logins than I could ever count. But I've also learned not to place all my trust in any one system, product, or vendor. Sooner or later EVERYTHING fails. That's why I choose to create my own passwords. I have passwords for websites and services to which I turn for technical support and service, forums much like this one here, where the passwords don't have to be particularly secure, because there is little or no impact to a breach, no vital personal information, and nothing to lose. No need for an uncrackable, impossible-to-memorize password. Then I have logins on systems that I need to test, but not use. I keep no valuable data there, sometimes not even my real name. Also no need for a super-secure password. And then there are the important logins. Banking, government, insurance, medical, email, social media. Of course those passwords must be secure (heck, one of them is over 40 characters long). So I have a few complex, very secure passwords that I can remember, and several that are not so secure, and I can still remember.

    I want all of these passwords in 1Password, mostly for the sake of convenience. I love that 1Password helps me keep them straight, but I'm not going to trust 1Password, or any piece of software, to be the ONLY one that knows what my real passwords are. I'm not going to put that level of trust in anything. Nothing is infallible. So I choose to make up my own passwords, and I don't feel a need to have a different password for every little website I ever log into. I love AgileBits; they're a class organization. But do I expect that they will be here and completely reliable forever? I've seen too many products and companies come and go.

  • AGAlumB
    1Password Alumni

    @bittwister: Well, nothing is forever. Eventually we'll all be dead and long-forgotten. But we've been around for over a decade now, and intentionally charge sustainable prices for our software so that we continue to do so. But even if we vanished without a trace tomorrow, 1Password has no magical self-destruct that would prevent you from accessing your data and exporting it. So I think a lot of what you said doesn't stand up to scrutiny. And, ultimately, it's not reasonable for us to design 1Password around people creating their own passwords since the vast majority of our customers are using it expressly to not do that. And having "a few complex, very secure passwords that I can remember, and several that are not so secure, and I can still remember" is not something we can recommend since doing so diminishes overall security by not putting everything you've got into one unique Master Password that will become easier to remember and type over time due to use and exponentially stronger than a password even slightly shorter. What you choose to do personally is your prerogative, but it's not something anyone should be encouraged to do, both because we can all do better, and 1Password helps, and because it's a bad habit to get into even if it's for things that seem unimportant. It's actually less work for 1Password to have 1Password create a unique password that is total overkill and more secure...and that's what you're paying it to do after all. ;)

  • abeness
    Community Member

    +1 for I'd love a way to disable/hide the "Reused Password" banner.
    Lars, the Word image with all toolbars enabled above is cute but unhelpful in this context. Options exist "under the hood", not "in your face". The Reused Password banner is in my face, huge, bright color, and cannot be turned off. That makes it distracting and offensive, however helpful you folks mean to be. As someone else opined, "my security is my business". I don't mind the warning once, but want to dismiss it. Thanks.

  • AGAlumB
    1Password Alumni

    Thanks for sharing your perspective. Happy holidays! :)

  • gek
    Community Member

    I was just curious if there was ever another feature in 1password that incited as much negative passion as this one?

  • vplewis
    Community Member

    @gek My guess would be the announcement of the subscription model.

  • gek
    Community Member

    @vplewis That makes sense, but I can understand it. They need to make money to keep developing the software. At least there's a reason for going to the sub model.

    This seems to be entirely motivated by a purist attitude. The users could be made happy with a day of coding, but someone doesn't want to do it because it is "wrong". It is the kind of thing you sometimes (often?) see in the kernel wars on Linux but seldom do you see such an unforced error in a commercial product where the goal is to make users happy. So seldom do you see software companies arguing that something users hate needs to stay in the product because it is good for them.

    Apple kind of did this for a while. They were concentrating on novice users so much they were starting to lose professional programmers and creatives. They've changed course for the most part, but there are a lot of people I know who only used to use Apple and now don't. Apple is still trying to recover, but of course they have the resources to do it. Although without question Microsoft and Google benefit from the misstep.

    It says something that people are getting so angry over the issue. It means people love the product and they feel it is better than the competition. I hope they relent and don't become a company guided by a particular religious belief on how security should happen. Most companies like that have a very loyal following but tend to be pretty niche. If enough people stay angry, eventually there will be a product aimed at more advanced users who want more control.

  • Lars
    1Password Alumni

    @gek - thanks for weighing in again on this subject. As always, keep an eye on release notes in updates for news of changes or new features related to this (and other issues).

  • gek
    Community Member

    @lars I have a tickler to come back and check every quarter. It's been longer than I thought, but my fingers are still crossed.

  • Lars
    1Password Alumni

    @gek - our version history server is where you'd see the news of progress on this or any other new feature or improvement. This is a historical record of the Release Notes of every update, going back to the very beginning. If you're not already, switching to the beta channel by clicking "include beta builds" in 1Password > Preferences > Updates will be the fastest way to get new updates as soon as they're available.

This discussion has been closed.