Windows and Mac apps showing mixed results [short numerical passwords are treated as PINs]

edited March 22 in Windows

I'm not impressed... Also, 1Password for Windows regenerates a 6-digit vulnerable password every time.

1Password 7 for Windows
Version 7.3.657

1Password 7 for macOS
Version 7.3.BETA-3 (70300003)

[Screenshots: Windows, macOS, Windows, macOS]


1Password Version: 7.3.657
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Dropbox

Comments

  • With 6 digits, do you mean 6 numbers? If so, the probability that almost *every* 6-figure combination is in all the breaches that exist is quite high, to be honest.

  • bundtkate

    Team Member

    There's a chance this is the result of your Mac app not having checked vulnerable passwords as recently as your Windows app, @Shawzborne, but given the password in question is short and digits only, it's more likely a difference between how 1Password for Windows checks for vulnerable passwords as compared to 1Password for Mac. I'm confirming that with our Mac team as we speak, but I'll be surprised if they tell me I'm incorrect. Related to @peacekeeper's point that 6-digit passwords are likely vulnerable across the board, 1Password for Windows will exclude a password from Watchtower checks if and only if it's composed entirely of digits, is 6 characters long or shorter, and doesn't have a URL entered in the website field. That last bit is where I believe 1Password for Mac differs: they will exclude ALL all-digit passwords of 6 characters or shorter, regardless of the website field.

    Without going off on a rant about password composition limitations and the security impact thereof, I can see both sides of this. I can't say for certain that each and every combination has been breached, but there's a good chance they're all pwned across the board. As a result, regenerating is effectively a futile effort. So, what's the best choice when any password the site will accept is going to be vulnerable? I personally like seeing these passwords flagged. It serves as a reminder that this is an account worthy of extra attention and caution and that I should monitor it with care. Or, more accurately, look for a different service to accomplish the same task that allows me to choose a secure password. On the other hand, there are cases where you have no choice in the matter and seeing that constant reminder could get annoying when you can't do anything to resolve the problem. I'm not certain there is a right answer for everyone, but hopefully that helps to explain the disparity.

    Regardless of which path we take, there is value in consistency here. I can't opine on which implementation will win out, but I do think this should be consistent between apps. I will make sure both our Mac and Windows team are aware of this, so they can discuss amongst themselves and decide how best to handle these sorts of cases moving forward. :+1:
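
The two exclusion rules described in the reply above, written out as an added example (this is not 1Password's code, and the breach corpus, item fields and function names are constructed for illustration). It models Watchtower's breached-password check with a local SHA-1 prefix index shaped like a k-anonymity range lookup, then runs the same vault items through the Windows rule (skip only when digits-only, 6 or fewer characters, and no website) and the Mac rule (skip every such password), so the disparity in the screenshots can be reproduced offline:

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Item:
    """Minimal stand-in for a vault login item (assumed field names)."""
    title: str
    password: str
    website: str = ""  # URL field; empty string when the user entered none


# "6 characters or shorter and composed entirely of digits"
SHORT_ALL_DIGITS = re.compile(r"[0-9]{1,6}")


def excluded_windows(item: Item) -> bool:
    """Windows rule as described in the thread: exclude from Watchtower
    only if all digits, <= 6 chars, AND the website field is empty."""
    return bool(SHORT_ALL_DIGITS.fullmatch(item.password)) and not item.website.strip()


def excluded_mac(item: Item) -> bool:
    """Mac rule as described in the thread: exclude every all-digit
    password of <= 6 chars, regardless of the website field."""
    return bool(SHORT_ALL_DIGITS.fullmatch(item.password))


# Constructed breach corpus. Real Watchtower consults Have I Been Pwned via
# the SHA-1 k-anonymity range API; this builds a tiny local index with the
# same shape (5-hex-char prefix -> set of 35-char suffixes) so it runs offline.
BREACHED = ["123456", "000000", "654321", "111111", "password"]


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


RANGE_INDEX: dict[str, set[str]] = {}
for _pw in BREACHED:
    _h = sha1_upper(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_pwned(password: str) -> bool:
    """k-anonymity style lookup: only the 5-char prefix would leave the
    device; the suffix comparison happens locally."""
    h = sha1_upper(password)
    return h[5:] in RANGE_INDEX.get(h[:5], set())


def watchtower_report(items: list[Item], exclude) -> list[str]:
    """Titles of items flagged as vulnerable under the given exclusion policy."""
    flagged = []
    for item in items:
        if exclude(item):
            continue  # treated as a PIN, never sent to the breach check
        if is_pwned(item.password):
            flagged.append(item.title)
    return flagged


# Constructed vault contents: same PIN with and without a website, a
# breached word password, and a 6-digit value absent from the corpus.
SAMPLE_ITEMS = [
    Item("Bank card PIN", "123456"),
    Item("Phone carrier", "123456", "https://carrier.example"),
    Item("Old email", "password", "https://mail.example"),
    Item("Parking app", "987654", "https://parking.example"),
]

if __name__ == "__main__":
    print("Windows flags:", watchtower_report(SAMPLE_ITEMS, excluded_windows))
    print("Mac flags:    ", watchtower_report(SAMPLE_ITEMS, excluded_mac))
```

Under the Windows rule the "Phone carrier" item is flagged because it has a URL, while the "Bank card PIN" item with the identical secret is skipped; under the Mac rule both are skipped and only the word password is reported. A 7-digit password is not matched by either rule and is always checked.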

  • Both 1Password 7 Password generation and authentication/watchtower should be exactly the same clear across the board. I need a much better answer than this.

  • bundtkate

    Team Member

    I can't give you any explanation beyond the above, @Shawzborne. You're right that these should be consistent, but the present inconsistency is temporary and the result of slightly different handling of a particular scenario. I did learn from our development team that 1Password for Windows is handling this properly and 1Password for Mac will ultimately adopt that strategy, but in this case, any password you choose or generate that meets the requirements of being 6 characters and digits only is almost certain to be technically vulnerable. Given there are so few 6-digit combinations overall, this isn't really an actionable warning and the only time this inconsistency will exist is in this specific case where you are highly unlikely, if not certain, to be unable to fix it.

  • brenty

    Team Member

    Both 1Password 7 Password generation and authentication/watchtower should be exactly the same clear across the board. I need a much better answer than this.

    That actually was Kate's answer:

    Regardless of which path we take, there is value in consistency here. I can't opine on which implementation will win out, but I do think this should be consistent between apps. I will make sure both our Mac and Windows team are aware of this, so they can discuss amongst themselves and decide how best to handle these sorts of cases moving forward. :+1:

    Anyway, I'll close this discussion and we'll continue to improve 1Password's consistency across platforms. Thanks for your feedback! :)

  • Thank-you team keep up the good work

  • brenty

    Team Member

    Likewise, thanks for your feedback! Even when we're not able to do exactly what you want when you want us to, it helps a lot for us to challenge our assumptions, and/or get pushed to do better. Have a great weekend! :chuffed:

This discussion has been closed.