Suppress the "Reused Password" prompt

edited November 2019 in Mac

Hi 1Password Support!

I'm hoping I can bring a use-case to your attention that I'm sure you'd typically advocate against. Specifically, disabling the "Reused Password" prompt on select logins.

The use case is this:

I'm a user who likes to store all of his passwords in 1Password—this includes my work credentials. However, a lot of enterprise systems leverage Active Directory for authentication. Oftentimes these systems are protected with two-factor, intranet-only access, or other security measures... my password will always be the same for these systems.

Thus, having these accounts show up as warnings/flags is a false-positive in this scenario.

Possible solutions:

Being able to selectively disable/ignore/hide the "Reused Password" prompt would allow for two things. First, the ability to suppress undesired prompts by the user when it is not relevant. Second, enough friction/difficulty that most end users won't choose to suppress this prompt as a means to subvert good security practices (e.g. not reusing a password).

Thanks - Jared!


1Password Version: 7.3.2 (70302004)
Extension Version: Not Provided
OS Version: OS X 10.14.5
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member
    edited August 2019

    Hi @jaredmeakin

    We'd definitely like to find a way to suppress this warning for multiple logins that are essentially for the same account (e.g. Active Directory, as you mentioned). This is one of the major items I've been advocating for recently. I'm hopeful we can find a solution but we do have a lot of other irons in the fire right now, such as prep work for the upcoming Apple OS releases in the fall. Once we get beyond that hopefully we'll be able to have some development time devoted to resolving this.

    Ben

    ref: apple-2451

  • rlfrlf
    edited October 2019

    I just wanted to second the need for a way to disable the Reused Password warning. If you use the Google Cloud Platform, Google will want to use your Gmail account name and password to log into your Google Cloud Platform / Analytics Dashboard. Your Gmail and your Analytics dashboard are on two separate sites with different URLs.

  • BenBen AWS Team

    Team Member

    @rlf

    A single Login item can have multiple website fields, each with completely unique URLs. But yes, we are still looking into this.

    Ben

  • +1

    I would love to see this feature for AD auth accounts. Definitely a frustration of mine. For some of the websites I can use one entry, but others I need to put notes with the specific login and keeping all those notes in one entry doesn’t work at all.

    Cheers,
    Josh

  • brentybrenty

    Team Member

    Thanks for weighing in with the specific use case. We're trying to come up with a scalable, flexible solution that we can use everywhere, so it really helps to get different perspectives. :)

  • Can I 3rd this? :)

    Even something as short term as adding an "Active Directory" label to the "reused" passwords, just to squash the warnings would be nice.

  • BenBen AWS Team

    Team Member

    @andrewmeissner

    You can 47th this, but someone else already 3rded it. ;) We're well aware of the need, we just need to figure out a good way of doing this that doesn't hamper the purpose of the feature. We've had some good conversations internally on the subject, and the team is well aware of the need for a solution. I can't make any promises, but I will say that I think we're heading in a good direction.

    Thanks.

    Ben

  • Please support different website usernames as well as the URL. I have some sites that use my Active Directory name and some that use my email address. I tried creating sections for each site with labels that match the form/text field ids.

  • BenBen AWS Team

    Team Member

    Thanks @mgenereu. We're aware that Watchtower's alerting doesn't work well in conjunction with SSO/Active Directory authenticated services. I wish I had more encouraging news to share, but we haven't found a way we can agree on to improve this at this point. Our development team is aware of the problem and the debate about how to handle it continues.

    Ben

  • Oh yeah... I wasn't pushing. Just that the username could change per website for the shared password.

  • BenBen AWS Team

    Team Member

    Indeed, that is one of the difficulties in finding a solution for this. Many folks might need to record up to three different usernames for what is ostensibly the same account:

    We don't currently have any support in the underlying framework of 1Password for different usernames for different sites, other than by saving separate Login items for each of them. But then you have multiple Login items with the same password, which triggers Watchtower's reused password notification. So we do understand the difficulty, and indeed even run into it internally in some cases.

    Fingers crossed we're able to come up with a solution that works well and is agreeable to the majority of customers who run into this sort of thing.

    Ben

  • Just give us a button to dismiss the message, that is, to disable the duplicate verification for that item. You can have a confirmation popup reminding the less technical users about the importance of using different passwords.

    I work with a whole lot of clients and most of them use AD, causing up to 10 entries per password. Almost every one of my passwords has a big fat warning on top. This prevents me from noticing the passwords that actually need to be changed, defying the purpose of that feature.

  • BenBen AWS Team

    Team Member

    Just give us a button to dismiss the message, that is, to disable the duplicate verification for that item. You can have a confirmation popup reminding the less technical users about the importance of using different passwords.

    We don't currently have anywhere to store that sort of per-item metadata, is the problem. We have to build a way to store that information.

    I work with a whole lot of clients and most of them use AD, causing up to 10 entries per password. Almost every one of my passwords has a big fat warning on top. This prevents me from noticing the passwords that actually need to be changed, defying the purpose of that feature.

    I understand.

    Ben

  • Another example (as if you need more). Facebook and Facebook Messenger are different apps, but use the same Facebook login/password, so get flagged. How about you give us the ability to explicitly link two records. I could then say in my Facebook record that Messenger uses the same credentials, which should allow you to short circuit the reused password check.

    My 2¢ for what it's worth...

  • BenBen AWS Team

    Team Member

    Hey @JimLeask

    For that case you can actually add multiple website fields to a single Login item. That would allow you to use the same credentials for both without getting flagged by Watchtower. :)

    Ben

  • Hey, @Ben, here's a variation I've not been able to figure out that's another use case for this feature: I teach on a bunch of different machines -- old and new macOS's, same with Windows, and ChromeOS. Primary archive is in Dropbox. Without a 1Password native ChromeOS app, I use the browser plugin -- but the one that ties to a family archive in your cloud. When I copy the very few entries from my primary archive to the family one so I can at least access them on ChromeOS, it calls them duplicates. That doesn't seem like it ought to cause the same warning, since it's the same credential, just in two archives. Is the feature that you're discussing the one I'm waiting on to solve this type of reuse warning?

  • BenBen AWS Team

    Team Member

    @kblinhou

    My apologies — I'm not quite following the purpose of the multiple vaults, and thus the multiple copies of each record. We generally don't recommend continuing to use a 'Primary' vault when you have a 1Password membership. The migration guide includes instructions for deleting the Primary vault, which is what we typically recommend. Then everything would be stored in a membership vault, which can be accessed from any of your devices.

    Ben

  • I've got to let you know that we're considering other options due to issues such as these. The general consensus in my organisation seems to be that 1Password isn't really built for the workplace. We're not seeing much evidence that this might change anytime soon.

  • ag_anaag_ana

    Team Member

    @sam_hall:

    Sorry to hear this! If you are using 1Password in your business, I encourage you to reach out to your account manager at [email protected] and raise your concerns there. They will be happy to discuss this with you ;)
