Re-Used Passwords

I find it very annoying that Watchtower, or whatever it is that seeks out reused passwords, monitors the Passwords folder. This means that every time I create a new login and have 1P generate the password, the item is immediately flagged as having a reused password. I know that I can go to Passwords and trash the entry, but, frankly, why should I have to? Am I doing something wrong?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Greg
    1Password Alumni

    Hi @Andrew42,

    Sorry for the inconvenience!

    When you generate a password with the password generator in the 1Password extension, it is automatically saved as an item in the Passwords category of your vault. It works as a backup plan in case you happen not to save a Login item for the password you generated. If you select the All Items view in 1Password, you will see those Password items alongside your Login items (you will also see a notification from Watchtower about it).

    In the future, we want to add an automatic cleanup function to 1Password for Windows, which will remove any redundant Password items after you create a new Login item with the same website/password combination as the Password item. We also want to add an extra manual tool that follows the same rule to let you clean up old Password items (as we did on Mac already).

    Please let me know if it answers your question. If you have others, please keep them coming. Thanks! :+1:

    Stay safe,
    Greg

  • Andrew42
    Community Member

    Yes, it does. I hope you add the cleanup function quickly. I understand the logic of having a backup in case the new password doesn't save. I just wish Watchtower could ignore anything in the Passwords category.

  • MikeT
    edited April 2020

    Hi @Andrew42,

    In 1Password 7.4, Watchtower's Reused Passwords already ignores any redundant Password item as long as the website/password combination precisely matches an existing Login item in the same vault. If the saved website is different, then you'd have to trash the Password item anyway. The cleanup tool would work on the same basis; it will only remove the Password item if it has a 100% matching website+password combination.

    A lot of people use Passwords to store items that aren't related to a website, like your Windows account password, PINs for combination locks, etc. Ignoring the category completely in Watchtower is not an option.

  • Andrew42
    Community Member

    Now, Mike, you've confused me. Today I created a brand new login using 1P to create the password. I saved the login per the rules and IMMEDIATELY I received the notification that the password was one that had at least one more example in my vault. I went to the Passwords category, deleted the instance, and the warning disappeared. I then wrote my original post. What have I missed?

  • You probably missed the URL associated with the Password item, @Andrew42. As I'm sure we've all experienced on many occasions, some websites do silly things. One of those silly things is having you sign up on a different domain than the one you sign in on. Or having you change your password on a different domain from the one you sign in on. Microsoft itself is actually a great example of this, where it's actually not that silly because there are so many MS services you sign in to with your MS account that it's easy to create your Login item on one page (say Outlook) and change it on another (say accounts.microsoft.com) because of how the domains for these services are structured.

    Even if this site did nothing silly at all (and wasn't Microsoft), you can also run into this with a simple focus issue. You're in the process of changing a password and some notification or other gets your attention. You click on it, attend to whatever it wants, go back to changing your password, and generate your password with another app rather than the browser in focus. That gives your Password item no website instead of the website you were looking at, so Watchtower doesn't know what's up, because that URL is chosen based on what 1Password can read about where you're changing that password.

    Regardless of the whys and wherefores of the matter, though, the bottom line is that the URL for that Password item (or, more specifically, the domain) was probably different from its associated Login item. If you'd like, you can peek in your trash and give it a check. Even restore it if you want. If the URLs don't quite match, that's the answer. If you do restore it, you can even edit the password item and give it your Login item's URL to confirm it's being properly ignored. I gave this a test myself juuuust in case so I'm fairly confident all is well there, but feel free to take a peek yourself. :chuffed:

  • Andrew42
    Community Member

    @Bundkate, I'll bet that's what it was. Thanks for explaining it to me. Had I a $ for every time that I have signed up to a site and found later that the URL saved was for the initial sign-up page rather than the actual login, I'd have had enough money to educate both my kids. I know this happened with this site, so I don't need to go rooting in the trash. Thanks again.

  • sam_hall
    Community Member

    Cool, sounds like MikeT is saying we can add a bogus website for all the duplicate password entries we don't want Watchtower complaining about (hmm, unless they actually have a web interface, in which case we're still out of luck). Our corporate vaults are so overflowing with duplicates because of the way some systems use different LDAP username formats, or otherwise systems/databases/servers are cloned in their entirety but we still need to be able to find the account for them in 1Password. Without a way to link or group such login entries with a single password, the feature provides no value in its current state. For example, in a vault with 1000 passwords, Watchtower currently says about half are reused. It would be good to get another attribute we can use to support this ignore-duplicate feature.

  • Are you saying the usernames are different for all or some of these items, @sam_hall? Generally, when the same credentials are used for multiple sites because they're all technically the same account, my suggestion is to add the whole list of websites to a single Login item. Where that breaks down, though, is when usernames vary, and I know that some SSO systems make this a pain. One thing I've seen some folks do is, where possible, have these internal systems remember your username and fill using a single Login item for all of them. This Login item will have the whole list of websites so it matches properly, but only contain a password, with the username left blank. That can, at times, cause some filling troubles because 1Password will clear the username, but not always, and I know in some of those cases (perhaps even most) our extensions team has been able to help folks teach 1Password to leave the username alone.

    Ultimately, it's an awkward problem. SSO systems and 1Password have the same goals here of making secure practices that much easier for y'all, and yet they don't play terribly nicely together. It's something that needs a solution, but there's no single simple and elegant solution to all of the problems it creates. I think the password-only item comes closest at the moment, but that doesn't work universally. Excluding these sites from Reused Passwords would help the usability of that one feature, but doesn't solve the problem of updating all of these items when you change your SSO password, and also does nothing to make your undoubtedly messy vault a bit tidier. Some way of linking all of the items together might sort out updates and Watchtower troubles, but still leaves you with an excess of items from something specifically called single sign-on. Anyway, that's our problem to solve and not yours, but the point is that it's something we're aware of and constantly thinking about. It's just not an easy problem to solve. Hopefully some of the above helps for now, but I certainly hope we find a better and more holistic solution in the longer term. :chuffed:
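To make the matching rule discussed in this thread concrete (MikeT's point that a Password item is skipped only when its website and password exactly match a Login item, Bundkate's explanation of why a generator leftover saved on the sign-up domain still gets flagged, and the suggestion to keep one Login item listing every site of the same account), here is an added Python example. It is not 1Password's or Watchtower's code and is not part of any post above. It assumes the comparison is made at the hostname level (the thread says "website" and "domain" without defining it exactly), and all items, titles and passwords in it are constructed for the demo.

```python
"""Toy reused-password check modelled on the rule described in this thread.
Added example, NOT 1Password's implementation. Assumptions: a Password item is
ignored only when its hostname AND password match a Login item; an item with
several website URLs is still one item. Sample vault below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Item:
    category: str            # "Login" or "Password"
    title: str
    password: str
    urls: list = field(default_factory=list)   # may be empty (no website)


def host_of(url: str) -> str:
    """Normalise a website field to a lowercase hostname without 'www.'.
    Assumption: this is the granularity at which the match is made."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def redundant_password_items(items):
    """Password items whose (hostname, password) exactly matches a Login item.
    These are the generator leftovers the thread says Watchtower ignores."""
    login_pairs = {(host_of(u), it.password)
                   for it in items if it.category == "Login" for u in it.urls}
    return [it for it in items
            if it.category == "Password"
            and any((host_of(u), it.password) in login_pairs for u in it.urls)]


def reused_passwords(items):
    """Map password -> titles of the distinct items sharing it, after dropping
    redundant Password items. A Password item with no URL, or with a URL whose
    hostname differs from the Login item's, still counts towards reuse."""
    skip = {id(it) for it in redundant_password_items(items)}
    by_password = defaultdict(list)
    for it in items:
        if id(it) not in skip:
            by_password[it.password].append(it.title)
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


# Constructed sample vault (passwords are placeholders, not real secrets).
SAMPLE_VAULT = [
    # Andrew42's case: Login saved on the sign-in page, generator leftover
    # saved from the sign-up page -> hostnames differ -> flagged as reused.
    Item("Login", "Example shop", "A-generated-1", ["https://example.com/login"]),
    Item("Password", "signup.example.com", "A-generated-1",
         ["https://signup.example.com/register"]),
    # Exact hostname+password match -> the Password item is ignored.
    Item("Login", "Forum", "B-generated-2", ["https://forum.example.org"]),
    Item("Password", "forum.example.org", "B-generated-2",
         ["https://www.forum.example.org/"]),
    # MikeT's point: Password items are not ignored wholesale. A Windows account
    # password with no website that also protects a server is real reuse.
    Item("Password", "Windows account", "C-shared-3", []),
    Item("Login", "Old file server", "C-shared-3", ["https://files.internal"]),
    # Bundkate's suggestion: one Login item listing every site of the same
    # account is a single item, so the SSO password is not counted as reused.
    Item("Login", "Microsoft account", "D-sso-4",
         ["https://outlook.live.com", "https://account.microsoft.com"]),
]


def fix_signup_leftover(items, title, url):
    """Bundkate's repair: give the leftover Password item the Login item's URL so
    the exact-match rule applies. Returns a new list; the originals are untouched."""
    return [Item(it.category, it.title, it.password, [url])
            if it.category == "Password" and it.title == title else it
            for it in items]


if __name__ == "__main__":
    for pw, titles in reused_passwords(SAMPLE_VAULT).items():
        print("reused across:", titles)
    fixed = fix_signup_leftover(SAMPLE_VAULT, "signup.example.com",
                                "https://example.com/login")
    print("after fixing the URL, still reused:", list(reused_passwords(fixed)))
```

Running it flags the sign-up leftover and the Windows/file-server pair, ignores the forum leftover, and leaves the multi-URL Microsoft item alone; after the leftover's URL is changed to the Login item's hostname, only the genuine reuse remains.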

  • sam_hall
    Community Member

    "Are you saying the usernames are different for all or some of these items" - yes, exactly. Some but not all. I've seen other people using 1Password in the workplace make the same observation; it seems to be a common issue. I'd refer to that as "same sign-on", where one set of credentials gets you into multiple sites but you still have to actually enter the credentials into those sites. We prefer and try to encourage email address format, but some legacy systems only support username, and some require domain\username format.

    As the guy working behind the scenes to make actual "single sign-on" SSO work for the end users, I still need to be able to log in to all the backend services and keep track of credentials that may be temporarily duplicated, forked, or even stored long after a server or service is shut down, just in case we need to bring it back up again. We selected 1Password as the tool to manage these credentials because it has a lot of strengths in terms of security and sharing vaults, but in other ways it also works against us. For instance, I'd really love to totally disable the mini client. I don't know about other people, but for me it just gets in the way. I keep forgetting that I need to right-click the tray icon and select the full app option. If I want to auto-fill a password for a site I use the Ctrl+\ hotkey to bring up suggestions, and if it's not there I go fix the 1Password entry to make it auto-fill without having to search.

  • Well, I'm afraid I can't fix the SSO issue generally, @sam_hall. As I mentioned, it's a pickle and not one easily sorted. Or maybe it's more of an onion? It's got layers. Jokes aside, though, I do have some tips that might help with some other stuff you mentioned.

    First, Ctrl + Shift + \ opens the main app. This is perhaps my favorite thing we've ever added to 1Password. Sure, it's a small thing, but I have to use the main app a ton, and if I could actually throw out my mouse and only have a keyboard I'd be quite the happy camper, so this gets a huge 💙 from me.

    For those services you need access to from time to time, but don't use a ton, you might consider dumping them in an archive vault and excluding it from All Vaults:

    1. Create new vault.
    2. Move stuff over.
    3. Choose 1Password > Settings > Vaults and uncheck that vault from All Vaults.

    This essentially keeps these items out of the view you probably spend most of your time in: All Vaults. When in All Vaults you won't see these items anywhere. They won't be suggested in your browser or shown in Watchtower or visible in any way beyond being able to see the vault in the vault switcher. When you need them, though, a quick Ctrl + D and a click on that vault will bring them to the surface so you can use 'em as needed when you're forced into these legacy systems. There when you need 'em, but mostly out of the way, since that's not something that happens often.

    I doubt any of this is totally revolutionary, but it's all stuff I've found has helped me (my archive vault is actually just a test item vault, but the principle is the same), and I hope some of those tidbits make your life easier and help 1Password get out of your way just a little bit more. :chuffed:
