Suggestion - Ignore "Weak" passwords

OLLI_S
Community Member
edited August 2016 in 1Password 4 for Windows

In the "Weak Passwords" I have some entries.
Some of them I cannot change (like the web-mail password of my karate teacher or the WLAN password at work).
So it would be great if I could tell 1Password to ignore this special entry (right click the entry in the view "Weak Passwords" and select "Ignore this Weak Password").
So I see here in the list just the entries that I can influence (where I can change the password).


1Password Version: 4.6.0.604
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


Comments

  • MikeT
    edited August 2016

    Hi @OLLI_S,

    It's something we have in mind for a future update, we're just not sure how to store this data yet since it has to be persistent or you'd be doing this on all of your devices.

  • dszp
    Community Member

    +1 for me on this, stuff like PINs and other forced-weak passwords means I basically have to ignore the password strength indicators without manually thinking about each account. If I could turn off displaying strength for either any entry or better, a field in any entry (password may be complex but custom field with PIN might not be, maybe?) that would eventually make the strength indicators useful!

  • Hi @dszp,

    We do agree, it is something we have to go back to the drawing board and redo to make it more "flexible". It's one of these features where we didn't foresee some of the edge cases.

  • OLLI_S
    Community Member

    What about adding a checkbox "Exclude from Password-Strength-Check"?
    This checkbox is stored in the password vault, so it is also available on all other devices.

  • Hi @OLLI_S,

    We are cautious about adding extra options like this. We had something like this in the past and it turned out to cause more confusion and problems than it helped, so we've cut it out.

    What if you have both complex passwords and PIN/weak fields in the same item, they're both the same field type, do we add the same checkbox for all password fields? If one checkbox per item, it means any other passwords in this item are ignored as well.

    We've tried a few ideas but they're all too complex to use. We will investigate a better solution but it is not something that's very high on our list right now.

    My guess is we may add a field type that indicates a concealable type but one-time use, so that you could change your weak password to this type and it is skipped in all our Security Audit processes.

  • OLLI_S
    Community Member
    edited August 2016

    Did I get that right: one way would be to define a new field type for passwords that will be skipped?
    So users can copy the existing weak passwords (that cannot be modified) into that new field?

    If I did get that right then please add a one-click solution (marking the password, copy it, click on the new field and paste it are multiple actions required from the user).
    A one-click solution would be better (maybe via the context menu).

  • AGAlumB
    1Password Alumni

    Indeed, you can add a custom field and store the password there since Security Audit only pays attention to the standard Password field. Granted, custom fields cannot be filled, but depending on your preference, that may be more desirable than having to look at it in Security Audit all the time.

    As Mike mentioned, sites with mandatory weak passwords are an edge case. I'm not sure that engineering a "one-click" solution is a great idea for this one specific thing when we can do a lot more good for many more people by improving 1Password in other ways, but it's something we'll continue to evaluate.

  • OLLI_S
    Community Member

    @brenty
    These fields are used more often than you might think.
    In my old password manager I have these passwords for all PIN numbers (bank account, SIM cards for my phone, different authenticators), for websites where I have access but cannot change the password (like the email account of my karate teacher).
    In total about 20 entries.

    I need some of these passwords quite often to log in, for example the web mail of my Karate teacher.
    Or the web mail of my brother.
    Here I could list other examples...

    When you implement such a "new field type" that @MikeT mentioned above, would this also work for logging me in automatically at websites?
    Or is this only possible with "password" fields?

  • markwoon
    Community Member
    edited August 2016

    Another vote for the ability to ignore password strength checks for specific accounts.

    Would it be possible to just hide it behind an "advanced settings" type button? That way those who need it can use it, and those who might get confused will (probably) never even see it.

    Edit: you don't really need a new way to store this data, you could just use tags...

  • AGAlumB
    1Password Alumni

    > When you implement such a "new field type" that @MikeT mentioned above, would this also work for logging me in automatically at websites?
    >
    > Or is this only possible with "password" fields?

    @OLLI_S: As I mentioned above, custom fields cannot be filled. 1Password doesn't know anything about them, other than that they exist. They are custom, after all, so they can include whatever information you want. 1Password won't know what to do with them the way it does with standard Login, Identity, and Credit Card fields which have filling logic associated with them. It's definitely a problem worth solving, but it's not something we have a solution for at this time — especially given the infinite possibilities of what people might want to use custom fields for.

    > Another vote for the ability to ignore password strength checks for specific accounts.
    > Would it be possible to just hide it behind an "advanced settings" type button? That way those who need it can use it, and those who might get confused will (probably) never even see it.
    > Edit: you don't really need a new way to store this data, you could just use tags...

    @markwoon: You're right that that would be one way to deal with it, but I'm not sure that's the best solution. It's certainly worth considering, but tags are useful because they serve an organizational function. Adding baggage like this to tags may dilute that focus and lead to bloat...and the same can be said for adding a bunch more "advanced settings" that most people don't need or want. It adds additional complexity to the app, and a larger burden on the user to know what's going on in the software they're trying to use. But if there's enough interest, I'm confident that we'll be able to find a good solution — especially with the help of feedback from users like you folks here! :)

  • OLLI_S
    Community Member

    @brenty
    So I need to keep my passwords in the original "Password" field, so they can be used for logging me in in web forms.
    I just need a way to tell 1Password to "Ignore Password-Strength for this entry".
    This could be a checkbox below the password field, if the user checks it, this is stored in the password vault.
    If it is not checked, no data is stored in the vault.

  • AGAlumB
    1Password Alumni

    On its face it seems obvious, but any change like that we make needs to not break things for other versions of 1Password, whether that means another platform or legacy versions using the same data format. Adding a checkbox in the GUI is easy. Making actual changes with how things work is much more complex, especially when there are so many 1Password users on various devices. It isn't something that should be taken lightly.

  • OLLI_S
    Community Member

    The most important thing is that you know about this problem and that you are thinking about a solution.

  • Hi @OLLI_S,

    Yes, thank you for bringing this up. It may not seem like it but we are always thinking about these issues, we just cannot fix them all at the same time. In many cases, the changes we've been making would allow us to address other issues down the line when all the changes line up.

  • neex
    Community Member

    I, too, would appreciate a way to filter certain items from the "Weak Passwords" audit.

    While I can see how this could be construed as an edge-case category, consider this: I know of a U.S. state with more than 10 million residents that mandates using a 4-digit PIN in order to login to its online DMV system. Per user, I bet this issue is more common than it may seem.

    Also, in my case, I tend to ignore something if I can't trust it to provide accurate or pertinent information. If the audit always reports on false positives, such as a "weak" password that I have no ability to change, then when that audit counter shows a little number badge in the sidebar, I, frankly, don't pay attention.

    With that being said, I understand that certain features must be prioritized over others.

    In any event, I think the easiest implementation would be to add a flag to the record that denotes whether the Weak Password audit should look at the corresponding "password" field.

  • AGAlumB
    1Password Alumni

    > I, too, would appreciate a way to filter certain items from the "Weak Passwords" audit.

    @neex: Thanks for letting us know! :)

    > While I can see how this could be construed as an edge-case category, consider this: I know of a U.S. state with more than 10 million residents that mandates using a 4-digit PIN in order to login to its online DMV system. Per user, I bet this issue is more common than it may seem.

    :scream:

    > Also, in my case, I tend to ignore something if I can't trust it to provide accurate or pertinent information. If the audit always reports on false positives, such as a "weak" password that I have no ability to change, then when that audit counter shows a little number badge in the sidebar, I, frankly, don't pay attention.

    That's an excellent point! I think this is called "fatigue" or something. But really it reminds me of "The Boy Who Cried 'Wolf!'" We can do better.

    > With that being said, I understand that certain features must be prioritized over others.

    Indeed, and I also wanted to add that ultimately it would be most beneficial (and least confusing) to 1Password users if we roll out improvements to Watchtower across all platforms. The first challenge is determining what is best, the next is determining how it should be implemented in each version, and finally doing the work.

    > In any event, I think the easiest implementation would be to add a flag to the record that denotes whether the Weak Password audit should look at the corresponding "password" field.

    I think that sounds perfectly reasonable. And it would have to be compatible with all current versions, and not break compatibility with older ones.

    I really appreciate you (and everyone else) taking the time to weigh in on this. I know it isn't a super critical thing, but Watchtower is a good tool for helping us improve our security. And making it better can help even more. Cheers! :)

    ref: WT-16

  • [Deleted User]
    Community Member

    Hi,
    I just want to add my vote to change the behaviour of the “Weak Password” filter.
    I have a lot of PIN passwords which I can’t change, because it is the site's responsibility.
    Just a flag in the account (e.g. This password won’t be included in the weak password search).
    For compatibility with older 1Password apps, if this flag field doesn’t exist, apply the filter.

  • AGAlumB
    1Password Alumni

    @soucisyl: Thanks for letting us know! We'll see what we can do to make it more useful to everyone. :)

  • Hi @sbarnea,

    Thanks for adding your voice to this discussion. As Mike and Brent have already said in this thread, it's not that easy unfortunately. This field would have to be synced and understood by all 1Password apps.

    Still, thank you for the suggestion, we're going to discuss this with the team!

    Oh and: keep the feedback coming! :)

    Cheers,

    Alex

  • GeniusRedacted
    Community Member

    I would like to add my vote to this too.

  • Thanks for your vote!

    There's still no news on this.

  • GeniusRedacted
    Community Member

    Thank you for letting us know that this issue has not been forgotten.

    I also appreciate that this discussion has not been closed yet like similar discussions in the past.
    (Closing discussions about unresolved & longstanding issues creates a negative impression.)

    Keeping an issue open in 1discussion improves the likelihood of people becoming aware of the issue.
    This has advantages to the developers as well as it reduces the number of discussions that they have to update about the same issue.

  • MikeT
    edited December 2016

    Hi @GeniusRedacted,

    You're welcome.

    We try not to close any threads unless it is really hostile but you may notice a large number of closed threads because the forum archives all threads after a year or so of no activity. This is to make it easier to find more relevant threads in the search here. We have a lot of threads about old bugs and old workarounds/suggestions that are not relevant to today's versions and there isn't an easy way to bulk-archive the threads selectively, it has to be a date we select and all threads are closed prior to that. Unfortunately, Vanilla has bugs where you can't reopen threads again after they have been archived. We're looking into a better solution for this.

  • We constantly reevaluate the tools we use for customer support and your suggestions are very welcome, @sbarnea. Thank you.

  • GeniusRedacted
    Community Member

    @MikeT, @AlexHoffmann, & all -
    Thank you all for the additional & insightful information!

  • AGAlumB
    1Password Alumni

    :) :+1:

  • neex
    Community Member

    Another thought in the vein of this feature request: If we might one day be able to exclude items from the Weak Password audit, it would also be quite useful to do the same for the Duplicate Passwords audit.

  • Hi @neex,

    Thanks for sharing that suggestion with us, it is something we might do for all smart filters; add a flag to the item to exclude itself from specific filters or make the filters smarter by maintaining a list of excluded items to ignore.

This discussion has been closed.