incorrectly showing duplicate password warning
L.S.,
1Password just updated to 7.2 on my iMac (Retina 5K, 27-inch, Late 2015). Now I am getting an "duplicate password" warning for most of the items in my Vault, incorrectly so. Something to look into I would think.
Wil Dieteren
1Password Version: 1Password 7 Version 7.2 (70200017) AgileBits Store
Extension Version: Not Provided
OS Version: macOS 10.14
Sync Type: Not Provided
Comments
-
Hi @WilDieteren
If you have multiple vaults, it may help to enable all of them in the All Vaults preferences, then checking the Watchtower > Reused Passwords section in the app.
When we perform the search for Reused Passwords we search every item in every vault. However, Watchtower's display only shows the items from the currently available list of vaults. So, if you have one of the items in Vault A, and a duplicate item using the same password in Vault B. But your current view only shows items from Vault A, then you'll see the warning, but you won't see the other item with the same password (in Vault B) because it's hidden from view.
This is a bit of a wonky situation, one we are aware of, but we thought it'd be better to show these warnings than not at all. So, currently working as designed, assuming your situation is similar to the one above, but not exactly an ideal working as designed. We'll hopefully make some improvements to this in the not too distant future.
0 -
I still use a vault stored in DropBox as well as a vault in 1Password.com which I keep in sync. If I understand your answer correctly I am getting warnings for all my Passwords, which makes the warning essentially useless for me. Hope this will resolved in a future update.
For now how can I revert back to 7.1?
Wil Dieteren
0 -
@WilDieteren - I wouldn't recommend it. 7.2 contained a database schema change that means earlier versions are essentially unusable without using an older copy of the data as well. Depending on the changes you've made, those changes will not be reflected in any attempt to restore the previous version.
0 -
While I see this as an improvement from a security standpoint, I agree that
This is a bit of a wonky situation
I have two issues with it right now (with suggestions):
- A general UX issue. To address the confusion where
current view only shows items from Vault A, then you'll see the warning, but you won't see the other item with the same password (in Vault B) because it's hidden from view.
perhaps you could either go ahead and show the other item in the list but "greyed out" in some way. And where clicking on that entry would add to the orange "Reused Password" banner a note that this item is in a hidden vault.
- A personal usage model issue. One of my vaults is "Defunct" where I place old Items that are either expired, logins to sites I have deleted the account (but want to keep a record of when), and some copies of current Items where I made some major changes and just want the old version of the Item for reference (a poor man's versioning system). It's this last case that's the problem. While this is my corner condition, the ability to exclude a vault from WatchTower would be helpful (to me). Note: I wouldn't want a setting that would ignore all hidden vaults (the 7.1 and earlier behavior) because, as I stated at the beginning, this new behavior is a security win.
0 -
@rlh - thanks for the suggestions! Those are well-thought out. I don't know that we'll do exactly that, but a revised version that allows some greater finesse/flexibility with the warnings from Watchtower while still preserving the overall advancements in security and notifications is definitely something we're working towards. As always, we really appreciate you and others taking the time to think about these things comprehensively and share your ideas with us. :)
0 -
@Lars Do you have any suggestions for resolving this issue for me? I do not want to delete the vault stored in Dropbox, which as far as I can tell is the only way to resolve the issue. Would it be possible in a future version to choose which vaults to check, with the default being all vaults, or an option to only check the vault being used?
0 -
@WilDieteren - I don't, at present. We don't recommend users keep active duplicates in different vaults, but of course it's your decision to organize 1Password in whatever way seems best to you. We're looking into ways to make this more adjustable in the future, but I don't have anything to announce on it just yet.
0 -
I also have this issue - and I too have an old vault that I keep unused passwords in. Maybe we could have an option to restrict checks to the current vault?
0 -
I'll just add my 2 cents (US, or $.03 CA). It is very easy for me to hit this situation, for example:
- Visit a website (in Safari in my case).
- Register to create a new account.
- Use Generate Password (in 1PasswordX for me) to make a password and fill it in.
- Create the account.
- Allow 1Password to create a new Login when prompted, but change the target vault to the one I share with my wife.
- The new Login has the duplicate password warning.
- The only way I found to get rid of the warning was to move the Password item to the Trash.
There is no way to tell 1Password "this is not really a duplicate", or "I know, but trust me".
I'm glad you are working on it. Please be aware that warnings are good up to the point there is just too much noise. Then users will start ignoring them or switching applications. Of course I won't be one of the latter :)
Thanks
0 -
@agent86 - if you're visiting websites in Safari, how are you using 1Password X? Currently, there is no 1Password X client for Safari, which would mean you're visiting the site in Safari, but then generating a password in 1Password X in some other browser that's running simultaneously (Chrome? Firefox?). We're looking into ways to accomplish something along the lines of what you're suggesting, but I've nothing to announce on that score just yet. Keep an eye on the release notes in future updates, and apologies for the inconvenience in the meantime.
ref: apple-2044
0 -
Sorry Lars. I was hasty about calling it 1Password X. I switch between browsers a lot. But I believe the sequence I described is correct, and not particularly browser or extension-dependent. Thanks. I look forward to future updates.
0 -
PLEASE change this. I'm using only one vault which I keep in Dropbox. The red "Reused Password" warning is driving me nuts. At the very least, give me the choice of switching it off.
0 -
Concur. I have several cases where I have multiple instances of the same login (example: one URL for the issuing bank for my travel rewards credit card, a second URL at a slightly different domain for the site where you redeem those rewards, each requiring the same credentials). A user option to ignore the duplicate warning for a particular entry seems appropriate.
0 -
@Full Score - if you're using only a single, Primary vault and you're seeing this warning, then that means you've got generated Password items that match passwords you've saved for Login items. That was a brief, unfortunate bug we had in an earlier version of 1Password, but it should be relatively easily solved. Click the "Reused Passwords" section of Watchtower and you'll see any instances of, well, passwords that are used across more than one item. If it's the case I just described earlier, you may be able to use Help > Tools > Remove Redundant Generated Passwords to weed most or even all of the Password items out. If any remain, you can delete them individually. Hope that helps! In a worst-case scenario, if you're actually using the same password across multiple sites, and you just don't want to see the warning banner about it, you can turn Watchtower off.
0 -
Welcome to the forum, @HillbillyInBC! We're examining ways to make this more configurable while not making it easy for less-sophisticated users to accidentally turn off a feature they thought was enabled. For now, I don't have anything to announce, but it's definitely on our radar. In the meantime, thanks for your patience.
0 -
Thank you, Lars. Removing Redundant Generated Passwords does nothing; there weren't any. Unchecking the three boxes in Watchtower preferences also does not remove the red error warning.
I want to be able to use the same password on a large number of sites; I'd like the ability to choose to switch off this annoying warning message.0 -
@Full Score ah, OK -- if you're intentionally re-using passwords, then I don't have any solution for you immediately. As I mentioned, we're looking into the best way to allow users like yourself who are intentionally re-using passwords to be able to turn this warning off, while not giving less-knowledgeable users the ability to turn off a feature they a) want and b) thought was turned on. Thanks for your patience.
0 -
Thank you, Lars. There's a danger that 1Password is becoming a nanny-app where decisions are taken out of the hands of the end user in the name of security. I would have thought it somewhat easy to add a preference enabling the user to switch off various unrequired features without changing the default settings.
0 -
I would have thought it somewhat easy to add a preference enabling the user to switch off various unrequired features without changing the default settings.
You might be surprised: we added the option a while back to set the Touch ID timeout in 1Password for iOS to "never" in part due to user request...and we're still getting regular panicked emails from users who only use 1Password for iOS on a single device, and who enabled Touch ID because it's easier than typing a password, then set the timeout to "never" because it's still easier...and then promptly forgot their Master Password, because now they no longer had to go through the memory-strengthening exercise of having to type it out (and thus having to remember it), and who wound up losing their entire 1Password database because Touch ID crashed. Often, it's considerably trickier to find a way in the code to balance the wishes for flexibility of the power-users with the need to prevent newer users from getting themselves into serious trouble.
In my above example, is it those users' "fault" that they forgot? Sure, arguably. But try telling one of them that. The bottom line is: they trusted us with their most sensitive data and we gave them a set of options that allowed them to shoot themselves in the foot. They feel betrayed, or at least let down. And as a security company, permanently losing access to their passwords is the absolute last thing we want to happen to any of our users. Of course there's some personal responsibility involved in using 1Password, just as there is in using anything...but we're just not going to be enabling a raft of features that allow for very bad outcomes like this, if used slightly improperly. Or, at the very least, we're going to set a very high bar for allowing users to enable any such feature. 1Password is not a "Pro tool" in the sense that it isn't aimed at ONLY professionals. There is no "lite" version of 1Password; our main animating principle here is: excellent security should be available to - and usable by - everyone. And by "everyone," we mean including the people who aren't willing to get past a steep learning curve to understand how not to unintentionally get themselves in serious trouble inadvertently.
There's a danger that 1Password is becoming a nanny-app where decisions are taken out of the hands of the end user in the name of security.
I'm aware that potentially misusing an "ignore Re-used Password banner" feature out of ignorance would probably not lead to anything nearly as dire as what I've described above, but the principle is the same: good, easy-to-use and hard-to-misuse security should be available to and comprehensible to, everyone. We're always going to err on the side of making sure it's as difficult as possible to use 1Password inadvertently in a way that results in security issues or loss of data. If that means some folks in the power user crowd feel it's limiting their options/abilities or just find it too annoying, well, that's why there's competition in the password management space. We want 1Password to be something the average person wouldn't be leery of recommending to their mom or grandma, and for the most part, we think we hit that mark. There are numerous alternatives out there that I would no more recommend to my own 77 year old mother than I would telling her she should set up PGP whole-disk encryption on her PC.
0 -
So what you are essentially saying is "if you don't like how it works go find another password manager". Very unsatisfactory.
0 -
@WilDieteren - that's not really what I'm saying, no. To elaborate a bit on it, we'd love to have everyone as 1Password users, for reasons both altruistic and selfish. But we're also quite aware, especially as our user-base has grown in size, that there is literally no way to make 1Password be all things to all people. Or even a perfect match for all people -- mostly because people want different things. We often find ourselves answering requests in the same day from two different users who literally want the exact opposite of one another. Who should we satisfy in such a case, and who should we disappoint? We can't make both happy, at least not by fulfilling one of their wishes.
The answers to such dilemmas are frankly not anyone else's problem, and I don't mention it here to attempt to solicit sympathy for the choices we sometimes have to make. Quite the contrary: we love making 1Password. But it does require that we make certain choices about how things are and are not going to work, and we know quite well any decision we make is going to delight some users and irritate others. How badly? Well, that's for each individual user to decide. We would definitely not like to lose you or Full Score or anyone else as a customer, so we're glad to have this forum as well as our email support and various other outlets for you to get in touch and let us know what you'd like (or not like) and why. Frankly, another thing experience with a large user base has shown us is that we don't have a monopoly on good ideas -- often someone will raise something we hadn't thought about from a particular angle, but which winds up becoming part of a feature or a decision about the way we'll do (or not do) something. But sometimes user ideas/suggestions won't be taken up after careful consideration, too, and at the end of the day, if the choices we've made seem on balance to any of our users to add up to "so annoying/ill-considered/wrong in my opinion that there are better choices available out there for password management," well then we (sincerely) wish you well and hope you find something that better fits your needs.
0 -
Lars - your example above refers to iOS - and is an extreme case to cite. I am principally using 1Password on a Mac and am simply asking for the ability to switch off certain warning messages, nothing that would seriously affect a newbie, and certainly nothing as dire as in your example. It would appear that you're trying to justify the unjustifiable. I want the ability to change something cosmetic which is visually unpleasant and unnecessary. Why you would try to turn this from a parking ticket into a federal crime is beyond me.
0 -
@Full Score - I chose an intentionally extreme example to illustrate what can happen when a seemingly-innocuous change gets made that has unintended consequences. I agree that changing the Reused Passwords behavior isn't likely to result in such a bad outcome, but there are multiple considerations. One of them is that any easy, quick fix we could apply would be likely to be Mac-specific, meaning that (for example) a tag that allowed you to suppress the warning would be visible (the tag, I mean) on other platforms you might use 1Password on, but the behavior, being macOS-specific, would not match. A real solution will be cross-platform, and that's much harder to do properly than adding a "band-aid" fix for items in 1Password for Mac only. We're definitely looking into making this less annoying, but that's also kind of the point: it's annoying, not putting anyone at risk of data loss or security issues. We'd like to improve this issue as well, but we want to do it comprehensively, and having to endure a warning temporarily (until we can address it comprehensively, cross-platform) that would be preferably suppressed also is not "federal crime" level. Thanks for your patience. :)
0 -
There are a few related threads that demonstrate a disconnect between how people want to use multiple vaults and how the vendor intends us to use it.
The two top related requests is see on the search:
1) the ability to sync a password across vaults:
2) Don't call the exact same item in two different vaults a duplicate passwordThese are two sides of the same coin. The vendor answer is, don't duplicate entries across vaults.
Arguments about preference settings aside, the key issue appears to be, will 1Password support duplication of entries across vaults or just allow it and let users suffer the consequences of not supporting this as a construct.
Using the tome about about touch, etc. it would appear the monster was created by allowing the duplication which breaks other features. So either don't allow it or build the support for it. Personally, I really like it as it solves a problems that where not considered when 1Password moved to the LastPass centralized model. It seems to me to be a market differentiator you would want to keep. But clarity in the plan would help.
0 -
@Curt Cole - thanks for weighing in. :)
...will 1Password support duplication of entries across vaults or just allow it and let users suffer the consequences of not supporting this as a construct.
We already allow this; it would be far more problematic for us to attempt to code 1Password to prevent it entirely. But that doesn't mean we think it's a good idea, necessarily.
FYI, A beta update addressing some of the issues being reported about password reuse will be available within the next few days. We’d love to hear your feedback on the changes when they roll out.
To install the beta version, please visit our Downloads page, or click this direct link: https://app-updates.agilebits.com/download/OPM7/Y
Thank you for using 1Password!
0 -
While I understand the importance of not reusing passwords, which is one of the many benefits and reasons for me using 1Password in the first place, the "duplicate password" warnings seem very error-prone. The passwords that are flagged as "duplicates" are the passwords that 1Password has randomly generated.
On multiple occasions, I've changed the password for a site that was being flagged as a duplicate just to make the warning go away. A few weeks later, I noticed that 1Password started complaining again that the site was reusing a password.
Is there a way to disable the duplicate password warnings? They are annoying and not useful for me because all of my passwords are randomly generated by 1Password. I have no reused passwords.
0 -
@Michael Mercurio - if you are willing to either download the latest beta (7.2.2.BETA-4) or wait until the stable release of 7.2.2, that particular aspect has been addressed.
0 -
Hi Lars,
I can confirm that using the latest beta you linked to [Version 7.2.2.BETA-4 (70202004)] addresses most of the reused password warnings (391 down to 50). This is good news, thanks!
However, most of the existing entries that are identified as reused are a login item and the corresponding password item saved within 1Password. If I go ahead and delete (move to trash) the password item (the password is already saved on the account in the corresponding login item), the reused warning then goes away.
It seems unnecessary to identify reused passwords when the website (domain) is the same for the generated password and the site on the login item. Or am I doing something wrong?
0
