Unnecessary notifications of weak or reused passwords or Inactive 2FA.

enshoguy
Community Member

I have a number of services that are inextricably linked and have the same password, but the username varies depending on which service and URL is used to access. Fine, I understand from previous posts that separate items need to be created for this. However, since upgrading to 1Password7 (and going down the whole 1password online route - very nice btw), 1password complains that I am reusing a password. "Don’t use the same password on multiple websites. Generate a unique password to improve security."

If you're not going to be able to have different logins on the same password entry, can you please create an option to disable this alert for specific sites?

Likewise, I have a number of "weak" passwords used for internal systems, passwords I cannot change, but for services that are not accessible from the internet. It would be useful to disable the "Weak passwords are easier to guess. Generate a strong password to keep your account safe." for these sites.

Having weak password notifications for services I don't care about, or reused password notifications for sites that I cannot do anything about is distracting and detracts from genuine notifications.

Finally, I get Inactive 2FA warnings for a number of sites that don't actually allow me to set up 2FA. Again, the warnings are an unnecessary distraction and I'd like to be able to disable the warnings for specific password entries.


1Password Version: 7.2.1
Extension Version: 7.2.1
OS Version: macOS Mojave 10.14
Sync Type: 1Password Families

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @enshoguy! You're definitely not the first to request this ability, so thanks for bringing it up. At this time, we don't have plans to allow users to defeat these warnings. They exist so users can see where there are reused passwords or weak ones. And while I understand your use-case, we need to make sure we don't give users the ability to defeat security measures they think are enabled just because they don't like seeing warnings. I'll definitely bring your thoughts up with the development team, though; thanks for taking the time to write them out. :)

  • enshoguy
    Community Member

    Like I wrote in my first post, there are instances where there is literally nothing I can do to fix the issue. Wikipedia, for example, only allows 2FA for a restricted subset of users. OpenDNS, despite the 1password warning to the contrary, gives no option whatsoever to enable 2FA.

    One way of tackling this is a two level system for disabling alerts. Firstly an 'advanced' option to enable the ability to disable alerts and then the option to mute alerts for specific entries.

    If the above is enabled, you could have a new watchtower category for reviewing muted alerts, but perhaps this is too complicated.

    I appreciate that you don't want users to be able to defeat security measures just because they don't like warnings, but you should consider the use case that constantly having a list of (invalid) warnings you can do nothing about can obscure genuine security issues.

  • danco
    Volunteer Moderator

    The 2FA issue is odd, as 1PW gets its list of sites permitting 2FA from a standard list of such sites. Anyway, this one is easy to deal with. Just add the tag 2FA to the item, and it will no longer appear in the list. This is also what one needs to do if one has set up 2FA but done so outside 1PW.

    Weak or reused passwords is another issue; as you can see, AgileBits are thinking about it, but so far have not found a solution they consider satisfactory.

  • enshoguy
    Community Member

    I don't know that I would consider the 2FA issue odd. Twofactorauth.org make it clear on their website that for both wikipedia and opendns, 2FA is not generally available to all users, but 1password doesn't make the distinction between sites that offer 2FA for all users or just a subset.

    Thank you though, adding the tag works fine. It would surely be simple enough to add a similar tag for weak or reused passwords. That gets it out of my watchtower list, but still gives me a tag category to periodically review if I wish to do so, and it's a much simpler solution than the one I proposed in my previous post.

    Don't get me wrong, I find the genuine warnings extremely useful. I've diligently gone through the watchtower categories to enable 2FA on all sites that support it and created more complex and unique passwords as appropriate.

  • Lars
    1Password Alumni

    @enshoguy - we're looking at ways we can continue on with the advances made by Watchtower while allowing users more flexibility for those sites for which they truly cannot change the password or use 2FA, etc. I appreciate the feedback, and I will pass it along, I just don't have anything to report at this time in terms of specific changes in the pipeline for this.

  • enshoguy
    Community Member

    I appreciate the responses from yourself and Danco. I've never bothered to sign up previously to any forum for any software I've used. I really like 1Password, it is now an essential part of my working life and I hope it will continue to evolve and improve hence my feedback.

    Thank you, I will wait and see what happens.

  • hesspaul
    Community Member

    I think it's a larger issue than just users who cannot change a password. I've seen Watchtower warnings asking me to change passwords that I had just recently set up, but 1P didn't seem to realize that my password was newer than whatever breach it was reporting on. I'd very much like the ability to acknowledge a warning with a little 'x' box on it, and then it would turn green and collapse to maybe a single line that doesn't get into the way.

  • staze
    Community Member

    I literally just signed up for this forum to ask about these. For example, my email account and using freebusy.com. Obviously freebusy.com has my email account password so it can access my calendar. =/

    The inactive 2FA is also a little overzealous since some of the sites listed only support SMS 2FA, but there's no way to tell 1password that you already have that enabled. =/

    There really should be a way to acknowledge the warnings. Even make it difficult, like clicking a button, then having it require you to type in "I AGREE" or whatever. I get you don't want it to be easy so it doesn't prevent good password management, but it also serves to "hide" valid warnings when you're constantly ignoring the ones you don't care about. Like, I see 10 "reused passwords" that are all expected. That increasing to 11, I might not notice. But going from none to 1 would be noticeable.

  • Lars
    1Password Alumni

    Welcome to the forum, @staze!

    "The inactive 2FA is also a little overzealous since some of the sites listed only support SMS 2FA, but there's no way to tell 1password that you already have that enabled. =/"

    There is, in fact: you can add the tag 2FA to any site for which you want to suppress the Inactive 2FA warning.

    With regard to re-used passwords, we're looking into ways to do this in a more-elegant way that works cross-platform, instead of being a Mac-specific band-aid like a special tag. We're not unsympathetic (at all, remember, we're 1Password users also!) to the annoyance factor of seeing these warnings, but they're in no way a data-loss or security issue. That doesn't mean it won't be addressed, but it does mean that it isn't likely to have a rush-fix bandaid applied to it. Thanks for your patience in the meantime, as we work toward a solution for the issue. :)

  • Lars
    1Password Alumni

    @enshoguy - thank you so much for the kind words. A lot of people work very hard to make 1Password the best it can be for you folks, and although we don't expect to be thanked, it's always kinda awesome when someone takes the time to say that 1Password has helped them or made their lives easier. :)

  • Lars
    1Password Alumni

    @hesspaul - thanks for the suggestion. :)

  • staze
    Community Member

    Hey @Lars: Thanks! So why wouldn't we use something similar for reused passwords? Or maybe the ability to select multiple items in "reused passwords" and then right click and "acknowledge" or "link"? Just a thought.

    Thanks!!!

  • Lars
    1Password Alumni

    @staze - because doing that would be a Mac-only solution. More and more users are using multiple platforms, and as a result, we're less and less inclined to take advantage of OS-specific features that are available on one platform but not another to solve (or work around) problems. A '2FA' tag, for example, added to a Login item in 1Password 7 for Mac to suppress the "Inactive 2FA" warning from Watchtower will work for Mac...but not everywhere. On other platforms, you'd see the 2FA tag in the item, but be surprised/annoyed all over again that it did not operate the same way to suppress the warning like it did in 1Password for Mac. We're looking increasingly at solutions that not just can but DO function reliably across multiple platforms, instead of piecemeal in just one. Thanks for your patience as we work towards such a goal in this case as well.

  • staze
    Community Member

    Oh, I had no idea these were not platform agnostic. I figured the data is the data, and 1password on the mac/windows behaved identical to tags. Bummer. =/

    And no worries. You guys are doing a lot of improvement all the time, so no complaints at all. =)

  • Lars
    1Password Alumni

    @staze - thanks for the kind words. And it really depends: sometimes, it can be done server side and then it IS platform agnostic. That's actually what we're increasingly shooting for, these days, as more people become 1password.com users. But it's not always simple or even possible to do that, and even when it is, that still doesn't take into account those who are not using a 1password.com account. Thanks for your patience with us as we work to continue to improve 1Password.

  • RosemaryOrchard
    Community Member
    edited January 2019

    Hi! I've just run into a similar issue today. I have the same problem as in the original post: internal websites at work require different usernames, but all have the same password (as they're connected to the same backend), yes we should unify the usernames - but it would be very nice if the "linked accounts" feature would perhaps not be quite so bright red for this (a grey instead? As you've acknowledged the accounts are indeed linked?).

    Another use case I have: I have email accounts for a few email addresses with the hosting provider, I dutifully created an email account in 1Password so I would have the IMAP and SMTP server fields, etc. However, there's also a web interface - and 1Password suggested saving the login. Now it tells me I'm reusing the password when I'm not re-using the password at all. Again, I linked these entries together :). A "simple solution" (dangerous for me to say having never seen your code base!) might be to offer a website section in the email account. Here the user could specify the web interface URL along with which username to use (e.g. just the handle or the full address) - that would remove my duplicate entry, and not numb me to the duplicate password warning ;)

    I really do love 1Password by the way!

  • Lars
    1Password Alumni

    @RosemaryOrchard - yep, the email account vs webmail sign-in conflict is one issue we're still grappling with, and there are a few others (bank accounts, etc). I wish I had something more definitive or even informative to say to you, but the truth is I just don't right now. We'll continue to evaluate it, and hopefully have some progress in upcoming iterations. Thanks for taking the time to share your suggestion for having a website/URL field in the email account category itself with us. We really do appreciate every bit of feedback and every suggestion of this nature, since we're quite aware we don't have all the answers and we frequently learn things from our users. So thanks for being a part of that. :)

This discussion has been closed.