duplicate passwords flagged when there aren't duplicates?

odysseus
Community Member

The other day I noticed that 1Password was flagging certain passwords as reused, but when I clicked on "Reused Passwords," not all of the entries were grouped in pairs or more (i.e. some were single entries)! 1P is supposed to group entries that use the same password, isn't it? Is this a bug?


1Password Version: 7.2.1
Extension Version: Not Provided
OS Version: 10.13.6
Sync Type: 1Password


Comments

  • Lars
    1Password Alumni

    @odysseus - it's difficult to say for certain without seeing your setup. Reused Passwords searches ALL of your vaults. How many vaults do you have, and are all of them set to display in All Vaults? Or do you have some of them set to NOT display in All Vaults view? If so, it may be that the duplicate items are in vaults you have set not to display.

  • odysseus
    Community Member
    edited October 2018

    That was it! I had one vault set not to display. It's a bit weird to indicate that a password has been reused without giving the user any indication of where it has been reused.

    What's strange is that I could swear that this just started happening. The developers decided that it was a good idea to check for reused passwords, even between vaults that aren't displayed?

  • Lars
    1Password Alumni

    @odysseus - I'm not actually certain off the top of my head when specific changes occurred, but yes, we've been making an overall effort to tighten security in recent releases. Most of our early users are very technically adept, so we don't need to tell them not to reuse passwords, and they already know what makes a good strong password, etc. Newer users these days are often from backgrounds where they don't have as much experience with these types of things as our longer-term 1Password users, so we've made warnings for things like re-used passwords, compromised logins and unused 2FA accounts more prominent and harder to defeat/dismiss. We do have some changes coming in future versions that hopefully will balance some of the desires of long-time users to whom this stuff is already second-nature with the need to make sure newer users are getting the full measure of security assistance 1Password can provide.

  • odysseus
    Community Member

    Thanks. There should also be a way to turn off 2FA warnings for web sites that don't use OTP (they may use trusted device notifications, for example).

  • Lars
    1Password Alumni

    @odysseus - there actually is a way to turn off the 2FA warnings: just add the tag 2FA to any item in 1Password that has such a warning.

  • odysseus
    Community Member

    That's great -- is it documented somewhere?

  • Lars
    1Password Alumni

    @odysseus - sure, all over these forums. :lol:

    Seriously, we don't document this feature because once again, it's one of those Mac-only solutions that we'd rather people not get too heavily invested in, since it's not a comprehensive approach, and the problem it's solving isn't one that will cause data loss or security issues anyway. If someone writes in complaining that they just can't stand having to see that banner on a few sites, we'll let them know. But we aren't going out of our way to publicize it at this time.

  • jmpsfs
    Community Member

    A related issue - 1Password told me today my bank's password had been pwned, so I changed it using 1Password's own auto-generator -- 16 characters, the longest the bank allows.

    1Password told me the new password was a duplicate. When I had the same experience with my wife's account, it told me her new password was also duplicated?

    The odds of having duplicates on two out of two auto-generated passwords seem like they should be pretty low. Am I missing something?

    1Pwd 7, Mac, Mojave, Chrome

  • Lars
    1Password Alumni

    @jmpsfs - your bank allows only a 16-character password? Arrrrgh. Well, nothing you can do about it, except use the maximum length you can in this case.

    My guess without being able to see more closely is that you've got both a generated-password item and the Login item, which is where the "duplication" exists. If it was generated by 1Password, you're right, the chances that it would be a randomly-generated duplicate of one of the other passwords already in your 1Password database are even smaller than my chances of winning the $2B Mega Millions jackpot today. So, likely, it's just a duplicated item. Switch over to Watchtower's Reused Passwords section and look for that item. I'm guessing you'll find a Password item and a Login item. If the password is the same between them, you can safely delete the Password item. If that's NOT the case, let us know.

  • davebarnes
    Community Member

    I keep getting this warning "Don’t use the same password on multiple websites. Generate a unique password to improve security."
    How do I turn this OFF?
    Yes, I have tons of duplicates among my 560 logins.
    I don't care that I do.

  • jmpsfs
    Community Member

    That was it. Thanks.

    I'm also having problems with the behavior of ver 7, especially when a site (Amazon, normally, since that's where I sell books so I'm in and out of it a lot) asks only for the password. In ver 6 I could just press cmd-\ and the password would populate without difficulty. Now I get the entire 1pwd dialog and more often than not it calls an entirely different site. Mint is the normal example, perhaps because it's another site I visit regularly.

    Do the added benefits of 7 outweigh these inconveniences, or can they be reduced? I'm willing to downgrade to 6 but would need to know how, if that's the answer.

    Thanks

  • Lars
    1Password Alumni

    @davebarnes

    > Yes, I have tons of duplicates among my 560 logins.
    > I don't care that I do.

    I'm sorry there's no way currently to turn off this warning on an item-by-item (or even global) basis. We're looking at ways to effect such a thing in a cross-platform manner that also doesn't give users the ability to inadvertently shut off a feature they thought was protecting them, but I've nothing to announce on that right now. Thanks for your patience in the meantime.

  • Lars
    1Password Alumni

    @jmpsfs

    > Do the added benefits of 7 outweigh these inconveniences, or can they be reduced? I'm willing to downgrade to 6 but would need to know how, if that's the answer.

    Only you can answer that question with certainty, but I can say I'd strongly recommend against downgrading to 1Password 6 for Mac. It's not that version 6 was bad, it's that time moves on very quickly in the digital world, and reverting to a previous version is almost never a good idea, as you continue to upgrade your version of OS, your hardware, your browser and related technologies. In fact, it's a recipe for even greater headaches. Especially with mission-critical software that contains some of your most important data.

    Regarding Amazon, do you have more than one login saved for it? Either way, you might wish to re-save your credentials manually for Amazon in a new Login item. Instructions for that are here. Make sure you discard your original Login item for Amazon afterwards (after making sure you've captured all the data necessary), and see if that helps.

  • tbosserman
    Community Member

    1Password now says that I have 54 reused passwords. In fact, I have none. When I bring up WATCHTOWER it shows that each password is unique. But I still have the red "Reused Password" on every single password. How do I turn this piece of sh*t off??? Worst thing 1Password has ever implemented. When I have to ignore the red banner, it makes the red banner useless.

  • Lars
    1Password Alumni

    Welcome to the forum, @tbosserman! I'm sorry for the inconvenience. I know it's frustrating, but I need to ask you to refer to the Forum Rules and Guidelines and keep the language family-friendly in here, please.

    Have you looked at the Reused Passwords section of Watchtower, or do you just see these banners in your regular use of 1Password? I'm asking because if you look in the Reused Passwords section, it may give you some clue as to what 1Password thinks is being reused. Also, do you have multiple vaults, with some of them hidden from the All Vaults view? If so, you may see items in there which appear as reused but show no other duplicate item...because the other item isn't being displayed if you excluded it from All Vaults.

    A beta update addressing some of the issues being reported about password reuse will be available within the next few days. We’d love to hear your feedback on the changes when they roll out.

    To install the beta version, please visit our Downloads page, or click this direct link: https://app-updates.agilebits.com/download/OPM7/Y

    Thank you for using 1Password!

  • tbosserman
    Community Member

    I think I know what Watchtower is doing: When my team created online vaults I created a private vault and 1Password sync'ed my "primary" (local on-disk) vault to the Private online vault. So now all passwords are duplicates. But you can't delete the primary on-disk vault (it literally says "Primary vault cannot be deleted") so as near as I can tell I'm left with no options except to stare at a red banner all day.

  • Lars
    1Password Alumni

    @tbosserman - I'm sorry for the trouble. What you're experiencing is a bug: you CAN delete the Primary vault, just not the way you've been trying (that's the bug, which is addressed in an upcoming release). For now, visit Preferences > Advanced and UN-check the box marked "Allow creation of vaults outside 1Password accounts." That should remove your old Primary vault. Obviously, don't do that if you still have data you need there; move any such needed data over to your 1password.com account vault(s), then give it a go.

  • tbosserman
    Community Member

    Thank you, that got rid of most of them. Watchtower is still unbelievably buggy, making it near useless. It still shows some as dups which are not dups. You folks should not have forced something this horrible on your customers without providing a way to disable it.

  • Lars
    1Password Alumni

    @tbosserman - thanks for the feedback.

  • NateS
    Community Member
    edited November 2018

    "@odysseus - there actually is a way to turn off the 2FA warnings: just add the tag 2FA to any item in 1Password that has such a warning."

    It seems that all 2,000+ of my Password entries are marked with this red banner as Reused Passwords, and they are NOT reused passwords. In fact, most of them were generated by 1Password itself.

    I did this and it did not eliminate the "Reused Password" scolding! I do not duplicate passwords, but ALL my passwords and logins are marked with this "Reused Password" scolding. How can I eliminate these annoying scoldings appearing all over like a pox!!!

    The way this is set up really seems like a design defect. Wouldn't it be simple to have the trigger for the warning check both the Password field AND the Login name field, in combination, before pasting up this red scold? If there is a match, then it is not a reused password but merely a duplicate entry.
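The distinction NateS proposes, combined with the hidden-vault effect described earlier in the thread, can be sketched as follows. This is an added example, not 1Password's code or Watchtower's actual logic; the `Item` model, the `classify` function, the vault names and the sample passwords are all constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:  # hypothetical item model, not 1Password's schema
    vault: str
    title: str
    username: str
    domain: str
    password: str


def classify(items, hidden_vaults=frozenset()):
    """Split same-password groups into true reuse and duplicate entries."""
    key = os.urandom(32)  # per-run key: index by digest, not by plaintext
    groups = defaultdict(list)
    for it in items:
        tag = hmac.new(key, it.password.encode(), hashlib.sha256).digest()
        groups[tag].append(it)

    report = {"reused": [], "duplicate_entry": [], "lone_visible": []}
    for members in groups.values():
        if len(members) < 2:
            continue
        accounts = {(m.username.lower(), m.domain.lower()) for m in members}
        names = sorted(f"{m.vault}/{m.title}" for m in members)
        if len(accounts) == 1:
            # Same account stored twice (e.g. copied between vaults).
            report["duplicate_entry"].append(names)
            continue
        report["reused"].append(names)
        # Reuse whose counterpart sits in a hidden vault shows up as a
        # single, unpaired entry in the visible list.
        visible = [m for m in members if m.vault not in hidden_vaults]
        if len(visible) == 1:
            report["lone_visible"].append(f"{visible[0].vault}/{visible[0].title}")
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample data; passwords are placeholders.
ITEMS = [
    Item("Personal", "Bank", "alice", "bank.example", "pw-A"),
    Item("Work", "Bank", "alice", "bank.example", "pw-A"),
    Item("Personal", "Forum", "alice", "forum.example", "pw-B"),
    Item("Personal", "Shop", "alice", "shop.example", "pw-B"),
    Item("Personal", "Mail", "alice", "mail.example", "pw-C"),
    Item("Work", "Wiki", "alice", "wiki.example", "pw-C"),
    Item("Personal", "News", "alice", "news.example", "pw-D"),
]

if __name__ == "__main__":
    print(classify(ITEMS, hidden_vaults={"Work"}))
```

With the constructed "Work" vault hidden, the Bank copy is reported as a duplicate entry rather than reuse, and Mail is the unpaired entry of the kind the original poster saw.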

  • Lars
    1Password Alumni

    @NateS

    > I did this and it did not eliminate the "Reused Password" scolding!

    Right. That's because that advice applies only to the Inactive 2FA warnings, not the Reused Password warning. Did you perhaps recently switch to a 1password.com account and also not remove your previous standalone vault? If you open Preferences > Vaults, what do you see there? How many vaults, and what are their names?

  • NateS
    Community Member
    edited November 2018

    Lars, thanks for offering to assist me. What I see in Preferences > Vaults is a checkbox for my name and then several subordinate, indented checkboxes with the names of my vaults; then I see several non-subordinate checkboxes with similar names. Is this the problem? If so, how do I solve it?
    PS - the checkboxes with similar names are unchecked.

  • Lars
    1Password Alumni

    @NateS - indeed, that's likely to be the problem: you migrated to a 1password.com account - which is a good thing - but you left your existing standalone vaults in place (so your data was copied but the old data not removed; hence, duplicates).

    We can't see your actual data, so the best thing for you to do would be to switch to each vault in turn and make sure the data in the vaults that are NOT part of your 1password.com account is already copied over into your account. The indented vaults under your name are the account vaults, the non-indented ones are standalone vaults. Just make sure everything's been transferred, and move over any data that hasn't yet been copied.

    Then, you can remove the older standalone vaults one by one by switching to that vault in the Vault Menu, then choosing Vault > Delete (name of vault). Make sure you do the Primary vault last, because you need to use a slightly different procedure for that one. When you're down to just the Primary vault, open Preferences > Advanced and UN-check the box marked "Allow creation of vaults outside 1Password accounts." That should get you where you need to be. :)

  • NateS
    Community Member
    edited November 2018

    Lars, thank you very much for this explanation and these instructions. After moving over to membership, I was keeping the old vaults in 1Password just as a recourse in case something didn't get copied. I didn't realize that they would continue to show up in 1Password membership. I now understand from your message that they must be deleted from inside 1Password, but before I do so can you advise me as to how I can retain them elsewhere on my computer as a recourse in case something didn't get copied over or in case I inadvertently updated or added some new entries there, thinking I was making the updates or additions to the new membership versions?

    I guess it's my fault that I didn't follow the instructions to delete these immediately, but considering the fact that I have over a thousand entries accumulated over the years, it was laughable to me to read the instructions that told me to delete them --after you are sure they have all been copied.-- so I guess I just hung onto them as a security blanket until I forgot I had to delete them. Seems like a better design would simply hide them in 1Password or at least automatically copy them to a secure permanent archive.

  • grgz
    Community Member

    This new warning is really annoying. I too have multiple vaults which sometimes intentionally duplicate items between them:

    1. I have a work vault that duplicates some entries from my personal vault. This allows me to access certain accounts at work without exposing my entire personal vault to the office workstation (with network backups, etc).
    2. My parents (family account) have multiple vaults which contain some overlapping/redundant entries. (Sorting these out is on my todo list.) Big red warnings about duplicate passwords between these vaults are just likely to add confusion.
    3. I use an offline vault as a local backup copy/snapshot of my main personal vault from a particular time.

    Ideally I should be able to disable certain warnings from the advanced menu. Or else the duplicate password warning should not apply to entries in different vaults, or entries with the same website domain.

    I generally like your efforts to improve password hygiene, but I shouldn't be forced to change my workflow (using vaults in various ways) due to this new feature.

    Thanks!

  • Lars
    1Password Alumni

    @NateS - be glad to help! FYI, 1Password makes daily backups of your data when you use it in standalone mode, and these are not deleted. So even if something went horribly wrong with the import/migration process, you wouldn't have any real problems, just restore from the most recent backup and you'd be right back to where you started. Not to mention, the "would you like to delete" pop-up only occurs AFTER a successful migration of your data, so if you're seeing it, then by definition there weren't any problems.

    Anyway, go to Preferences > Advanced and UN-check the box marked "Allow creation of vaults outside 1Password accounts." That will remove your older Primary vault. If you have additional secondary vaults, they must be removed before you try the above; Primary must always be last-removed. To remove other vaults first, just go to the Vault menu and switch to each vault in turn, then choose Vault > Delete (name) vault. Hope that helps! :)

  • Lars
    1Password Alumni
    edited November 2018

    @grgz - we really don't recommend people copy the same item into multiple locations, because that creates the very real possibility (likelihood, even) that changes to one copy will not be reflected in any of the others (since, as separate copies, they do not sync with one another). This can result in you having incorrect or outdated information when you need it, or not being certain which version of an item is the correct one. It's your choice how you want to use 1Password, of course, and you can do this...but we don't recommend it (or, really, support it).

    > I have a work vault that duplicates some entries from my personal vault. This allows me to access certain accounts at work without exposing my entire personal vault to the office workstation (with network backups, etc).

    1Password data is always encrypted on disk. The only way your data could be of any use to your employer would be if they installed keyloggers that track every keystroke you type (which would capture your Master Password), or they have unusually invasive, root-level access to your device, in which case, I wouldn't run any personal data on it whatsoever.

    That said, we've made some adjustments to how Reused Passwords warnings are displayed, in the most-recent beta. If you're willing to try that, you can grab a copy here and let us know what you think. Or, if you'd prefer not to run beta software, you can wait until the 7.2.2 official release is out, which shouldn't be much longer.

  • grgz
    Community Member

    Thank you! The beta does address most of my concerns, as it no longer complains about duplicate items in multiple vaults.

    I'd still like to add my vote for an advanced option to hide the warning either globally or per item. I think there are legit cases where I might intentionally decide to share a password between two specific items -- even while understanding that it's generally not recommended.

  • NateS
    Community Member

    Lars "Anyway, go to Preferences > Advanced and UN-check the box marked "Allow creation of vaults outside 1Password accounts." That will remove your older Primary vault. If you have additional secondary vaults, they must be removed before you try the above; Primary must always be last-removed. To remove other vaults first, just go to the Vault menu and switch to each vault in turn, then choose Vault > Delete (name) vault. Hope that helps! :)"

    Okay, I meticulously complied with these instructions, leaving me with only the vaults created online. Yet Watchtower says I still have 879 Reused Passwords. I don't understand this. To my knowledge, I have never ever reused any password since I first bought 1Password, then known as something like 1PSWD, and started using your password generator in the early days back when it seemed like everyone else was using silly things like the name of their dog, but not me!

  • Lars
    1Password Alumni

    @NateS - Hmm...OK. If you go to Preferences > Vaults, what do you see there? Only your 1password.com account's vaults? Or are there still other vaults present as well?

This discussion has been closed.