How to change all identical credentials shared by multiple URLs?

Hi,

I recently migrated from LastPass. In LastPass' model, I had a bunch of "distinct" logins per URL for company internal sites that all used a SSO / LDAP authentication model. So the username/password portions are all the same, but cover a variety of URLs.

Unfortunately, there are two different sets of credentials, and there isn't really a rhyme or reason to which specific URLs use which set of credentials. So I do need some way to track "URL X uses credentials A" and "URL Y uses credentials B."

When I migrated my passwords from LastPass, each existing URL-credential pair got imported as-is. So far so good.

Now, my IT department is still in the 20th century, and requires password rotation every few months. Here is the problem: I need to update the password on all accounts that shared the same username+password, to the new password′. In LastPass, when I logged in with the new credentials on a single site, it would prompt me to update the password for all matching sites. 1Pass doesn't seem to do that, so I have a bunch of stale credentials.

I'm looking for a good way to either:

  1. Update all username+passwords that match exactly, or
  2. Merge all usernames+passwords that match exactly in some way that tracks the set of URLs the merged credential applies to

I'm struggling to find anything about this in the FAQ or forum already, but I'm sure someone has asked it before. Thanks!


1Password Version: iOS latest
Extension Version: Firefox/Chrome X latest
OS Version: FreeBSD (browsers), iOS
Sync Type: Don't know

Comments

  • MrCMrC Community Moderator

    @c__ ,

    In the Desktop version, you can add the distinct URLs to a single record, and click the one you want to Open and Fill. I'm not sure about 1PasswordX.

  • @MrC ,

    I don't think 1Password makes a desktop version for Linux or FreeBSD, unfortunately.

  • MrCMrC Community Moderator

    Understood @c__ - I just haven't played with 1PasswordX enough yet to know if you can add (i.e. there is a UI to add/use) multiple URLs. The underlying record data structures are the same in all versions of 1Password.

  • @MrC sure, that makes sense. I think the 1PasswordX extension is pretty limited — it isn't capable of editing credentials, for example. Instead it sends you to the 1password website, which (as someone with some familiarity with computer security, the web, and javascript's trainwreck history re: cryptography and security) makes my skin crawl a little bit.

  • brentybrenty

    Team Member

    @c__: Since the purpose of 1Password is to not reuse passwords, we haven't built it with updating login credentials for multiple items in mind. I realize that in this case you may not be actually reusing passwords, but 1Password has no way of actually knowing that, and having it work differently would encourage password reuse overall.

    1Password does, however, allow you to add multiple URLs to any Login item for just the use case of having a single account you need to sign into in different places. This also works with 1Password X and the 1Password.com web interface. I don't understand your comments here though:

    I think the 1PasswordX extension is pretty limited — it isn't capable of editing credentials, for example. Instead it sends you to the 1password website, which (as someone with some familiarity with computer security, the web, and javascript's trainwreck history re: cryptography and security) makes my skin crawl a little bit.

    Browser extensions are also Javascript and, no surprise, run within the browser environment. So I'm not sure what threats would apply to 1Password.com but not 1Password X. Can you elaborate?

    Many of the precautions we take for security can and are applied equally to both -- for example, CSP and penetration testing. Ultimately, if your computer is compromised, neither would be safe to use anyway, as with a native app.

  • Since the purpose of 1Password is to not reuse passwords, we haven't built it with updating login credentials for multiple items in mind. I realize that in this case you may not be actually reusing passwords, but 1Password has no way of actually knowing that, and having it work differently would encourage password reuse overall.

    Sure; I'm not asking for the exact same solution LastPass used here and in fact I think LastPass's solution to this was utterly stupid. I like your model a lot better.

    As you surmise, they're not "reused" between distinct sites in any way. They're just the same LDAP credentials used to authenticate to multiple URLs in the same organization. Unfortunately, the way they were imported, they show up as distinct credentials rather than a single credential with multiple URLs.

    1Password does, however, allow you to add multiple URLs to any Login item for just the use case of having a single account you need to sign into in different places. This also works with 1Password X and the 1Password.com web interface.

    Ok, that sounds like exactly what I want. How do I do that automatically, or at least somewhat automatically, from 1Password X? I have 100s of these things and clicking around 100s of times doesn't sound fun.

    Browser extensions are also Javascript and, no surprise, run within the browser environment. So I'm not sure what threats would apply to 1Password.com but not 1Password X. Can you elaborate?

    I don't really want to litigate this, both because it's totally irrelevant to the issue I'm having with your software and because I'm not any kind of browser or javascript domain expert. (I work primarily with C in the operating systems space, kernel and userspace.)

    My understanding, which may be incorrect or incomplete, is that browser extensions have the following distinctions from websites:

    1. They are delivered via a different and potentially more secure distribution system, which at least leaves an audit trail;
    2. They have a different trust domain / privilege level than ordinary website-delivered javascript;
    3. They are not subject to the same kinds of code injection issues that ordinary browser javascript is.

    But as I said, I'm no domain expert. Maybe these guys have more of a clue?

    I would greatly prefer a native application for Linux/FreeBSD. But you do not provide one. I hope to investigate using the CLI, and/or the Windows client under WINE when I get a chance. But I have not had time to do so yet.

  • brentybrenty

    Team Member

    As you surmise, they're not "reused" between distinct sites in any way. They're just the same LDAP credentials used to authenticate to multiple URLs in the same organization. Unfortunately, the way they were imported, they show up as distinct credentials rather than a single credential with multiple URLs.

    @c__: It sounds like you just need to add those URLs to a single Login item, and then delete the redundant Logins. Does what make sense?

    Ok, that sounds like exactly what I want. How do I do that automatically, or at least somewhat automatically, from 1Password X? I have 100s of these things and clicking around 100s of times doesn't sound fun.

    I'm not sure what you mean by "automatically". We really don't want 1Password making assumptions about where login credentials should be used. It should only offer to fill them at a URL matching what you have saved in the Login item. This is an important phishing protection.

    My understanding, which may be incorrect or incomplete, is that browser extensions have the following distinctions from websites:

    You make a lot of really good points, especially with regard to distribution. Unfortunately malicious and/or shady browser extensions are not uncommon. So it's important to only install one you trust, from a trusted source, and verify that you're not granting it permissions you might not want to. There are definitely risks with both, just as there are with native code running on your computer, just slightly different ones. We build all of our apps -- web and otherwise -- from the solid foundation of our security model, and we stay agile so we can respond quickly to any changes in the landscape. Apart from our own efforts in this area, we participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them.

    I would greatly prefer a native application for Linux/FreeBSD. But you do not provide one. I hope to investigate using the CLI, and/or the Windows client under WINE when I get a chance. But I have not had time to do so yet.

    WINE unfortunately has only very rudimentary .Net support, so 1Password for Windows will not work there. The CLI app is useful for automation though -- and perhaps you could utilize that to try to deal with some of the "extra" items mentioned above. It's not something we're able to do right now, but I'd love to see us have a native Linux app as well. Thanks for letting us know. :)

  • It sounds like you just need to add those URLs to a single Login item, and then delete the redundant Logins. Does what make sense?

    Yep.

    I'm not sure what you mean by "automatically".

    Automatically identify identical credentials; present them to me to yes/no for deduplication into the same credential item. If I approve, add the URL to the one item and remove the duplicate. Maybe the CLI would be the best way to do something like this, I'll take a look.

    WINE unfortunately has only very rudimentary .Net support, so 1Password for Windows will not work there. … It's not something we're able to do right now, but I'd love to see us have a native Linux app as well.

    Ah, that's unfortunate. On the other hand, I think .NET has started moving to having pretty good Linux support, so maybe a Linux native client wouldn't be too much additional work?

    Thanks!

  • Hi @c__,

    Sadly I don't think any of the existing, purpose built features in 1Password will help here but for the motivated person the CLI should definitely be able to handle this. The scenario is so narrowly focussed that I suspect while it would be neat, its usage would be so infrequent that 1Password would benefit from developer time elsewhere.

  • brentybrenty

    Team Member

    On the other hand, I think .NET has started moving to having pretty good Linux support, so maybe a Linux native client wouldn't be too much additional work?

    I think it's still far too early, but I agree that there's some interesting stuff happening for Linux in Redmond lately -- words I never imagined I would say. :lol:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file