Improving Security Audit

abrad45
Community Member
edited November 2014 in Mac

I've been exploring the Security Audit feature and cycling my old passwords. I realized a few pain-points in the process and wanted to write in and share them with you to hopefully make this process simpler for me and others in the future, and to improve a product I like so much.

  1. Many sites still don't allow for strong passwords: many times, characters like {}[](); are not allowed. It'd be great if there was a way to specify at some point in the password-recipe that you needed to disallow / only allow certain special characters. What I do now is use 1Password, and then go through and replace special characters with known, acceptable characters. _, -, # and @ seem to be safe on most sites.
  2. Security Audit is telling me that I haven't updated my Social Security Number in 4+ years. I'm okay with this ;) Same with credit cards and Bank Accounts. It'd be great for sensible defaults of which categories are included, or at least a way to choose which categories are included in settings (though I'd prefer sensible defaults).
  3. There are some sites which do not allow your password to be changed at all. I don't mean that I have to say I forgot and reset it via email: I mean there is no way possible to do this without contacting technical support (maybe not even then?). These are few and far between, but it'd be nice if there was a way to exclude an item from Security Audit (effectively, a way to touch the password in Unix parlance, such that you could update the date without changing the password). Currently, I'm adding a space and then removing it in a subsequent edit, which works but is time consuming.
  4. Anything you can do to make the process of changing passwords faster would be ideal. Once I find the screen with the "Current Password" and "New Password" x2 fields, I still need to take all of the following steps:
    1. Click 1Password in Safari
    2. Hover over the login for that site
    3. Click "Copy" next to the password (or use the keyboard to do the same), then paste into the Current Password field
    4. Click 1Password again
    5. Hover over Generate Password and click fill
    6. Save my new password
    7. About half the time, I need to then go back to 1Password and update the password myself because it doesn't do so automatically. I've not discovered a rhyme or reason for why some save and some do not

Also, if the password I tried to use was too long, contained "illegal" characters, etc. then I have to do that entire process over again!

It'd be wonderful if 1Password had a "change" button in the Site's password listing if you were currently on that site or something. It would ideally do steps 3-7 automatically: fill in the old and new passwords automatically, submit and save.

Finally, I've written in about this before but I think it's worth mentioning again: I really think 1Password should attempt to categorize sites' password restrictions such that when I go to generate a password on a given site, 1Password already knows what the maximum acceptable length is, which characters are allowed, etc. This would make the password setting and resetting process much quicker.

It'd also be a killer differentiating feature in the world of password managers, and help to encourage people to think less about their passwords which is the point of all this anyway ;)

Thanks again for a terrific product!

EDIT: grammar; added part about credit cards and bank accounts also being included in Security Audit in #2 above.

Comments

  • Stephen_C
    Community Member
    edited December 2014

    Forgive me for answering only your easy questions and leaving the remainder for others more expert. :)

    1. When you use the password generator just check Pronounceable and you'll be able to specify whether or not to use special characters (as well as some other things).
    2. Others have also requested this sort of control so you are not alone in wanting it.
    3. Again, others have previously requested the ability to exclude certain specified items from the security audit so, again, you're not alone.

    Sorry that there's only one real, concrete answer among that lot...but perhaps it's better than nothing while waiting for someone else to contribute!

    Stephen

  • littlebobbytables
    1Password Alumni

    Hi @abrad45

    To respond to some of your points.

    1. It is something that could be improved; we're just trying to figure out the best way of presenting this (ref: OPM-1378).
    2. No disagreement here either :wink: (ref: OPM-1004)
    3. Like Stephen_C, I see your point.
    4. This one has the potential to be more tricky. When we look at any reasonably well made page we understand what it's asking. If you were to look at the code underneath you'd probably want to tear your eyes out. It's why sometimes you're forced to use our guide for Saving a Login Manually as only then can 1Password gain an insight into which of the many fields present (many invisible to us as the user) we need it to fill and that's just for a login page. As you can imagine, it gets more tricky with pages to do with changing your password. That isn't to say we don't want to improve how it works, just the more I learn the more I realise why it's tough.

    As a side-note, don't you just love sites that don't even tell you about password restrictions and you have to work them out. As somebody who doesn't develop web sites I wonder if we couldn't have more standardisation for certain aspects to make all of this easier. I'm probably being completely naive in that of course.

  • abrad45
    Community Member

    @littlebobbytables you've got an amazing username. I laughed aloud. Thanks for that.

    I'm a Web Developer by trade so I fully realize that it's not as easy as just asking for the "new password fields" and the "old password field." With that being said, usually 1Password does guess correctly and when I ask it to fill a new password, it does it in the password and verify password fields.

    As far as creating passwords goes, I really wish that sites would just tell you when you set a password and when you are logging in again what those restrictions are. For instance, if you know that you don't allow passwords longer than fifteen characters, set maxlength="15" on your password field. If you know you don't allow certain characters in your password, tell the user on the front end. For users who don't use 1Password, this tool can allow them to remember which password they may have used. For users who do use 1Password, it allows us to verify that the password we have on file may be correct if we're having login troubles.

    Also, if a site has very poor password requirements and makes this information readily available on the login page, they'll likely be shamed into improving things (either by concerned users or malicious attacks on poor passwords) :stuck_out_tongue:

  • littlebobbytables
    1Password Alumni

    Hi @abrad45

    I'm glad I could make you laugh. Having amused you I do feel compelled to tell you that I started off as merely a customer of AgileBits before I was given this massive opportunity to join them. When I did I assumed I would have to retire my previous forum username but was told others loved it and I could keep it if I wanted. That's why others have nice normal usernames while I get to sport this homage to the great Randall Munroe. I actually have his new book making its way to me now, something I'm looking forward to reading. That's enough shameless plugging of xkcd now haha.

    I completely agree with you and I'm sure most here at AgileBits do too. It would make life so much easier if sites stated their password requirements. I still remember Microsoft's doozy where it turned out something like only the first 8 characters of a password were actually being used (that was from a while ago of course) or the hassle I've had with an NFL subscription where in three different locations where the same login is required I've eventually managed to discover, with significant cursing, that each had different restrictions on allowable passwords. Seriously, same login credentials but one refused to accept a password allowed in the other two places and another that only worked with certain sized passwords - utterly mental.

  • littlebobbytables
    1Password Alumni

    @abrad45

    Strength: Unacceptable :o That really did make me laugh... for all the wrong reasons.

  • smallcheese
    Community Member

    I thought I'd give this a little bump. I'd really love the ability to either manage the entries appearing in the security audit or for there to be a little more sense in it. I can't change my National Insurance (UK version of Social Security) number, and those little codes on the back of my credit cards are pretty sticky too, so I don't really want to see them in the audit - it's not a risk. Similarly, PINs for rewards cards and bank credit/debit cards.

    Similar, though slightly different, are wireless networks. I'm not in control of most of them, I just have a record so that when I inevitably have to reset my network settings or replace my iPhone I've not got to snoop around looking at the backs of my friends' routers.

    I've actually been on a bit of a passwords crusade too, trying to shame websites into fixing their poor password practices or broken implementations. Starting as I do with the de facto stance of maximum complexity and length, I then work backwards to work out what each site finds acceptable. Where I find, as in some cases, that the reality doesn't match the stated restrictions or no restrictions are stated at all, I challenge the website to fix it. I've had little to no success!

  • @smallcheese We're definitely looking into improving Watchtower & Security Audit to be a bit more flexible. Especially with being able to say "Hey, this one isn't really a risk". There's a lot of design and optimization to do for that behind the scenes, so it unfortunately is not really a quick thing to do. That said, we really want this, too, as we run into the same things ourselves.
