How do I disable the warning of a reused password?

2

Comments

  • VinnyTroia
    VinnyTroia
    Community Member

    +1 It's annoying if i use the password on THE SAME site but have different URLS.. .like the main login and the forum.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @VinnyTroia: I hope you're not talking about this forum. ;) Definitely use a unique password on each website if you can. If, however, you legitimately have to use the same login credentials across multiple websites, you can simply add multiple URLs to the login. Cheers! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sbarnea: I disagree with both the content and tone of your comments. I hope you'll consider your words more carefully going forward. There's no need to be aggressive or hostile, especially when we're talking about some merely informative text in an app.

    Tags are something we've considered, but the point was raised that this isn't really what tags are for. We'd like to offer something that's more flexible and intuitive if we can.

  • bourque
    bourque
    Community Member

    Another vote for allowing a method to disable the warning for re-used passwords. Case in point, since you're a Canadian company, have a look at Air Canada and Aeroplan. Different websites, same password for each (until they separate in another year ...)

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @bourque! We don't have any kind of formal "vote" system, mostly because taking a poll isn't how we decide what to work on next. But I do appreciate you taking the time to stop by and weigh in on this issue. Thanks! :)

  • bourque
    bourque
    Community Member

    While I appreciated that what you decide to work on isn't democratically determined, the voice of your customer is incredibly clear in this thread: yes, you have multiple kinds of users to satisfy, so keep them happy by providing a warning in the case where they weren't aware there was a duplicate. At the same time, enable your power users some control to say, "yep, thanks for telling me, but in fact this duplicate was intentional, and necessary."

  • AGAlumB
    AGAlumB
    1Password Alumni

    Indeed, about a dozen people have weighed in here. And thousands of people have requested various other features. This is definitely on our radar, but we need to listen to all of our customers, not just a few who are passionate about this in particular. I'm sure we'll do something in this area in time though.

  • tkambler
    tkambler
    Community Member

    Get rid of it now. Stopping fixing what is not broken.

  • The Doctor
    The Doctor
    Community Member

    ^^ just my humble opinion, but that's probably not the best way to encourage a productive dialogue.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I don't disagree. :) I'm not sure I understand what we were "fixing" that was "not broken", as 1Password is an app whose job it is to help people improve their security. Hence the warnings about bad passwords. But, as mentioned previously, we're exploring ways to make the feature more flexible without stopping 1Password from doing that job.

  • EarthAura
    EarthAura
    Community Member

    Hi, first off, I'm really glad you're exploring ways to remedy this issue! It has been bothering me ever since the banners appeared so I thought I'd weigh in with my view on the banners in general.

    I think the biggest issue with the banners (especially the red password re-use one) is how prominent they are, they really stick out and in 1P Mini they take up a large chunk of the content which distracts from what the user (me) wants to access (e.g. copy password). I realize there are work-arounds, like creating only one item in 1P with multiple URLs, but that's not always possible. For example, when you duplicate a password that's in a server-item, but you also want it accessible when you visit URL X and Y (login item). Another case is team vaults where you don't control all the content in there. Then there's also "insecure" websites, what to do when you don't control the domain and there is no support for HTTPS?

    Another argument against the banners, in my view, is that they simply duplicate the functionality of watch tower. For me personally, it would be ideal if there were no extra banners in the items. Instead I would keep on top of them via watch tower.

    One idea that might be good considering your goal (helping people secure their passwords) is to create a "password review", say, your vault has X unresolved issues which you can't dismiss without a review. During the review you select certain items to fix, and others you confirm are as intended. After reviewing, there would be no more unresolved issues (assuming you didn't leave some open) and there would be no more reviews until, say a new item was added to your vault that was a re-use/insecure/2fa etc. If the banners were kept in this setup, there would be a way to dismiss them via review, which would make me happy :smile:.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Yeah it's tough. We really can't win here. We really want those banners to be prominent. Otherwise they're easy to ignore, and that kind of subverts their purpose. For that reason, the banners likely aren't going away. We'll continue to iterate on them though, and having a way to remove them in cases where they are not actionable would be good. I like the concept of a "review", but having it not be dismissable would be a problem, at least with what I'm envisioning from your description. Even though some folks may not like their appearance, the banners at least don't stop anyone from getting stuff done; they're just a constant reminder of a security issue that should be addressed. Anyway, cool ideas, and we'll figure out what will help the most people without harming others. Cheers! :)

  • steffen
    steffen
    Community Member
    edited January 2019

    Happy New Year!

    To be honest I'm increasingly confused. In my case (which may or may not be representative for many other customers), the banners are 99% wrong. Wrong in a sense that they "detect" re-usage of passwords for one and the same website (such as different forums and logins at adobe.com) - i simply can't have many different passwords for one and the same account. As a concept is that too hard to understand?

  • @steffen

    No, that isn't hard to understand at all. I think the question then becomes why you have multiple login items for the same account / credentials? Does a single login item not work? It is possible to list multiple website fields on a login.

    Ben

  • steffen
    steffen
    Community Member

    Thanks Ben. I didn't know that this solution exists. Tried for adobe.com and confirm it works. Does it mean that i would have to go through all such items in my 800+ password list, item per item? Or is there a global mechanism for consolidating (that's what you're suggesting?) login items for multiple websites?

  • The Doctor
    The Doctor
    Community Member

    @Ben I'm not familiar with this approach as well...can you provide workflow and/or point to help page for it?

    That doesn't solve the underlying issue I have with the banners, but it would be helpful for other reasons :-)

  • Lars
    Lars
    1Password Alumni

    @steffen - there's no "global mechanism," mostly because we don't know what you'd intend 1Password to do in too many cases. 1Password is VERY conservative with your data, because, well, it's some of your most important data, and we don't want an automatic process combining or even deleting some of it because of assumptions we make that are different than the ones you'd make. I'm a little surprised, however -- are there really that many sites for which you have multiple logins, like this? I can understand a few, but I've just never heard of someone who has 800 of them. Maybe I don't get out enough. ;)

  • Lars
    Lars
    1Password Alumni

    @The Doctor - there's no specific set of instructions on our website for this, but for example, you can put both gmail and google URLs into the same 1Password Login record, so that you can click either one if you want to launch that specific URL, instead of having two records, one for "Gmail" and the other for "Google Account" or whatever -- which would trip the Reused Password banner/warning.

  • Lars
    Lars
    1Password Alumni

    @sbarnea - did you have a question about or issue with 1Password for Mac that wasn't addressed above? That's the purpose of this particular forum. I'm not quite sure what you're referring to: do you see any ads on here? If so, I'd worry about malware you acquired elsewhere injecting them on your Mac, since we don't have any, here or anywhere else on our website(s). This forum uses Vanilla as its backend, and while we can indeed change what format/content the email notifications users receive contain, what we've found over time is that if we include the full body of the post in the notification, too many users who aren't familiar with bulletin-board software would think they were responding by hitting "reply" on the email itself, and then be angry they didn't receive a response.

  • The Doctor
    The Doctor
    Community Member

    I'm not quite sure what you're referring to: do you see any ads on here? If so, I'd worry about malware you acquired elsewhere injecting them on your Mac, since we don't have any, here or anywhere else on our website(s)

    @lars gets better at witty and sarcastic replies (92)....you'd fit right in at any of our family gatherings ;-P

  • Lars
    Lars
    1Password Alumni

    @The Doctor - heh. While I do appreciate a well-turned witticism (mine or anyone else's), the above wasn't meant as a barb. I can make assumptions that @sbarnea was joking - which fortunately, it seems he was - but it's hard to be 100% sure, and I really try not to be sarcastic with users who are having problems and just want a solution or some answers. You never know what people's understanding of something might be, and what seems obvious to one person (especially someone like me or Ben or brenty, who do this all day, five days a week) might be much more opaque to someone else. So I try to remember to be kind and to not make assumptions unless I'm certain I understand what someone meant.

    Also, I just went through the holidays with my own family here -- plenty-o'-sarcasm there. ;)

  • Lars
    Lars
    1Password Alumni

    @sbarnea - I actually don't have the keys to this forum. I have staff member-level privileges, obviously, but I don't make the decisions about what kind of templates/info we use for things like that. But I'll certainly run it up the flagpole one more time. No promises, of course, but even for things where there's no real new ground and we've been through it before, it's never a bad idea to revisit the thinking around existing decisions occasionally. Keeps things intentional and flexible. :)

  • ryanro
    ryanro
    Community Member

    I will add my vote allow users to turn off (or control) these really annoying, unhelpful warnings.

    I've been a user of 1password since the beginning. I just upgraded to 1Password7. Furthermore (for the first time) I added all my family and moved (as Agile Bits wants) from purchased software to an annual account. So I'm a "good customer" -- upgrading versions, adding new users, moving to the recurring revenue model.

    The original point of 1Password was a balance of convenience and security.

    Convenience - a single password to remember, ease of managing all the passwords centrally, access everywhere.
    Security - encourage use of multiple (and more complex) passwords, encrypt the passwords.

    What happened is that the product designers have decided that convenience is not important, only security is. They made that decision for the users.

    Here are two examples:

    1. Warnings that I can't turn off. Warnings are fine, but let people turn them off. Any other software I use with warnings always allows some configurations of them. I am baffled by the design choice made here by the designers. I think they live a fantasy world (where everyone does things "right") vs the real world where people must balance security and convenience.

    2. The "secret key". With 1Password7 each family member has to have a long, impossible to remember key. I've had to print all those out and store them in a file cabinet. (paper printouts required! In 2019!) And I've had to store those online in case we need them when traveling. So actually I have both less security AND less convenience.

    I used to love (and recommend 1Password). Now, sadly, I can't recommend it. Having just set it all up for everyone over the holidays I'll keep it for a bit because I need to find some time to start all over. But one day I'll get round to it.

    Or maybe 1Password will hear the complaints of all their customers and start to make the software more convenient again?

    Here's hoping...

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ryanro: Actually, the purpose of 1Password has always been to make doing the secure thing more convenient. But I do appreciate that can be a deceptively small distinction. Apparently not everyone uses the same definition of the word "convenient". ;)

    For many people, it is considerably more convenient to have software let them know about things that would help them. Certainly not everyone feels that way, but we have to consider the broader 1Password userbase. The people commenting here would mostly classify as "power users" who, by nature, actively seek out ways to capitalize on their use of technology -- and in 1Password's case, that means consciously staying on top of security issues wherever possible. Folks like that are self-selecting for managing this stuff themselves. But as much as we love "power users" (and count ourselves among them), 1Password isn't just for that type of user: it's for everyone who wants to improve their online security. And since most people pay for software for expressly the purpose of making less work for them, it behooves us to have 1Password follow suit and help surface things that can help people make decisions about their data, without having to hunt and gather themselves.

    To address your specific points,

    1. Warnings are not hurting you, but being unaware of security issues does actually hurt people every day. So for now we're erring on the side of least harm.
    2. The Secret Key only needs to be entered when you sign in on a new device, and can be accessed on any device you're already signed in on. So, except in the case of you losing access to all of your devices at once, you really don't need to make an effort to keep it with you.

    Anyway, I'm sorry that you and some others find these things irksome, and we'll see what we can do to make these features more flexible in the future. But we need to take the wider world of 1Password users into account -- especially the ones who could use a hand with this stuff, and got 1Password for that reason. Thanks for understanding. :)

  • Marcu
    Marcu
    Community Member

    I don't understand way you keep telling guys that 1P needs to satisfy all users?! We are talking about a big red permanently intruded banner! What kind of customer is satisfied about this? (except those ho have about 3 or 4 passwords stored in the app and the banner is not visible)
    I'm pretty sure that no power user nor a simple privat user (I'm one of them ) has saluted your move. The banner ist not just put there to annoy users to death (in my case is nearly true) but also is disturbing your overview of the app and lead to hide/blocking details that is needed to be copied in that moment! A scenario, I had to copy/paste some stuff from 1P Safari extention and I couldn't see that important portion and was unable to copy because your beautiful banner was in the way! Is that really between life and death that the big red banner needs to be also included in Web browsers extentions?
    Like most users stated here, in some cases is nearly impossible to change the password.
    From enterprise companies that the administration won't have/allow/can't change the passwords to users all the way to novices user ho just have 1 simple password for 2 animated websites that most of the time his kids are watching the login needed content thru the Smart TV which btw 1Password will is no help in that moment so the kids needs to manually type in the password every time they switch on the TV! Or should I also need to tell my kids that 1password is forcing us to change the password!!!

    If you guys are saying that the banner will not be removed, then...will remain just 2 option for most users. Live with it or walk away. Me...? Surely I'll walk away to your best friends from Dashline, but just to finish, I really hope that you guys from 1P to never remove that banner and then to see your self and calculate how many clients remained and how many left like me because of your arrogant, stupid ambitiously move to proclaim your self in a position that is impossible to be yours and to force users to change their dublicate passwords.

    Good luck

  • AGAlumB
    AGAlumB
    1Password Alumni

    I don't understand way you keep telling guys that 1P needs to satisfy all users?!

    @Marcu: Literally no one has said that. But we do need to focus on work that helps a majority of users rather than a tiny fraction -- like self-described "power users", who don't even agree with each other -- or we don't have a sustainable business, we all have to do something else for a living, and then 1Password ceases to exist. That's pretty straightforward. I don't really think that 1Password displaying notices for security issues is harming you -- certainly not to the point of death, as you claim -- but if this is absolutely a deal-breaker for you, I do think it's best you use something else that's a better fit for your own temperament. As mentioned multiple times already, we'll continue to iterate on the design, but being rude and calling names isn't going to make us give you exactly what you want when you want it. If you're not able to hold yourself to some basic standards of conduct (which you agreed to earlier today when you joined), you will need to spend your time elsewhere:

    Forum guidelines

    And no matter what we'll continue improving 1Password over time for those who use it. Take care.

  • steffen
    steffen
    Community Member

    @brenty. That's all correct except that teaching customers is a bit awkward (please remember, we're not asking for a free service, just to allow us to keep using what we've paid for). Some of us a grown up (with families etc) and perhaps no longer need to be lectured...? I wish there were a bit more pragmatic reaction than mainly defence. Thanks for considering.

This discussion has been closed.