[FEATURE REQUEST] ignore localhost from Vulnerable Passwords section

I have a few passwords saved for http://localhost that appear in the 'Vulnerable Passwords' section because they appear on 'haveibeenpwned.com'. I understand that you can add tags such as 'http' to ignore https suggests etc however i tried adding 'localhost' tag but doesn't remove them from the section. Are there any tags i can add to ignore them?


1Password Version: 7.3.1
Extension Version: Not Provided
OS Version: OSX
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    There are not. It's certainly something we can consider adding some other kind of option for, but our priority is to help people avoid password reuse because it is never a good thing. Thanks for bringing this up!

  • peteringram
    peteringram
    Community Member

    Yes i totally agree with that but as a software developer many like me have insecure localhost passwords. I really like the way adding tags for http, 2fa work so i think this would be a really use use case for adding a similar tag that affects the categorisation.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited July 2019

    Totally. Just keep in mind that while that may be the case for you and I, we have to consider all 1Password users, especially when it comes to security. We've come to the realization that we've been abusing tags for stuff like this and that isn't really a good long-term solution, so we want to come up with something better. Thank you for your feedback on this. :)

  • deviantintegral
    deviantintegral
    Community Member

    I've had other cases where this comes up and some way to ignore an item would be useful:

    • Passwords for physical devices like garage door openers, where presumably every number combination exists in the haveibeenpwned database (since they are typically limited to 4 numbers).
    • Passwords I don't have the ability to change (typically with work, where the best I can do is say "you should really change this" but can't enforce it myself).

    Any chance of adding a feature request for this?

  • Hey @deviantintegral! The feature request has been noted, but there's nothing new to share on this front at this time. Thank you for raising the issue again. :smile: I feel your pain with not being able to alter certain passwords — as much as my in-laws' Wi-Fi password stinks, I can't get them to change it, so I have a warning in my own Watchtower alerts for something like this.

    One thing I will say is that unless you have a website value added to your item, you shouldn't be seeing Watchtower warnings for PINs of six or fewer digits. If you are, can you share an image of what your item looks like, of course redacting the sensitive information, but still showing the overall structure of the item, so we can better understand what you're seeing here?

  • deviantintegral
    deviantintegral
    Community Member

    Ah, it's the 6 digit limit! My voicemail is currently set to an 8 digit random number, and it triggers the weak password warning.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah. That's a first for me. Thanks for sharing!

  • kbrice
    kbrice
    Community Member

    How about for web sites that requires an insecure PIN? I still want the URL there, but I can't fix it, and ideally I don't want the PIN event sent to the service while still getting protection for my secure passwords.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the additional example :+1:

This discussion has been closed.