Reused password warning

lotsofjoy
Community Member

For work, I have two different sites that work off of the same password. Literally, if I change the password on one of them, it automatically changes for the other. And I have to change that password every 90 days.

Now, every time I change it and try to make both entries work (with the same password) I get the annoying Orange box that tells me
REUSED PASSWORD
Don’t use the same password on multiple websites.
Generate a unique password to improve security.

and I can't figure out a way to make it go away.

Someone please tell me that there is a way to tell it that I KNOW it's the same password and it needs to shut up about it? :D ;)

Thanks!


1Password Version: 7.2.4
Extension Version: 4.7.3.90
OS Version: OS 10.14.2
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    @lotsofjoy - unfortunately, there isn't currently a direct way to suppress this banner, as there is with the Inactive 2FA warning and the Unsecured Website banner. One thing you might consider doing is adding one of the sites into a secondary website field in the first item, then deleting the second item. That would remove the banner, but it would also mean you wouldn't have a dedicated item for the second site. There are trade-offs either way. If it helps, we are looking into ways to make these warnings suppressable on an item-by-item basis, but I don't have anything to announce on that score just now. Thanks for your patience and sorry for the inconvenience.

  • angellusmortis
    Community Member

    One thing you might consider doing is adding one of the sites into a secondary website field in the first item, then deleting the second item.

    This really only works if all of the applications/sites share the same username. From my experience, it is pretty common to use LDAP, AD, or SSO to synchronize passwords across various applications, but then those individual applications may still have their own slight variations of usernames.

    Like a good example is your Enterprise WiFi taking DOMAIN\username, your email account taking username@domain.com and your bug tracker or something taking just username.

    Being able to remove the Reused Passwords banner for these items would be really great. The first suggestion that comes to my mind is the Link existing functionality. Perhaps if two accounts are linked as related items, the banner should not appear?

  • Lars
    1Password Alumni

    @angellusmortis - it's definitely not a perfect solution, but it will work in many cases -- just not the ones you outlined (and a few others). However, as I've mentioned a few times in multiple threads on this topic, we're looking into more-durable ways to allow users to manage these warnings without defeating the entire point of having them present. Stay tuned to the updates and their release notes for new developments on this issue, and thanks for taking the time to share your insights on this issue with us. :)

  • angellusmortis
    Community Member

    Thanks for the feedback. All I care about is that you guys are working on a solution to manage the warnings.

  • Lars
    1Password Alumni

    :) :+1:

  • mOUs3y
    Community Member

    Or should I just save a single entry called "work domain account" and just use that to fill in websites I know use the same account?

  • Lars
    1Password Alumni

    @mOUs3y - you would need to be sure to add the correct URLs to the various services into the Login item, and you would have to click the specific URL you need to launch that site and fill the credentials, but yes, that should work for most setups.

  • jeremywsherman
    Community Member
    edited March 2019

    Like a good example is your Enterprise WiFi taking DOMAIN\username, your email account taking username@domain.com and your bug tracker or something taking just username. (angellusmortis, 29 Jan 2019)

    I came here looking for a solution to precisely this issue: Kinda-sorta-single-sign-on that can't agree on what the username should be.

    If I could pair the Websites with their Username, I would be able to get away with the suggested solution.

    As it is, I think I'm going to wind up with exactly 3 different entries duplicating the SSO password, one for each of the variants angellusmortis called out: realm\user, user, and email.

    If things improve around this in future, or we gain a way to "indirect" the password ("password is the password from this related login item"), I'm all ears. :)

    Edit: I see this isn't a new request: https://discussions.agilebits.com/discussion/comment/487522#Comment_487522 came up with the same two workarounds.

    My original search for this was something along the lines of 1Password ActiveDirectory LDAP reused password warning, and it had no hits then, but it should now. ;)

  • @jeremywsherman

    Thanks for adding your thoughts on this. We have some ideas we've been brainstorming on to try and address this. I can't make any promises at this point but we do have one idea that seems to have bubbled to the top and I think we may be able to give it a try. I'm sorry I'm not in a position to be more specific than that at this point. Hope to have more in the near future.

    Ben

  • gek
    Community Member

    @Lars @Ben Any update on this? I also run into this with an LDAP-backed yellow page system where the same password is used on many different systems and components. I have different entries for each system because I place security notes in each entry. I'm sure this is the case in many production Unix shops.

    I'm not upgrading until it can be fixed because it is such an annoyance. Any time frame when it might get fixed?

  • @gek

    I couldn't guess at a timeframe; it'd be pure speculation. We're in the process of building the underlying framework that we're hoping to use to build this feature on top of. There is a fair bit of work to do so I would not expect to see it available in a stable release in the short term. That said, we do recognize the impact this situation has and are keeping that in mind as we set our development priorities.

    Ben

  • Lars
    1Password Alumni

    @gek - asking the same question in multiple threads also won't increase the likelihood of getting an answer that suits you, nor increase the speed at which you get your answer; it just slows support times for everyone including you. This seems to be the only issue you're interested in commenting about here, and that's fine -- but please remember that there are other users who need our assistance as well. Thanks.

  • gek
    Community Member

    @Lars Why are you so defensive and negative towards my question? I am interested in getting this resolved but haven't checked your site or posted anything for around 4 months. I'm trying to get a product I generally really like to meet my needs. I put one line in another thread and a detailed response here--not a huge burden on your support staff. If you have an issue dealing with me for whatever reason, can I ask that you try and hide that fact from me?

    And I got a really great response from @Ben that makes me really happy about your product and looking forward to a future resolution.

    I'm going to go away for another 4 months or so. Thanks for your help.

  • Lars was just asking for the same courtesy that is expected in any support operation. Asking the same thing in multiple places or through multiple venues causes twice as much work for us, which slows down the process for everyone. I'm sorry you interpreted what he was saying as being defensive - he was just explaining the situation and requesting the rules be followed:

    Unless requested to do so by an AgileBits Team Member, please do not contact us about an issue by multiple support channels (e.g. both the forum and email). Doing so slows down the support process for everyone by causing duplication of effort.

    Thanks.

    Ben

  • gek
    Community Member

    Hi @Ben and @Lars,

    I didn’t ask the question in multiple support channels, I asked in two threads that were over three months stale. I don’t come here that often, I’m not sure what kind of CRM you have and had no idea if @mentions were going to become action items for you. I think posting two posts in 4 months doesn’t constitute abusing the system even if they were asking the same question and it was pretty salty to write a call-out post just for that. It is easy to feel angst and let that show in a post, but professionals can hopefully resist the urge.

    To my point, @Lars said get “an answer that suits you,” which clearly implies that I didn’t like the answer given and keep asking to try to get something different, which clearly wasn't the case. Also, why bring up that it is the only question I’m interested in? It is true, but why bring that up? Saying it is fine makes it seem like it is possible that only being interested in one thing might not be fine to some people?

    And when @Lars says that I should remember that other users need assistance as well, I don’t quite understand. I placed one extra post in one extra thread one time. Except for that, I’ve been coming back every 4-5 months for updates and otherwise am silent. Am I really gumming up the works to an extent that needs to be called?

    There was no other point of @Lars's post except to let me know that he wasn’t pleased with me. There was no information about the issue in the post except his displeasure with me. I’m not sure why my post was disliked so much, I don’t think it was rude, but I do think somehow it caused ire, because @Lars's response was only to show displeasure. What’s the point of that from a customer service agent?

    Anyway, I like your product and use it a lot. Glad you have plans to change this feature for all the users who need to deal with situations where it doesn’t work.

  • AGAlumB
    1Password Alumni

    @gek: Thanks for the feedback. The reality is that it slows down the support process for everyone when we're responding to the same person in multiple places, both because it takes time to read multiple posts and write multiple responses, but also just as far as it causing confusion for everyone involved. Could some of this additional back and forth have been avoided if none of us had mentioned that? Perhaps. But then you might not have been aware, and I do think it's important that people are aware of the rules and considerate of others as a result. I apologize if Lars offended you by bringing it up. I know that wasn't his intent, but I'm sorry if his suggestion came off that way. I'll leave it at that, but if you need help with 1Password too please let me know.

  • Lars
    1Password Alumni

    @gek

    There was no other point of @Lars's post except to let me know that he wasn’t pleased with me. There was no information about the issue in the post except his displeasure with me.

    I'm sorry my words made you feel that way; I wasn't displeased with you, and my intention wasn't to be defensive or negative. Our jobs here in this forum are to answer user questions and help those who are having problems, and we're happy to do it! There aren't a ton of rules for posting here because the main focus is on helping people with an application that stores some of their most important data, because it's a problem for most people if a problem makes that data unavailable even temporarily.

    One of those rules, however, (as Ben mentions and links to above) is not asking the same question in multiple places because it slows down the process for all users of getting the solutions and answers they need. Not everyone reads through those guidelines (heck, I'd guess most of us don't, when we sign up for things; it's frequently a lot to get through), so when we see this kind of multi-posting happening, we remind people and explain why we ask everyone to refrain from it. That's all that happened here. If it truly had been "two posts in 4 months," none of us would've mentioned it at all; that's entirely ordinary and unremarkable. But you posted the same thing in two threads on July 10 (which is what I linked to). That's why my initial reply didn't mention anything like this reminder (but my reply here did): because at the time of my initial reply, I hadn't yet seen the multiple postings. So, please feel free to continue to check in with us on this or any other issue, at any time, and we'll give you the best answer we can. :)

  • In any event: we're well off the rails here. Question asked and answered: this is something we're hoping to address in a future update, but aren't in a position to make any promises.

    Ben

This discussion has been closed.