Reused passwords - finds the same password in Logins and Passwords folders

Hi,

I'd like to use the same password twice as little as possible. To figure this out I could have been using the Reused passwords folder; however, it will list all passwords in the Logins folder that also have the same password in the Passwords folder. This makes no sense as the Passwords folder contains passwords generated by 1Password itself.

So, let’s say I go to Netflix.com and generate a password using 1Password. This password will be stored in both the Logins and Passwords folder. From there the Reused passwords folder will generate a warning saying this is a reused password (!)...

How can I filter out the Passwords folder?


1Password Version: 7.3.684
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • The fix here will ultimately be to tidy up any Password items that have corresponding Login items, @Hoggorm, but that's not something we've automated just yet. You're absolutely right that most use Password items only when they're automatically created by the Password Generator, but that's actually not their only purpose. Many folks (myself included) use these items to store passwords that don't have corresponding usernames. For example, I have one storing the password for our security system. It's just local so it doesn't have a username. I also have the passwords for our wifi routers stored as Password items so it's easier to find just that one bit of info than it is sorting through everything I save in my Wireless Router items. We want Watchtower to find reused passwords for these sorts of items and right now we can't differentiate those from the items saved by the Password Generator.

    This is absolutely something we want to improve, but we want to do it right – by cleaning up the automatically created Password items for you. That's something that will be coming in a future update. For now, I recommend periodically tidying them up yourself. What I do to make this less onerous is I try to do this at least once a month (more often, if I'm up for it) and remove all Password items older than one week. I figure if I haven't needed that Password item for a week, I probably won't need it at all. So, I select my default vault for saving, select the Passwords category, sort by date created, and delete everything a week or older in one fell swoop. Since I actually make use of Password items beyond those automatically created, I also make sure those Password items I do need are in a different vault so that I don't accidentally clean them up along the way, but also don't have to think too much about what I'm tidying.

    I know it's not perfect, but I hope this helps and I look forward to bidding this system farewell when we've improved this process down the road. :chuffed:

  • Hoggorm
    Community Member

    I see. Not the best solution, but fair enough I guess. It is a workaround.

    Thank you

  • Hoggorm
    Community Member

    Maybe it could be possible to include an option to ignore certain password duplicates?

    For example, I have one item that shows up with the warning that the password is reused. This item however is the same, it is just two different URLs I can use to log into the relevant account. One example could be Google and YouTube. It shows up as reused but is the same as the same login details are used both places.

  • AGAlumB
    1Password Alumni

    @Hoggorm: In your case, it sounds like you just need to save both URLs in a single Login item, since it's literally the same account. That would solve it for you. ;)

    I don't think it's a good idea to ignore duplicate passwords, otherwise we're all back to square one as far as bad password hygiene...but we are evaluating options as far as allowing notices for specific items to be dismissed. Thanks for the feedback. :)

  • pogues
    Community Member

    I would like to add one more item to this. I have a few email accounts set up in 1Password. I also have the same email account set up as a login for the web so I can access this from machines where I do not sync my email. These are exactly the same account so need the same password, however, I cannot (to my knowledge) add a URL to the email account to enable me to do away with the login item. For this some kind of tag so I can mark specific items to not appear as duplicates would be useful.

  • It actually makes sense that those should be excluded by default to me, @pogues. Although you're right that there's no website field for an E-mail Account item, we already do have rules in place to exclude passwords "reused" for the same account in different items (in quotes because these obviously aren't genuinely reused) by not flagging items that have the same username and URL as well as the same password. You are in the same situation here – you're not reusing a password, you simply have two items for the same account because each item serves a different purpose (fillable Login item for webmail, more detailed E-mail Account item for e-mail clients).

    There may be a good reason we don't do this that isn't coming to mind and we'd need to come up with a new way of matching these up since we can't use the website URL like we do for Logins, but I've gone ahead and brought it up to our development team. This obviously doesn't guarantee changes will be made nor if they are that they'll be made soon, but I think it's a worthy discussion to have at the very least. Thanks for taking the time to share. :chuffed:
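
An added illustration (not 1Password's code and not part of the thread) of the rule described in the reply above: items that share a password are reported as reused unless they also share a username and URL. The item fields, the sample vault and the hostname-based URL comparison are assumptions; note that the generator leftover is flagged because it carries no username or URL to match on.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample vault; field names are assumptions, not 1Password's export format.
ITEMS = [
    {"title": "Netflix", "username": "ann@example.com",
     "urls": ["https://www.netflix.com/login"], "password": "gen-1"},
    # Generator leftover: a Password item has no username and no URL.
    {"title": "Generated: netflix.com", "username": "", "urls": [], "password": "gen-1"},
    # Two items for one account (same username and URL): not real reuse.
    {"title": "Webmail", "username": "ann@example.com",
     "urls": ["https://mail.example.com/"], "password": "mail-1"},
    {"title": "Webmail (old item)", "username": "ann@example.com",
     "urls": ["https://mail.example.com/login"], "password": "mail-1"},
    # One item with several website fields, as suggested in the thread.
    {"title": "Tickets", "username": "ann@example.com",
     "urls": ["https://tickets.example.com", "https://tickets.example.co.uk"],
     "password": "tix-1"},
    # Genuine reuse across unrelated sites.
    {"title": "Forum A", "username": "ann", "urls": ["https://a.example.org"], "password": "same"},
    {"title": "Forum B", "username": "ann", "urls": ["https://b.example.org"], "password": "same"},
]

def account_keys(item):
    """(username, hostname) pairs naming the account(s) this item signs in to."""
    user = item["username"].strip().lower()
    hosts = {(urlsplit(u).hostname or "").lower() for u in item["urls"]}
    return {(user, h) for h in hosts if user and h}

def reused_passwords(items):
    """Return sorted title lists for passwords shared by more than one account."""
    by_password = defaultdict(list)
    for item in items:
        by_password[item["password"]].append(item)
    findings = []
    for group in by_password.values():
        accounts = []  # each entry: (account keys, item titles)
        for item in group:
            keys, titles, rest = account_keys(item), [item["title"]], []
            for acc_keys, acc_titles in accounts:
                if keys & acc_keys:  # same username + URL: same account
                    keys, titles = keys | acc_keys, titles + acc_titles
                else:
                    rest.append((acc_keys, acc_titles))
            accounts = rest + [(keys, titles)]
        if len(accounts) > 1:
            findings.append(sorted(t for _, ts in accounts for t in ts))
    return sorted(findings)

if __name__ == "__main__":
    print(reused_passwords(ITEMS))
```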

  • rbur004
    Community Member

    Having a way to tag two password entries as using the same underlying authentication system would be nice to have, so they don't show up in the duplicates report.

    I have 15 duplicates showing up, but they are all legitimate (and they all have URLs).

    • eventbrite.co.uk, evenbrite.com and eventbrite.com.au all have the same credentials.
    • Koordinates.com and data.linz.govt.nz have the same credentials, the former serving data for the latter.
    • account.ui.com and account.ubnt.com are the same place.
    • ...

  • Are these items where you could conceivably add these sites as additional website fields in a single item, @rbur004? In the case where you have the same Login across site regions or simply different pages with different domains where you need to sign in to the same site, my recommendation is to use one item with multiple website fields. That way, you can still fill across those pages, but you won't see duplicate password warnings because they're all part of a single item.

    There are definitely good reasons to have two items using the same password at times and this isn't a solution for every one of those, but it should work based on your examples. Give it a go and see if it does work for you. If so, you'll get to eliminate those warnings and tidy up your vault a bit in one fell swoop. :chuffed:

  • rbur004
    Community Member

    Thanks. I didn't know that that was an option.

  • ag_ana
    1Password Alumni

    On behalf of bundtkate, you are welcome! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • laugher
    Community Member
    edited November 2019

    I also use the Passwords category to hold passwords that I don't have a corresponding login name for but...

    • Could you not have Reused Passwords watchtower flag passwords that are saved but not generated?
    • Could we move the passwords that don't have a corresponding login name to a category called "Saved Passwords"?
    • Could we move those that are not saved into a "Generated Passwords" category?

    It's also cleaner that way. I have to do a search in the Passwords category today in order to find that password I considered unfiled amongst all the generated ones I don't actually end up using.

    That way, Reused passwords will only trigger those that are duplicates in "Logins" and/or "Saved Passwords"? I for one am happy for "Generated Passwords" to be automatically cleaned up as an option. For example, flush it to trash every 60 days.

  • AGAlumB
    1Password Alumni

    I also use the Passwords category to hold passwords that I don't have a corresponding login name for but...

    @laugher: If they need to be filled, a Login would still be more appropriate, as that's the use case we design around; if they don't, a Secure Note might be good.

    Could you not have Reused Passwords watchtower flag passwords that are saved but not generated?

    It's an interesting idea, but that's not the direction we're going with generated passwords for various reasons, and that would exclude many passwords that absolutely do need to be changed, especially for people who recently started using 1Password and have passwords they made up themselves for websites, which makes reuse common.

    Could we move the passwords that don't have a corresponding login name to a category called "Saved Passwords"?
    Could we move those that are not saved into a "Generated Passwords" category?

    We're very resistant to adding even more categories, for good reason -- many of the ones we have already are of questionable utility. You should look at what we're doing with the Password Generator History in 1Password X. That's more the direction we're going with this. :)

    It's also cleaner that way. I have to do a search in the Passwords category today in order to find that password I considered unfiled amongst all the generated ones I don't actually end up using.

    I hear you. That's where using Logins or Secure Notes -- or, really anything else -- would be better.

    That way, Reused passwords will only trigger those that are duplicates in "Logins" and/or "Saved Passwords"? I for one am happy for "Generated Passwords" to be automatically cleaned up as an option. For example, flush it to trash every 60 days.

    I would love it if we could do that someday. But as it stands we've got millions of users who have generated Password items, and having them "cleaned up" would almost certainly result in loss of data that some people need.

  • laugher
    Community Member

    @brenty Generated passwords which have questionable value. I'm pretty sure about 95% of the generated passwords are either now defunct for me or already expired and no longer in use. Just because you have junk in your inbox doesn't mean you should leave it in there as a status quo. You need to jump in there and clean it up!

    Tagging newly generated passwords with an expiry flag unless the user marks it as "Saved" is an important step to stop it from piling up with even more junk, making the cleanup task, if there is one in the future, much bigger than it already is.

    Just my 2c I guess.

  • AGAlumB
    1Password Alumni

    You don't want to see my inbox, and likely many others'. :lol: Anyway, you may feel that feature is not valuable to you, and I respect that, but I regularly talk to people who are really grateful for the generated password safety net when it helps them avoid getting locked out of an important account. But if Password Generator History continues to be a success, that will help a lot. Time will tell. :)

  • laugher
    Community Member

    @brenty I'm not going to jump onto the membership wagon just yet to see what direction you folks are going. One of the obstacles is that geographical isolation/zoning I talked about in the other thread. If you ever sell a licensed version of 1Password X and allow the vault to be hosted in another cloud provider, I'll try it then.

    I can only speak from my own experience and experience of others around me who use 1Password. A lot of them just leave that folder/category growing out of control. Respecting your own perspective of course, this is just another perspective from a user and the OP who also appears to be in the same boat (or he wouldn't be complaining about Duplicate Password issues).

  • AGAlumB
    1Password Alumni

    I understand completely. Thanks for sharing your perspective. :) We don't currently have plans to offer a "standalone" version of 1Password X though, as that is problematic for both technical and licensing reasons.

    The topic of this discussion however is about a known limitation of the current Windows app, which does not automatically clean up the generated Password when the Login is saved. That's something we'll be improving in an update. :+1:

This discussion has been closed.