Disable "duplicate password" feature for some logins or a tag

24 Comments

  • Sebastian Rasch
    Community Member

    OK fair enough but why do you have ready-made email account items then to begin with? I think those are nicely organised because you can search specifically for only email accounts and you don't have to create all the necessary fields yourself in a login item. Anyway, it gets confusing from here and I guess it is down to preference in the end.
    The best solution would be to let us hide the double pw warning in certain cases. Or at least make the warning WAY smaller.

  • AGAlumB
    1Password Alumni
    edited July 2019

    why do you have ready-made email account items then to begin with?

    @Sebastian Rasch: Good question. The answer, of course, is that not everyone uses webmail. And when we first created 1Password, most people didn't at all. Ultimately it is a matter of personal preference, but I wanted to give some insights that might help you. :)

  • aporcano
    Community Member

    I am a new user who has been using KeePassX and Apple Keychain for some time. I am just getting to know 1Password and so far I'm not liking what I'm seeing here. There are some good things and I'm trying to give it some time, but there are multiple things happening in this thread that are a concern. For example (and sorry to call you out by name here) @brenty has disagreed with users when they were making a valid point that the app encourages items to be saved separately rather than adding as a URL to an existing item. This is where the app leads you, but instead he was quick to point out that the user did so on their own. I think just missing the point. There have also been several points where users are being told that they should adjust their expectations or preferences to suit the software. Sorry...Apple Keychain and KeePassX are free and if I'm going to go out of my way to pay for a product I expect that product and the people that support it to work harder to make sure I can use it the way I want to use it. If I want to disable a warning, then let me do it. I own cars, a house, raise 3 kids and manage a team of people. I think I'm good with making a decision about when it's OK to dismiss a warning from your enlightened software. Come on guys. If you want to keep customers fix this issue and stop preaching to your users.

  • Thanks for taking the time to share your perspective @aporcano. We're certainly looking at ways we can improve. We do feel it is important that we warn people about practices that put them at risk – that is what many customers are paying us for. That said, there is always a fine balance which we're trying to find and we aren't arguing that we've found it.

    Ben

  • aporcano
    Community Member
    edited August 2019

    @Ben thanks for the reply. I don't see anyone posting on this thread saying that warning someone is a problem. It's the fact that the software won't let you make a decision to accept risk and move on. I hope you guys figure this out soon since people have been posting about this for several months now. If you cannot find your balance, then I'm not sure it makes sense for me to stop using free products that worked reasonably well in favor of a paid product that isn't flexible.

  • @aporcano

    Ultimately we're not ever going to be the perfect fit for every use case. Going forward what I imagine possibly changing with regard to this feature is that we'll have the ability to specify that two or more login items are for the same credentials e.g. SSO, Active Directory, etc, where the same username & password allow you access to multiple systems. I don't suspect we will make it possible to disable the warning regarding unrelated yet duplicate passwords. That's what I mean by balance.

    I would be curious to hear what the desire to keep passwords for separate services the same is, though. The main point of using a password manager is to use secure unique passwords for each service. It is sort of a square peg, round hole situation to use 1Password to store duplicate passwords with no intention of making them better. You'd be defeating at least half the purpose, and as such likely aren't going to be getting the value you'd be paying for.

    Ben

  • aporcano
    Community Member

    @Ben I would prefer to have both the ability to link items together to tell 1Password that they are the same login and the ability to dismiss a warning from watchtower because last time I checked nannies were still for children. That said...if I had to choose only one of these solutions I would go for the linking. Is there any rough date when users could expect this functionality?

  • @aporcano

    We don't have plans to do the latter at this point. The former is something we'd like to do but we don't pre-announce upcoming features. As such I can't speculate about if or when that will happen. The best I can say is that it is something we've discussed at length internally and that it is something that I'm advocating for (passionately). We have quite a few irons in the fire with the upcoming Apple OS releases (iOS 13 / macOS 10.15) and so I wouldn't expect to see any movement until we're through that at the earliest.

    Ben

  • MJCypher
    Community Member

    +1 for this gap. I'm in the trial for 1Pass, looking at switching from Dashlane and this is a big gap for me. I work in IT and log into hundreds of vCenters and other web-based management interfaces with my work (AD Domain) account.

    As for the 'defeating the purpose' issue - I can't imagine that any less than half the users of 1Password work at a company that uses a domain for IAM purposes. I'd be mind blown if any less than 90% of those users use that domain credential to log into 2 or more webpages within the company, thus generating this obnoxious warning. If this 'feature's' purpose is to encourage users to be more secure by not reusing passwords, then the only way to possibly satisfy this feature's purpose is to go back to using local, decentralized password architecture which has a 0% chance of happening in a company larger than 20 people.

  • AGAlumB
    1Password Alumni

    The vast majority of 1Password users do not share this use case. But I hope we'll be able to come up with something that can help with this in the future as well. Thanks for your feedback. :)

  • vlado29
    Community Member

    Hello there, are there some plans already to have this "Reused Password" "feature" disabled on request?
    I recently moved from 1Password6 after using it happily for years (upgraded because it is not supported in new Safari anymore...), and this red banner is driving me crazy... I have also actively persuaded lots of my colleagues to go for 1password in the past, and every single one of them is also annoyed by this feature.
    As others here I (and other colleagues) use 1password as a kind of "service" or "server" repository (for servers in the office and also my own ones), because I need to have access on multiple workstations. And of course we use centralised passwords for lots of services, therefore for almost every service I see the red badge...
    I fully get your idea to teach people best security practices, but why don't you simply create some kind of advanced-advanced settings menu where I can turn on/off what I want? Some of your users are really power-users with lots of experience, but with an attitude like this you are actively driving them away from your product (I am considering other products just for this, it gets on my nerves seeing it the whole day...)
    You could still "enforce" kind of periodic audit for duplicate passwords, but there is no point in showing the warning all the time (I can imagine someone with duplicate passwords for a reason will probably either switch to different product or their brain will start to ignore the red warning, so it will miss the purpose anyway).

  • Lars
    1Password Alumni
    edited October 2019

    Welcome to the forum, @vlado29! There are indeed plans in the works. :)

    I fully get your idea to teach people best security practices, but why don't you simply create some kind of advanced-advanced settings menu where I can turn on/off what I want? Some of your users are really power-users with lots of experience...

    They are indeed, and we hear your concerns. But I think you'd be surprised - particularly if you take what you see on this forum as your guide - to learn how tiny a fraction of our overall userbase are "power users," however. That's not to say we don't take your wishes into account, but more to observe that warning most users that they're reusing passwords or have unsecured websites or passwords that have been disclosed in a breach, positively affects more users than the number who are annoyed at having to see a banner they'd prefer not to see.

    As to why we don't simply provide an "advanced preferences" toggle/checkbox/preference for such settings, there are a few reasons:

    • If we provide it, too many non-power-users will find it and potentially set it in a way that defeats its protection, without really understanding what they're doing or why it's not advisable to do so.
    • 1Password is not and never will be a "Pro" app in the way that some applications are designed for working professionals in a field (think: Photoshop). Such "Pro" apps have every conceivable option/feature/toggle/checkbox available, because working professionals often need such options, and are comfortable tweaking the UI/feature set to only that which they need and nothing else. The best of these apps hide the options behind preference panes or other non-obvious ways to reach "advanced preferences." The worst of them wind up looking like this:

    That's the kind of UI - whether displayed in plain sight or hidden behind an "advanced preferences" screen, that will drive non-technical users to conclude that the app in question is simply "too advanced" for them. We believe strongly that good security should be available to everyone -- and that means it needs to be non-intimidating and easy enough for everyone to use, as well.

    • Finally (and perhaps most importantly), the solution we've got in the works right now will allow for server-based individual user preferences in a shared vault/account. For example: a team of 20 shares a vault. Each person can set aspects of each item...but most of these preferences appear for everyone as soon as someone sets them. Favorite an item? It shows up in everyone's favorites. With a server-based approach, everyone will be able to set a preference that 1) will work across all native 1Password clients plus the web interface and 2) can be different for different users in a Shared vault. As you might imagine, that's a considerably more-intricate thing than just adding a Mac-only checkbox to hide or defeat a banner. Thanks for your patience with us as we work toward this solution, and keep an eye on updates and their associated release notes for news of progress on this issue.

  • Markus73
    Community Member

    I've a similar problem. In my case there are two entries, a wireless router entry and a login entry. The admin password is stored in both and the username only in the login entry. But apparently only the login entry can be used for autofilling when I go to the router IP in the browser. Is there a way to allow the router entry to behave like a login entry if I add username/website information when it comes to autofilling? Then I could get rid of the separate login entry.

  • ag_ana
    1Password Alumni

    @Markus73:

    Only Login items and Password items can be autofilled I am afraid, so if you need that feature, you might want to remove the wireless router entry instead.

  • AGAlumB
    1Password Alumni

    You can add any custom fields you need to though. ;)

  • 1Password_phippster
    Community Member
    edited November 2019

    I wanted to check in on this. As I just upgraded to v7, the big red warnings are messing up my workflow and requiring me to scroll the item on my smaller screen in order to view the one time passwords. The password isn't really re-used because it's an active directory password. I appreciate the fact that I can view re-used passwords by navigating to Watchtower -> reused passwords. I don't mind a small flag on the item itself, but the warning is so big in v7 that it's taking longer to log in than in the previous version. Can I turn off the warnings in the item or reduce its size so my task at hand (logging in) takes priority?

  • @1Password_phippster

    At the moment: no. That said we are well aware of the need to be able to do that and are advocating to make that possible (particularly for cases like Single Sign On/Active Directory).

    Ben

  • Lars
    1Password Alumni

    Welcome to the forum, @Macster18! Thanks for adding your perspective to this discussion. :)

  • 4irplan3
    Community Member

    I'd like this feature disabled as well. It's extremely annoying and frustrating. I'm sure everyone has a ton of websites that require a login but they wouldn't give any semblance of thought if their credentials got compromised.

    I know well enough to use secure passwords for important things like my banking information.

    I also absolutely don't care if someone compromised my account to a history discussion forum and used that password to gain access to... two other forums and a junk email address I use to sign up for said forums.

    I understand the rationale behind this feature, but putting an obscure button under two submenus and a giant red warning "DO NOT DO THIS" in app preferences shouldn't be that difficult to accomplish for users that are annoyed.

  • ag_ana
    1Password Alumni

    Thank you as well for taking the time to share your feedback too @4irplan3!

  • GoodBits
    Community Member

    +1 more. I occasionally have the same password for two very interrelated purposes. Would like to be able to tag to ignore, much like you allow for 2FA. Please confirm, that's currently not possible for the other WatchTower sections, right?

  • Lars
    1Password Alumni

    @GoodBits - it's available for the Unsecured Website section as well: you can add an http tag to websites where you know they don't have an HTTPS sign-in page (though this is horribly insecure). But for now, there's no way to suppress the Reused Passwords warning. We're working toward a comprehensive, server-based approach to this that will also allow individual user permissions on a given item in Shared vaults, but so far I don't have anything to announce as far as timelines or a roadmap for this feature. Thanks for taking the time to share your wishes on this, however! We appreciate it.

  • bretep
    Community Member

    Would love to see a solution to this problem. Specifically Microsoft Live and Skype have different login names, but sync the password. I've linked both of the accounts using the "Related Items" field in 1Password, but still get a big red box.

  • ag_ana
    1Password Alumni

    @bretep:

    Thank you for sharing your use case with us :+1: We will continue working on this to find the best possible solution.

  • bene
    Community Member

    I would also vote for such a feature. I know it's in the making but it doesn't hurt anyone if I am telling you again :)

    At ETH Zurich (Academic Institution) we use a system based on nicknames. For example if my name was "Susan Miller" the mail login would be sumiller@ethz.ch but the login to some other services is just sumiller. The password is by design the same so my Watchtower is notifying me on duplicate passwords I have no control over, while I am potentially missing some important ones...

  • GoodBits
    Community Member

    +1 more. I occasionally have the same password for two very interrelated purposes. Would like to be able to tag to ignore, much like you allow for 2FA. Please confirm, that's currently not possible for the other WatchTower sections, right?

  • Thanks for the input folks.

    @GoodBits

    HTTP and 2FA are the only such tags. :+1:

    Ben

  • Michichael
    Community Member

    Echoing the other users' annoyances. Watchtower is already a useless feature for any competent human being, give us the option to disable it. Shouldn't be hard to add a boolean option to hide a warning that my AD credentials are, shocker, re-used for other AD integrated applications.

    C'mon now. This is a great enterprise product, don't make horrible design decisions like this.

  • Thanks @Michichael.

    Ben

This discussion has been closed.