Weak Password for Pin code

I get a lot of warnings about Weak Passwords. That is because I have used the password field type in order to store my PIN codes. PIN codes are normally not very long, often just 4 digits.
Is there any way that I can tell 1Password that this "password" is okay to be weak? Or would it be possible to have a new field type that can contain a PIN code that acts like a password, so it has to be revealed, like the Verification Number field type for Credit Cards?


1Password Version: 7.1.567
Extension Version: Not Provided
OS Version: Win 10
Sync Type: Not Provided

Comments

  • Hi @SoftAllan,

    Thanks for writing in. This will be addressed in a future update, we'll add a rule not to include all digits up to 6 characters for weak passwords and reused passwords.

  • gordcook
    Community Member

    @MikeT

    This will be addressed in a future update,

    How is this update coming along? I'd like to be able to clean up my WatchTower report.

    In the meantime, what is the criteria for weakness? How long would a PIN need to be in order to remove it from the Weak Password category?

  • Greg
    1Password Alumni

    Hi @gordcook,

    Weak Passwords are items with passwords that are easy to guess. At the moment, your PIN/password should be at least 11 characters long in order not to show up in Weak Password category.

    As for the update: we bumped into some bigger hurdles along the way, so it is taking longer than expected. We will release beta when it is ready, but I do not have any timeframes for you at this point.

    Let me know if you have any other questions, we are always here for you. Thank you!

    ++
    Greg

  • JKauhanen
    Community Member

    How are those hurdles looking? I know a 4 digit PIN is a weak form of identification, but that's what my local library wants to use and I want to use my local library. What I don't want is looking at the Weak Password warning I get from 1Password about this. How about a feature that allows me to tag PIN code entries, and entries with that tag are excluded from Weak Password warnings?

  • AGAlumB
    1Password Alumni

    It's something we may consider. Thanks for the specific example!

  • [Deleted User]
    Community Member

    1Password X has a built-in PIN generator. It's weird that 1Password generates passwords that it then insists on calling weak!

  • It generates PINs, @lmcm, but the expectation is that these aren't used as passwords. If a Login item has a website associated with it, then these will be flagged as weak, but if it's an actual PIN used as an extra step of identification on a banking site or for something like your garage door and doesn't have a website, those will be ignored. Now, that said, we know that some sites make poor security choices when it comes to passwords and, sadly, that is just life. You may well use 1Password to generate those weak "PIN" passwords, too. That they were generated doesn't make them a good choice, but we have to accept what sites we have no choice about demand of us and we may as well make the best of it we can by at least not using our birthdays. :wink:

  • daver3k
    Community Member

    @bundtkate - Sorry to revive an old thread, but this is also an issue I've been running into for the past year or so and have finally worked up the energy to try and get it sorted. I'm replying specifically to this assertion:

    If a Login item has a website associated with it, then these will be flagged as weak, but if it's an actual PIN used as an extra step of identification on a banking site or for something like your garage door and doesn't have a website, those will be ignored.

    I use several smart cards that have 8-digit PINs; these smart cards have no associated website. I am currently storing them in 1Password as type "Password" (as opposed to creating a "Login" for them). The values that are stored are title/name - let's say "Smartcard X PIN" - and the PIN itself, as a masked password. This still shows up as a Weak Password under Watchtower. Even if I convert to a "Login" which has no username or website associated, it is still flagged as weak. What is the correct way to categorize these? I'd strongly prefer to not create Login items for them as there are no associated usernames, passwords, or websites. Ideally a "PIN" item could be added, or a "pin" tag applied, which would allow users to keep a PIN masked but not considered a password and thus out of the Watchtower weak list.

    Is there a solution for this? If not, please consider me as yet another member looking for a way to store PINs without a Watchtower flag.

  • No worries about reviving, @daver3k. 2019 me (was that really just a handful of months ago?) skipped a detail relevant to this discussion that so happens to explain your experience – we're defining PINs as being 6 digits or fewer. So, you've got 8 and it's thus not meeting those criteria. Password or Login, it won't matter. Given this is a PIN associated with a card, are these smart cards similar to bank cards in any way? Basically, how/when are you using this PIN? It might make sense to store it with some additional info as a different item type (neither Login nor Password), but that would depend on what other info you might reasonably store alongside it.

  • daver3k
    Community Member

    Thanks for the quick reply @bundtkate - AgileBits is much better at this responsiveness thing than another company I'm struggling with right now, and it is both refreshing and greatly appreciated.

    The smart cards in question are used for both physical and logical access. When used for logical access, they use an identity certificate on the card, much like a United States Department of Defense Common Access Card, or CAC. There really is no extra information to store - a title ("Building Access Card", "Administrator Network Card", etc) and the PIN are it. On at least one of the cards, I do have a choice to set a six-digit PIN, but I have chosen to use eight digits for better entropy, though both cards become locked out and require a hardware reset after ten (10) incorrect PIN entries and thus a six-digit PIN is likely sufficient. The other card requires an eight-digit PIN. All that having been said (well, written anyway), you mentioned that it might make more sense to store it in another way, and I am willing to try it. I would strongly prefer to keep it masked.

    I do see that a six-digit PIN is not flagged in Watchtower, as you noted above - it seems to me this resolves the issue for most (all?) of the other users in this thread. I don't expect a feature to be implemented just to make a single family-plan user happy, but: has there been any more discussion of perhaps adding a "pin" flag, much like "2fa" which goes on to all the sites that refuse to switch away from SMS-based OTPs? I am all about longer passwords, even using 10-word Diceware passwords for encryption keys, but sometimes an eight-digit PIN is required. I wouldn't care, except that having zero weak passwords tells me at a glance that I have no weak passwords, but having more than zero makes me compelled to click into them every so often and confirm that I don't accidentally have "p@ssw0rd#1" protecting my bank account.

    Anyway, thanks again for your responsiveness. I've only been a 1Password user for a year, but you guys continue to impress with both product and support.
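The thread gives two pieces of reasoning that are easier to see in code: the Watchtower rule as staff describe it (an all-digit value of 6 characters or fewer is treated as a PIN and skipped unless the item has a website; anything else shorter than 11 characters is flagged weak), and daver3k's point that an 8-digit PIN has more entropy than a 6-digit one but, behind a ten-try lockout, the extra length buys little against online guessing. The following Python is an added example written for this page; it is not 1Password's code, and the constants and the `has_website` rule are a model of what the replies above state, not the product's actual implementation.

```python
"""Model of the Watchtower weak-password rule as described in this thread,
plus the entropy vs. lockout arithmetic behind choosing a PIN length.

Assumptions (taken from the replies above, not from 1Password's source):
  * an all-digit secret of PIN_MAX_DIGITS or fewer characters is a "PIN"
    and is ignored, unless the item has a website attached;
  * any other secret shorter than MIN_UNFLAGGED_LENGTH is flagged weak.
"""
import math

PIN_MAX_DIGITS = 6          # "we're defining PINs as being 6 digits or fewer"
MIN_UNFLAGGED_LENGTH = 11   # "at least 11 characters long in order not to show up"


def watchtower_verdict(secret: str, has_website: bool = False) -> str:
    """Return 'pin_ignored', 'weak' or 'not_flagged' for one stored secret."""
    if secret.isdigit() and len(secret) <= PIN_MAX_DIGITS:
        # A short all-digit value is a PIN; it is only flagged when the
        # item is a Login with a website, i.e. it is really a site password.
        return "weak" if has_website else "pin_ignored"
    if len(secret) < MIN_UNFLAGGED_LENGTH:
        return "weak"
    return "not_flagged"


def pin_entropy_bits(length: int, alphabet_size: int = 10) -> float:
    """Entropy of a uniformly random PIN: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def online_guess_probability(length: int, attempts_before_lockout: int,
                             alphabet_size: int = 10) -> float:
    """Chance an attacker hits a random PIN before the card locks out.

    Each failed try removes one candidate, so with n tries against a space
    of size N the success probability is exactly n / N (for n <= N).
    """
    space = alphabet_size ** length
    return min(attempts_before_lockout, space) / space


def summarize(length: int, attempts_before_lockout: int = 10) -> dict:
    """Numbers a practitioner wants when deciding on a PIN length."""
    return {
        "length": length,
        "entropy_bits": round(pin_entropy_bits(length), 2),
        "online_success_probability": online_guess_probability(
            length, attempts_before_lockout),
        "watchtower": watchtower_verdict("0" * length),
    }


if __name__ == "__main__":
    # Constructed sample secrets, not data from the thread.
    for value, website in [("1234", False), ("1234", True),
                           ("12345678", False), ("correct horse battery", False)]:
        print(f"{value!r:26} website={website!s:5} -> {watchtower_verdict(value, website)}")
    print()
    for n in (4, 6, 8):
        print(summarize(n))
```

Running it shows why the 8-digit PIN is flagged (it is all digits but longer than 6, and shorter than 11), and that with a ten-attempt lockout an attacker has a 1 in 100,000 chance against a random 6-digit PIN and 1 in 10,000,000 against 8 digits; the extra bits only matter if the PIN verifier can be attacked offline, which a hardware-reset-on-lockout smart card is designed to prevent.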

  • We have some regret over adding those tag flags, to be honest, @daver3k. It was one of those things that seemed like a nice, user friendly way to give y'all some options when you're stuck at the time, but ultimately they're a bit hacky at best. I actually rather disliked them personally because I do need to use the 2FA flag on occasion, but I also already had Logins with active 2FA I'd need to save/disable if I got a new phone tagged with a 2FA tag so I had to totally change my organizational structure when we made this change. It's only a small fuss, but a fuss all the same and perhaps bigger for others with more data to manage. Short version? We feel we should have built something with the actual job of excluding things rather than using tags for a purpose beyond their intent. End of the day, though, that's neither here nor there at least until we have some time to consider alternatives.

    Anyway, thank you for the additional details about the card! Alas, I'm afraid I agree with you and there really isn't another good fit. I was really hoping it might have an ID number that would make storing it as a Credit Card or Identity item a bit more of a rational choice, but about the only reasonable alternative I can think of is a Document item with an image of the card and the PIN as a custom password field and that's not going to fix your problem. Given that, I think I'd go the hacky route. Disclaimer first – this is going to look just fine in view mode, but weird in edit mode and we're putting these PINs in fields that will be completely ignored by Watchtower so if you want any of Watchtower's functions to work for this field now or in the future, don't do it. If that's okay with you:

    1. Edit one of your Password items.
    2. Copy the PIN.
    3. Create a new Password type field below the default – click the green +, choose password, paste.
    4. Delete the PIN in the original password field.
    5. Save.

    That should exclude it. I'm abusing the rules here a bit – we only check the first password field so we're leaving that one blank to trick Watchtower into skipping the item entirely. As I said, hacky, but it'll work. :+1:

  • daver3k
    Community Member

    @bundtkate - This is a perfectly acceptable workaround. The PINs don't change often enough that I really care whether they are a few pixels lower in the Edit screen. This solves my issue. Thank you!

  • I'm glad it works, @daver3k! For what it's worth though, you might want to hold off on thanking me just in case. This is the sort of stuff I do myself because if my 1Password ever goes pear shaped, I can probably fix it myself, but any time you do something weird, there's some chance we'll break it because we didn't think of it when making a change. We wouldn't do anything that would jeopardize the data itself so I wouldn't worry too much, but I'm the paranoid type so just keep an eye on 'em and let us know if anything looks funky down the road.

This discussion has been closed.