Watchtower: Reused passwords (esp. w/r/t SSO)

Alex Hill
Community Member
edited September 2020 in Mac

I have a work account in which I have to use different usernames in different situations, i.e., "username" on one system and "employer\username" on another system (both accessed through a web browser; the first is also my email username and password). They're the same account, so the same password. Is there a way to handle this cleanly? What I currently do is I have two separate entries in 1Password, one with the first URL and username "username"; the other with the second URL and username "employer\username".

That works fine, except 1Password gives me a giant red warning that the password is duplicated and lists the entry in the Watchtower. Also, if I have to change the password, I have to do it in both entries.

I tried the "link items" option in the entry to link the two items. They show up as linked, but that doesn't convince 1Password that it's OK that the passwords are the same.

Is there a cleaner way to handle this?


1Password Version: 7.3
Extension Version: 7.3
OS Version: OS X 10.14.4
Sync Type: iCloud

Comments

  • Tribruin
    Community Member

    I brought up a similar situation. I have several systems at work that use different domains but all use our AD account for authentication. I would like to be able to link accounts so that 1Password knows the password is supposed to be the same (or even better, allow one entry to be a main password and link each entry's password to the main password).

  • Hi folks,

    There isn't currently an elegant way to handle this for sites that require different usernames. We have done some brainstorming on the topic and hope to be able to offer a solution in the future. :+1:

    Ben

  • Tribruin
    Community Member

    I see the topic came up a few years ago, but all the discussions have been closed. I wanted to re-open this topic and see if Agile Bits would consider looking at this feature again.

    With the expansion of both LDAP integration and AzureAD (along with other SSO providers), it is becoming more and more common to have a single common password for multiple websites. In a company that has a hybrid AD environment, it is likely that you have a single AD account, but, depending on where you are logging in, you may use either a username (user) for LDAP integrated sites or a fully qualified name (first.last@company.com) for SSO integrated sites. Either way, the password will be the same but the login id will be different. As a result a person will have at least two login entries. If, as I use 1P, I keep separate entries for separate web sites, I end up with multiple entries all with the same password.

    This is inconvenient for a couple of reasons. (1) 1Password now keeps nagging me that I have a reused password and (2) when I change my AD password, I have to go and update all the various login entries to update the password.

    Ideally, I would like to see some way to link the passwords to a master entry. So when I change the password on the master entry, it is automatically updated on the child entries.

    At minimum it would be nice if there was a tag, like the 2FA one, that would suppress the "Reused Password" warning. I know I am reusing my password.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • ag_ana
    1Password Alumni

    Hi @Tribruin!

    Thank you very much for taking time out of your day to share this feedback! We appreciate every idea that could make 1Password even better.

    I can see how this could be useful to you, so while I cannot make any promises, I can tell you that I have shared your feedback internally :)

    Once again, thank you and have a wonderful day!

  • mmoud
    Community Member

    +1 from me for this feature. I am in the same boat where all my logins are shared as all connect to Active Directory. Please add this.
  • Thanks for chiming in @mmoud. :)

    Ben

  • DaVince
    Community Member

    Hi,

    I'm running into this as well right now. Has anything come out of the brainstorm session?

    It seems to me that a decent solution to this would be to allow multiple username fields, and display autofill suggestions as individual items in the list, as if they were two separate entries.

  • ag_ana
    1Password Alumni

    Not yet @DaVince, sorry! But thank you for your feedback! :+1:

  • FreeeG
    Community Member

    I have a similar problem where some logins require a domain to be appended to the username.

    Usecase 1:
    username: usrnm1
    password: pwrd1

    Usecase 2:
    username: usrnm1@domain.com
    password: pwrd1

  • Thanks for sharing @FreeeG. We're aware of those cases (as well as the less common DOMAIN\usrnm1). Hopefully our development team will be able to come up with a solution. :+1:

    Ben

  • lpopesco
    Community Member

    I have a similar issue here. With the same domain password, I can either log in as:

    id1234
    myname@company.com
    domain\id1234

    It would be great if I could consolidate all of these separate 1Password logins into a single one.

  • ag_ana
    1Password Alumni

    Thank you for sharing your examples as well @lpopesco :+1:

  • vasbinde
    Community Member

    I also have a similar situation, where three separate work systems use the same password, but three usernames in different formats:

    • DOMAIN\username
    • username@fullcompanyFQDN
    • emailaddress@OfficialCompanyFQDN

  • Thanks @vasbinde. We have seen that type of setup before and are looking at how we might best address that use case within 1Password. :+1:

    Ben

  • stvkpln
    Community Member

    Before I ramble on here for a sec, I just want to say that I do appreciate the commitment from all of the employees who are active and engage with the community; it's a big part of why I remain a loyal customer (even if I don't post often / hardly ever). You guys are awesome, and since I'm taking the time to post on this topic, I wanted to take a moment to say thank you for everything you do!

    I've been going through the forums this evening because this has been my one recent quasi gripe about 1Password. Something that may or may not be getting lost here is the underlying problem that exists... in the corporate world, these passwords are typically rotated on a 30-90 day timeline; this means that every 30-90 days, we have to go and update any number of login items in 1Password, hoping we don't miss one. It's a very frustrating endeavor.

    As has been posted throughout the forums for the last year or so (I didn't go too far back on principle), this has come up, and I -- as somebody who isn't intimately familiar with the underlying architecture of how vaults work or what sort of relation there is between items -- have a few different ideas I think would be clever ways to handle this particular problem...

    1. Give us the option to link multiple login items to a single password item so when we have to rotate a corporate password, we only have to update in one place
    2. Allow us to have multiple 'profiles' under a login item that allows for different groupings of websites to use different username formatting

    I have a ton of empathy for the plight this creates for a company which prides itself on being security-focused and not wanting to do things which have the potential to open up any number of Pandora's boxes (I work for an IT systems integrator!), but this issue (if you want to call it that) is a reality of the landscape as far as authentication goes in a world where organizations are adopting more services that use some sort of federated authentication capabilities, but each of those authorization providers uses its own unique value for declaring what the username is.

    To add another to the list, here's some examples of the credential nuance I have to deal with (in some cases, multiples of this because we have two different domains):

    • username
    • username@fqdn
    • domain\username

    The brilliant irony of this is that I can name one large OEM where, due to different BUs doing different things, I literally have to use all three of those above formats just to get into different products from that same company... I'd be happy to share those details around that, if it'd be useful in understanding why finding a way to solve for the many (users) to one (password -- no pun intended!!) is important.

    Keep up the awesome work, and I will hope for a solution to this at some point to make my life less terrible!! :)
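The three username formats listed in the posts above (user, user@fqdn, DOMAIN\user) all name one directory account, so a "reused password" check that compares raw entries will flag them. The added example below is not 1Password's code and is not how Watchtower works; it shows one way such an audit could normalise usernames to a canonical identity, report a password only when it is shared by distinct identities, and rotate every linked entry in a single pass. The realm alias table and the sample vault entries are constructed for illustration.

```python
"""Added example (not 1Password's code, and not how Watchtower works):
a reused-password audit that treats the username formats discussed in this
thread (user, user@fqdn, DOMAIN\\user) as one directory identity.

Assumptions: the realm aliases below and the sample entries are constructed
for illustration; a real tool would take them from configuration."""
from collections import defaultdict
import hashlib

# Constructed: which realms name the same directory (hypothetical values).
REALM_ALIASES = {
    "corp": "corp.example.com",
    "corp.example.com": "corp.example.com",
    "mail.example.com": "corp.example.com",
}


def canonical_identity(username, default_realm):
    """Map 'user', 'user@realm' or 'REALM\\user' to 'user@canonical-realm'."""
    u = username.strip()
    if "\\" in u:
        realm, user = u.split("\\", 1)
    elif "@" in u:
        user, realm = u.rsplit("@", 1)
    else:
        user, realm = u, default_realm
    realm = realm.lower()
    return f"{user.lower()}@{REALM_ALIASES.get(realm, realm)}"


def fingerprint(password):
    """Index by digest so the audit never keeps plaintext in its tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_reuse(entries, default_realm):
    """Return one sorted identity list per password that is shared by two or
    more *distinct* identities. Several entries for a single identity (the
    SSO case in this thread) share a password without being reported."""
    identities_by_fp = defaultdict(set)
    for entry in entries:
        ident = canonical_identity(entry["username"], default_realm)
        identities_by_fp[fingerprint(entry["password"])].add(ident)
    return [sorted(ids) for ids in identities_by_fp.values() if len(ids) > 1]


def rotate_password(entries, identity, new_password, default_realm):
    """Update every entry that resolves to `identity` in one pass (the
    'one password item, many logins' behaviour requested in the thread).
    Returns the number of entries changed."""
    changed = 0
    for entry in entries:
        if canonical_identity(entry["username"], default_realm) == identity:
            entry["password"] = new_password
            changed += 1
    return changed


# Constructed sample vault: several login formats for one work account plus
# an unrelated personal account that genuinely reuses the work password.
SAMPLE_ENTRIES = [
    {"site": "intranet.example.com", "username": "jdoe", "password": "WorkPass-1"},
    {"site": "sso.example.com", "username": "jdoe@corp.example.com", "password": "WorkPass-1"},
    {"site": "vpn.example.com", "username": "CORP\\jdoe", "password": "WorkPass-1"},
    {"site": "webmail.example.com", "username": "jdoe@mail.example.com", "password": "WorkPass-1"},
    {"site": "shop.example.net", "username": "jane@personalmail.example", "password": "WorkPass-1"},
    {"site": "wiki.example.com", "username": "jdoe", "password": "OtherPass-2"},
]

if __name__ == "__main__":
    realm = "corp.example.com"
    for group in audit_reuse(SAMPLE_ENTRIES, realm):
        print("password shared across distinct identities:", ", ".join(group))
    n = rotate_password(SAMPLE_ENTRIES, "jdoe@corp.example.com", "NewPass-3", realm)
    print(f"rotated {n} linked entries; remaining findings:", audit_reuse(SAMPLE_ENTRIES, realm))
```

Run as written, the audit reports only the personal account sharing the work password; the four work-format entries collapse to one identity. The rotation then touches every entry for that identity, including the wiki entry that was out of sync, which is the "update in one place" behaviour the post asks for.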

  • Give us the option to link multiple login items to a single password item so when we have to rotate a corporate password, we only have to update in one place

    That's a very interesting thought. :) I'm not sure we'd come across that yet. I'll make the suggestion. :+1:

    if it'd be useful in understanding why finding a way to solve for the many (users) to one (password -- no pun intended!!) is important.

    I don't think there is any question of that among the team at this point. It is more a question of 'how' and 'with what resources.' There is a fair bit of disagreement on the former which makes it difficult to nail down the latter.

    Keep up the awesome work, and I will hope for a solution to this at some point to make my life less terrible!! :)

    Thanks so much for the kind words. ❤️ I share this hope. It is certainly no fun to still be having these conversations many months after this was originally brought up. I will continue to advocate that we come to some agreement on what the path forward for addressing this will be and then make strides to implement that solution.

    Ben

    P.S. As an aside:

    in the corporate world, these passwords are typically rotated on a 30-90 day timeline; this means that every 30-90 days

    I realize it does absolutely nothing to help here, but for what it's worth, this practice of forcing users to rotate passwords has now been discouraged by the same people who originally published the recommendations.

  • rbohlmann
    Community Member

    I would love to see this. I just started with 1Password and was trying to do this but found out it is not possible. It would be awesome to create a single 'Password Item' and then multiple 'Login Items' and simply point the password to the already created 'Password Item'. This would be a great feature.

  • I've merged a couple of threads on this same topic. :+1:

    Thanks for your input here @rbohlmann. That may be something we can consider.

    Ben

  • MarkAShell
    Community Member

    Ben, et al,

    I will just add my vote to encourage 1PW to come up with a clean solution to this “issue”. I run into this all the time with my work logins - different format user names, but the same SSO password. I would be an advocate of allowing an optional username to be entered for each website listed in the login. If a username is NOT configured for a particular listed website, then the username for the login would be used (i.e., the default behavior would be the same as the behavior today). If a website-specific username is configured, however, then it would override the login’s username for that website. That way, you could configure the most-used username in the login and only enter the “override” username for those websites that require the alternate formats.

    I will also echo the comment of stvkpln, above — I think that you folks do a FANTASTIC job. 1Password is one of my favorite apps/programs of all time. Great job, guys and gals!

  • Many thanks for the kind words, and for the suggestion, @MarkAShell. I will continue to urge the team to implement a solution for folks in this situation. :+1:

    Ben

This discussion has been closed.