Former Member
4 years ago

Stop check for reused passwords / weak passwords for some entries

In my email account I can (and I did) create aliases. An alias is a different email name for the same account and has the same password.
It makes no sense that I always see a red alert box on such accounts.
The same is true for some websites. Some companies decide to have a password in conjunction with a separate security ID. Both are weak, the combination is strong. There are two fields to enter, I cannot combine them. 1Password greets me with a red alert box which makes no sense at all here.
The basic functionality of such checks is ok, but it should be possible to turn them off on selected items.


1Password Version: 7.9.828
Extension Version: Not Provided
OS Version: Windows10

3 Replies

  • Jack_P_1P
    1Password Team

    Hey @SecretSquirrel:

    Thanks for all your feedback on this! I've added your voice as well to the issue Peter mentioned above. :smile:

    Jack

  • Former Member

    I agree with gsachs. I have many sites where I'm limited to a 4-digit password (PIN). I'd prefer the option to enter a stronger password, but no such option is offered.

    Rather than just complain about continually being shown these vulnerabilities, here are some options I'd suggest.

    Add another "advanced" setting that allows a user to bypass these warnings. Perhaps force the user to drill down several warnings.
    Let the user disable the warning, but only for a set period of time; i.e. 30, 60, 90 days, etc.
    Let the user assign a tag (like there is for 2FA) to disable the warning.

    You are all smart folks, I'm sure you can do something to fix this.

    Jerry

  • 1P_PeterG
    Community Manager

    Hi @gsachs, thanks for highlighting this for us here. These are interesting cases indeed, and I can see the validity of your point!

    There have been a number of folks who previously suggested that we include a feature to exclude certain entries from Watchtower. For example, in some cases a company may require you to use a short PIN, and that's out of the user's control. Fair enough. Even a number of banks I can think of - really recently! - set surprisingly low limits on the number and type of characters they would allow a customer to use to create a password. And what you've shared here is another great example where traditional password strength assessments may not totally apply.

    That said, it's actually pretty complex to figure out how best to deal with this - should we assume that a user understands, having been notified once, that a given password is insecure? Should we continue to present them with that information because it is likely to be insecure, and they need to know about that vulnerability, even if it's not possible to change it? Would a temporary "exclude" feature be better? What about some other middle ground? We're working through options on this, as resolving this issue is something we're very interested in doing well.

    Thanks again for letting us know how this has presented for you - we appreciate the feedback!

    ref: dev/projects/customer-feature-requests/#130