This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

How to clear Password History?

divot
divot Junior Member
edited February 2011 in Mac
Hi there,



I want to clear Password History. In a previous post someone said they couldn't think of a reason to do this. Well, I want to if for no other reason than getting rid of clutter and to avoid confusion if the old passwords are used elsewhere. So, how can I clear the password history? Is there a way to do this?

Comments

  • MikeT
    MikeT Agile Samurai
    Hi divot,



    You can click on the arrow next to the Password History to hide this list and that’ll reduce some of the clutter. As for the old password being used elsewhere, that’s actually not a good thing. You wouldn’t want to re-use the same password elsewhere and re-use the old password again in the same Login. That’s one of the reasons we added the Password History feature, to protect you from re-using the same old password.



    As for removing the Password History itself, that’s not possible at the moment; we hope to implement this in a future update and I do not have a timeframe on this. To remove this now, you’ll need to create a new Login, copy the details over from the old Login and then delete the old Login.



    I hope this helps explain why we have this feature.
  • divot
    divot Junior Member
    edited February 2011
    I hear you but respectfully disagree. Old passwords typically are not reused since my MO is to create new each time. However, I still want to remove them to reduce clutter both in 1Password and in my brain! Creating new logins is not a solution because I have many entries with old passwords, all of which I want to clear. Simply closing the drop-down list is not the answer and you, as the developer, should not be second-guessing your users by trying to protect us from our own stupidity. And if I decided to allow someone temporary access I would not want them to see old passwords if for no other reason than to prevent them from potentially detecting password creation by variation-on-a-theme which I sometimes use for non-critical logins. I suggest you add this missing option.
  • khad
    khad Social Choreographer
    Thanks for following up, divot. As Mike mentioned, this is on our radar for a future release.
  • khad wrote:
    "Thanks for following up, divot. As Mike mentioned, this is on our radar for a future release."



    I hope the future arrives soon. The inability to get rid of the password history, particularly when duplicating an entry (to reuse part of it) is pretty obnoxious, and in terms of security clearly in many cases counterproductive (the password history for one account being carried over to another, not to mention the possibility of discerning patterns in passwords (such as changing parts of it in a calendaric manner) that are intentional rather than accidental).



    There are many ways to achieve password security appropriate to the task at hand for any one account, and for a tool to flat-out deny (rather than discourage) the removal of the password history is very close to an app-killer for me. You guys know a lot about password security, but you should not assume you know it all :-)



    Z
  • Thanks for the feedback, Z



    I have to say that I personally agree with you on this one, and so I've mentioned this to our developers so we can discuss possible ways of handling the password history for duplicated login items; as you pointed out, you're usually duplicating an existing item to change the credentials for another account on that service.



    As always, I can't promise a timeframe on this, and we certainly don't claim to know everything about password security :-)





  • xyz wrote:
    "The inability to get rid of the password history, particularly when duplicating an entry (to reuse part of it) is pretty obnoxious, …"

    Related topic:

    Password History in Duplicated Logins? :-( (http://forum.agile.ws/index.php?/topic/4140-password-history-in-duplicated-logins/)
  • divot
    divot Junior Member
    I'm still waiting. How can I clear password history?
  • khad
    khad Social Choreographer
    I'm sorry to say that, as I think you are already aware, nothing has changed in this regard. I'll nudge the developers on this. I know they have been extremely busy working on the new browser extensions, so I can't make any promises. However, I know that no one is opposed to the change. We just need to find the time to work on it. I'm sure if we get a huge influx of requests for this it may get a bit more priority, but for now only a couple people have requested this. That doesn't mean it is a bad idea, but we have to focus on the things that will help the greatest number of users first.



    If we can be of further assistance in the meantime, please let us know.



    Best regards,
  • Arthaey
    edited January 2012
    I would also really like this. Is there any more news on when this will be scheduled?
  • khad
    khad Social Choreographer
    Welcome to the forums, Arthaey! Thanks for letting us know. As you can see above, no one has inquired about this since November, so it is not the number one priority. That doesn't mean we have forgotten about it, but we need to direct our limited development resources carefully.
  • benfdc
    benfdc Perspective Giving Member
    On a whim, I exported a pair of logins—one with a password history and one without—to a 1PIF, and opened data.1pif in Tincta (my text editor of choice). The password history is easy to spot.



    Time for the experiment:

    1. Duplicate a login.
    2. Change the password in the duplicate (to create a history).
    3. Export the duplicate to a 1PIF.
    4. Trash the duplicate.
    5. Edit the 1PIF in Tincta to delete "passwordHistory":[{"value":"oldpassword","time":1326641581}],
    6. Import the edited 1PIF.

    This almost works, and does work if you force things. The problem is that when you try to import the edited 1PIF you get an "Action:Skip | Status:Newer Item Exists" alert. You can get past the alert by changing Skip to Import, but the import will fail unless you have emptied the trash (Ctrl-Opt-Cmd-Del) first to prevent a collision between the entry you are trying to replace and the entry you wish to replace it with. I don't understand what is causing these warnings, and why even emptying the trash doesn't prevent them, but they don't seem to be fatal.



    Further tinkering reveals that one can cleanly remove all password history from a keychain by following Khad’s recipe for recreating one’s 1Password 3.8/3.9 keychain in the new "enhanced PBKDF2" format (http://forum.agilebits.com/index.php?/topic/9645-how-to-take-advantage-of-increased-pbkdf2-iterations-in-3811-and-later/page__view__findpost__p__54580), but adding a new step 3a: edit the exported 1PIF to strip all passwordHistory entries before importing the data into the new keychain. While the stripping could be done manually, I'm sure that someone who is skilled at constructing regular expressions or the like could automate the process.
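
An added example, not part of benfdc's post and not AgileBits code: one way to automate the stripping step described above. It parses each item as JSON instead of using a regular expression, because an old password may itself contain `]` or `}`. It assumes the 1PIF holds one JSON object per line and passes every other line (such as separators) through unchanged; the sample data and all field names other than `passwordHistory` are constructed.

```python
import json

KEY = "passwordHistory"  # key name as quoted in the post above

# Constructed sample: two items with placeholder separator lines (assumed layout).
SAMPLE = (
    '{"title":"Example A","secureContents":{"fields":[{"name":"password","value":"new-pw"}],'
    '"passwordHistory":[{"value":"old]}pw","time":1326641581}]}}\n'
    '***constructed-separator***\n'
    '{"title":"Example B","secureContents":{"fields":[]}}\n'
    '***constructed-separator***\n'
)

def strip_history(node):
    """Recursively delete every passwordHistory key; return how many were removed."""
    removed = 0
    if isinstance(node, dict):
        if KEY in node:
            del node[KEY]
            removed += 1
        for child in node.values():
            removed += strip_history(child)
    elif isinstance(node, list):
        for child in node:
            removed += strip_history(child)
    return removed

def clean_1pif(text):
    """Return (cleaned_text, removed_count) for the contents of a data.1pif file."""
    out, removed = [], 0
    for i, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith("{"):
            out.append(line)  # separator or blank line: keep as-is
            continue
        try:
            item = json.loads(line)
        except ValueError as e:
            # Refuse to emit a file that might still carry old passwords.
            raise ValueError(f"line {i}: item is not valid JSON") from e
        n = strip_history(item)
        removed += n
        # Re-serialise only items that changed; untouched items stay byte-identical.
        out.append(json.dumps(item, ensure_ascii=False, separators=(",", ":")) if n else line)
    return "\n".join(out) + "\n", removed

if __name__ == "__main__":
    cleaned, count = clean_1pif(SAMPLE)
    print(f"removed {count} passwordHistory entries")
    print(cleaned, end="")
```

Both the exported file and the cleaned copy contain every password as readable text, so delete them once the import has been checked.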
  • As a frequent duplicator-of-existing-logins and ad-hoc tech supporter with a few other people's passwords stored for them (scarcely best practice, I know, but easier than teaching my grandparents to 1Password at this stage), I'd love to see this ability in a future desktop build. I wouldn't wish to get stung exporting other people's passwords with my old ones attached.
  • khad
    khad Social Choreographer
    Welcome to the forums, tullyhansen! I'll make sure to mention your use case to the developers as we make progress on 1Password 4. :)



    Thank you for the feedback.