This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Confusion with Generated Passwords

Hello,



I was showing some friends how easy it is to use the identities feature to fill up online forms. We’ve tried it on few website, without actually going on with the registration. (I did not want to register, Just showing them the feature)



I later found out that the app “1password” is filled with generated passwords from the websites we visited. For some websites there are even many copies of generated password; relating to how many times I visited that same website and tried the fill feature.



This is very confusing and misleading, as I have all of these passwords saved, however, none of them works, as I did not go on with the registration.



How do I stop the “1password” from generating a password when I fill an identity form? I want ability to write my own password.



I have:

- Unchecked Enable Auto-save of logins in browser

- Unchecked Auto-saves logins & Auto submit logins in Safari



But it’s still generating and saving passwords!



I’m Using:

1 password Ver. 3.5.8 on OS X and Safari



Thanks

Comments

  • Examinus
    Examinus Junior Member
    You can hide the Generated Passwords item in your sidebar, but I don't think you can stop it from generating passwords because it's one of 1Password's core features/functions.
  • Thanks Examinus, you are right.



    Here is what I suggesting and I hope someone from Agile Web Solutions would comment on this.



    Adding an option in the preferences:



    - Automatically Generate Passwords (for example)



    Once this option is unchecked, registration forms gets filled, yet the password field is left empty for manual entry.



    Once the user clicks submit the entry will be saved if (Enable Auto-save of logins in browser) is checked, otherwise it will not.



    Thanks.
  • khad
    khad Social Choreographer
    edited March 2011
    Examinus is correct that in order to promote good password hygiene 1Password will generate a strong password for you whenever you fill an Identity. They do no harm in the Generated Passwords section, and you can delete them if you wish. The Generated Passwords section is intended to be a safety net, though, so we recommend leaving it intact. You can disable its display in the sidebar if it bothers you (Preferences > General > Display in Sidebar > Generated Passwords). It is completely separate from your Logins which are actually displayed in your browser(s).



    [url="http://xkcd.com/792/"]Password reuse[/url] and [url="http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time"]weak passwords[/url] are arguably the most common causes of security breaches. The Generated Passwords solve both problems in one fell swoop. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' /> Please feel free to completely ignore them if you do not wish to take advantage of the additional security they offer.



    If anyone knows about an abundance of generated passwords cluttering up a data file, you can be sure that we at Agile do (with all the testing we constantly perform)! There are too many to worry about. I treat it like my Gmail archive. I never look at it, but I can search it if I ever need to. And I have certainly needed to once or twice after I thought I had saved a login but hadn't. Saved my bacon on more than one occasion.



    I hope that helps explain the situation a bit better. Please let me know if you have any additional questions or concerns.
  • Hello Khad,



    "I hope that helps explain the situation a bit better". Definitely, it makes more sense now.



    Thanks a lot.
  • On Khad's behalf, M jay, you're very welcome, glad he could help clear things up for you <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    [quote name='M jay' timestamp='1299996817' post='22346']

    Hello Khad,



    "I hope that helps explain the situation a bit better". Definitely, it makes more sense now.



    Thanks a lot.

    [/quote]
  • kongjie@mac.com
    kongjie@mac.com Junior Member
    1Password is such a great product that you can get away with not paying attention to it most of the time. But one or two things have puzzled me for a while. One is when certain logins never work, like for me my MobileMe web login never works--but that's not my question here.



    The other thing that I've been confused about for many eons is how "Password for..." items get created along with logins. For example, if I search for "Mailchimp" in "Everywhere," I get a login result, but I also get a "Password for Mailchimp.com" result that for its icon has the "Accounts" icon in the sidebar.



    But if I click on "Accounts" in the Vault, there are no entries. And in fact if I add up all the items in the Vault, there are 300 some-odd items; but if I click on the "All" smart folder, there are 400+ items. So there are 100+ of these "Password for..." items. What's up with that? I tried searching the forums but all my searches get rejected LOL.
  • khad
    khad Social Choreographer
    Hey kongjie,



    I have merged your post with the appropriate thread. Please see above for an explanation of the "Generated Passwords" items and optional related section in the sidebar of 1Password for Mac (Preferences > General > Display in Sidebar > Generated Passwords).



    For your MobileMe login, please [url="http://forum.agile.ws/index.php?/topic/2730-mobileme-mecom-login-change/page__view__findpost__p__15998"]edit your login to use your full email address rather just your username[/url]. For example, the username you want stored in your MobileMe login item is "john.doe@me.com" rather than "john.doe" which will give an error due to some JavaScript on the MobileMe site.



    If we can be of further assistance, please let us know.



    We are always here to help!
  • kongjie@mac.com
    kongjie@mac.com Junior Member
    [quote name='khad' timestamp='1304052492' post='25851']

    For your MobileMe login, please [url="http://forum.agile.ws/index.php?/topic/2730-mobileme-mecom-login-change/page__view__findpost__p__15998"]edit your login to use your full email address rather just your username[/url]. For example, the username you want stored in your MobileMe login item is "john.doe@me.com" rather than "john.doe" which will give an error due to some JavaScript on the MobileMe site.

    [/quote]



    Thanks, Khad, that answers my question. There are aspects to generated passwords that caused my initial confusion. One is that, like I mentioned, the individual items use the same icon as accounts--the skeleton keyhole. Maybe if the individual items used the icon for generated passwords that shows in the sidebar, it would avoid that. The other thing is that search shows generated passwords even if they are disabled in the sidebar. Maybe there could be an option to remove them from search results.



    Regarding MobileMe, you're right, thanks. My problem was that I was inspecting the wrong log-in entry to figure out the problem! I was looking at a log-in for Mac.com, but of course I should have been looking at the Me.com log-in, which only had the user name and not e-mail as you suggested.
  • khad
    khad Social Choreographer
    Thanks for letting me know things are working well now. I never tire of hearing that. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_bigsmile.png' class='bbc_emoticon' alt=':-D' />



    We are working on some improvements to the whole concept of Generated Passwords which I think will go a long way to help minimize confusion. I will share your feedback with the rest of the team!



    Cheers,
  • I have to sign up for ton of websites and thought there used to be the ability to have a default password assigned to an identity. Currently, all I see is the option to have a default username. Does anyone know how to add a default password to the identity such that when I visit a new website and want to submit the information for a particular identity, that the default username AND a default password are applied?
  • khad
    khad Social Choreographer
    Welcome to the forums, Kevin! I have merged your post with what I believe to be the appropriate thread. Please see [url="http://forum.agile.ws/index.php?/topic/3899-confusion-with-generated-passwords/page__view__findpost__p__22284"]my post above regarding password reuse and the generated passwords 1Password fills with Identities[/url] and let me know if you have any additional questions or concerns. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    Cheers!
  • [quote name='khad' timestamp='1304484550' post='26212']

    Welcome to the forums, Kevin! I have merged your post with what I believe to be the appropriate thread. Please see [url="http://forum.agile.ws/index.php?/topic/3899-confusion-with-generated-passwords/page__view__findpost__p__22284"]my post above regarding password reuse and the generated passwords 1Password fills with Identities[/url] and let me know if you have any additional questions or concerns. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    Cheers!

    [/quote]





    khad;



    Thanks for the welcome. Unfortunately for me I do not understand the post you referred me to. More information about my issue is I need to be able to assemble a profile of member sites (<100) which, for ease of use, have the same login and password so I can administer them from a single dashboard with an auto fill option. It seems the post you refer me to suggests to not use the same login information for security purposes, which I recognize as a best practice, however in this case, the security risk is very low, so I prefer being able to efficiently create login/pw through 1password, using the same password function if it exists. Am I missing something--thanks!
  • Hi Kevin,



    Apologies on Khad's behalf for any confusion,



    The short answer is no, there is not an option to have a default password filled when you fill an Identity. I'm going to be brutally honest here and say that this will more than likely never be a feature of 1Password, it goes against our whole philosophy for what 1Password is designed to do.



    Password reuse is one of the biggest security risks on the web today, and while you may not think that using the same password on some 'low risk' sites is dangerous, the reality is that attackers can breach one site, gain access to another, and from that piece together enough personal information to do some real damage.



    1Password will never force you to use generated passwords though, you can delete the one it generates from the sign-up form if you really want, but at the same time we don't feel it's right to promote password reuse through a feature of 1Password.



    Sorry I don't have the answer you were hoping for, but I hope this helps to explain why this isn't a feature of 1Password.











    [quote name='Kevin Leveille' timestamp='1304543217' post='26243']

    khad;



    Thanks for the welcome. Unfortunately for me I do not understand the post you referred me to. More information about my issue is I need to be able to assemble a profile of member sites (<100) which, for ease of use, have the same login and password so I can administer them from a single dashboard with an auto fill option. It seems the post you refer me to suggests to not use the same login information for security purposes, which I recognize as a best practice, however in this case, the security risk is very low, so I prefer being able to efficiently create login/pw through 1password, using the same password function if it exists. Am I missing something--thanks!

    [/quote]
  • [quote name='stu' timestamp='1304556133' post='26259']

    Hi Kevin,



    Apologies on Khad's behalf for any confusion,



    The short answer is no, there is not an option to have a default password filled when you fill an Identity. I'm going to be brutally honest here and say that this will more than likely never be a feature of 1Password, it goes against our whole philosophy for what 1Password is designed to do.



    Password reuse is one of the biggest security risks on the web today, and while you may not think that using the same password on some 'low risk' sites is dangerous, the reality is that attackers can breach one site, gain access to another, and from that piece together enough personal information to do some real damage.



    1Password will never force you to use generated passwords though, you can delete the one it generates from the sign-up form if you really want, but at the same time we don't feel it's right to promote password reuse through a feature of 1Password.



    Sorry I don't have the answer you were hoping for, but I hope this helps to explain why this isn't a feature of 1Password.

    [/quote]



    Hey no problem and thanks for the clarification!
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='Kevin Leveille' timestamp='1304633955' post='26367']

    Hey no problem and thanks for the clarification!

    [/quote]

    You are very welcome, Kevin. You might enjoy taking a look at [url="http://blog.agile.ws/2010/09/1118738545/"]this blog post[/url]



    Cheers,



    -j
  • I am not sure when this started but I just noticed that I have a ton of entries that all have titles that start with "Password for....". For example, one of them is "Password for evernote". I have another entry that has a title of "Evernote". What are these for. I deleted one of them and it did not seem to effect the "correct" entry. Is this a side effect of syncing?
  • khad
    khad Social Choreographer
    edited May 2011
    Welcome to the forums, Steve! Thanks for asking about this. Those are all [url="http://help.agilebits.com/1Password3/strong_password_generator.html"]Generated Passwords[/url]. Please see the section on 1Password's built-in [url="http://help.agilebits.com/1Password3/strong_password_generator.html"]Strong Password Generator[/url] in our User Guide, the above posts in this thread, and let me know if you have any additional questions. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    Cheers,
  • I'm synching 1password on my iPhone via dropbox to several macs. The "Logins", "Accounts", and "Notes" tabs look fine. However, the "Passwords" tab shows lots of duplicate entries. There are 8 entries for my credit union on the 'Passwords' tab, but just a single entry under 'Logins'. I tried removing the 1Password app, re-installing it from ITunes, and resyncing via dropbox, and it made no difference - the Password entries still appear.



    After further investigation, it appears that these duplicate values were synched from the "Generated Passwords" shown on the 1Password Mac application. I fail to understand the value of synching multiple generated passwords to the 1Password IOS app. Why would I want 8 old generated values on my 1Password IOS app? Synching generated passwords doesn't seem useful to me.
  • [Deleted User]
    edited May 2011
    [quote name='JoeVA' timestamp='1305859781' post='27410']

    I'm synching 1password on my iPhone via dropbox to several macs. The "Logins", "Accounts", and "Notes" tabs look fine. However, the "Passwords" tab shows lots of duplicate entries. There are 8 entries for my credit union on the 'Passwords' tab, but just a single entry under 'Logins'. I tried removing the 1Password app, re-installing it from ITunes, and resyncing via dropbox, and it made no difference - the Password entries still appear.



    After further investigation, it appears that these duplicate values were synched from the "Generated Passwords" shown on the 1Password Mac application. I fail to understand the value of synching multiple generated passwords to the 1Password IOS app. Why would I want 8 old generated values on my 1Password IOS app? Synching generated passwords doesn't seem useful to me.

    [/quote]



    Hello JoeVA and welcome to the Forums!



    Your question has come up several times, and I know I was not a fan when I first started using 1Password. However, after using 1P for a few months, the generated password history[i] saved my bacon[/i] on more than one occasion.



    Hopefully, you will not encounter a situation where you are dependent on searching through 8+ entries for a specific website in order to locate the [i]one [/i]password that you actually used. Regardless, I understand how the plethora of additional unused passwords can clutter up your view.



    Please read Khad's post regarding [url="http://forum.agile.ws/index.php?/topic/3899-confusion-with-generated-passwords/page__view__findpost__p__22284"]Generating Clutter[/url], and reply with any further comments or suggestions.



    Brandt
  • khad
    khad Social Choreographer
    edited May 2011
    If I am looking for the "right" generated password I sort the passwords by date to find the one most recently created and go from there.



    [quote]Synching generated passwords doesn't seem useful to me.[/quote]

    As mentioned above, please feel free to delete the Generated Passwords, but you do so at your own risk. They are "insurance" to me, though. I don't need them until I really [b]need[/b] them. Then I am glad I don't delete them. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    Cheers,
  • [quote name='khad' timestamp='1305868808' post='27416']

    If I am looking for the "right" generated password I sort the passwords by date to find the one most recently created and go from there.



    As mentioned above, please feel free to delete the Generated Passwords, but you do so at your own risk. They are "insurance" to me, though. I don't need them until I really [b]need[/b] them. Then I am glad I don't delete them. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    [/quote]



    As Khad does, I keep the generated passwords for [i]insurance.[/i]



    However, since I disliked seeing so many [i]unused[/i] generated passwords for the same site, I decided to use them for other sites. Specifically, whenever I prepare to save a new login, or change the password for a current saved website, I take a quick look for unused generated passwords and use one of those.



    I edit the title and URL of the generated password entry to reflect the new site, and I copy the original title/URL to the note's section and save it. Using this method [i]declutters [/i]my list, but allows me to keep my [i]insurance [/i]in place.



    It does create more work, but I have the time.
  • khad
    khad Social Choreographer
    Just be careful that you are not accidentally reusing a password. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_wink.png' class='bbc_emoticon' alt=';-)' />



    I'm sure you would never do that, though.
  • [Deleted User]
    edited May 2011
    [quote name='khad' timestamp='1305923834' post='27467']

    Just be careful that you are not accidentally reusing a password. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_wink.png' class='bbc_emoticon' alt=';-)' />



    I'm sure you would never do that, though.

    [/quote]



    Who? Me?



    It took me 15 minutes of frantically checking through my logins, but "no", I haven't.



    Thanks to Khad for posting the [i]Safety Tip[/i] of the day...and for causing a mild panic attack. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />
  • Hi,



    I'm a little confused between logins and accounts. I've generated logins for my websites and when i have then changed to a more secure password it has asked me whether i want the login updated. I have accepted this and it now seems to have generated a separate account (icon with a keyhole).



    If i were to update the password again in the future would it change just the account or also the login card i have in my database? If i have a login card why do i need a separate account card? this just clogs up my database.



    I hope you can help me to understand this.



    Cheers
  • [Deleted User]
    edited June 2011
    Hello stodge and welcome to the Forums!



    When you use the Strong Password Generator, a Generated Password entry is created. These entries are separate from the Login vault and are represented by the icon with a keyhole. The purpose of creating these additional entries is for a form of insurance. There have been several instances where I created several Logins, but then inadvertently deleted the Login. Without a record of my Generated Passwords, I may not be able to figure out which password I used for which site. Every time you use the generator to create and [i]Fill[/i] a password, an entry is created. Your Login will be updated, but a new [i]keyhole icon[/i] entry will be created as well.



    Of course, you are free to delete the Generated Password entries, but that is up to you. If you do not like to see them in your sidebar, you can remove them from sight by going to Preferences>General and unchecking Generated Passwords under Display in Sidebar.



    Cheers!



    Brandt
  • Fantastic, I understand now. I didn't realise that they were the generated passwords.



    Thanks for the prompt response <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />
  • My pleasure!



    Trust me, you aren't the first member to ask that question, and I do understand how confusing it is when you first see them.



    Glad you're good to go.