Designer Khoi Vinh weighs in on a recent article called The Ultimate Guide to Strong Passwords in 2019, by Jon Xavier. This article points out how to have the strongest password: how long it should be, that it doesn’t need special characters or numbers, that there’s no need to regularly change it unless it has been compromised, etc.
Vinh points out my biggest annoyances with password managers (like him, I use 1Password).
It’s also difficult for a password manager to understand when a password is applicable to more than one site or app. Once a password is created, it’s often matched exclusively to the domain of that site. So if your login is also valid on a closely related site, as is the case with many sites from large companies, the password manager won’t automatically recognize the relationship and present the relevant login.
I have lots of sites where I have passwords stored for login.domain.com, user.domain.com, domain.com, etc. If I just look at Apple, which has a number of sub-domains, and check one of my passwords, 1Password shows me this:
They’re not “reused,” they are just used with different subdomains:
Arguably, some of these are no longer used, but 1Password cannot understand that it is not wrong to use the same password for all these sites. I understand that there are cases where different sub-domains should have different passwords, but a password manager should be able to allow you to map a password to a domain regardless of its subdomain.
Another example is Amazon. You may not know this, but if you have an account with one Amazon store, you can use it in any Amazon store (US, UK, Canada, etc.). I do use multiple Amazon stores, and have a separate login in 1Password for each one. So there is a long list of Amazon logins, with various subdomains – 54 in all – and these can’t all be grouped. The ones with different sub-domains can, but each store (each country) has a different top-level domain.
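As an added example (not code from the post, 1Password or any other manager), this Python sketch contrasts a vault keyed on the exact host, which flags the same Apple login under several subdomains as "reused", with one keyed on the registrable domain plus an explicit equivalent-domain list for the per-country Amazon stores that share a login but not a top-level domain. The vault entries, the two-label public-suffix set and the equivalent-domain group are constructed for this example; a real manager would consult the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed vault: one Apple login on two subdomains, one Amazon login on
# two country stores, and a genuinely reused password on an unrelated site.
VAULT = [
    {"url": "https://appleid.apple.com/", "user": "me@example.com", "password": "pw-apple"},
    {"url": "https://developer.apple.com/account", "user": "me@example.com", "password": "pw-apple"},
    {"url": "https://www.amazon.com/", "user": "me@example.com", "password": "pw-amazon"},
    {"url": "https://www.amazon.co.uk/", "user": "me@example.com", "password": "pw-amazon"},
    {"url": "https://forum.example.net/", "user": "me", "password": "pw-apple"},  # real reuse
]

# Stand-in for the Public Suffix List: suffixes that take two labels (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Different TLDs cannot be inferred; the user declares the group explicitly.
EQUIVALENT_DOMAINS = [{"amazon.com", "amazon.co.uk", "amazon.ca"}]


def exact_host(url):
    """Exact-host key: login.apple.com and apple.com are different logins."""
    return urlsplit(url).hostname


def registrable_domain(url):
    """eTLD+1 key: any subdomain of apple.com maps to 'apple.com'."""
    labels = (urlsplit(url).hostname or "").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def login_scope(url):
    """Registrable domain, collapsed onto a representative for declared groups."""
    domain = registrable_domain(url)
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            return min(group)  # stable representative for the whole group
    return domain


def reused_passwords(vault, key=login_scope):
    """Passwords seen under more than one distinct login scope, with their scopes."""
    scopes = defaultdict(set)
    for entry in vault:
        scopes[entry["password"]].add(key(entry["url"]))
    return {pw: sorted(s) for pw, s in scopes.items() if len(s) > 1}


if __name__ == "__main__":
    print("host-keyed warnings: ", reused_passwords(VAULT, exact_host))
    print("scope-keyed warnings:", reused_passwords(VAULT))
```

With the host-keyed check both the Apple and the Amazon passwords are reported; with the scope-keyed check only the password shared with forum.example.net remains, which is the one warning that matters.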
7 thoughts on “Passwords Are a Design Problem – Subtraction.com”
From when I used to use 1Password, I seem to recall you could edit the domain name against which a password is stored to e.g. apple.com and then that would cover you logging in to any URL ending in apple.com, which would solve most of the above duplication problems.
I gave up with 1Password as it was too inflexible and required me to change to a subscription (i.e. regular payments), which I am not prepared to do for basic software like that. I now use Strongbox which suits my needs far better and also has the ability to ‘share’ data between different entries, so you could use the same password for any of the above examples, but stored only once. Change it there and all the other login entries would immediately and automatically be using the updated password, or whatever other data was being shared in that way. And it doesn’t complain.
I also have stopped trying to use a password manager to automatically fill in login or other details. Apple provide us with iCloud Keychain that works automatically across all my devices and I don’t get multiple offers of what to fill in from different sources or multiple reminders to save or update a login. Admittedly it means I have to manually copy any new data from Keychain (realistically that means from Safari) into Strongbox, but nowadays that’s not often and I find that less of a problem than not knowing what was asking for or offering to fill in what.
Oh and Strongbox uses an open source standard secure file format so the ‘vault’ can actually be opened by many other apps that use the same file format (as long as you know the password of course). That all keeps me happier than 1Password that was always trying to extract more money from me.
I get the same problem with iCloud Keychain. Especially when I update a password, and iCloud Keychain only updates it for one sub-domain. Then I have to try over and over to get the right one.
I agree about the 1Password subscription; I adopted it with some regret. But it’s still the most useful utility I have. I use it for much more than passwords: software licenses, secure documents, etc.
Strongbox allows me to do more than 1Password and all organised how I want it. Instead of one huge ‘Logins’ section I can split it up into e.g. Forums, Groups, anything. It’s totally free form. You can organise it any way you want.
I am not connected to them in any way. I just think it’s a good product and better priced than 1Password which I was using for many, many years.
What I’ve done to avoid the “Reused Password” alert is merge the various sub-domain logins under a single login, then add the various sub-domains under the login’s “website” section. I don’t know if that would resolve this issue for you, but it works for me.
I wasn’t aware of that feature, but I see that I have to do it manually. 1Password should allow me to automate that. Apple is just one example; there are lots of others like that.
I use Bitwarden. There you can specify that the same login (username/password combo) is used on several subdomains. It needs some manually setting up, of course, but it works like a charm.
You can just ignore 1Password’s warnings about reused passwords.
1Password will still let you have a stand alone version if you threaten to move to another password manager like I did.
“Thanks for taking the time to contact us and for your support of 1Password. Yes, to purchase the standalone version of 1Password 7 for Mac the cost is $49.99 USD for a very limited time. Once you have installed 1Password 7 for Mac, you’ll have the option to either use 1Password with a subscription account, or to purchase the standalone version. Here’s more information for your review:
“Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many Macs as you have.”
During installation, when it asks you how you want to sync your passwords, make sure you select iCloud or Dropbox, not 1password.com.