Was Your Data Included in Recent Security Breaches?

In addition to periodically checking Watchtower in 1Password, I use Identity Leak Checker https://sec.hpi.uni-potsdam.de/ilc/?

I did MapMyRide close to 10 years ago, and had no idea that UA now owns them!

Diane

Oh I HATE that! I also wish that when you use the wrong password, it comes back with a hint of how many characters etc. I’ve seen sites do that and it’s usually enough to trigger me.

I did find a couple of breaches on 2-3 of my other accounts but I think I am still under - or close to - 12 total. Ticketfly got me on 2 emails.

Diane

I wanted a scale that would talk to the health app, but they all required a login, so I just went with another old fashioned Tanita.

Diane

What do folks think about PasswordWallet, which does not use the cloud, it encrypts the datafile with a Master Password of your choosing. Easy to learn, logical interface, one time $20, iOS version $4.99 and you can import the data file you created on your Mac.

I used to use it…but switched over to 1Password for Secure Notes, auto entry of credentials, cloud storage, and much easier sync. My wife still uses it even though I’ve got a family 1Password account…can’t convince her to switch. PW has improved in the years since I switched but it’s still not as good as 1PW in features or sync…not to mention cloud sync. Although I have a 1PW family account…my main vault lives on Dropbox.

I love it. It was one of the first. I have been using it since TidBITS recommended it some 20 odd years ago. At that time I mostly stored registration data for software I had purchased, like GraphicConverter and PasswordWallet. :wink: Later I tried 1Password but didn’t like it. Eventually, I stored the PW file in my Dropbox folder so it would be available on all my computers, bypassing the syncing altogether.

Yes! Did the programmers think only mind readers (byte readers?) would use their web sites?

That has always been a very annoying ‘pet peeve’ of mine. It would seem that it would not be all that difficult to tell you up front what they actually need or accept. I suppose they don’t because it makes it easier for someone trying a brute force approach.

I always thought it would be nice if they would pass the requirement to the browser or password manager through some defined protocol. Then when you, for example, use 1Password to generate a password, it could automatically generate the password to fit the requirements.

I think the idea of not showing password complexity requirements until one is entered that doesn’t meet them is to not clutter the interface showing users information they don’t need until they need it. Some number of users won’t need to be shown the password requirements because the password they chose the first time meets them (perhaps because they let a password manager generate it for them). Only when one enters a password that doesn’t meet the requirements do they need to be displayed (all the requirements, I’ve seen ones that only show the individual requirements you failed to meet e.g. “password1” “Error: password must include a symbol” “password#” “Error: password must include a number”).

If their requirements include not permitting certain characters, (&, ;, >, etc.), they may not show them until they’re used in a password out of embarrassment. If their system can’t handle certain characters in passwords, someone has done a bad job.

But I have a set policy in my password manager to generate passwords as words rather than some random variation on must have numerals, upper case, punctuation and lower case or whatever that do not actually add any useful entropy to my default settings of three words and ~14 characters…

Especially when they have a limit of <14 characters…

It is just bad UX to not explain what you expect.

You can.

In Safari on Mac, open Prefs > Passwords tab (login via TouchID or password). Then you can see the Yellow triangles, click on them to see the other sites sharing the same password. Et voila!


The problem is, like 1Password, some sites are run by the same company and you cannot dismiss the warnings (though 1Password say they’re working on a solution that’ll work across all the platforms they operate on).

For example, I’m on amazon.co.uk / amazon.com / amazon.co.jp / and other sites of theirs; even though each site has its own separate login screen, they share the same password.

Same for bbc.co.uk / bbc.com + ebay.co.uk / ebay.com + wikipedia.org / wikimedia.org to name but a few.

I know I’ve seen some that don’t allow a few special characters. “!” seems to be one of them.

Diane

In 1Password, you can manage one account that’s used on multiple domain names by having a single 1Password record with multiple websites saved.

I’m not arguing in favor of any password requirements, I’m just explaining why sites that have them might not display them up-front. If they’re displayed first, everyone has to get past them but only some need the information. If they aren’t, some won’t need the information because they met the requirements anyway and others will be shown the requirements after the first attempt. If the percentage of people who don’t meet the requirements the first time and feel frustrated is small, that could be a reasonable trade-off benefiting the majority. My guess is in practice the percentage who fail to meet the requirements and are perturbed is not small for most sites. Of course, just because the requirements are displayed first does not mean they are read, understood, and followed.

A password manager’s job is to create, remember, and fill in passwords for you. I don’t know why it would be advantageous to have it routinely choose mnemonic ones that you know will run afoul of some password complexity requirements when it’s just as easy to have it create equally strong passwords that won’t. I have 1Password choose long passwords that include digits and symbols (there’s a 50/50 chance of each letter being upper or lower case so for long passwords it’s very unlikely they’ll be all one or the other, 1Password may even put its thumb on the scale to make sure there’s at least one of each). By including symbols, that means on rare occasions I have to intervene in the password selection when it’s a bad site that can’t take some symbols. It’s more common to intervene because of a maximum password length but that affects passphrases as well. I’m not going to weaken my passwords for better sites by setting a default that satisfies some lowest common denominator site.
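The two technical points in this thread, a site handing its password rules to the password manager so it can generate a fitting password on the first try (as wished for a few posts up), and the entropy arithmetic behind three-word passphrases versus long random strings with digits and symbols, as an added example. This is not code from any poster, from 1Password or from any real site; the policy fields (`min_length`, `max_length`, `require`, `allowed_symbols`) are a hypothetical schema invented for the example, and the 7776-word list size is only used as an input number (it is the size of a common diceware-style list).

```python
import math
import random
import secrets
import string

# Constructed example of a machine-readable password policy, the kind of thing a
# site could hand to a password manager so it generates a fitting password up
# front. The field names are a hypothetical schema, not any real protocol.
POLICY_STRICT = {
    "min_length": 12,
    "max_length": 20,
    "require": {"lower", "upper", "digit", "symbol"},
    # this (made-up) site only accepts these symbols; it rejects ! & ; > etc.
    "allowed_symbols": "@#$%^*-_+=",
}

_BASE_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}

def char_classes(policy):
    """Character classes for a policy; the symbol class is whatever the site allows."""
    classes = dict(_BASE_CLASSES)
    classes["symbol"] = policy.get("allowed_symbols", string.punctuation)
    return classes

def violations(password, policy):
    """Return the rules a candidate password fails; an empty list means it passes."""
    classes = char_classes(policy)
    alphabet = "".join(classes.values())
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("min_length")
    if len(password) > policy["max_length"]:
        problems.append("max_length")
    if any(c not in alphabet for c in password):
        problems.append("forbidden_char")
    for name in sorted(policy["require"]):
        if not any(c in classes[name] for c in password):
            problems.append("missing_" + name)
    return problems

_sysrand = random.SystemRandom()  # OS CSPRNG; `secrets` has no shuffle()

def generate(policy, length=None):
    """Generate a random password that satisfies `policy`.

    One character is drawn from each required class, so the result can never be
    rejected for a missing class; the rest come from the full allowed alphabet,
    and the list is shuffled so the required characters land in random positions.
    """
    classes = char_classes(policy)
    alphabet = "".join(classes.values())
    required = sorted(policy["require"])
    if length is None:
        length = policy["max_length"]
    if not policy["min_length"] <= length <= policy["max_length"]:
        raise ValueError("length outside policy bounds")
    if length < len(required):
        raise ValueError("length too short to hold one of each required class")
    chars = [secrets.choice(classes[name]) for name in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(required))]
    _sysrand.shuffle(chars)
    return "".join(chars)

def entropy_random(length, alphabet_size):
    """Bits of entropy in `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def entropy_passphrase(words, wordlist_size):
    """Bits of entropy in `words` independent uniform picks from a `wordlist_size` word list."""
    return words * math.log2(wordlist_size)

def prob_all_one_case(letters):
    """Chance that `letters` letters, each coin-flipped upper/lower, all land on one case."""
    return 2 * 0.5 ** letters

if __name__ == "__main__":
    pw = generate(POLICY_STRICT)
    print(pw, violations(pw, POLICY_STRICT))
    print("password1 ->", violations("password1", POLICY_STRICT))
    print(f"3 words from a 7776-word list: {entropy_passphrase(3, 7776):.1f} bits")
    print(f"14 random chars from 94 printable ASCII: {entropy_random(14, 94):.1f} bits")
    print(f"P(14 coin-flipped letters all one case) = {prob_all_one_case(14):.6f}")
```

`violations()` reports every failed rule at once rather than one per attempt, which is the behaviour the posts above complain about. `generate()` guarantees one character of each required class, so its output is not perfectly uniform over all valid passwords, but every output passes the policy, which is the trade-off a manager makes when it "puts its thumb on the scale". The entropy helpers take the list or alphabet size as a parameter so the reader can plug in their own manager's settings.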

I support Curtis’ comments. And will slightly modify my 1PSW password generation Default to similar guidance.

Based upon my experience with “Touch ID” on my iPhone 7 and 8, I’m not enthusiastic about a future that is biometric based.

Sorry yeah, you’re absolutely right. My examples were the wrong ones.

I should have said ones that need separate entries in 1Password (for whatever reason), so still get flagged as “Reused Passwords”.

The issue still remains with Apple Keychain though, as each URL entry is separate by its very nature in Apple Keychain. So when you, say, open Safari > Prefs > Passwords, you cannot turn off the yellow warning triangles for all the Amazons, eBays, BBCs, Wikis, etc.

For those looking for something simpler than 1Password that doesn’t rely on a subscription fee, Alco Blom has just updated his Web Confidential to be 64-bit savvy.

https://www.web-confidential.com/notes50.html
