Waiving weak/exposed/reused passwords

I have some passwords which are weak and will remain like this forever. Example: the PIN of my credit card. The same applies to some reused passwords. And most of my PINs are exposed :slight_smile: It would be good to have the possibility to tag them as “waived”, e.g. by adding a custom field. This would make the whole list cleaner, as it would only display the passwords I really need to take care of.

I can second this for some other use cases, like internal systems or test labs that don’t need high security. I feel domains and external IPs, however, should not be allowed to do this, since some people may just dismiss it rather than change it to something secure.

If you’re using a PIN for a service like that, I’d suggest adding it to the notes or something instead so it bypasses the scan. I’m not sure if custom fields are included or not.

No, not doing foolish things like using PINs where real, strong passwords should be used.
Your workaround could do the trick, but it sounds weird to use a password manager to store data in custom fields to prevent them from being considered.
Overall: I would leave it to the user’s responsibility to choose whether to waive weak passwords, i.e. don’t try to automatically discover “internal systems or test labs”.

No, not doing foolish things like using PINs where real, strong passwords should be used.

This varies hugely depending on the system in place. For instance, Speedway’s member system uses PINs for signing in on terminals for ease. Even if they didn’t, I wouldn’t want to type out Y2Tq$LoYNBqGrrXaqCY%nLxEJEhsmX*2xd^[email protected]$cHxYuRpf%acawNbrcHSQvN%[email protected]#NPBwS*&ngd!E6N96T2bUso#mv to get into my account (I generated that with Bitwarden :wink:), let alone have to remember that or pull it up to do so.
This is also used for their website’s authentication, though, which I despise greatly…

As for letting the user decide this, I still stand by my position that domains and external IPs should not be allowed to be ignored. An alternative would then be to allow an organization to specify test/lab domains that can be whitelisted from scans as well, so that domains in a testing environment could be whitelisted from scans. That way some form of organization admin can control this, and not just anyone who wants to ignore the warnings.
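To make the two proposals in this thread concrete (a user-set “waived” custom field, plus an admin-managed allowlist so that external domains cannot be waived), here is an added example of a weak/reused-password report that honours both rules. It is not Bitwarden’s code and does not use the Bitwarden API; the vault below is constructed inline in the rough shape of a JSON export (items with `login.password`, `login.uris` and a `fields` list), which is an assumption, as are the `waived` field name, the `LAB_DOMAINS` allowlist and the strength rule (12+ characters, at least three character classes).

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed sample vault (assumed export shape; not real data).
VAULT = [
    {"name": "Credit card PIN",
     "login": {"password": "4821", "uris": []},
     "fields": [{"name": "waived", "value": "true"}]},          # no URI: waiver allowed
    {"name": "Lab router",
     "login": {"password": "admin", "uris": [{"uri": "http://192.168.1.1"}]},
     "fields": [{"name": "waived", "value": "true"}]},          # private IP: waiver allowed
    {"name": "Bank",
     "login": {"password": "Summer2020", "uris": [{"uri": "https://bank.example"}]},
     "fields": [{"name": "waived", "value": "true"}]},          # external domain: waiver ignored
    {"name": "Forum",
     "login": {"password": "Summer2020", "uris": [{"uri": "https://forum.example"}]},
     "fields": []},                                             # reuses the Bank password
    {"name": "Test lab",
     "login": {"password": "test", "uris": [{"uri": "https://lab.test.example"}]},
     "fields": [{"name": "waived", "value": "true"}]},          # allowlisted lab domain
    {"name": "Good",
     "login": {"password": "Y2Tq$LoYNBqGrrXaqCY%nLxEJEhsmX*2xd",
               "uris": [{"uri": "https://good.example"}]},
     "fields": []},                                             # strong and unique
]

# Assumed admin-managed allowlist of test/lab domains whose items may be waived.
LAB_DOMAINS = {"lab.test.example"}


def is_waived(item):
    """True when the user tagged the item with a custom field waived=true."""
    return any(f.get("name") == "waived" and str(f.get("value")).lower() == "true"
               for f in item.get("fields") or [])


def is_external(host, lab_domains):
    """External = public host not on the allowlist. Private IPs and localhost are internal."""
    if not host or host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return host not in lab_domains and not host.endswith(
            tuple("." + d for d in lab_domains))


def waiver_allowed(item, lab_domains):
    """A waiver only counts if none of the item's URIs point at an external host."""
    hosts = [urlparse(u["uri"]).hostname for u in item["login"].get("uris") or []]
    return not any(is_external(h, lab_domains) for h in hosts)


def is_weak(pw):
    """Weak = shorter than 12 characters or fewer than three character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) < 12 or classes < 3


def report(items, lab_domains):
    """Map item name -> list of findings, skipping items whose waiver is allowed."""
    counts = Counter(i["login"]["password"] for i in items)  # reuse is counted vault-wide
    findings = {}
    for item in items:
        if is_waived(item) and waiver_allowed(item, lab_domains):
            continue
        pw = item["login"]["password"]
        reasons = []
        if is_weak(pw):
            reasons.append("weak")
        if counts[pw] > 1:
            reasons.append("reused")
        if reasons:
            findings[item["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in report(VAULT, LAB_DOMAINS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run as-is, only “Bank” and “Forum” are reported: the PIN, the private-IP router and the allowlisted lab host drop out of the list, while the waiver on the external banking site is ignored. Reuse is still counted across waived items, so a waived password that is also used on an external site is flagged there.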

Agreed if we’re considering a corporate environment, which I hadn’t thought of!

Agreed that all the PIN codes I have stored make it a pain to go through the password reports.
I should be able to mark a code as excluded from the reports.