Should an input textbox "type" attribute of value "password" ever be used for a DOB textbox?
When logging in with 1password using the following link:
https://online.hl.co.uk/my-accounts/login-step-one
I discover that the date of birth text box is filled in with my password. I can't fully prove it's my password but I'm pretty sure this is the case because when I inspect the textbox element for the date of birth I notice that it has type = password. Also what's entered is clearly greater than 6 characters.
I'm assuming 1Password uses the value of this attribute to identify if the textbox needs filling in with the password and therefore it's bad practise on the part of the website. Having said this I'd like a second opinion from this community before I message the company informing them that maybe they need to improve their web UI to accommodate password managers.
Thanks
Ben
1Password Version: 7.3 (70300020)
Extension Version: Not Provided
OS Version: OSX 10.14.5
Sync Type: 1Password Store
Comments
-
Hi @benfranklin! Welcome to the forum!
1Password does indeed check for password fields on webpages to understand where passwords should go. Because of this, I wouldn't be surprised if it tried to fill your password on any field on a website that is marked as a password field.
The strange thing about the website you mentioned is that this website seems to consider the date of birth as a password. So, technically speaking, 1Password is doing the right thing.
I don't have an account on the website to test this, but what happens after you login to this page? Are you asked for your actual password afterwards, in a later step of the login process?
0 -
Hi @ag_ana,
Thanks for the quick reply & welcome!
On the first login page, 1password correctly enters my username and I have to manually enter my date of birth. Then it takes me to a second webpage where I'm asked to enter my password and a selection of digits from my secret pin. 1password correctly fills in the password and I have to manually enter the digits. Then I'm in. I've not checked that the type attribute of the password textbox is of value "password" but I'm willing to bet it is.
Anyway, it seems like the website is poorly designed with respect to the DOB textbox. I don't think there's any need to make the DOB a password textbox and to hide the characters. It's just overkill. DOB is quite easy to obtain by means other than looking over someone's shoulder. You agree?
0 -
I agree, the date of birth can hardly be considered a secret. If anything, it's certainly not something only you know :pensive:
As a workaround for this specific website, I suppose you could, theoretically, create a second 1Password Login item for the first login step (with your username and your date of birth as your password) and use that to fill the first form. It wouldn't look pretty, but I think it would allow you to fill both form correctly.
0 -
Not a bad idea which I'd already thought of but the only problem is then 1password would give a warning about how bad the DOB is as a password. I may end up doing it for now though. Thanks for taking the time to respond. I will contact the company and hopefully they will update their website at some point.
0 -
Not a bad idea which I'd already thought of but the only problem is then 1password would give a warning about how bad the DOB is as a password.
True. In this case, I am afraid that you can only choose the least of all evils :P
0