Saved Form Details: loads of hidden text saved along fields?

Dan_Aykroyd
Dan_Aykroyd
Community Member

Hi,

I was just checking my entries in the iOS App and I noticed a lot of "garbage" saved in the form details while viewing the entry in the mobile app. It isn't being saved as fields, but like spaced out text above and below my actual username and password fields. It seems that you are capturing the text around the fields in the page and saving it in there.

In any case, some questions I have regarding this:

  • Are you intentionally saving this text for some form-filling reasons?
  • Is this really needed? Websites text/structure change extremely often, so if this is used for form-filling, how reliable can this be?
  • Is there any way to delete all this hidden information and keep the visible, actual fields as the only thing (along their field html names) saved?
  • Why this text is hidden on the desktop (macOS) app, but displayed on the mobile one? It adds to the list of inconsistencies I've found lately and posted about them here between the different clients

I hope you can comment on this. As a security app, it would be great to know that other details are being capture and saved in the entry, instead of hiding them (as of now) on the desktop client

Thanks in advance for your support.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Dan_Aykroyd

    Our filling used to be more literal and less smart, and so this information was indeed necessary in order to properly fill in forms. I believe it is still considered when filling with the new "brain," but less so than in the past. We don't generally recommend editing this information unless we're assisting you with a filling issue, which is why it is hidden by default in the UI.

    Why this text is hidden on the desktop (macOS) app, but displayed on the mobile one? It adds to the list of inconsistencies I've found lately and posted about them here between the different clients

    I don't follow. I show it as hidden by default on both. :) e.g.

    Tapping into Saved Form Details reveals:

    Are you seeing something different?

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member

    Thanks for you reply Ben.

    Yes, I'm seeing something different. I'm attaching a couple of examples here (these are only two, but all of my items are capturing that extra "garbage" in the web form details - this only can be seen on iOS; in macOS I only see the username/password fields).

    Keep in mind that only the username/password fields were showing while I captured the entry using macOS/Safari. I haven't added any extra fields and that information you see there was not saved at the time of creating the entries or added afterwards otherwise.

    Here "Login" is captured after the fields:

    Here you can see a lot of things captured before and after the actual fields:

  • Sure, I understand your form has additional / different fields than mine. I was asking specifically about this statement:

    Why this text is hidden on the desktop (macOS) app, but displayed on the mobile one? It adds to the list of inconsistencies I've found lately and posted about them here between the different clients

    Could you please clarify? This information is 'hidden' on both clients.

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member

    As I mentioned in my post, "all of my items are capturing that extra "garbage" in the web form details - this only can be seen on iOS; in macOS I only see the username/password fields". The inconsistency is that those extra fields only show in iOS but don't appear in macOS. I know you have to click to see the details; but after that, mobile shows what I posted and macOS only show the username/password fields.

    I understand your form has additional / different fields than mine

    I'm not sure if I was able to explain myself correctly... it's not just that the fields are different between us: all those text fields I posted (everything but the username/password fields) wasn't created by me manually after the capture and don't show up in the macOS client. And since you can't edit the web form details on mobile, there's no way to delete that extra data, since it doesn't appear in macOS. Even then, why is this extra information being captured in the first place for every entry?

  • @Dan_Aykroyd

    this only can be seen on iOS

    Okay. That's the thing. They do show up on macOS for me. e.g.:

    As for:

    Even then, why is this extra information being captured in the first place for every entry?

    I believe I explained that here:

    Our filling used to be more literal and less smart, and so this information was indeed necessary in order to properly fill in forms. I believe it is still considered when filling with the new "brain," but less so than in the past. We don't generally recommend editing this information unless we're assisting you with a filling issue, which is why it is hidden by default in the UI.

    If that is unclear please let me know. :+1:

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member
    edited March 2020

    Thanks Ben.

    How can I troubleshoot then why I'm not seeing that extra info for any of the entries on macOS?

    This is what I see there for the last entry I posted before; the one that had a lot of extra text captured above and below the username/password fields:

  • @Dan_Aykroyd

    How are you syncing your data between the two devices? And how/where was the item in question saved? If you save a new item for the website what is the result?

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member

    I'm a 1Password cloud subscriber, I've captured these items at the times of posting using my macOS and I'm running the latests versions of both macOS and iOS 1Password clients.

    I've tried capturing the site again and the same thing happens; all that extra data gets saved but it doesn't show up in macOS, only in iOS. All my entries have extra information captured that I can't see/edit in macOS; mostly a "Login" text after the username/password combination, but some others, like the second image I posted in my second post have a lot of data captured.

  • Thanks @Dan_Aykroyd. Unfortunately I don't have an immediate answer here to explain the discrepancy you're seeing. Hopefully as the filling brain continues to improve our reliance on this information across all of our platforms will be reduced, and we can focus on saving just the visible form fields and their contents. In the mean time, I really don't believe this is hurting anything. As mentioned above, we don't recommend editing this information unless there is a problem you're working with us on, and as such I wouldn't suggest spending a lot of time worrying about it. It isn't shown by default for that reason. :+1:

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member

    Thanks again for your reply Ben.

    As a follow up to your last screenshot, when you see those extra hidden fields on the macOS, do you also have the delete button next to them? I mean, are you able to delete those extra hidden captured fields?

    I'd love to delete everything beside the typical username/password fields (and see if the autocomplete still works!) as a workaround in the meantime. If you confirm me that you see the delete button and that are able to remove those fields, I'll keep on trying different things until I'm able to see those fields and delete them (perhaps trying the Windows client).

    I'm quite OCD and I'm starting to rebuild my password database from scratch (I'm migrating from KeePass), so I have hundred of entries to manually recreate, because I don't want to carry anything from there on an automatic import. I'm also resetting all my passwords in all services that I use, basing all of the new passwords in the 1Password generator rules, so, as you can see, it's quite an undertaking. That's why I'd want to trim all that extra unneeded stuff manually and save each item as clean as possible. I'm willing to manually trim that data, test filling, repeat each entry to make them as lean as possible.

    Thanks!

  • On macOS, in edit mode, I do have delete buttons:

    Thanks again for your reply Ben.

    You're welcome.

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member
    edited March 2020

    Hey Ben,

    I just checked the web client and there I'm also still only seeing only two fields in the Web Form Details (same as macOS client), while on mobile I still see more than 10 fields saved. Don't you think this falls more to the side of an oversight or bug rather than my own OCD thing? What if those extra fields that I can only see on mobile are storing sensitive information that I don't even want to save in my entries? A user might be at rest, thinking that they are in control on what they are storing in 1Password, while instead, you are capturing a lot of other fields and hiding them from the user on macOS/Web client. What if he is sharing that entry with his team/family and leaking extra information he might now want to share?

    Could you please elaborate further on what's going on here and why are you hiding that that info from the web client (which should be the same version for everybody)? The only way to see (and not even being able to edit) that extra data you are capturing on the desktop without the user knowing is to dig through the entries in the mobile app?

    Here is the Web Form Fields for that entry on iOS:

    Here is the Web Form Fields for that entry on the 1Password web client:

  • @Dan_Aykroyd

    Don't you think this falls more to the side of an oversight or bug rather than my own OCD thing?

    There may indeed be a difference in way various clients present this information.

    What if those extra fields that I can only see on mobile are storing sensitive information that I don't even want to save in my entries?

    They (intentionally) contain whatever information was contained on the form that may help in filling that form. The information is protected to the same level that the password is.

    A user might be at rest, thinking that they are in control on what they are storing in 1Password, while instead, you are capturing a lot of other fields and hiding them from the user on macOS/Web client. What if he is sharing that entry with his team/family and leaking extra information he might now want to share?

    Do you have an example of a web form where this could happen?

    Could you please elaborate further on what's going on here and why are you hiding that that info from the web client (which should be the same version for everybody)?

    I believe I've discovered the difference in what we've been seeing. In the example you posted it appears the fields have no contents... they're just empty labels. So there may be a difference between the iOS app and the web app in that the former displays empty labels whereas the latter may not. Arguably they should behave the same, and perhaps that is something we can evaluate moving forward.

    But the web app does show populated form fields beyond just the username and password:

    The only way to see (and not even being able to edit) that extra data you are capturing on the desktop without the user knowing is to dig through the entries in the mobile app?

    As mentioned above this information is saved for the purpose of improving the accuracy of form filling, particularly on atypical forms such as ones that have fields beyond/other than username and password. We don't recommend editing it unless working with our filling team on a specific issue. We're working toward smarter detection of form fields, rather than rote filling, but even so it seems what you view as extraneous may be necessary in some cases. Take the EFTPS.gov website for example, which is used to make payments to the IRS. This form is quite non-standard, and as such we need to save a number of fields beyond just 'username' and 'password':

    As such we're going to need to continue to capture form fields user beyond the standard two. I think there are two possible take-aways for us here:

    1. Perhaps we should consider not saving form fields that are empty or hidden
    2. If we do save/have saved such fields, the display of that information should be consistent between apps

    I'll mention these thoughts to the relevant teams for their consideration. Thanks for taking the time to work through this!

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member

    Thanks for your detailed response Ben.

    Do you have an example of a web form where this could happen?

    I do not have yet, as I'm in the process of building the 1Password database from scratch from my KeePass database, but I'll let you know when I find one.

    I know that capturing all fields is the standard (and expected) behavior, as there are a lot of forms that require additional information besides an username and a password. Similar to the EFTPS site that you mentioned, I have several sites that need to save additional login data, that were successfully working with KeePass (since I saved all the additional fields) and that will work fine with 1Password too, as I can save any number of required fields here also.

    What came to my attention, and the reason why I started this thread, is that in all entries that I have there are no other visible fields and I noticed that you were these "texts", which I don't even believe are fields. All the "Login" texts I see saved that I posted at the beginning are buttons, and that entry from that "Jumbo" site is saving a lot of extra labels for buttons or random text in the website, while it only actually requires the username/passwords fields to login.

    Perhaps we should consider not saving form fields that are empty or hidden
    If we do save/have saved such fields, the display of that information should be consistent between apps

    I agree with these. At least, don't save a lot of stuff that aren't effectively fields or let the user be able to edit/remove them afterwards. I've noticed that you mentioned a couple of times that "we don't recommend editing this information unless there is a problem you're working with us on", but even if I was working with support on this, there would be no way for me to edit that information, as you don't allow to edit the Saved Form Details on mobile and you are not showing these fields anywhere else. So, the takeaway of this for me is that at least you should consider capturing whatever you think you'll need but make it consistently across clients, because if I never looked at the details on iOS, I'd have never have known that you captured those extra fields. And by making it consistent across clients, I'd be able to edit the captured fields; effectively cleaning all those labels that were unneeded and leaving the entry as lean as possible.

  • What came to my attention, and the reason why I started this thread, is that in all entries that I have there are no other visible fields and I noticed that you were these "texts", which I don't even believe are fields. All the "Login" texts I see saved that I posted at the beginning are buttons, and that entry from that "Jumbo" site is saving a lot of extra labels for buttons or random text in the website, while it only actually requires the username/passwords fields to login.

    Ah; ha. Both buttons and text input fields are generated in HTML by the <input> tag. I suspect that is why they are saved, though I see the argument that doing so is likely unnecessary. I am failing to see how this would be any sort of information leak, though. We're just capturing the structure of the form that is on the page, which is presumably the same stuff someone you share the login will see when they go to that site.

    I agree with these. At least, don't save a lot of stuff that aren't effectively fields or let the user be able to edit/remove them afterwards. I've noticed that you mentioned a couple of times that "we don't recommend editing this information unless there is a problem you're working with us on", but even if I was working with support on this, there would be no way for me to edit that information, as you don't allow to edit the Saved Form Details on mobile and you are not showing these fields anywhere else. So, the takeaway of this for me is that at least you should consider capturing whatever you think you'll need but make it consistently across clients, because if I never looked at the details on iOS, I'd have never have known that you captured those extra fields. And by making it consistent across clients, I'd be able to edit the captured fields; effectively cleaning all those labels that were unneeded and leaving the entry as lean as possible.

    The only way to remove them would be to export the item to JSON (1PIF), edit it, and then re-import it. That is a fair bit of work for something that isn't doing any harm, and wouldn't be something our filling team would pursue unless it were causing an issue filling the intended form.

    Consistency across clients has been a big challenge for us. It is something we're focusing our efforts on, but it may be quite some time before we have the resources to get down to some of the details such as this. Right now we're still working on large components such as the password generator. That isn't to say we wouldn't want to address this eventually, but I didn't want to give you the impression changes would be forthcoming in the next update, for example.

    Ben

  • Dan_Aykroyd
    Dan_Aykroyd
    Community Member

    Thanks Ben for the heads up with the 1PIF being JSON formatted. Before creating the thread, I've tried exporting to .csv to see if I could remove the fields from there, but I noticed they weren't there in that file, so that added to the confusion of why they were hidden from there too and I didn't bother messing with the 1PIF format.

    I've tried exporting the 1PIF and opening the JSON and, effectively, these labels were there. I reckon that it would be a lot of work to process hundred of entries like this; exporting, removing, importing, testing auto-fill, repeat until it works and get the entry as clean as possible. I hope some day it would be possible to edit these entries from 1Password itself; either because you started displaying them in the desktop client or being able to edit Saved Form Details from mobile.

    Thanks.

  • Ben
    Ben
    edited March 2020

    You're very welcome. Thanks for working through this with us. :+1:

    Ben

    ref: dev/projects/customer-feature-requests#76

This discussion has been closed.