Am I understanding Password vs Login correctly when creating new online account?
Hi 1Password support team,
I know this is a long-discussed topic, and that you're aware of its potential confusion, but all the same, for as long as I'm still setting 1Password up for my clients, I'd like to at least verify that I understand the expected behavior correctly.
When I create a new account on a web site:
- After specifying a user name, or entering an email address, I click into the password field.
- I click on 1Password Mini, and then click on + Generate Password, and then click on Save & Copy.
- At this point, a Password record has been created in 1Password, whose title is the domain.
- The password hopefully has been auto-filled into the password field of the web site; if not, then I paste it manually.
And now, because the constantly changing nature of the web is such that 1Password is not going to be able to manage every single site as well as we'd all like it to, one of three things happens:
- 1Password does nothing. I have to go into the 1Password app, find the Password, and manually convert it to a Login, including changing the title, adding a username, and possibly adding a URL.
- OR: 1Password offers to save the Login. A new Login record is created in 1Password. I have to go into the 1Password app, find the Password record, and delete it.
- OR: 1Password converts the Password to a Login, adds the username automatically, and corrects the title. I don't have to do anything (but I also don't know that it happened, without going into 1Password to see).
Is my understanding accurate, so I at least know what I'm working with, or am I missing something that might reduce the number of steps and/or scenarios? While the above is not ideal, I can, as a technically oriented user, handle it. My clients, on the other hand, struggle, so if there's any way for me to make it easier, I'd like to know about it.
Best, and thank you,
Ivan Drucker
IvanExpert Mac Support
NYC
1Password Version: 7.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @IvanExpert
Yes, I think you've pretty well outlined the situation. #1 ideally wouldn't happen, but as you say some websites do things in fairly non-standard ways and we can't account for every eventuality, especially not without also creating further problems of false positives. #2 should not be happening, though. That is a bug. If you save a Login item with the same domain and password as a password item, the password item should be deleted automatically. We thought we had this fixed in 1Password 7.5, so if you're still seeing it in that version or newer please let us know so we can look into that. #3 is of course the expected / ideal outcome.
If folks are struggling, and consistency would help, you could consider suggesting that they always manually save logins, instead of relying on the auto-save prompt. Perhaps it would even be appropriate for these folks to turn the auto-save prompt off, so it doesn't add confusion.
How to save a Login manually in your browser
That does create extra steps for each login saved though, and I would think/hope that situation #1 should be a rare exception, and situation #2 should be resolved at this point.
Ben
0 -
Hi Ben,
Thanks for your detailed response.
With regard to the idea of always manually saving -- the article describes an approach I hadn't considered, but it addresses logging in with existing passwords, which I think is less of an issue. The main problem I'm having is with the generation of new passwords, since that's a use case where a Password entry is always created. Is there any similar process you'd suggest for that? (I'm not sure I'd really prefer this approach to the mostly-operational auto-save prompt, but I'd like to know what my options are so I can consider it.)
The fact that #1 sometimes happens makes it likely that a user, whether savvy or not, is going to end up with some amount of Password entries, particularly if they use the + Generate Password button, and I can't think of any use cases where someone would want to keep an auto-generated Password entry (as opposed to a manually created one where you get to title it) long term, except as a safety net for when #3 doesn't work. They're pretty ugly.
Why not just have Save & Copy make a Login in the first place, rather than a Password? Then they'd have a proper title and rich icon. When the username field remains unfilled during auto-fill, and the user enters it, auto-save could offer to update at that point (or just do it silently).
If that's undesirable, I think Password entries could at least be made more usable, because as they stand, they're indistinct in both title and icon. After clicking Save & Copy, 1Password could prompt for whether you want to convert it to a Login, and take you to that Login entry for editing title and adding username. Or maybe there could be a secondary button that offers "Save as Login & Copy," and then lets you edit the title and add a username.
If none of that seems feasible, then perhaps the title could be editable after clicking + Generate Password, so you don't have to be stuck with the domain as the title; or, 1Password could prompt for it after generating the password, like it does with auto-save. And a rich icon could be applied from the URL. Then you'd have something that's functionally similar to a Login -- it's just missing a username. And then, when someone attempts to auto-fill with that Password entry, they'll see that the username has not been completed, so they'll type it in, and then at that point 1Password will hopefully convert it to a Login as it is supposed to. (I realize 1Password does this already, but the Password entries look "wrong" to many of my clients, and even me, without a rich icon and proper title -- especially since there can be multiples for the same site.)
As for #2 being a bug, here's a reproduction case in 7.5, which led me to actually write the above post:
- poptropica.com
- Play Now
- menu icon (upper right)
- gear icon (upper left)
- Account Settings
- Save Account (or, another way to get the new account screen would be to start a new game, then try to save it)
- on new account screen, type a username
- click in password field
- click 1Password mini in browser
- click Generate Password
- set to 10 characters
- click Save and Copy
- autofill doesn't happen, so paste (twice) into password fields
- open Incognito window
- poptropica.com
- log in by typing user name, and copying and pasting from the Password entry
- save 1Password when prompted from browser
- there will be both the original Password entry, and the new Login entry, in 1Password
(I also verified that the domains are the same (though one has a longer URL).
Best,
Ivan.0 -
Is there any similar process you'd suggest for that?
It would be the same process, but you'd add the step of generating a password first.
except as a safety net for when #3 doesn't work
Correct; that's exactly their purpose:
If you used the password generator and can't find the password to sign in
Why not just have Save & Copy make a Login in the first place, rather than a Password? Then they'd have a proper title and rich icon. When the username field remains unfilled during auto-fill, and the user enters it, auto-save could offer to update at that point (or just do it silently).
That is an interesting thought. I can certainly discuss that with the development team.
or, 1Password could prompt for it after generating the password, like it does with auto-save
It seems this adds more steps to everyone's workflow to benefit an edge case? Auto-save not working as expected should be a rarity, and so having everyone get an extra prompt to title an item that should be automatically deleted moments later seems wasteful and like a potential source of additional confusion.
As for #2 being a bug, here's a reproduction case in 7.5
Thanks. I've added testing that to my to-do list for today. I'll follow up with development once I've done so. :)
Ben
0 -
Ben,
Thanks for your thoughtful responses to my comments and suggestions.
One additional one that comes to me when reading the (second) support article you linked is that it would be nice if 1Password had some kind of automated management for Logins (and Passwords) that share the same domain. In general, for most sites, you're really going to want only one domain per entry, The process being described in that article is very manual.
I'm not really sure what that automated management would look like (I'd need to think it through), but the whole business of manual copying a password from one entry, pasting into another while in edit mode, then going back and deleting the first (which the article doesn't even suggest, but would obviously be wanted), seems like a lot of clicks, as well as something that requires intermediate technical ability (not everyone is a master of copy and paste).
What would be beautiful is some interface that allows you to step through each entry with a shared domain, try each password, ask you if it succeeded in signing in or not so it identifies the right one, and then consolidate the redundancies into a single entry -- in other words, automate what is currently a very manual task when it comes to entry maintenance in 1Password.
Thanks again,
Ivan.0 -
What would be beautiful is some interface that allows you to step through each entry with a shared domain, try each password, ask you if it succeeded in signing in or not so it identifies the right one, and then consolidate the redundancies into a single entry -- in other words, automate what is currently a very manual task when it comes to entry maintenance in 1Password.
I think we may need to take a step back here... if there is a need for such a system then something is way out of whack. This really shouldn't be a problem that is occurring enough to build an in-depth system to address it. I'd much rather see our developers spend the time instances where auto-save doesn't work as expected. What percentage of the time would you say you're seeing this?
Thanks for your thoughtful responses to my comments and suggestions.
You're very welcome. :)
Ben
0 -
Hi Ben,
I totally agree with you, in principle, if not necessarily the facts on the ground. Based on my experience with clients, I think it's not so much an edge case as a minority case. I'd hazard to say that most of my clients have at least a few automatically generated Password (not Login) entries. I have no way of assessing, but I'm going to guesstimate Passwords end up persisting, one way or another, 10% to 20% of the time.
As another example, I just created a new account on Splice.com, and used Generate Password. It did auto-save correctly using Save & Copy, but the Password entry remained after the Login entry was created. Domain is the same for both. So I think that 7.5 really isn't fixed in terms of Logins replacing passwords reliably. (I think this is why I, at least, miss the old Copy functionality -- while it is true it created the risk of changing a password with no record of what it was, it also prevented the risk of the password library getting cluttered with Password entries, which is what happens in real life.)
Let me know if I can assist further, and thanks again for your interest and attention.
Ivan.
0 -
It is possible that in certain cases the previous generated password remains in that category even after creating a login item, so we will continue doing our best so that this doesn't happen. In the meantime, if you find an example where this happens, you can certainly deleted the duplicate password after you have created your login item.
0 -
I understand. I'm less concerned about what I have to do to clean up, since I'm reasonably tech-savvy and comfortable with 1Password -- I'm more concerned about my clients getting frustrated with 1Password because they don't understand what the Password entries are and why they proliferate. It makes training challenging.
I just wanted to provide another example of Passwords entries not being deleted when Login entries should replace them -- the "#2 scenario", above, which Ben said should no longer be happening in 7.5. At least with poptropica.com and splice.com, it seems like it's still happening.
I think the problem of lingering Passwords is fairly widespread, and diminishes my ability to, well, evangelize 1Password to my clients. It's not really impressive to tell them, "Well, sometimes 1Password doesn't do the right thing and will leave behind a Password entry in addition to the login, so let me explain to you what that is and why you need to check after every time you create an account on a web site that everything was done correctly." It feels like a lot of extra work and learning to them. Some of them don't really want to pay for 1Password at that point and don't understand how it really makes their lives better when they can use the less robust, but more predictable, password saving mechanisms in Safari and Chrome.
I don't mean to complain -- I just am hoping to provide examples to express the urgency of either really fixing this problem -- I think one way would be, as I suggested above, having Generate Password create a Login, rather than a password.
Or, if the facts on the ground are that this situation is always going to exist, then providing an interface to clean up Passwords in an automated, easy fashion. Because the alternative is having to train non-savvy users to understand the distinction of Passwords vs Logins, when Passwords get generated, and what to do about them when they end up permanently, rather than temporarily, in their 1Password vault.
As a footnote, I want to say that none of this existed when I was able to train clients on the the old password generator, followed by Copy. I understand why that option was removed in favor of Generate Password + Save & Copy only, but the reality is that now people's 1Password vaults are getting cluttered with Passwords, whereas that was a concept they never even needed to understand before.
0 -
I don't mean to complain
Not at all. We appreciate you taking the time to share these pain points with us. I can't make any promises other than to say I'll be sure the team is aware this continues to be an issue.
Ben
0 -
Well, that is certainly as much as I can ask for. Thanks.
It's my belief at this point that this happens 100% of the time; I haven't seen any examples lately of when the Password entry actually goes away as it is supposed to. I always have a Password entry left behind in 7.5.
As another data point, I just set up a new account at forums.macrumors.com. When in the password field, I typed cmd-\ to bring up 1Password mini, clicked Generate Password, clicked Save & Copy, and the password autofilled as one would hope. Auto-Save then prompted me if I wanted to save the password (which honestly doesn't seem like an amazing experience to me -- didn't I just generate the password?), so I did, and, now there exists both a Password entry and a Login entry.
It's actually a considerably simpler workflow to use Chrome's suggested password and then just let 1Password save it. (Unfortunately, I think 1Password doesn't prompt to Auto-Save when I do same in Safari.) This might be how I have to steer my clients, even if it does mean that the password is getting saved in both Chrome and 1Password, because asking them to go back and delete the Password entry, when it's already several more clicks just to use Generate Password versus accepting Chrome's suggestion, just makes 1Password look bad.
I hope you are able to fix this. Just to recap my suggestions, in order of my personal preference:
- Don't make Passwords at all when using Generate Password; instead, make Logins.
- Use rich icons on and proper page titles on Passwords so they don't look technical and out of place in the list of 1Password entries
- Fix Passwords so they reliably delete following Generate Password (I know this is your preferred choice, but I still find the whole business of Password entries being created and then auto-deleted kind of janky)
- Put Generate Password entries in a separate UI where they're not mixed in and offered for autofill, but can be reviewed if needed
- Provide some "cleanup" interface that lets you review and test out Passwords and Logins at the same domains so you can keep the One True Entry (this would be useful even without the issue I'm describing)
- Bring back Password Generator + Copy
Thanks for your attention and consideration.
Ivan.
0 -
Thanks again Ivan.
Ben
0 -
Another data point for Passwords not getting auto-deleted upon creation of a Login at the same domain in 1Password 7.5.
I just changed my password on SourceForge.net (which I didn't yet have an entry for in 1Password, though I had an account already). In the password field:
cmd-\
Generate Password
Save & Copy
1P autofilled as hoped for
when I submitted the form, 1P asked if I wanted to save the entry, which I did
1P then contained both a Login entry and a Password entry for SourceForge.net
(and in this case, the Login entry didn't have a username either, since it was a password change form, without a username field)Let me know if you'd like more as they happen, or if you'd like me to stop.
0 -
Thank you for the additional example @IvanExpert! :+1: At this point I believe we have enough information, and as Ben said, our developers are aware of this. Hopefully we will have a fix soon :)
0 -
Ok sounds good. Thanks Ana and Ben.
0 -
Thank you. :)
Ben
0 -
I'm so glad I found this post because it explains precisely the problem I wanted to come here and ask about.
I was wondering - is there any update on this? It always used to work correctly for me where I'd generate a password for a new login, then I'd opt to create a new login when I finished the website's sign-up, and then it would turn that generated password into a login. But now it always keeps the password and new login around in 1Password. It's quite frustrating and for members of my family who aren't as "clean freaks" as me, they end up with loads of duplicate login & passwords and I worry that they'll get confusing later down the line.
It would be great if there's a solution to this problem. I like the idea that generating a password from within the mini-popup could default to or at least have the option of actually creating a login. That would solve it immediately. Or the old behaviour where the password would get converted to a login would also be great.
0 -
No updates to share yet, sorry! Our developers are however aware of this, hopefully we will find a way to fix this in one of the future updates :+1:
0 -
@ag_ana would you mind double checking that it is still an active issue? I ask because the release notes for 7.6 say:
"Addressed an issue with saving updated logins via the extension that could result in generated password items not being deleted upon updating an existing login. {#4497}"
I actually haven't run into it in a while, but that's because I switched to 1Password X beta until desktop integration was removed. But if @mattjgalloway is still seeing it, it might deserve another look...
Thanks,
Ivan.0 -
I see that the issue is open, so there is probably something else we can try to do :+1:
ref: dev/apple/issues#4497
0