Saved password for Fidelity.com doesn't work
Hi there, I've just saved a password in Fidelity.com and noticed I can't login when I attempt to use my saved password it always fails to login, but it always works when I do it manually.
I've analysed the developer tools to understand what is happening to the input boxes and noticed the username input is altered once fill it and focus on the password input, this change generates a wrong username while using 1Password which results into a failed login attempt.
Steps to reproduce:
- Open https://nb.fidelity.com/public/nb/worldwide/home
- Focus on the username field and inspect that field's parameters (you'll see the field is working properly)
- Click on 1Password dropdown to use saved password and username
- Now focus on the password and inspect the field's parameters (you'll see the field value has been changed to contain ****** in it. There is a "data-unmasked" parameter that shows up displayed this issue)
- Attempt to login (which will fail)
Can anyone please fix this problem???
I'm using the Chrome extension.
1Password Version: Not Provided
Extension Version: 1.22.3
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hey @adinuno. :smile: I'm not able to reproduce the issue you're experiencing — I see the username get masked appropriately, and clicking in the field reveals the proper username, unmasked, as well. There's an additional thing about this page, though, that I'd like you to check. It has a max-length for the password field of 20 characters; does your password (at least what's stored in 1Password) happen to be longer than that?
0 -
My password and username are within the appropriate limits. I'm successful at logging in without 1Password, so 1Password is clearly the problem here.
What happens is when I use 1Password to fill just the username or both username and password the login always fails.
Can you please investigate this better? It only happens with 1Password, I have moved from other password managers and all of them worked.
0 -
Hey @adinuno. When you type or copy a password in, max-length fields are enforced by the browser, but 1Password will fill what's actually stored, so it was a good thing to check. :smile:
My login works well on Fidelity, including signing in, so it's strange that that is not the case for you.
What happens is when I use 1Password to fill just the username or both username and password the login always fails.
So if you fill your login (both username and password) with 1Password, and then modify the username in some way manually in the field in the page, you're able to sign in?
0 -
So if you fill your login (both username and password) with 1Password, and then modify the username in some way manually in the field in the page, you're able to sign in?
Yes. I'm looking at the developer tools and while inspecting the field I've noticed that when 1Password is activated and I don't manually edit the username field, 1Password transforms the value of that field into a literal "*******".
0 -
After some further review and brainstorming with one of my colleagues, there are a few additional things I'd appreciate if you could check:
- Just to be absolutely sure, is the data stored in 1Password the same as what you are entering manually by hand?
- If you copy and paste the values from 1Password into the fields, does signing in work then? This would rule out 1Password as being part of the equation.
- If after filing and clicking the sign-in button you still see an error, let's have you check the data that's actually getting sent to the site:
- Open Developer Tools
- Switch to the Network tab
- Click "Log In"
If it fails at this point, you should see
dj.chf.ra
in the list; select that, then choose the Headers tab. Scroll to the very bottom, and you'll see what was sent to the site.0 -
Just to be absolutely sure, is the data stored in 1Password the same as what you are entering manually by hand?
Yes
If you copy and paste the values from 1Password into the fields, does signing in work then? This would rule out 1Password as being part of the equation.
Yes, but the problem is not with the information being stored in 1Password. In the Fidelity login form, when the username input field is filled it gets a parameter called
data-unmasked
. This parameter will be populated by the value that is going to be considered as the username upon login.The problem is that when 1Password has filled the username field automatically this
data-unmasked
parameter gets filled with literal asterisks, so when I submit the login form, what the form is going to account for is that value with asterisks, thus failing the login attempt.If after filing and clicking the sign-in button you still see an error, let's have you check the data that's actually getting sent to the site:
As mentioned above, the information I see in the Form Data is all correct, except for the "username" key, which has my login name filled with asterisks like so:
*********na
.This only happens when 1Password has populated my username input field.
0 -
@ag_michaelc btw, the autofill I'm using from 1Password only contains the username, as I didn't want to save the password in 1Password.
Based on this fact, I decided to experiment logging in with two types of 1Password autofills:
- With just the username autofilling
- With both the username and the password autofilling.
After trying both of these I found that this only happens in case number 1, when I use 1Password to autofill just the username and not both the username and password fields.
0 -
Very peculiar! We've been able to reproduce now with that scenario in mind. We have an issue filed for further investigation and tracking, but I can't make any guarantees for a timeline as to when or if this will be (able to be) fixed. In the meantime, I'd suggest storing the password in that Login item (I'd be curious to know why you aren't?), or you can also use drag and drop.
https://support.1password.com/getting-started-1password-x/#use-drag-and-drop-to-fill-in-apps
ref: dev/core/core#4449
0 -
There are particular accounts that I don't want to save my passwords in 1Password. I trust 1Password, but only to a certain extent :)
0 -
If there are any concerns I or anyone on the security team can help alleviate, please let me know. I can't imagine anywhere safer for storing my financial passwords, but of course that decision is yours to make. :smile:
0