[Feature request] Support for not fixed field names

nikbyte
Community Member
edited January 2021 in 1Password in the Browser

Hello, I've been using 1Password since the first versions, but over these years security has been increasing and some websites use non-fixed field names (for example, banking applications).

It looks like "6687e8ab-c7c2-4147-3cb5-d70b19821f92-0"; next time it's "b1c38df1-8987-4ac1-368b-28e38d36a932-0".
It would be good if I could add a "*-0" field to 1Password and it could find and fix these fields by mask, not by full name.


1Password Version: 7.7
Extension Version: Not Provided
OS Version: macOS 11.1
Sync Type: Not Provided
Referrer: forum-search:not fixed names

Comments

  • ag_ana
    1Password Alumni

    Hi @nikbyte! Welcome to the forum!

    1Password might be able to handle these forms even with name changes. Can you please tell us what URL this is happening with, so we can test it here too?

  • nikbyte
    Community Member

    For example, http://pekao24.pl. Try the login "12345678", and next what it wants is 9 random characters from a password which consists of 16 characters. I want my 1Password to fill this form.

  • ag_ana
    1Password Alumni

    @nikbyte:

    Thank you for the clarification! So it's not a random field name, it's a random set of characters from a password, understood :+1: At the moment 1Password is not able to fill these forms I am afraid, so you will need to enter those characters manually.

  • nikbyte
    Community Member
    edited January 2021

    Yes, but if I add these fields like this:
    6687e8ab-c7c2-4147-3cb5-d70b19821f92-0 = A
    6687e8ab-c7c2-4147-3cb5-d70b19821f92-1 = B
    6687e8ab-c7c2-4147-3cb5-d70b19821f92-2 = C

    it works well. However, on the next load these names change. That's why I came with the feature request.

    I just want to have the possibility to add:
    *-0 = A
    *-1 = B
    *-2 = C

    and have them working matching field names by mask, not by full name.

  • ag_yaron
    1Password Alumni

    Hey @nikbyte ,

    There are a couple of reasons I can think of why this is most likely not going to happen. The first one is security. We don't want 1Password to try and autofill wildcards, because websites can be injected with random hidden fields by malicious parties, and we definitely don't want to autofill those, which wildcards might trigger.

    The 2nd reason is that our autofilling mechanism is a combination of several factors, such as the HTML spec standard for autofilling, the website's forms and fields structure and 1Password's "brain", which tries to figure out what goes where using all of the data we collect from the page. Adding wild cards to the equation might help here, but will probably mess up other places.

    Instead of all that, I suggest you contact your bank's support and let them know their login process is definitely not secure, and actually hurts their users' security. Whenever a website forces users to type anything, they are already risking the user's security. We actually wrote an open letter to banking websites (because they are the most problematic ones in that field) so that our users can send it to them and hopefully explain why they should change their login forms and comply with current standards: https://blog.1password.com/an-open-letter-to-banks/

    In the meantime, the only workaround I can suggest is that you use drag and drop:
    1. Open your 1Password app and find the login for this website.
    2. Select it and click on "Edit", then create a custom field for each letter/digit that the website needs from you.
    3. Click on "Save" to save the changes.
    4. When you try to log into the website and it asks you for these specific fields, open the 1Password extension in your browser, then grab each letter/digit from the custom fields with your mouse, then drag it over to the field on the website and drop it there. Repeat this step for every one of these fields.

    Using drag and drop might be really helpful and easier than copy-pasting or manually filling these fields, so I hope you'll find this useful for now :)

  • nikbyte
    Community Member

    Answering the first reason, I can say that it would be good to have a setting to skip hidden fields.
    In this case wildcards would be secure, and what to use is more the user's responsibility than 1Password's. 1Password should provide tools, the user decides what he needs. No?

  • ag_yaron
    1Password Alumni

    @nikbyte Some fields are hidden by using the "hidden" flag in the HTML code, but some fields can be hidden without it just by putting them behind some background graphic etc. This is not a reliable method to determine if a field is secure or not.

    Additionally, we shouldn't implement features that encourage websites to develop such non-standard and complicated login processes. We need to stand up and let them know that what they are doing is no good, and they should change it for your sake! :)

    You might also find it interesting to know that what we learned with time is that when adding custom features that users control - there are a lot of users who turn these features on when they have no idea what they actually do, causing a lot more troubles than intended, which is why we're going with the "Less is more" approach. Not everyone is as tech savvy as you unfortunately :)
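
The point made in the replies above about wildcard matching and hidden fields, as an added example that is not part of the original thread and is not 1Password's code. It models form fields as plain objects (the `injected-*` names and the CSS are constructed; only the UUID-style name comes from the thread) and compares exact-name matching, the proposed `*-0` mask, and the mask combined with a skip-`type="hidden"` setting.

```javascript
// Added illustration, not 1Password's matching logic. Fields are modelled as
// plain objects; "injected-*" names and the CSS are constructed sample data.
const formFields = [
  { name: "6687e8ab-c7c2-4147-3cb5-d70b19821f92-0", type: "password", style: "" },
  { name: "injected-a-0", type: "hidden", style: "" }, // hidden via the HTML flag
  { name: "injected-b-0", type: "text", style: "position:absolute;left:-9999px" }, // hidden via CSS only
];

// Turn a mask such as "*-0" into an anchored regular expression.
function maskToRegExp(mask) {
  const escaped = mask.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Names of the fields that would receive the value saved under `savedKey`.
// skipHidden models the setting proposed in the thread (ignore type="hidden").
function fieldsToFill(savedKey, fields, { wildcard = false, skipHidden = false } = {}) {
  const matches = wildcard
    ? (name) => maskToRegExp(savedKey).test(name)
    : (name) => name === savedKey;
  return fields
    .filter((f) => !(skipHidden && f.type === "hidden"))
    .filter((f) => matches(f.name))
    .map((f) => f.name);
}

const exactKey = "6687e8ab-c7c2-4147-3cb5-d70b19821f92-0";
console.log("exact:", fieldsToFill(exactKey, formFields));
console.log("mask:", fieldsToFill("*-0", formFields, { wildcard: true }));
console.log("mask, skip hidden:", fieldsToFill("*-0", formFields, { wildcard: true, skipHidden: true }));
```

The mask selects every field whose name ends in `-0`, and skipping `type="hidden"` still leaves the field that is hidden only by CSS, which is the case raised in the reply above.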

  • nikbyte
    Community Member

    I completely understand your position. However, I think you're not able to change the situation with such complex sites.

    And you don't allow your users to avoid these complexities, i.e. you don't solve their issue.
    So, having 1Password I can't resolve my issue, and it means I'll search for another tool which will resolve my problem.

    As for me, the focus here should be on your customers, not on fighting with broken sites.
    What I need as your customer is to have some tool which resolves all my situations.
    When I must fill such fields manually, it annoys me.

  • ag_yaron
    1Password Alumni
    edited January 2021

    I completely understand @nikbyte .
    That is why I provided the workaround of using drag and drop, so you won't have to manually fill that website.

    I really appreciate your feedback and input here. We will keep an eye on this (and similar) website and will continue to evaluate risks and benefits as we move forward. If enough users ask for such features, we will definitely consider them if we can find a way to implement it while keeping users safe.

    Thank you. :+1:

This discussion has been closed.