Smart Password feature is problematic on websites that don't have proper password validation

I encountered a situation last week where using a "Smart Password" from the 1PasswordX password generator got me locked out of an account because it didn't comply with that website's (iatspayments.com) password requirements. Admittedly there was user error on my part, because I didn't read the website's password requirements carefully. And the website was at fault too because they ignored their own requirements at creation time and then enforced them at login time, not cool. But there's also a point of view that 1Password is at fault for claiming that they would "choose a smart password that meets the requirements of this website" (per the Smart Password description right there in 1PasswordX).

I'm not trying to speculate how this would turn out if it was a court case :). But I think a fair number of people would perceive 1Password to be at least partly to blame. I have a bad habit of ignoring password instructions and just relying on websites to tell me when my passwords don't comply, and I bet I'm not the only one.

I'm curious how the Smart Password "uses information from the page" as it states. In this case with iatspayments.com:

the requirements were listed right there next to the password field. The first rule is debatable because of poor wording, but the Smart Password I got also had one of the special characters shown explicitly in the fourth rule. Of course 1Password might be parsing some hidden element on the page or getting the information offline somehow instead, and the wrong rules might very well have been given, but it still looks suspect, like the kid with his hand in the cookie jar.



Comments

  • ag_yaron
    1Password Alumni
    edited February 2021

    Hey @johnnyray14 ,
    Thanks for bringing this up!

    Smart suggested passwords use Apple's open project that stores known websites' password requirements, in addition to 1Password’s internal brain.

    Apple started this project to provide better password suggestions and opened it so that other password managers can utilize it. It would seem that this specific website is not included in Apple's library, so 1Password may have defaulted to a generic strong password, which did not comply.

    It is indeed very interesting that the website allowed you to proceed even though the password that was filled in did not comply with the requirements. You are correct in assuming the website should stop you there; I have never encountered a website that allowed you to proceed if the password did not meet the requirements.

    I have also brought up the phrasing of our smart password's description with the team, to see if there's anything we need to change to make things clearer on when 1Password knows the website's requirements and when it simply suggests a generic strong password. Thanks for the feedback here!

    ref: dev/core/core#5271
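
The fallback described in the reply above, as an added illustration (not part of the original thread, and not 1Password's or Apple's code): a generator that uses a site's rule entry when one exists and otherwise returns a generic password, reporting which case applied. The rule syntax is a simplified `key: value;` subset assumed for this sketch, and the domain and rule table are constructed.

```python
import secrets
import string

CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "special": string.punctuation}
# Constructed rule table: the domain and its rule string are hypothetical.
SITE_RULES = {"bank.example": "minlength: 8; maxlength: 12; required: lower; "
                              "required: upper; required: digit; allowed: [-_!]"}
GENERIC_LENGTH = 20

def parse_rules(text):
    """Parse a simplified 'key: value; ...' rule string (no ';' inside [...])."""
    rules = {"minlength": 0, "maxlength": None, "required": [], "allowed": []}
    for part in filter(None, (p.strip() for p in text.split(";"))):
        key, value = (s.strip() for s in part.split(":", 1))
        if key in ("minlength", "maxlength"):
            rules[key] = int(value)
        else:  # 'required' / 'allowed': a class name or a bracketed custom set
            rules[key].append(value[1:-1] if value[0] == "[" else CLASSES[value])
    return rules

def alphabet(rules):
    """Every character the rules permit, de-duplicated in stable order."""
    return "".join(dict.fromkeys("".join(rules["required"] + rules["allowed"])))

def complies(password, rules):
    """The policy check a site should apply when the password is set."""
    too_long = rules["maxlength"] is not None and len(password) > rules["maxlength"]
    return (len(password) >= rules["minlength"] and not too_long
            and all(any(c in s for c in password) for s in rules["required"])
            and all(c in alphabet(rules) for c in password))

def generate(domain):
    """Return (password, rules_known); unknown sites get a generic password."""
    text = SITE_RULES.get(domain)
    if text is None:
        pool = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(pool) for _ in range(GENERIC_LENGTH)), False
    rules = parse_rules(text)
    capped = min(GENERIC_LENGTH, rules["maxlength"] or GENERIC_LENGTH)
    length = max(rules["minlength"], capped)
    chars = [secrets.choice(s) for s in rules["required"]]  # one per required set
    chars += [secrets.choice(alphabet(rules)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars), True
```

The second return value is what lets a user interface say whether the suggestion was built from known site rules or is only a generic strong password.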

  • johnnyray14
    Community Member

    Thanks @ag_yaron, very interesting! I didn't know about Apple's project.

    I've encountered a similar situation with my bank's website, except this one is worse: It allows special characters when creating security answers, but then it detects them upon login and gets in an infinite loop asking me to create a new set of answers, preventing account access.

    The bank wasn't aware of their own security answer rules and had no way on their end to restore my account access, because I kept on unknowingly triggering the problem over and over. After a few days I finally did enough trial and error to discover the cause, and I hope that the word will eventually get to their programmers (or at least become common knowledge among their customer support reps).

  • coyote3
    Community Member
    edited March 2021

    "It is indeed very interesting that the website allowed you to proceed even though the password that was filled in did not comply with the requirements...I have never encountered a website that allowed you to proceed if the password did not meet the requirements."

    (While I'm new to 1Password...) I've encountered this dozens of times (that sites let one create a password that it then won't let one log in with in future sessions); it is not at all rare that site login protocol is so poorly designed.

  • ag_yaron
    1Password Alumni

    Thanks for the update @johnnyray14 .

    Indeed, banking websites are known to be problematic more often than regular websites. We actually wrote an open letter that users can send to their bank if needed: https://blog.1password.com/an-open-letter-to-banks/

    @coyote3 Please do report such websites to us as you encounter them, especially websites where we can sign up with a demo account and test it! You can report it here in the forum or via email to support+extensions@1password.com.

  • coyote3
    Community Member
    edited March 2021

    @ag_yaron
    It's true, despite it being more important for banks to do it right, they often do it wrong. I very much appreciate that letter; I've tried to communicate the same information to a number of financial institutions with no success: next time I'll use that great letter.

    I don't think any of the sites that let me create passwords I couldn't log in with the next time were banks though, so at least there was that.

    A couple months ago I tried to educate one which disallowed paste. It was the Bank of America Android app. It doesn't allow paste into the 20-character password field. It did allow paste into the 32-character username field (which I generated random characters for due to being unsatisfied with the password max length; please correct me if I'm wrong but that seems like a good practice at security-sensitive sites).

  • ag_yaron
    1Password Alumni

    Well done, @coyote3 .

    If all users were as adamant as you with reporting of such issues to their service providers/banks, then we'd see changes for the better more often!
    The more users complain and send feedback, the more likely it is a bank/website will listen.

    The username field is usually not encrypted by websites/apps, so it doesn't really increase security to use a random long username. If the website's database is breached, the attacker will get his hands on all of the information available on their users. The password field would be encrypted which means the attacker will have to try and crack it, but they will have the user's email/username in plain text.

    You can contact the website's support and ask them if they encrypt the username as well. If they do, then creating a long random username would definitely increase security. But you should also consider the fact that a 20-character-long password (that was generated with our generator) on its own is nigh uncrackable.

This discussion has been closed.