Popup is Gone?

C820

I just installed the software for the first time in several months. It no longer has a popup prompt asking me if I want to save the login. It only seems to have an in-line offer to save each and every field I enter, manually.

Is this the intentional new way of saving logins? Several major problems with this:

• Options like checkboxes to "keep me signed in" or "remember my username" don't seem to be saved now and they were saved before.

• Saving each field one by one is nonsensical to me. For example, I save my Username, and simply going to the Password field now generates a popup asking if I want to "Update" the record. Talk about adding unnecessary steps.

• If I enter wrong login information, I will have already saved that wrong login information to 1Password. The old version didn't save the new record unless I successfully logged in (or at least I didn't approve the new record as a whole, until I saw I successfully got in). Now wrong login information might mistakenly get saved for good in 1Password.

• I don't know what I'm doing wrong but the first two sites I manually saved field by field simply don't work when I go back to the login and try to use 1Password to Autofill. Before, this simply worked. Now it doesn't. Usability ...

• I logged in to a website manually without saving to 1Password. Now it has my username saved in that field even when I log out. 1Password now has no in-line prompt to save my username. No matter what I do, that option isn't there. If I try to type a new username in that field, the option to save it appears. But this login is NOT in 1Password and yet 1Password acts like it's already saved the username. This is a major bug and makes no sense.

What on earth have you guys done to this thing? :'(

I believe you've "fixed something that wasn't broke". Or rather, you've broken something that worked fine.

I hope you'll forward this feedback to your Dev lead.

How do I get the old functionality back? I would prefer not to download an "expired" version (Classic) if that's the only solution. Eventually you'll retire support for Classic and I will never want to migrate to this new functionality.

Please enable this functionality as an option in the settings for all new versions. I hope this wasn't chosen as the new way of doing things. Its a significant downgrade.

Disclaimer: Sorry if I just wrote a book and my entire premise is wrong and this is a simple setting change.

-C-

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

ag_ana

Hi @C820!

Can you please download the classic extension and see if that works for you?

Get the 1Password classic extension

C820

Wow that was a seriously low-effort response.

And I knew that would be your reply. Which is why I wrote this entire paragraph for you above:

"I would prefer not to download an "expired" version (Classic) if that's the only solution. Eventually you'll retire support for Classic and I will never want to migrate to this new functionality. Please enable this functionality as an option in the settings for all new versions. I hope this wasn't chosen as the new way of doing things. Its a significant downgrade."

Did you just... basically not even read my post?

I also asked some questions.

I even alerted you to two different bus, and you seem to have ignored them.

No. I will not jump through all the hoops of uninstalling, downgrading, reinstalling, etc ... until I have had my questions answered about this current version, how it works, whether these are bugs I've found, and whether I can tolerate the "new" way of doing things.

My post basically showed you that the new version is broken in multiple ways and doesn't work. So you point me to an old version?

ag_ana

@C820:

Ah my apologies, I seem to have misunderstood your request! I read this:

How do I get the old functionality back?

So I suggested the way to get the old functionality back. By the way, in case someone else reads this, the classic extension is not expired, in case that helps :+1: Can you confirm if that is the extension you wanted to use? Because I think you are using the latest 1Password in the browser extension at the moment, which works very differently than the classic one. So it would be easier to just use the classic extension if that works for you :)

With regards to the bug report, can you please share the full URLs where this is happening to you, so our team can test them? Thank you!

C820

@ag_ana

"Oh my apologies, I seem to have misunderstood your request! I read this: How do I get the old functionality back?"

Yes. That's the only thing you read in the whole post. That was my point.

"By the way, in case someone else reads this, the classic extension is not expired, in case that helps"

I didn't say its currently expired. I said you will eventually expire support for it and force everyone to migrate to the "new" way, so replying with "downgrade" would not be an optimal response.

Maybe I'm using the new version wrong. Maybe I can get used to the new version, if I can get it to work.

I have a laundry list of incorrect behaviors going on here with he new version. Shouldn't the focus of this thread be equally about all those things? Rather than just "downgrade" ?

Thank you.

C820

Lets start over.

1. Coinbase.com auto fills properly when I go to the login, but it ignores the "stay logged in" (edit: Remember username checkbox) I had checked the first time when saving the record into 1Password.

2. Coinbase.com auto fills properly when I go to the login, but it doesn't press the login button even though this IS enabled in my settings. (to autologin after autofill).

Both of these things seem to directly relate to the fact that you guys removed the previous functionality.

Previous functionality saved the record AFTER ALL STEPS were complete (checking checkbox, pressing login, etc). It was almost like a macro recorder in that sense.

Now, since you force people to manually save every field one by one, it is not saving things that aren't text fields. Like checkboxes and even pressing the login button.

So am I doing this wrong? And if so, this should be a testament to how hard you've made your app to use. Because before it simply worked. Intuitively.

ag_ana

@C820:

Again you didn't read. I didn't say its currently expired.

I don't want to argue with you, but you wrote this:

I would prefer not to download an "expired" version (Classic) if that's the only solution.

So for clarification, the classic extension is not expired, this is important in case someone else stumbles upon this discussion :+1:

Maybe I'm using the new version wrong. Maybe I can get used to the new version, if I can get it to work.

I don't believe you are using the new extension wrong, I just think that it is very different from the one you might have been used to (since you wrote you haven't used the software in several months). A lot of things changed, and the whole way of using the extension itself changed (we have a new inline menu now, for example, while before 1Password would not appear below login fields).

I am not sure how feasible it is to migrate all of your suggestions to the new extension because of this, but our developers can certainly keep all of this feedback into consideration as they continue working on this. After all, it is a new extension so nothing is set in stone :)

ag_ana

@C820:

It looks like our replies almost overlapped, I noticed you sent a second post:

Coinbase.com auto fills properly when I go to the login, but it ignores the "stay logged in" checkbox I had checked the first time when saving the record into 1Password.

I see the same behavior here. Perhaps @ag_yaron, our extensions expert, will have a suggestion to change this and get that checkbox selected.

Coinbase.com auto fills properly when I go to the login, but it doesn't press the login button even though this IS enabled in my settings. (to autologin after autofill).

Can you post a screenshot of your settings, which shows this option being enabled? Thank you!

C820

Here is what I just did:

I deleted the Coinbase login record completely and started over.

Then:

Username field: Entered username
Password field: Entered password
Checked the checkbox to remember username
Clicked login

Nothing happened. No prompt to save the login. Is this the functionality you removed?

Is there a way for me to enter username and password, and save both at once?

Or do you expect people to:

1. save the username
2. create the record in 1Password
3. enter the password
4. click to save the password and "update" the record?

Requested screenshot:

ag_yaron

Hey @C820 ,

When using the new 1Password in the browser, saving new logins requires you to click the "Save in 1Password" button after you're done typing your credentials in all the required fields. So:

1. Get to a login page.
2. Fill in both your username and password (and tick the "Remember me" checkbox).
3. Only then click the "Save in 1Password" button and it will save everything properly, including the "Remember me" checkbox. As a side note, usually the "Remember me" checkbox is already selected by default, it's quite unique that this website does not check it by default. Then again, it is a financial website so that might be why.

As for the screenshot - This feature belongs to the 1Password desktop app for Windows. 1Password in the browser does not connect to the desktop app at the moment and is a completely standalone extension, with its own settings. It does not support the auto-submit feature by choice, sine we don't want to send keyboard presses (e.g. the Enter key after autofilling) on behalf of users, as this feature was maliciously used by malware to install unwanted stuff in the past.

We do have a feature request to add the auto-save prompt to the new extension, so that 1Password will pop up and suggest saving a page even if you didn't click the "Save in 1Password" button, so I'll add your request to that feature's log.

Thanks for the feedback here!

ref: dev/projects/customer-feature-requests#272

DenalB

@ag_yaron

We do have a feature request to add the auto-save prompt to the new extension, so that 1Password will pop up and suggest saving a page even if you didn't click the "Save in 1Password" button, so I'll add your request to that feature's log.

Please add my vote to this request too. ;)

@C820

Requested screenshot

As @ag_yaron wrote this is a screenshot from the Windows desktop app. You have to install the classic extension to get both together again. At the moment the new "1Password in the browser extension" is not working together with the Windows desktop app.

I'm using the classic extension as well since month and only will switch to the new extension if the Windows desktop integration is done. You can read more about this here: https://1password.community/discussion/115228/temporarily-removing-desktop-app-integration/

Just give the classic extension a try, and you will be happy again. ;)

ag_ana

Please add my vote to this request too. ;)

Done @DenalB :+1:

DenalB

Thx! :+1: ;)

ag_ana

Anytime :+1:

perisdr

Hello @ag_ana @ag_yaron,

Of course I want to add my vote for this request too, but what I really want to know is where does this feature stand priority wise in your backlog. I understand that you cannot provide with a date, but are we talking "this is under discussion" or "this will be implemented in 2021"?

Don't get me wrong, I just came to the ecosystem after years of using LastPass and one of the selling points for switching, was the user experience your product has for autofilling. I absolutely hated LastPass experience on this point. Nevertheless, the UX of adding a new login is also super important.

It seems you do not offer the feature (in the browser extension) of saving of credentials after the successful login based on some security reasons. Can you please elaborate on how sending keyboard strokes on behalf of the user can be maliciously exploited? I can't understand if you mean this can exploited by other extensions I may have installed in my browser.

For the customer's point of view besides what @C820 has already mentioned I want to add the following:

• Many sites during registration don't you hints on what the correct format should be. No option there but to submit a password and the see if the site accepts it. This is a nightmare scenario using 1password, requiring me to constantly copy-editing-pasting a saved password and updating until I hit the right one.
• Many sites have a max length on the password field. What that means, is that if I have generated a 25 char password and the field has a max-length of 15, it may automatically trim the generated password to 15 chars without me knowing. The only way to catch that, is if you have revealed the password and see the missing chars, or if the difference in length between the generated password and the inputted password is so great that you can see something is off. This gets even weirder because if I mistakenly save the 25 char password, I may not even understand that something is wrong because login pages usually don't have any validations on the password field whereas registration pages have.

My point is that you can never trust what you are autofilling in a field, only what the actual value of the field is. LastPass besides autofilling the generated password, prompted me to save the actual value that the password field had after my successful submit.

IMO the UX of 1password on this subject is bad. I can actually say this is a deal breaker for me. If I (a superuser due to my profession) find it difficult to create logins I can't even hope on explain the process to my 65 year old father who was also in my LastPass family subscription and have now switched him to 1password. As I said the major selling point for switching to 1password is that it is so simple even for the less tech-savvy users.

My yearly subscription has already begun and I do intend to stick with 1password as I believe it is an excellent product but I would very like to know if this feature has actual priority in the product's backlog or if this is something that will be years in the making.

Thank you

plttn

re: 1.

Now if Coinbase were to say "That password isn't good":

There's no need to be copying and pasting and editing manually.

as for point 2: truthfully you can't even trust what's in the password field either. For the longest time, MS accounts didn't even support more than 16 character passwords, and silently truncated on login. You could put "abcd...xyz" as your password, and the field would happily accept that, but would save it in the database as "abcdefghijklmnop" without it saying anything about it.

perisdr

@plttn if coinbase said that password isn't good then that means that 1password's "Smart Password" wasn't able to suggest a correct password. Maybe generating it again could be successful on the 2nd try, or the 100th try or even never. Generating a password and then editing it to correct based on the error that the site returns seems way faster. Unless you are suggesting that after 2 random generations and two errors you would continue doing the same thing, expecting different results.

For the 2nd point what the backend algorithm of the site does, it is not 1password's concern not anyone's.
If autoffiled value "123456" is translated to inputted value "123" and the site saves it at a database "123" its fine.
If autoffiled value "123456" is translated to inputted value "123456" and the site has the database value "123" then you have a problem.
It's very common to have limitations on the password registration page, and none at the login page, thus creating an inconsistency.

What the password manager has to make sure is that the autofill value = field input value. The only way to do that is for the password manager to save the input value at the vault. What the site does with the value after that is fine either way. Having mismatched autofill and input values is hard to catch with the eye (when creating random lengthy passwords).

plttn

ag_yaron

Hey @perisdr ,

I'll try to address all of your points, so I apologize for the long message here but I hope it will clarify and address all of your concerns.

but what I really want to know is where does this feature stand priority wise in your backlog. I understand that you cannot provide with a date, but are we talking "this is under discussion" or "this will be implemented in 2021"?

There's a bunch of stuff we're currently working on, including adding biometrics unlock which is one of the top priorities, so I don't really know if this feature will be added this year. In addition, this feature is not experience breaking, though I honestly do know how hard it is to break old habits, but clicking on the "Save in 1Password" button before sending the form is really all it is - a new habit that we need to get used to for now.

It seems you do not offer the feature (in the browser extension) of saving of credentials after the successful login based on some security reasons. Can you please elaborate on how sending keyboard strokes on behalf of the user can be maliciously exploited?

I think you're mixing a couple of things here. There's the Auto-save feature, which prompts you if you want to save a login after you send a form, and not necessarily log in successfully - it just picks up the submit event and suggest saving the form, so it can be triggered even if you don't log in successfully (e.g. the password is wrong), which is a part of why we didn't add it to 1Password in the browser. It's not always accurate. If you install 1Password Classic right now you will have that Auto-save feature whenever you send a form, and you'll see that it always triggers, whether or not the form submission successfully logged you in or not.
The other reason we didn't add it is because we want to provide a cleaner and uninterrupted experience, which means less popups.

The other thing you're talking about is the Auto-submit script, which sends the Enter key on your behalf after autofilling to log you into the website automatically. Some developers (such as Apple) decided to forbid such scripts in their browsers due to malware and other malicious software installing itself by using such scripts, so we followed Apple's footsteps and removed it. It's not that a malicious app can utilize 1Password's auto-submit, it's just that having it is not a great security practice :)

Many sites during registration don't you hints on what the correct format should be. No option there but to submit a password and the see if the site accepts it. This is a nightmare scenario using 1password, requiring me to constantly copy-editing-pasting a saved password and updating until I hit the right one.

Changing passwords is the most confusing process for most users for many reasons (regardless of 1Password), and making a UI for it is a really tough task, but I believe we're providing a rather simple UI (though your feedback is really great here!); 1Password will suggest a strong password based on multiple variables, such as the password field's max length, if the website is found in Apple's open sourced project for websites' password requirements, and the 1Password "brain" which tries to figure out what the requirements for the website are if they can be found in the field's HTML code.

It's not perfect, but it works in most cases. If it doesn't work, you don't need to get into a frenzy of editing/copy/pasting. You can either select a new suggested password and let 1Password update your login item with it, then try sending the form again, or you can, as @plttn mentioned, get to the full password generator in the extension and generate your own password with custom rules/recipe and autofill that. You don't need to try more than 2-3 times before you figure the suggested passwords won't work, so the generator is a quick last resort that should work.

Many sites have a max length on the password field. What that means, is that if I have generated a 25 char password and the field has a max-length of 15, it may automatically trim the generated password to 15 chars without me knowing

That's not accurate. When you autofill with 1Password, it will ignore the max length of the field in most cases because it injects the password into the field's HTML code, and doesn't copy-paste it in. That means the entire password will be input into the field and the website should reject it because it is longer than allowed.
If you manually generate a password, copy it and paste it into the field, then yes, it will be trimmed. Then you'll save it into your login item and end up with a password that is longer than what the website allows and won't be able to log in. If you contact us in such a scenario, we'll be able to figure it out quite quickly and instruct you on how to trim the password in your login item, which will work. You will not be locked out of your account.

This all comes to show that it is better to let 1Password autofill for you rather than manually copy-pasting things, whether selecting a strong suggested password or using the generator's "Autofill" button.

We're always working on improving the experience here, and more changes are to come as time progresses, but things should work correctly on the vast majority of websites.

My point is that you can never trust what you are autofilling in a field, only what the actual value of the field is. LastPass besides autofilling the generated password, prompted me to save the actual value that the password field had after my successful submit.

When you autofill a generated password 1Password will trigger a save/update prompt and will save the value in the field. If you autofilled a password that is longer than the max length of the field, the website won't let you continue. As mentioned above, 1Password will usually bypass the max length of the field so you should be aware that this is happening and figure out what is wrong with the password without being able to proceed.

If you're onboarding your family and are afraid it would be too difficult for them, we'll be more than happy to help you onboard them via email. We have one of the best customer support teams in the world, with many happy users (including elderly folks!).
Our support pages are also quite helpful in most cases, but there's nothing like a 1on1 email session with one of our reps :)

I hope that addresses all of your concerns. :+1:

perisdr

Hi @ag_yaron. Thanks for taking the time to answer.

it just picks up the submit event and suggest saving the form, so it can be triggered even if you don't log in successfully (e.g. the password is wrong), which is a part of why we didn't add it to 1Password in the browser. It's not always accurate. If you install 1Password Classic right now you will have that Auto-save feature whenever you send a form, and you'll see that it always triggers, whether or not the form submission successfully logged you in or not. The other reason we didn't add it is because we want to provide a cleaner and uninterrupted experience, which means less popups.

This doesn't make a lot of sense. The feature was removed because it was triggering even if the submitted password was wrong. In the same spirit why is 1password prompting me to save a password that I know 100% beforehand is wrong? The following screenshot is from paypal's registration page:

As I said I am always creating 25 chars long chars, and paypal is kind enough to inform (after filling the suggested password) that it only accepts up to 20 chars.

What is the experience I would expect? I could easily fix the suggested password by removing the last 5 digits directly in the fields, submit it and then save it in 1Password. Any simple user knows red font means something is wrong. Therefore, I cannot agree with you on the fact that this is just an "old habit". I seriously doubt that flow 1password is suggesting would pass any user experience test from that screenshot alone.

It's not perfect, but it works in most cases. If it doesn't work, you don't need to get into a frenzy of editing/copy/pasting. You can either select a new suggested password and let 1Password update your login item with it, then try sending the form again, or you can, as @plttn mentioned, get to the full password generator in the extension and generate your own password with custom rules/recipe and autofill that. You don't need to try more than 2-3 times before you figure the suggested passwords won't work, so the generator is a quick last resort that should work.

As I said I could easily fix the password by simply removing the last 5 digits in the input fields and be done with that. With just one submission. But the flow you suggest is even more confusing not even close to the following statement:

The other reason we didn't add it is because we want to provide a cleaner and uninterrupted experience, which means less popups.

As for the trimming

That's not accurate. When you autofill with 1Password, it will ignore the max length of the field in most cases because it injects the password into the field's HTML code, and doesn't copy-paste it in. That means the entire password will be input into the field and the website should reject it because it is longer than allowed.
If you manually generate a password, copy it and paste it into the field, then yes, it will be trimmed. Then you'll save it into your login item and end up with a password that is longer than what the website allows and won't be able to log in. If you contact us in such a scenario, we'll be able to figure it out quite quickly and instruct you on how to trim the password in your login item, which will work. You will not be locked out of your account.

I guess you are right, 1P is injecting the value directly to the field bypassing a lot of DOM events. But if 1P saved the submitted value you would never have to deal with any of this. This is a little old, dating back in to 2019 but even Troy Hunt seems to have ended up with thinking he had the right password, only to found out later it had been truncated on PayPal. I am not sure how this can happen if your password manager saves the submitted value.

https://www.troyhunt.com/banks-arbitrary-password-restrictions-and-why-they-dont-matter/

Maybe Troy's case is different since in 2019 the save-after-submitting functionality was probably present in 1P. But it goes to show you how easily even the most advanced users can fall in this issue. 1P can suggest as many passwords as required but at the end they are just suggestions. The real value is only the submitted one. My issue is why I am forced with so many popups for saving-generating-updating for something that has not taken a final form.

Anyway, this is a matter of opinion. I doubt I can be convinced that it is better to save a wrong password before submitting. Every other password manager I have used (on Firefox, Chromium browsers and LastPass) prompts the saving after the submission. I will try the 1P Classic although I am not sure if the classic extension is something you will keep updating with new features. I would love to see this feature given as an option in the new extension. Either way, I will re-evaluate with my family members how the experience is after a little while since everyone is still familiar with LastPass' way of working.

Do you have a feature roadmap posted somewhere? I can only find release notes for Betas (https://app-updates.agilebits.com/product_history/B5X). Or a uservoice where community suggestions have stats?

Thanks

ag_yaron

Hey @perisdr ,
Thank you for the additional info and feedback here.

You are right in some of these points, there's definitely always room for improvement and that is why we love getting feedback from users such as yourself. I will forward it to the right places, so thank you again :+1:

Do you have a feature roadmap posted somewhere? I can only find release notes for Betas (https://app-updates.agilebits.com/product_history/B5X). Or a uservoice where community suggestions have stats?

We do not share our roadmap or what is going to happen in the next update publicly. We only release the update notes after an update was released. You can find update notes for all apps/extensions in the link you provided: https://app-updates.agilebits.com/
Community suggestions are documented in an internal system for our developers, so no public access there as well.

ref: dev/projects/customer-feature-requests#272

ag_ana

Thank you for the feedback @helpmeobiwan, really appreciated! I have sent it to our developers :+1: