Navigating automatically to login page or form

jasimon9
jasimon9
Community Member
edited December 2021 in 1Password in the Browser

Quite a ways back it was pretty easy to set up the URL to go directly to the login form for a site. For example, suppose there is a site www.wonderful-site.com. And suppose they had a login page at www.wonderful-site.com/login.php. You could set up a 1P login to go directly to that page and log in.

Now it seems most sites use combinations of methods for security that makes this simple method no longer useable. On many sites, the only way to get to the form is by first going to a landing page, then clicking on a link to log in. Or they may use javascript-based login forms, or other mechanisms that if you try to link to directly, will not work.

This of course creates extra manual steps.

So I am wondering if it is now just something to be expected and accepted that there are extra steps for most sites?


1Password Version: 7.9.2
Extension Version: 7.9.2
OS Version: 10.15.7

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    @jasimon9:

    So I am wondering if it is now just something to be expected and accepted that there are extra steps for most sites?

    I don't know about "most sites", in my experience the majority still allow you to reach the login page directly, but it is true that when a website requires you to do those steps, there is typically no way around it via a tool like 1Password unfortunately.

  • jasimon9
    jasimon9
    Community Member
    edited December 2021

    As you may have gathered from all my recent posts here, I have been working on a thorough clean up of my 1P content. I am literally logging in to about 700 websites to see if they are still viable, etc. So finding that a much larger percentage of websites use javascript dialogs for login, where it is not that easy for a tool like 1P to integrate with. Even still finding some flash-powered logins.

    When I say "most sites", I am likely not statistically correct. However, it does seem to a much more common practice now for such popups in the sites that I am working with. It would be an exercise to actually compute the percentages.

    In practice this means that the login procedure can take multiple steps. When a site does have a direct path via a link to the login page, 1P can login in a single step. But when the login must be reached by clicking on a link that cannot be reached directly, then it is a several step process. So depending upon how the site is implemented, you get variations as follows:

    1. Sites with login pages that can be linked to directly and autofilled--one step
    2. Sites with logins that show a form but do not autofill, but will autofill if you click in the username.
    3. Sites with logins that show a form but will not populate with clicking in the username, but will if you click autofill in the 1P extension (not actually sure if this is a distinct case).
    4. Sites that will not autofill at all, and one has to copy/paste from the 1P extension into the fields.

    This is further complicated by many sites now taking username and password in two separate steps. That adds more possible combinations of steps. This was first most noticeable when logging in to Google properties, but is becoming more common.

    Separate forms for username and password should be and used to be considered a security weakness as it means an attacker only needs to find a valid username as step one, and then attack the password separately. I really don't know why this is permitted, except that sites like Google must rationalize that "we have so many members that all email addresses have accounts and having them both on a single form submission does not add that much protection". I don't agree with this, but maybe that's what they are thinking.

    Bottom line is your response that there is "no way around it via a tool like 1P".

  • jasimon9
    jasimon9
    Community Member
    edited December 2021

    I just typed a quite long response here, but somehow it got deleted. I edited it a couple times, and after the 3rd edit it was blown away. It seems that once you have saved a comment, that it should not be blown away, because it has been committed to the database. Not sure how that could even happen.

  • ag_ana
    ag_ana
    1Password Alumni

    @jasimon9:

    I believe I have recovered your comment, it was caught by our spam filter.

    Separate forms for username and password should be and used to be considered a security weakness as it means an attacker only needs to find a valid username as step one, and then attack the password separately.

    They are used for security reasons, to slow down automated tools that try multiple credentials by brute forcing them. For this reason, I don't think those sites see it as a security weakness, rather the opposite. There is an interesting discussion on the topic on this website: https://security.stackexchange.com/questions/85160/is-having-the-username-and-password-fields-on-different-pages-more-secure

    Bottom line is your response that there is "no way around it via a tool like 1P".

    That is correct: if the website is built so you must follow a certain procedure, or if the website actively tries to create obstacles for a password manager, the best way would be to reach out to the website and ask them if they can follow the guidelines included here:

    Design your website to work best with 1Password

  • jasimon9
    jasimon9
    Community Member

    Thanks for the partial recovery, and also the link to the stackoverflow discussion and design guidelines.

    The recovery is about 10% of what I wrote. Don't have the motivation right now to try to recreate the whole thing.

    Seems odd though that once a comment is posted, that a subsequent edit blows it away.

  • ag_ana
    ag_ana
    1Password Alumni
    edited December 2021

    @jasimon9:

    The recovery is about 10% of what I wrote.

    I cannot see anything else in the spam queue I am afraid, that looks like the whole forum comment as far as the forum is concerned. But losing 90% of text would mean that you lost 63 additional paragraphs of text, in addition to those 7 there. Are you sure you wrote that much?

    Seems odd though that once a comment is posted, that a subsequent edit blows it away.

    This makes sense, depending on what you write in the edit: otherwise one could add all sorts of things after a comment has been posted and avoid the spam filters that way, which obviously cannot happen.

  • jasimon9
    jasimon9
    Community Member

    The recovery that you show is only two sentences (first starts "Separate forms ..."; second starts with "Seems odd"). That is what was in your post, so I assumed that was the entire recovery. Those two sentences have 293 characters, and if that is 10% then the full post is 2930 characters. Very easily about what I wrote. Not sure where that could get to 63 additional paragraphs. More like 10 paragraphs or so.

    But thanks for trying.

  • ag_ana
    ag_ana
    1Password Alumni

    @jasimon9:

    This is the entire recovered post, if you scroll up in this discussion a bit: https://1password.community/discussion/comment/624064/#Comment_624064

  • jasimon9
    jasimon9
    Community Member

    Thanks for that. I had not scrolled upwards to see the post. Looks like it did recover it all.

    Interestingly, it is 2329 characters, which is relatively close to what I was saying above.

    Bottom line is that there are some sites that require more manual intervention to get logged in, whereas in the past where it was more common that sites had linkable login pages, there was less manual intervention required. And I understand also that it is more on the website to make a compliant design than it is for 1P to be able to handle.

  • ag_ana
    ag_ana
    1Password Alumni

    Looks like it did recover it all.

    Good to hear :)

    And I understand also that it is more on the website to make a compliant design than it is for 1P to be able to handle.

    That's correct :+1:

This discussion has been closed.