How to save login when page asks for random characters from a password
Hi,
Love what I've seen of 1Password so far - currently trying out a Windows trial before hopefully buying for Windows and iPhone.
I've saved a few logins already with success - however I'm stuck on one website which has two-stage login:
The first page asks for Username and Password - no problem.
The second page gives me three drop-down boxes and asks for random characters from a further security phrase. For example it might say "Enter characters 3, 4, and 7 of your security phrase" and then the next time will ask for different characters of course.
1Password doesn't appear to recognise the second stage as a login screen and doesn't give me any options, that I can see, to store the answer. Any suggestions?
Thanks,
David
Comments
-
There are days when I think web "security" designers are dedicated to training people to use short, simple passwords. For example, how easy it is to determine the third, fourth, and seventh characters if your password is "abcdefgh" or "12345678" or "asdfghjk"! :/
I can think of a few solutions to try:
Complain to the owners of the web site. ;)
View the password in the main 1Program, and type the appropriate characters into the form.
Copy the password in the extension window, paste the password into the form, and delete all but the appropriate characters.
Edit your saved Login item, adding a field (named 3-4-7, in your example) for each requested combination, in the hope that you'll be asked for that combination again, eventually, and (if you are) copy it from the extension window, and paste it into the form.
0 -
Hi,
Thanks for the prompt reply :)Ok - simple enough workarounds then - or I could just set a strong 1Password generated password for the main password and leave the other one simple as you say.
It seems to be a common login method with the websites I use - KashFlow, Royal Bank of Scotland, and Santander UK all use the exact same method as a secondary login page.
David
0 -
I've never encountered one in the sites I use for personal business, thank goodness. I'd be sending them cranky-customer messages, explaining that no criminal would be thwarted by such schemes; the only loser is the customer who can't use software to create and employ strong unguessable passwords.
0 -
I've now purchased 1Password for Windows and iPhone - absolutely love it! I'm slowly transferring all my logins, email accounts, credit card information, etc, etc, in and updating and creating secure passwords as I go. BUT... so many of my websites use the "type character x and y" from a phrase procedure that I mentioned above I find I'm having to stick with the simple phrases I've previously used to save having to open and view a more complex phrase I know 1Password could make for me.
I think an option to save the phrase with the other 1Password data then add to the right-click context menu, when viewing the login page, the option to have "security phrase x" > Insert Character > 1 | 2 | 3, etc. So in other words if I get a login page with a drop-down list which asks for character 3 of my security phrase I could right-click it, then from the context menu choose "1Password" > "Security Phrase 1" > "Digit 3" and whatever character is required is "typed" into the box.
I've had a look at the wish list for the new Windows version but don't think I saw this idea in there.
Keep up the good work :)
David
0 -
Nifty idea, David. I'll add it to the list of requested features for 1Password 4, currently in beta development.
0 -
so many of my websites use the "type character x and y" from a phrase
if a website is asking for "character x" from a passphrase, then they must be storing the passphrase in plain-text and this is a bad idea.
0 -
Maybe so. But it's a widely used practice with UK financial websites - virtually all such websites I use will ask initially for a username and password, and then on the next page for a couple of characters from another security word. You'll understand the method a website may or may not use to achieve this doesn't really matter to me - the fact is many of them do it which is why I mentioned this in the first place.
0 -
It's not good practice for anyone to ask for a specific character in a passphrase, as it means they have the passphrase stored in plain-text. I would contact them and request they change their policies regarding online security.
0 -
svondutch - why do you believe this implies the password has to be stored in plain text? Certainly it is trivial for the server to grab specific characters after decryption and perform comparisons against those supplied by a user.
0 -
With the greatest of respect I don't need to become the website security police. The websites which use this technique are operate by large national/international financial institutions who will no doubt have large teams of security experts on hand to assure me that the methods of security they are using when taken as a whole are completely safe and offer the best security.
1Password is a fantastic tool and I love it, but the suggestion that perhaps websites should consider changing to suit 1Password or that they are doing their security 'wrong' by using this method isn't helpful.0 -
why do you believe this implies the password has to be stored in plain text? Certainly it is trivial for the server to grab specific characters after decryption
A passphrase should be hashed - not encrypted.
@David Spink I understand the need for this, but 1Password mission is to keep users secure when online. Accommodating bad security practices is not where we want 1Password to go.
0 -
I'm sorry, but I agree with David - its unhelpful that 1P doesn't give an easy way to extract passwords that many of these sites use (which I will add is in addition to a regular password).
Surely 1P can give a simple way to extract characters 3,7,11 from a generated password, so that its easy for the user (me) to enter them in? At the moment I end up having to put a text string with: "123456789012345678" above my extra password field, so that I can answer these questions - I just wish there was a way to enter 3,7,11 into a text field and 1P could give me the relevant characters to enter.
You guys could be a little more pragmatic and help your users. You could also help by explaining to the industry why these types of passwords are bad - and use your influence to help make things change - but I'm sure for the next 1-2 years, I'm still going to be stuck trying to login to my bank(s) with that extra step.
Tim
0 -
@svondutch wrote:
It's not good practice for anyone to ask for a specific character in a passphrase, as it means they have the passphrase stored in plain-text.
Ah, an opportunity for me to learn something! Is that always true? Can't they store it encrypted, but decrypt it to perform the comparison?
I know nothing about this (as you can perhaps tell!), but it occurs to me that a good level of security would be to have a system which will encrypt passwords, but not decrypt them. When the user enters their password, it is encrypted and then the encrypted password is checked against the encrypted password they have stored. Is this how it's normally done?
Anyway, I still think they could provide the "nominated characters" feature without storing the password in plain text; but by having decryptable passwords instead. Not as secure as the one-way encryption, but more secure than plain text.
But, as I say, I know nothing about this, so please elucidate. :-)
Steve
0 -
@svondutch But this isn't the only method used during login. First there is a normal username+password combo, and then as an ADDITIONAL step they ask for certain random characters from a different phrase. So the sites that employ this method I'm sure will argue that it offers additional protection over-and-above having only a username/password combo. While the username/password is vulnerable in some ways (say a key logger on the local machine) the pass-phrase is less vulnerable to this because you're never entering the entire phrase. So even with a compromised username/password without knowing all characters of the secondary phrase life is still difficult. From the other perspective if the secondary phrase is stolen from the websites database because it's unencrypted that still doesn't help because the attacker won't have the password which presumably would be protected as you describe.
While I accept your mission is to improve internet security, etc, etc, you're also in the business of making a product which will be useful to people who are paying you money for it. It's not my business to start lobbying my bank, credit card company, etc, to tell them they are doing their security wrong - the fact is that's how they do it and I'd like your program to make it as easy as possible for me to login.
I'll end as usual by saying I'm a massive 1Password fan - keep up the good work!! :)
0 -
I agree with @David Spink - although I acknowledge 1P's position re. internet security in general, in reality we users are stuck with those types of login systems, regardless of whether we agree with them or not.
So I firmly believe that 1P should offer that facility if it wants to be regarded as a complete solution to password management.
0 -
Hi guys,
Please read my extensive post on this in the other thread here. The short answer is that we're looking into a way to present this in the UI to show you the password character map but we don't have a clear picture of how do to do this just yet.
I've added everybody's votes here to our tracker on this request and we'll see what we can do.
Thanks for sharing your passion to get 1Password to make your life easier on difficult sites like this and we'll try our best to make this happen as soon as possible.
0 -
Hi,
Again, I'm agreeing with @David Spink on this one - Barclays, Santander, Natwest in the UK all have this method of choosing 3 characters from your password and entering these - 1 password can't support this which is a shame so i have to have the password open and then flick between 1P & chrome.
A feature to support this usecase would be great...
ian.
0 -
The characters in the pin could easily be encrypted, each separately, then checked by comparing each hashed input from the user against the corresponding hashed digit it in the database.
A passphrase should be hashed - not encrypted.
A hash is an encryption, it's a one way encryption.
0 -
A hash is an encryption, it's a one way encryption.
This may or may not be technically true, but in common security parlance "storing an encrypted password" implies reversible encryption whilst "storing a hashed password" implies non-reversible. I've never seen them used in any other way.
The characters in the pin could easily be encrypted, each separately, then checked by comparing each hashed input from the user against the corresponding hashed digit it in the database.
Interesting idea. However, it doesn't address the main complaint about using encrypted passwords, namely that the key must be stored too which the encryption open to compromise.
@svondutch @jpgoldberg For curiousity's sake, does the efficiency and security of the AES algorithm remain constant with very short strings?
0 -
A hash is an encryption, it's a one way encryption.
http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374
The characters in the pin could easily be encrypted, each separately, then checked by comparing each hashed input from the user against the corresponding hashed digit it in the database.
In theory, yes. In practice? Probably not.
0