Using new HTML5 autocomplete attribute values.
It looks like iOS Safari might be working with some new autocomplete attribute values, helping it with the change password pages:
https://lmjabreu.com/post/ios-8-privacy-updates/#safari-keychain-improvements
(scroll down to Keychain Improvements)
https://html.spec.whatwg.org/multipage/forms.html#autofill
While I doubt many websites will actually implement these anytime soon, password managers could use them to fill out a change password page without any problems guessing the meaning of the fields (note, there are also values for filling out credit card details - something I know 1Password struggles with at times).
For example, at the moment if you use the "fill" feature in the "password generator" it will fill out every password field with the new password (even though most sites will typically have a password field set as the "current password").
I believe Luis is suggesting using some HTML like:
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8" />
    <title>Change Password</title>
</head>
<body>
    <form action="./" method="post" accept-charset="UTF-8">
        <fieldset>
            <div>
                <label for="password_current">Password</label>:
                <input type="password" name="password_current" maxlength="250" id="password_current" required="required" autofocus="autofocus" autocomplete="current-password" />
            </div>
            <div>
                <label for="password_new">New password</label>:
                <input type="password" name="password_new" maxlength="250" id="password_new" required="required" autocomplete="new-password" />
            </div>
            <div>
                <label for="password_repeat">Repeat password</label>:
                <input type="password" name="password_repeat" maxlength="250" id="password_repeat" required="required" autocomplete="new-password" />
            </div>
            <div>
                <input type="hidden" name="username" value="craig.francis" autocomplete="username" readonly="readonly" />
                <input type="hidden" name="csrf" value="tr6Gj6w6LczH98" />
                <input type="submit" name="button" value="Change Password" />
            </div>
        </fieldset>
    </form>
</body>
</html>
Comments
-
Hi @craig_francis,
Thanks for sharing that information and suggesting its potential for usage with 1Password. Looks interesting; I've passed it along to our developers. :)
0 -
I'm just creating another website which has a change password page (well, update profile).
At the moment if you press [cmd]+[/], 1Password will fill all 3 password fields (current, new, repeat) with the current password.
Is there any way for the website developer to help 1Password identify (and only fill out) the current password field?
The example HTML above shows this behaviour... and I'm hoping the autocomplete="current-password" would be enough :-)
0 -
Hi @craig_francis,
1Password definitely should not be filling in all 3 fields on a password change form. Could you please let me know the version number of 1Password that you have installed, and the version number of the extension?
0 -
1Password 5.1 (510035), and Safari extension 4.2.5... I'm also using 1Password 4.4.3 with Chrome extension 4.2.5.90, and Firefox 4.2.5 on my main computer (can't upgrade to Yosemite just yet).
To reproduce, just take the above HTML, put it on a domain that has a saved password, and press [cmd]+[/]... all 3 password fields are filled out.
I realise that the change password guide says that I should copy/paste the current password first, then use the password generator to fill in the other two... which might be where I'm doing this differently (but assuming the software is currently working as intended, maybe it can be improved?).
0 -
Hi @craig_francis,
Thanks for the version information. The results you reported are reproducible here.
And with current 1Password for Mac and 1Password Browser Extensions betas (5.3.BETA-3 and the 4.3.0.BETA-7), only the first/top Password field is filled in Safari, Chrome, and Firefox using the sample form from your original message.
Does this help resolve your issue?
0 -
Thanks @sjk... the Beta has made it a bit better, but it does now auto submit the form (as though it was a standard login form), so I don't get a chance to enter the new random password (assuming the fields will be entered in sequence).
0 -
Hi @craig_francis,
Thanks for all your awesome suggestions here! This is great information. We would love to be able to fill out these change password pages more intelligently - currently this has not been fully implemented yet. We do have this on our list, however - I'm going to add your suggestions to the ticket for whoever gets to work on that. Thanks again!
ref: OPX-792
0 -
np, and I realise this isn't going to be easy, considering the number of websites that will do everything in their own way... I'm just hoping that the HTML 5.1 autocomplete gets used (at least with the bigger websites).
0 -
Hi @craig_francis,
Thanks so much for your understanding. Keep being awesome! :)
0 -
Any update on this? Would be great if 1Password did this and the Web author guide at https://support.1password.com/compatible-website-design/ was updated to reflect that.
0 -
Sorry @mnot, there's no news to report at the moment. I wasn't aware of this before but I'd love to see it get widespread support and for us to have it too. The idea of taking all of the guesswork out of the process is extremely appealing for us and all of our users. The devs are all feverishly busy but Meek did record all of the information as promised so as soon as we get the chance I'm sure it will be one of the things we'd love to add.
0 -
Thanks @littlebobbytables. I think there's a bit of chicken-and-egg here; sites don't know best practices to support password managers, and password managers have slightly different (and sometimes undocumented) ways to do what they do.
I suspect that if 1Password started supporting those extended values and documented it, sites would start using it, and other password managers would also get on board over time.
The other piece of the puzzle is the Credential Management spec:
https://w3c.github.io/webappsec/specs/credentialmanagement/
... and it would be great to get 1Password's input/feedback on that. Happy to help if you need intros / etc.
0 -
Hello @mnot,
You give us a lot of credit, I'm not sure how much pull we have with sites out there but regardless I think it is important that we support it. For starters, any site that does support it means we can skip all the educated guesswork of what field is what and instead we fill with 100% confidence. If a site doesn't support it then we simply revert to what we've been doing anyway. The only possible downside I can see is if we spend time implementing it and nobody uses the standard. It's a risk but I believe a small one.
I'm curious about this Credential Management draft. I've scanned it but it almost seemed like a thought exercise at the moment. You seem to have a better grasp than myself so I'm wondering if you can help me so I can ensure I explain it properly to others.
0 -
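The approach described in the post above (use the declared autocomplete values when a form has them, otherwise fall back to guessing), as an added example that is not part of the thread and not 1Password's code. Plain field objects stand in for DOM inputs, the function names are hypothetical, and the fallback rule (first password field only) is a stand-in for whatever heuristic a real password manager uses.

```javascript
// Added example: field objects stand in for <input> elements so this runs without a DOM.
const PASSWORD_ROLES = new Set(["current-password", "new-password", "username"]);

// Extract the autofill field name from an autocomplete value, skipping the
// optional "section-*", "shipping"/"billing" and trailing "webauthn" tokens.
function autofillRole(value) {
  const tokens = (value || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens[tokens.length - 1] === "webauthn") tokens.pop();
  const name = tokens
    .filter((t) => !t.startsWith("section-") && t !== "shipping" && t !== "billing")
    .pop();
  return PASSWORD_ROLES.has(name) ? name : null;
}

// Decide which fields get the saved password and which get a generated one.
function planFill(fields) {
  const plan = { source: "declared", username: null, current: [], fresh: [] };
  for (const f of fields) {
    const role = autofillRole(f.autocomplete);
    if (role === "username") plan.username = f.name;
    else if (f.type === "password" && role === "current-password") plan.current.push(f.name);
    else if (f.type === "password" && role === "new-password") plan.fresh.push(f.name);
  }
  if (plan.current.length || plan.fresh.length) return plan;

  // Nothing declared: guess (assumption) that only the first password field
  // holds the saved password, and leave every other password field alone.
  const passwords = fields.filter((f) => f.type === "password").map((f) => f.name);
  return { source: "guess", username: plan.username, current: passwords.slice(0, 1), fresh: [] };
}

// Constructed sample mirroring the change-password form from the original post.
const annotatedForm = [
  { name: "password_current", type: "password", autocomplete: "current-password" },
  { name: "password_new", type: "password", autocomplete: "new-password" },
  { name: "password_repeat", type: "password", autocomplete: "new-password" },
  { name: "username", type: "hidden", autocomplete: "username" },
  { name: "csrf", type: "hidden" },
];
// The same form with every autocomplete attribute stripped.
const unannotatedForm = annotatedForm.map(({ autocomplete, ...rest }) => rest);

console.log(planFill(annotatedForm));
console.log(planFill(unannotatedForm));
```

With the attributes present, the saved password goes only to `password_current` and the two `new-password` fields are left for the generator; without them the plan is marked as a guess, so a caller can choose not to auto-submit.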
With the WHATWG autocomplete spec, I believe it is already implemented in the password managers for iOS Safari, Chrome, and maybe Firefox (can't find a bug tracker atm)... so hopefully more websites will support it soon :-)
As to the Credential Management API, this is currently only a discussion, with the intention that the browser can help password managers do their job. However I know Mike West is keen to get in touch with you (1Password) to get your feedback on the proposals:
https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0142.html
0 -
Thank you both for your passion and informative posts. I can't make any promises or offer any timelines but for what it's worth I do like it. Anything that allows for more reliable filling sounds like a win to me :smile:
0