Kanto.aliorbank.pl - Problems filling in the 'nth' characters of the password
I have an issue with my bank's currency exchange portal login in both Chrome (39.0.2171.95 m (64-bit)) under Windows and Safari under Mac Yosemite.
The bank uses a very peculiar login form:
https://kantor.aliorbank.pl/login (you can enter any identifier, e.g. demo to see the password form).
Comments
-
Sigh.
Banks are so helpful.
:(
The first page in the login sequence doesn't include a password field, so the 1Password extension doesn't offer to save a Login item for you. You can still save one manually, so that 1Password can fill in the username page for you, on subsequent visits.
The second page in the sequence is the killer, though.
The first problem is that it appears to limit you to a seven-character password. Yikes!
I don't even know how to respond to that, other than to suggest you consider contacting your bank to let them know the 20th century ended some time ago.
The second problem is that you have to enter random characters from that password, which may explain why they don't expect you to remember more than seven of them. Ugh!
The best you can do is to edit the Login you save manually, adding a custom field for each of the seven (sheesh!) characters in your password. Then you can copy the appropriate characters from the Login item into the corresponding field on the form.
It's also possible that you could determine the field names of the seven characters on that second page by reading the HTML and edit the saved Login to include a row for each of them (near the bottom of the edit window). Then 1Password might be able to fill in whichever forms are requested, each time you get to the form again.
In case you can't tell, we're occasionally left just shaking our heads at the shenanigans some sites get up to, in the effort to put on a good show of security. Personally, I'm reminded of the TSA.
0 -
you have to enter random characters from that password
If they are asking for this, then they have your password stored in plain text and this is a big security no-go.
http://plaintextoffenders.com/about/
in the effort to put on a good show of security
If you cannot use a password manager, then what they are actually doing is lowering your security.
0 -
Thanks for your reply. When it comes to the login, I was able to save it manually and have 1Password fill it in.
To be fair to the bank, they do allow you to set passwords up to 25 characters, which will change the number of password fields in the login screen. The problem is that it seems that the HTML code for those fields is somehow in conflict with 1P logic. Could the issue be that 1P distinguishes between fields by name, while the form below uses different IDs but the same name?
    <ul id="masked-password">
      <li class="disabled">
        <input id="lif-mask-1" class="size-XXS disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password">
        <label for="lif-mask-1">1</label>
      </li>
      <li>
        <input id="lif-mask-2" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="1">
        <label for="lif-mask-2">2</label>
      </li>
      <MORE PASSWORD FIELDS :) >
      <li class="disabled">
        <input id="lif-mask-19" class="size-XXS disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password">
        <label for="lif-mask-19">19</label>
      </li>
      <li>
        <input id="lif-mask-20" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="5">
        <label for="lif-mask-20">20</label>
      </li>
    </ul>
0 -
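An added example, not code from 1Password or from the bank, of the logic a filler would need for the form quoted above: every input shares name="j_password", so the only thing that says which character is wanted is the number in the id (lif-mask-N), and the only thing that says whether a position is wanted at all is the disabled attribute. The sample form below is constructed to mirror the quoted markup (eight positions, three of them enabled); the assumption that N in lif-mask-N is the 1-based character position comes from the labels in the snippet.

```javascript
// Added example (not from 1Password or Alior): decide which characters of a
// stored password a "masked password" form is asking for, and in which field
// each one goes. Assumptions: inputs look like the quoted snippet
// (id="lif-mask-N", name="j_password", unwanted positions carry
// disabled="disabled"), and N is the 1-based position in the password.

const INPUT_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*"([^"]*)"/g;

// Parse one tag's attribute string into a map. Quoted attributes are taken
// first so that the word "disabled" inside class="... disabled ..." is not
// mistaken for the disabled attribute; bare boolean attributes are then read
// from whatever text is left over.
function parseAttrs(attrString) {
  const attrs = {};
  const rest = attrString.replace(ATTR_RE, (_, key, value) => {
    attrs[key.toLowerCase()] = value;
    return ' ';
  });
  for (const bare of rest.match(/[\w-]+/g) || []) {
    const key = bare.toLowerCase();
    if (!(key in attrs)) attrs[key] = '';
  }
  return attrs;
}

// Return the enabled password positions, sorted, as {id, position}.
function requestedPositions(html) {
  const positions = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const a = parseAttrs(m[1]);
    if ((a.type || '').toLowerCase() !== 'password') continue;
    if ('disabled' in a) continue;                 // greyed-out position
    const idMatch = /^lif-mask-(\d+)$/.exec(a.id || '');
    if (!idMatch) continue;
    positions.push({ id: a.id, position: Number(idMatch[1]) });
  }
  return positions.sort((x, y) => x.position - y.position);
}

// Map each requested position to the character of the stored password.
// Throws instead of silently filling nothing when the form asks for a
// position the stored password does not have (the "stopped after the first
// digit" failure mode is exactly what you want to notice, not hide).
function fillPlan(html, password) {
  const chars = Array.from(password);              // safe for non-BMP characters
  return requestedPositions(html).map(({ id, position }) => {
    if (position < 1 || position > chars.length) {
      throw new RangeError(
        `form asks for character ${position} but the stored password has ${chars.length}`);
    }
    return { id, position, value: chars[position - 1] };
  });
}

// Constructed sample: eight positions, only 2, 5 and 8 are enabled.
const SAMPLE_FORM = `
<ul id="masked-password">
  <li class="disabled"><input id="lif-mask-1" class="size-XXS disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"><label for="lif-mask-1">1</label></li>
  <li><input id="lif-mask-2" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="1"><label for="lif-mask-2">2</label></li>
  <li class="disabled"><input id="lif-mask-3" class="size-XXS disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"><label for="lif-mask-3">3</label></li>
  <li class="disabled"><input id="lif-mask-4" class="size-XXS disabled field-disabled" name="j_password" disabled size="1" maxlength="1" type="password"><label for="lif-mask-4">4</label></li>
  <li><input id="lif-mask-5" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="2"><label for="lif-mask-5">5</label></li>
  <li class="disabled"><input id="lif-mask-6" class="size-XXS disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"><label for="lif-mask-6">6</label></li>
  <li class="disabled"><input id="lif-mask-7" class="size-XXS disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"><label for="lif-mask-7">7</label></li>
  <li><input id="lif-mask-8" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="3"><label for="lif-mask-8">8</label></li>
</ul>`;

// Stand-alone run: print the plan for a constructed password.
if (typeof require !== 'undefined' && require.main === module) {
  for (const step of fillPlan(SAMPLE_FORM, 'hunter2abc')) {
    console.log(`${step.id} (position ${step.position}) <- ${step.value}`);
  }
}
```

In a browser extension the same plan would be applied with document.getElementById(step.id).value = step.value for each entry, skipping nothing: the data-id attribute in the quoted markup only counts the enabled boxes (1, 2, 3, ...) and must not be confused with the password position, which is the number in the id.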
If you cannot use a password manager, then what they are actually doing is lowering your security.
I agree with you but I can understand the thinking. They're set in a traditionally corporate mindset that says that unless they control the data then they can't be sure it's secure. They don't want third party software to have access to your login details as that is outside their control. My bank has basically told me just that, even going so far as to say that use of password manager would count against me if my accounts were breached! Sadly that attitude seems to be all too common with banks.
Mind you, I'm not sure why I am surprised given that some of them are still running Windows NT4 on some of their internal, non-connected systems.
Could the issue be that 1P distinguishes between fields by name, while the form below uses different IDs, but the same name?
As far as I'm aware it checks ID first. Certainly, it worked on the manually saved login that I just tried.
@svondutch
Oddly though, having just tried again, it is now not working. Very bizarre.
The username fill worked OK but the password digits did this: it filled the first digit correctly but then stopped. Also note that it is filling a disabled field, which I didn't think it was supposed to do any more.
It also now seems to have broken the url matching too. Restarting the helper temporarily solves that but then it seems to break again randomly.
0 -
They don't want third party software to have access to your login details as that is outside their control. My bank has basically told me just that, even going so far as to say that use of password manager would count against me if my accounts were breached!
@RichardPayne they are wrong: http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html
0 -
I know @svondutch. Like I said, it's an old fashioned way of thinking, but then the banking sector is a very old fashioned place.
0 -
in the effort to put on a good show of security
If you cannot use a password manager, then what they are actually doing is lowering your security.
That's precisely my point, @svondutch: it's only a show of security, not real security...just like the TSA.
0 -
@RichardPayne: because all the fields have the same NAME value ("j_password"), try editing each row, giving it the appropriate value from the ID attribute, instead ("lif-mask-2" and "lif-mask-3" and so on).
You might also try removing the "password" Designation from the first one. Since only one can have that Designation, maybe none of them having it will work.
I'd be interested to hear whether either change helps.
0 -
Sorry for a delay here.
I tried adding "lif-mask-1" through "lif-mask-3" to 1Password (all with a designation of "none"); this did not work.
I tried the same with three "j_password" entries, with no success either.
0 -
Hi @RTemi,
I'm sorry to hear that you're having trouble making this work. Ideally, as is discussed above, we'd love to see banks do away with this type of 'security' in favour of truly secure measures (such as supporting long and random passwords, and making it easy for users to fill with trusted password managers). While we wait for that magical day, however, we're left with some very unusual login forms.
At this time, 1Password does not officially support the filling in of the 'nth' character of passwords. We are looking into ways to better handle these fields, but for the time being, you may have to copy and paste those details.
ref: OPM-1720
0 -
There still is something you can do easily, that is changing the 1Password UI so that when "revealing" a password you also show markers that help the user find easily the nth character, e.g. showing little dots every third character. What do you reckon?
0 -
I like that @giacecco
0 -
Verified by Visa or 3D Secure (their names may very well differ depending on the country) are two examples of where you might be asked for nth characters. My current setup is as I mentioned in my last post in that thread and here is how I have it set up in 1Password.
I use two password fields as they use constant character spacing allowing easy alignment and I give the index no name. When I use it I have to reveal two fields but it works fine for me. So I tend to use 1Password mini to reveal the Item details then anchor it. I reveal the two passwords and now I'm used to it I find it works for me.
Obviously a much better solution would be something baked into 1Password and if it can't be automated you want a nice easy way of highlighting to the user what character you're focussing on. Until then hopefully something in the post MrC linked to can make it a little easier to tolerate.
0