Wrong password saved and auto-filled

Dukon

Hi,

I am using 1Password all the time, and noticed an issue with one site I use. I noticed that when I use the auto-fill, the site does not accept my password, but when I manually copy and paste the password, it does work just fine (username is auto-filled just fine).

The website: https://hb2.bankleumi.co.il/E/Login.html

Tests I did:

1. Filled in the correct credentials, and created a new Login item --> noticed that the saved password in 1Password was wrong and seemed random (but only lower caps).
2. Went on and clicked the login button on the website to verify I used the right password, and I did (successful login).
3. Tried using the new login item to login using auto-fill--> failed to login.
4. Tried using the new login item while copying and pasting the password --> failed.
5. Manually updated the password of the new login item to the correct one, verified it is also saved in the web form details, and tried again --> failed.

Other observations:

6. Only two fields under web form details (correct username, and the wrong password).
7. When I save a new Login again and again without refreshing the page --> 1Password saved the same wrong password.
8. When I add one character to the password --> the (wrong) saved password is the same plus one character.
9. When I refresh the login page, type the same (!) password, and save a new login item --> I get a different (!) wrong and random looking password.

The only workaround I found is: manually saving the right password in 1Password, and manually copying it to the webpage when I need to login. So I guess there are two symptoms here, probably related: parsing the password to 1Password when creating a new login item (or updating), and parsing the password from 1Password using the auto-fill.

Best,
Dukon

My setup:

• Mac OS X Yosemite (10.10.1)
• 1Password from the Mac App Store Version 5.0.2 (502006)
• Chrome Version 39.0.2171.99 (64-bit)
• iOS 8.1.2
• 1Password 5.1.2 form the App Store
• iCloud Sync

MikeT

Hi @Dukon,

The issue is because the bank site is trying to defend against automated password saving by changing these characters as you type it in. You may notice if you try to auto-save with just dummy data like "test"/"password", you'll get a different password each single time you try the same "test"/"password".

I also suspect the other issue is that the way 1Password fills in your password instead of typing it in, the bank is parsing it differently and thus gets a different value than expected, which results into a failure.

While we try to stay on top of this, 1Password cannot break or modify the security aspects of websites, that's not something we'll ever do. We can only save the values that the login forms have and because the bank changed it on the fly, there's no way we can get the original value from you.

In rare cases like this, you have to manually create a Login in the main 1Password app instead. This ensures that 1Password enters exactly what you gave it, not what the site gives back to the 1Password extension.

However, you also have the issue of the way 1Password fills in, and in this case, you have to copy the password manually instead of asking 1Password to fill in.

There might not be a way around this security feature of the bank but we'll investigate to see if there's a better approach to this.

Thanks!

Dukon

Hi @MikeT

Thank you for the explanation. The part of blocking 1Password (or any other software that is trying to save your password) sounds "easy" and smart on their side. I assume it does add some security, and that is good.

But I think that the other issue of using auto-fill is more interesting and is a bigger issue for ease of use. I am interested to know if you guys know how the site can differentiate between the user using copy and paste to fill in the password (which is working) and using the auto-fill function of a password manager (which is not working). If you can explain (or better solve) this one, I would think it's at least 95% of the issue I mention - you rarely create a login or update a password vs. using it to login.

Thanks again for the explanation!

Dukon

littlebobbytables

Hi @Dukon‌

My understanding is limited, especially in contrast to our developers but there can be a variety of reasons why one approach may work but another may not. We are working on a new filling brain which if you're involved in the beta you might have experienced already. This might help with some sites. One reason why copying and pasting works where the auto-fill doesn't is if we're incorrectly filling fields invisible to the user that we need to avoid. If you ever dare to look under the outer layer of a website you might go blind with the horrors that you see. We've come across some sites where neither system will work and only entering the password a character at a time is effective. The variety out there is quite something.

You might have also asking about the use of Auto-Type as an alternative to our standard filling technique? I'm not sure where we stand on that as I believe we're discussing security aspects at the moment.

If you have any further questions or I've misunderstood what you were enquiring about please do post back :smile:

ref: OPM-990

Spinosum

I am facing the same issue as experienced by Dukon, mainly affecting Banking websites. However, I have Lastpass installed alongside with 1Password in my Chrome/Safari. Lastpass is able to overcome this problem, due to the fact that it has the option of "Save all entered data", and we can manually add in various different fields to allow Lastpass to fill in the data/password for us when it comes to the right page/site. I have tried it on all the banking websites which 1Password is unable to fill in the passwords properly, but Lastpass does it flawlessly.

RunInCircles

I’m experiencing the same, or very similar phenomenon the past few days.
It is on more than banking sites, in my case. Even THIS forum required a cut & paste to work correctly!

Do not think there are any set-up changes on my end to explain how this came about.

littlebobbytables

Hi @Spinosum & @RunInCircles,

Our new filling logic or brain as we've referred to it in the changelog is still very new and we're working on improving compatibility. The tricky sites were always going to be the banks due to the inability for us as non-customers to see anything past the first page. We'll improve there too though as we learn more. We also have the ability to report a filling issue now via the 1Password Browser Extension (see the screenshot below)

The first thing worth trying with a filling issue is to try saving a new Login item using our How to manually save a Login guide. For example I don't have any troubles logging into these forums @RunInCircles so it might be worth a try if you're having troubles here.

MSpreij

Well.. finding this thread after encountering the error made me discover an error in our signup form, so ehr, problem solved (I hope) and thanks, I guess :-)

littlebobbytables

I'm glad we could help @MSpreij, even if I don't know for which site it was. Of course if you are still having difficulties at all please do let us know :smile:

MSpreij

@littlebobbytables Nope, that works now (double id attribute was messing things up). I have a few suggestions to improve UX, but that's for another thread. :+1: on your username btw :-)

littlebobbytables

Hi @MSpreij,

Yup, the ID attribute could cause some havoc if it isn't used as we expect it to be (unique and once per element).

Big Randall Munroe fan here - love the guy's work! :D Oh and welcome to our forums :smile: