login/password getting overwritten

reggoboy

After logging into my broadband provider's web site, their upgraded security prompted me to select a "security photo" and accompanying "security name". After I did, 1Password asked if I wanted to save a new login, but I changed that to Update Existing Login, hoping that 1P would capture all this information and associate it with my (single) broadband provider account, and fill out the fields as needed.

Instead, it has replaced my username with the "security name" above. And the password no longer seems to let me in. And since 1P stores my only record of my password, I was forced to reset my password to gain control of my account again. Fortunately, I had jotted my security question answer somewhere else, since it was random and I wasn't sure which "web form detail" entry in 1P applied.

So I think I've got control back, but it raises some concerns:

1) I'm thinking that I shouldn't have selected "Update" when 1P prompted me to Save New, right? When 1P says "Update" does that always imply that field data will be OVERWRITTEN rather than new field data being merged into an existing "login" form? In such cases, a "New Login" form should be created?

2) Let's say I blow away my username and password like I did today. Does 1P have any levels of "undo" to save me in such situations? Ideally to a "point in time", since I'm not sure it would have been clear to me how many changes were made during my various efforts to login today?

3) Speaking of Security Questions and Answers, what is the "right way" to capture those via 1P? Can't they all be in a single Login form, or does it vary depending on how the web form is presented?

Thanks!

1P is amazing, but some of these gotchas get me scared about jumping in with both feet.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:

littlebobbytables

Hi @reggoboy,

I'm going to assume you're running 1Password 5 and that you're running either Yosemite or El Capitan. If those are incorrect assumptions please do let us know which version of 1Password you are running so we can better understand what version your query is in reference to.

1. Updating a Login item should only replace the password. The last time I tried this, deliberately seeing if it would replace the username it didn't. So I'm a little surprised by what happened. We replace the password field with the new value and store the old one in a password history inside that Login item. As we currently only replace the password field there's not much to merge.
2. All copies of 1Password for Mac from at least version 3 make backups. In 1Password 4/5 we did alter this a bit so that it checks daily and if you've made changes then it creates a new backup. If you haven't then it skips that day so it doesn't backup just for the sake of it. Generally if you need to recover a single item I would suggest backing up the current vault, restoring an older backup, extracting the item you need to recover, restore the backup you just made and then add the item back in. We could just suggest restoring a slightly older backup but if you've made other changes they would be lost while the slightly more complex version wouldn't.
3. I personally add security questions as a custom section to my Login item. I use the label for the question and the field for the answer. That way I can easily copy the answer using just the mouse. There isn't likely to be a practical way to store all the information in a single Login item and fill as the security question is likely to be on a page by itself and probably one picked at random from a selection. If you're only asked about a single question on a page you could have each question as it's own Login item but I'm not sure that feels like a massive improvement over copying a certain field and pasting. Of course that last part is just preference so you may well feel differently about it.

I'm figuring you may have follow up questions so please do ask and if I haven't quite answered what you were asking please do let us know :smile:

reggoboy

First of all, thanks for your helpful reply.

And your Sql Injection screen name reminded me of that cartoon, and a painful lesson in a corporate hack I dealt with years ago, but I digress...

Sorry I didn't leave version info; I must have missed where that was prompted. Yes, 1Password 5 and running on Yosemite.

1. Yes, the "security phrase" somehow ended up replacing my username. I would have taken a screen shot or left it intact for forensic analysis, but I didn't due to security concerns and concern that I would forget my details, so I focused on regaining access. Strange, though.

2. I have never tried backup, restore, or extracting, but I'm sure I can figure it out. Nice to know there are options. Meanwhile, you can appreciate that it would be a lot simpler if you had a point-in-time restore feature, say if you logged each change by date/time in anticipation of undos. Possible feature request?

3. I will try this. Meanwhile, since security questions are integral data to modern security measures, it would be nice to see 1P take more "ownership" of this part of your data. Maybe when you're done filling out these Question/Answer pairs, users could select "Add Q&A Pairs To Existing Login?" and have 1P take care of this for you?

Thanks again! I'll let you know if I have questions as I go along!

reggoboy

Quick update:

I was able to reproduce how 1P prompted me to create a new Login by using a browser on a computer that was not previously "registered" with that web site. It was then that I selected Update Existing Login and then the Secret Phrase became my new Login, I believe.

Meanwhile, just now I tried to access my credit card, only to find that the Login was blank and the password was something bogus. Thankfully, I was still using the browser to cache web site passwords, and was able to use that to both get in and "Update Existing Login" to fix my 1P entry accordingly.

These things are rather unnerving. If I can do anything to help your engineering team debug what's going on, I'll be glad to help.

Thanks!

reggoboy

If "Update Existing Login" (or my untimely use of it) is the culprit here, I think one thing that would definitely help is to have 1P show me what fields it's planning to update and optionally the old/new values, so that I can be confident I want to proceed with the update.

littlebobbytables

Hello @reggoboy,

If you've found something that is reproducible it's bad but it's also great. Reproducible means we can clearly identify what's happening and why and look at getting this fixed. So could you tell us the following please.

1. What version of 1Password are you running?
2. What is your preferred browser and the version of that browser?
3. What version of the 1Password extension is installed?
4. What is the URL for the site and can you give a little description if possible about how to reach the page if it isn't part of the standard login process.

This will allow me to review what is happening and make sure a dev gets a good a description as possible as to what is happening.

reggoboy

I can supply this but some of the info I'd rather not post publicly. Can I correspond to you directly?

littlebobbytables

Greetings @reggoboy,

Of course :smile: I'll email the address you use here in the forums and get contact initiated.

littlebobbytables

Check your inbox @reggoboy :smile:

ref: VLB-22111-762