1Password fills the password field with red shading and no password
Symptom: In Safari, I click the 1Password button, I scroll down to select my bookmark, Safari opens the page, 1Password auto fills the user name but then it fills the password field with red shading without the password. I must manually type it in each time.
1Password Version: 5.4.1
Extension Version: 4.4.2
OS Version: 10.11 Beta (15A278b)
Sync Type: Dropbox
Referrer: forum-search:red shade
Comments
It happens with just one site so far.
http://idp.gvfv.clareitysecurity.net/idp/Authn/UserPassword
In order for you to test this site I would need to give you my user name and password and that's not possible.
Hi @w100d001,
Sorry for the delay in responding. Now I've taken a peek at the site and the testing we can do even without a valid login was sufficient to understand what is going on.
This site is tough. When you save a new Login item from within the browser what we do is we look at the page and see what you typed in where. When you fill we try to set the fields to the same values that we saw when we first created the Login item. Now this page, what you see is a field for a username and password but that isn't the end of the story. In fact that password field isn't a password field at all. What is happening is the site is using JavaScript to see what you type into that field, copy the character to another hidden field (this is important) and then replace what you typed with an asterisk. So when you save the Login item what 1Password sees is ******* rather than the real password which is what would happen if the field was a real password field. Now we don't currently interact with hidden fields - the idea being if it's hidden you can't have directly interacted with it and thus it isn't part of the login form. Sadly this isn't the case here and my limited attempt at trying to force 1Password to fill this field failed.
The field also doesn't react to copy and paste, something the site has purposely tried to block. This will all have been done in a bid to make the page more secure but my personal opinion is it ends up causing people to pick simple passwords because they're forced to remember or at the very least type it. They're not the first and I'll never really understand as all of my passwords are significantly stronger thanks to 1Password.
Sadly it means I don't have an answer for this site, something I'm never happy to have to write. I do apologise :(
ref: OPX-1080
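An added example, not part of the original post or 1Password's code: a DOM-free JavaScript model of the masking behaviour the reply above describes, showing why the saved Login holds only asterisks and why filling leaves the hidden field empty. All function names, field names and sample credentials are constructed for illustration.

```javascript
// Hypothetical model of the login form described above (no browser needed).
// A visible text field only ever shows asterisks; a hidden field holds the
// real password, as the site's script arranges.
function makeMaskedForm() {
  return {
    username: { type: "text", hidden: false, value: "" },
    passwordDisplay: { type: "text", hidden: false, value: "" },
    passwordReal: { type: "hidden", hidden: true, value: "" },
  };
}

// The site's keystroke handler: copy each typed character into the hidden
// field, then show "*" in the visible one.
function typeInto(form, text) {
  for (const ch of text) {
    form.passwordReal.value += ch;
    form.passwordDisplay.value += "*";
  }
}

// Save routine that records only fields the user could have interacted
// with, i.e. it skips hidden ones (the policy described in the post).
function saveLogin(form) {
  const saved = {};
  for (const [name, field] of Object.entries(form)) {
    if (!field.hidden) saved[name] = field.value;
  }
  return saved;
}

// Filling sets the visible fields directly; no keystroke events fire, so
// the site's handler never copies anything into the hidden field.
function fillLogin(form, saved) {
  for (const [name, value] of Object.entries(saved)) form[name].value = value;
  return form.passwordReal.value; // what the server would receive
}

function demo() {
  const first = makeMaskedForm();
  first.username.value = "alice"; // constructed sample credentials
  typeInto(first, "s3cret!");
  const saved = saveLogin(first);
  const submitted = fillLogin(makeMaskedForm(), saved);
  return { savedPassword: saved.passwordDisplay, submitted };
}

console.log(demo());
```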
WOW... 2 things:
1st: that was great investigating on your part and an even better explanation... nice work! Never apologize for hard work my friend!
2nd: what's stopping all sites from using this kind of authentication method? ...and if they did, would 1Password be crippled?
Thankfully, I only run into the problem with one site. Thank you for the reply!
Hello @w100d001,
If a significant number of sites were to rapidly change to this sort of behaviour filling would be broken until we could come up with a different approach. Thankfully many sites adopt the KISS (Keep It Simple Stupid) approach and go for a nice, clean and most importantly, simple login page. Mostly really difficult sites are seen in just the finance sector where they come up with some really 'inventive' approaches and if sites in general started to do this we'd have a lot of unhappy users and a couple of really stressed developers. Now hopefully this is just a horror story scenario that we can tell each other here at AgileBits and this ugly situation never occurs in real life.
I have created a bug report so we'll see what we can do. The tricky part is we ignore hidden fields as normally that's a good idea so it's whether we can find a way to work here without affecting a larger number of sites as a consequence. The developers have a much better idea of this sort of thing than I so I'll leave it up to them to work their magic :smile:
You guys have always been excellent with your support. Thank you for looking into this... I'm not expecting a fix, just good to know it's on your radar. Keep me posted if something changes or if you need me to do anything on my end. I'm happy to work with developers on stuff like this. It's interesting to see how many tech problems are Real Estate related... I worked with Apple a few months ago to fix a problem with the new "dot realtor" domain... Apple's mail servers wouldn't recognize it so it couldn't be used with Apple mail. It's all good now though. Thanks again.
:smile: