Feature Request: Popup Instructions
Some sites (chiefly large UK financial institutions) have an odd scheme where they ask you to pick a "memorable word" and then ask you for random characters from it as a second factor (or, sometimes, they do it for the password as a first factor), as seen below. Apparently they defeat keystroke loggers, though I suspect they are mostly just there so the IT department can be seen to be doing their bit for "security".
It would be great to have a seamless solution for 1Password to handle these kinds of interactions but I suspect that's a big ask as they aren't nearly as standardized as password fields. What would work is to allow an "advisory" to be popped up that appeared after 1Password submitted the password and remained until dismissed by the user. It would just be a text display. For the example below it would probably be:
The 'memorable word' is 'fuchsia' 0123456
which is basically what people put on the sticky note attached to their monitor so they can remember how to login. Given the need to line up letters and numbers it would be best to display the text in a monospaced font. For sites that do this for the password, the ability to have the popup displayed when the 1Password option is chosen from the browser's popup menu would be useful.
The relevant portion of the 'memorable word' request screen where the popup advice needs to be visible:
This is how the 'memorable word' is specified when creating the account:
1Password Version: 6.1
Extension Version: 4.5.5.90
OS Version: OS X 10.11.4
Sync Type: Dropbox
Comments
Hi, @Peregrine. Thanks for your post. First, you're right that as of yet we haven't found any standard patterns for how these terrible password screens are presented, so supporting them in 1Password would be like fighting the hydra.
What we do have that might be of use for you is Large Type. (This isn't in our documentation yet but we hope to get it in soon.) If you click the 1Password button in your browser, show the details of your Login item, and mouse over your password, you should see a button. By default, the action is "open and fill" but if you mouse over the button itself, you'll see a small triangle on the right. Click this and you can choose Large Type. You can read more about it in our blog post announcing the feature. I think that may help with the sites that use this approach.
As for the future, it's hard to say for sure, but I'm skeptical of these security practices. I can't think of a way to store these password details so that they are verifiable after submission that is at all secure. No one has ever fully described the security model to me, but from my perspective, none of the options seem sufficient. At the worst, they may be storing the real password as plain text in their database. In the best case, they have to keep a separate hash of all of the 3-character combinations they may ask for, in which case your 6-10 character "memorable word" becomes a 3-character password, ripe for a breach of that database to attempt a rather trivial attack against. To me, it seems they must be relying on their various security policies about where the data is stored, how the gates are guarded, etc. over the real security of strong passwords with appropriate hashing. Rather than attempting to support this in 1Password, I would rather see these practices fall out of vogue and the total security of these sites improve for all users.
I hope that helps. Let us know if you have other questions or concerns.
--
Jamie Phelps
Code Wrangler @ AgileBits
http://agilebits.com
ref: DOCS-580
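The reply above argues that if a site keeps one hash per 3-character combination so it can verify partial-word challenges, the "memorable word" effectively collapses to a 3-character password. The following Python is an added illustration of that argument, written for this page; it is not code from the thread, from AgileBits, or from any bank, and nobody on the page claims that any site stores the word exactly this way. It assumes an unsalted SHA-256 over the three requested characters, a lowercase alphabet, challenges of exactly three positions, and the word "fuchsia" from the original post; all of these are constructed assumptions chosen to make the arithmetic concrete.

```python
import hashlib
import itertools
import string
from math import comb

# Constructed sample input: the 7-character word used in the original post.
WORD = "fuchsia"
ALPHABET = string.ascii_lowercase   # assumption: lowercase letters only
POSITIONS_ASKED = 3                 # assumption: the site asks for 3 characters


def _digest(chars: str) -> str:
    # Assumption: the site hashes only the challenged characters, unsalted.
    return hashlib.sha256(chars.encode()).hexdigest()


def enrol(word: str, k: int = POSITIONS_ASKED) -> dict:
    """Model the 'best case' described in the reply: store one hash per
    k-position subset so any challenge can be verified without keeping
    the word itself. Returns {positions: hex digest}."""
    store = {}
    for positions in itertools.combinations(range(len(word)), k):
        store[positions] = _digest("".join(word[p] for p in positions))
    return store


def search_space(k: int = POSITIONS_ASKED, alphabet: str = ALPHABET) -> int:
    """Number of candidates an attacker must try per stored hash."""
    return len(alphabet) ** k


def crack_one(positions: tuple, digest: str, alphabet: str = ALPHABET):
    """Brute-force the k characters behind a single stored hash.
    At 26**3 = 17576 candidates this finishes in well under a second."""
    for cand in itertools.product(alphabet, repeat=len(positions)):
        guess = "".join(cand)
        if _digest(guess) == digest:
            return guess
    return None


def recover_word(store: dict, length: int) -> str:
    """Recover the whole word from the per-subset hashes: crack subsets
    until every position is known, skipping subsets already covered."""
    recovered = [None] * length
    for positions, digest in store.items():
        if all(recovered[p] is not None for p in positions):
            continue
        chars = crack_one(positions, digest)
        if chars is None:
            continue  # alphabet assumption was wrong for this subset
        for p, c in zip(positions, chars):
            recovered[p] = c
        if all(c is not None for c in recovered):
            break
    return "".join(c if c is not None else "?" for c in recovered)


if __name__ == "__main__":
    store = enrol(WORD)
    print(f"{len(store)} stored hashes = C({len(WORD)},{POSITIONS_ASKED})"
          f" = {comb(len(WORD), POSITIONS_ASKED)}")
    print(f"full-word search space: {len(ALPHABET) ** len(WORD)}")
    print(f"per-hash search space:  {search_space()}")
    print("recovered:", recover_word(store, len(WORD)))
```

The contrast the reply draws is the two search-space numbers: a 7-letter lowercase word has 26**7 (about 8 billion) possibilities, but each stored hash only protects 26**3 = 17576, and a handful of those hashes together give back the entire word. Salting or a slow hash would raise the per-hash cost but not the 3-character entropy, which is why the reply calls a breach of such a database a trivial attack.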