eBay New/Change Password Solution
I was hoping AgileBits will be working on an easier way to update passwords on sites that no longer allow for copy and pasting. Will 1Password be able to do this automatically in the future, i.e. able to populate current password and populate new password and re-enter same new password...? ebay used to allow for copy and paste but not at the present. Ebay Customer service has no idea or clue regarding this issue and they don't know why they changed their system to not allow for pasting into password fields. The only way I can accomplish this now is to create 2 new logins called "Ebay Password Current" (with just a password field) and "Ebay Password New"(with just a password field with the new password) and change to "always submit" and this works when I mouse into the field I want 1Password to populate the field. Then 1PASSWORD asks to update the ebay login, and I respond to allow. There has to be an easier work-around from your software gurus... analyzing and determining the field attributes of the ebay update fields, or any site that uses this method, and providing a method to run this with one keystroke would be a great benefit to all your 1Password users.
Love your program otherwise. I have used many password programs, and cannot find a better product than 1PASSWORD. I appreciate the work and constant updates your company provides.
1Password Version: 1Password 6 Version 6.5.BETA-16 (650016) AgileBits
Extension Version: 1Password 6 Version 6.5.BETA-16 (650016) AgileBits
OS Version: 10.11.6
Sync Type: N/A
Comments
-
Hi @NeroWolfe
Thank you for taking some time to write about this issue with eBay, it sounds annoying! I'm going to move your thread to our "Saving and filling in Browsers" category so the right people will be able to see it and help you better.
Someone will comment on the details and technical details about what you propose, so I'll leave that part to our experts. I can however, ask if there's any specific answer why you need to change your password on eBay often? If you've picked a strong, unique, random password there's no need in general to change them unless you think they've been compromised. No need (or usually advantage) of going through the hassle. :chuffed:
I would also like to know if you've been experiencing this behaviour with other sites besides eBay. The more information we have, the easier it will be to deal with these issues!
0 -
@NeroWolfe: Thanks for reaching out! That definitely sounds like a web of woes combining to make some things that are already pretty troublesome (passwords in general, and password change processes more specifically) even more of a headache. I haven't needed to change my eBay password since Heartbleed, so I wasn't aware of the current state of affairs. You raise some important points. While I haven't encountered this seemingly user-hostile (and security-hostile) behaviour on shopping sites, I definitely see this a lot from financial institutions. Either way, not fun!
There has to be an easier work-around from your software gurus... analyzing and determining the field attributes of the ebay update fields, or any site that uses this method, and providing a method to run this with one keystroke would be a great benefit to all your 1Password users.
You're absolutely right that there could be an easier — and almost certainly better — way from a user perspective. Unfortunately that's where the "easy" ends and the pain begins, because to be useful at all it really needs to be reliable. And frankly, the reason that we're not to this Password Change Promised Land already is that there's no one-size-fits-all solution.
Just think of login filling. While we've certainly made progress there (and continue to fight to do so, tooth and nail), the reason that this isn't a solved problem that we can ignore (even for a day!) is that no two sites work exactly the same (unless they were designed by the same entity and are reusing the same code). Now, hopefully you don't encounter too many intractable login filling issues, but many people still do I'm afraid. And by all means let us know when you do so we can work on making 1Password even better at this.
You're probably wondering what this has to do with password changes though. But I'm just trying to illustrate that we've got our work cut out for us with login filling, not so you feel sorry for us — we're insane and love what we do — but rather to point out that while login forms are often problematic, there is more standardization and consistency there than password change forms. So it's an even harder problem to solve from the outset.
Another wrinkle here is that login filling is what we're all doing with 1Password the vast majority of the time. Passwords are — and should be — changed only occasionally. So we do a lot more good for a lot more people by focusing on filling. And to be honest, at the end of each day spent fighting the good fight for you and the rest of our customers who may be experiencing login filling issues, whether troubleshooting, coding, or testing, we're spent...and there's no shortage of work to be done the next day when we wake up.
Again, I don't say this to evoke sympathy, but to illustrate that while better password changing is absolutely something we'd like to do and, I think, something worth doing, it probably won't happen any time soon both for technical and logistics reasons. I'd like to be wrong about that though. Who knows? Maybe we'll perfect a password filling AI and it will teach itself to change passwords too! What could go wrong? :crazy:
0 -
Hello @NeroWolfe,
I haven't used eBay for a while so I took a peek. They do seem quite determined to not allow pasting and like yourself I can't think what good this does or what security threat it protects against. Some things in life are best not pondered for fear of going mad.
What can we do to make this easier though? I've got my thoughts so let's see what you think. If you fill with the Password Generator from inside 1Password mini it fills any empty password field with the newly generated password. This works on eBay and likely works on any other site you've found this issue with. So we've got a way of filling a new password that avoids using a new Login item and hopefully isn't affected by the myriad of anti-pasting approaches. So in my mind this leaves the issue of getting the old password filled. If I fill using my standard eBay Login item I note it fills the wrong field in the change password form. So it seems to me one approach would be from inside our filling logic to better recognise if we're filling a password change form and if we are:
- Better identification of the current password field and fill just the password from the Login item.
- Ignore the submit state of the Login item, never submitting when we believe it's a password change form.
If all of this works what it should mean is when changing a password you would fill as you normally would using the single Login item. It would fill the correct password field and return control to you as the user. You would then open 1Password mini again and fill using the Password Generator. After that the existing code for detecting a password change kicks in. What do you think?
This is all theoretical at the moment but just thinking about it I think it should be quite feasible without risk of hurting filling elsewhere and I think it would be an improvement. What I'm not as keen on is the idea of a single action filling all three fields and the reason is with the above approach you will easily be able to see what field was filled with the existing password before returning. If we fill three fields with two passwords you have to hope everything went smoothly, which while it should, requires a bit more faith and it's harder to know when something went off script. We can discuss this a bit and then I'll write a feature request up as I think this has merit.
0 -
Thanks for the response... let me check out a few things and get back to you.
0 -
We appreciate your feedback on this! It's definitely worth investigating. :)
0 -
So I got a work around fixed on this. I wish I remembered where I went on eBay, but I selected "forgot my password" and had an email sent to me. I clicked on the link, and I was able to make a new password (copy and paist) with no issues.
0 -
Hi @prime,
That's certainly a novel way to bypass their odd restrictions :lol: I haven't forgotten about wanting to improve filling on change password forms so hopefully 1Password can do a better job, it's just about finding the time. Nice investigative work though!
0 -
Thanks @littlebobbytables! I even sent them a couple of links on twitter blasting them how this is stupid. I was changing some passwords and Allstate insurance still had a 10 character limit on their site too.
0 -
Whoa. To be fair, even 12 characters is effectively uncrackable if it's random with a full character set so 10 isn't the end of the world if you're generating it with 1Password. But you're right that in this day and age there's no reason not to allow much longer passwords. :angry:
0