Responding to a security question mis-recognized by 1PW as a password change

I have recently discovered (I think) the reason that my login access to a particular retailer regularly gets disabled. Quite frequently, I'm asked at login to answer a "security question," and when I do so, 1 PW puts up a dialog asking if I wish to update an existing login or create a new one. If I click "update" my security question response is recorded by 1 PW as creation of a new login password!

I've not done an exhaustive search to see if other users have reported this, but needless to say, it's frustrating! Any thoughts on what I should do to avoid this?


1Password Version: 6.3.3 (but this happened before update)
Extension Version: 4.5.8
OS Version: OS X 10.11.6
Sync Type: Not Provided
Referrer: forum-search:security questions

Comments

  • jxpx777
    1Password Alumni

    Hi, @CalfeeRider. Sorry for the trouble you're having. In order for 1Password to leap into action for a password change, at least two password fields are required to be on the page. Can you share the URL where you had this problem? Sometimes sites will have password fields on the page that aren't visible to the user. 1Password does try to reason about the page to understand if the fields are visible or not, but there could be some edge case we need to account for.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • CalfeeRider
    Community Member

    Jamie Phelps kindly answered with

    > Sometimes sites will have password fields on the page that aren't visible to the user. 1Password does try to reason about the page to understand if the fields are visible or not, but there could be some edge case we need to account for.

    I know that for some sites that use security questions I've added fields to my 1Password entries for those sites, in which I apply field labels such as "sec quest 1" and then enter the answers as the field content. Is it possible that 1Password could be "fooled" into a password change response if I've done that? I'm embarrassed that I cannot remember at the moment at what site this occurred most recently.

    One other source of such problems has occurred at sites where typing error correction is applied (I don't know whether the operating system, the website itself, or 1PW is applying the error correction) to the username. In such cases, the username (familiar to me, but a non-word concatenation of two separate words, or a shortening to an abbreviation of a single word) is corrected to a "real" word and therefore rejected by the site as an incorrect entry of the username.

    I'm on the road now. When I return home I'll be wrangling with one of the sites that has caused problems for me in this manner, and I'll let you know my findings.

    Thanks so much!

  • AGAlumB
    1Password Alumni

    Those are definitely some interesting cases from the sound of things. Totally understandable that you don't happen to know the URLs off the top of your head. Just let us know once you're able to and we'll be happy to investigate further. We're here whenever. Cheers! :)

  • CalfeeRider
    Community Member

    I found one yesterday. I've never been able to maintain my login credentials for my ATT small business account, and didn't know until I had time to restore those privileges yesterday while a support person was on the phone with me. I managed to get everything all set, logged in once, had to answer a "secret question" to complete my login, whereupon 1Password posted its "Would you like to save the username and password for this site in 1Password?" dialog, with the two alternative ways to do so being "Create New" and "Update Existing".

    I detest those security questions. Let's say I answer "mother's middle name" in ALL CAPS because I remember adding a bit of something to confound miscreants' attempts to complete login, but then don't recall whether I've done that, or perhaps all lowercase, or perhaps AlTeRnAtInG upper and lowercase. Of course the "secret question" is looking only at the character string, so "MABEL" is wrong if it's looking for "mabel" or "Mabel."

    In this case, once I entered the "correct" answer to the secret question, I mistakenly agreed to permit 1Password to update its info about the site. Next time I tried to log in, I was denied, because 1Password now contained my "secret question" answer in the "Password" field of its web login entry for the site. Here's the site:

    https://www.wireless.att.com/businesscare/login/

    I should add that I'd attempted to avoid this when I created the login a few years ago by including a data category I'd named "Secret Questions" for the site, w

  • CalfeeRider
    Community Member

    Here's another example of the same thing, at https://baynet.bayalarm.com/login/.

    I selected the 1Password login, which auto-entered the email address and password, and then the host asked me to type in my "code word." When I did so, 1Password asked me to choose whether or not I wanted to save changes.

  • AGAlumB
    1Password Alumni

    @CalfeeRider: First of all, thanks so much for following up on this! I was excited to dive deeper into this issue, but it seems that I got my hopes set too high. The right way for this to work I think would be for the site to not leak info like "User not found" and just accept any garbage login credentials, ask for security information, and then fail without telling the "attacker" (in this case, me) why. Unfortunately that's not the case here, so it seems I can't test these without a valid account (I actually have an AT&T account, but apparently not the right kind!)

    I hate to do this to you, but would you be able and willing to send us saved copies of the webpages themselves? If so, just attach it to an email to support+extension@agilebits.com with a link to this discussion. Alternatively, if you're comfortable looking through the source yourself, just knowing the names/IDs in the security question forms may help us make 1Password smarter about these. That said, I appreciate that this may not be your idea of a good time, so no worries if that's asking too much. I just figured I should at least ask since you've been so proactive about reporting these issues.

    And I have to ask one other question too, completely unrelated, out of curiosity: Is that Yosemite? :)
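
Added example (not from the thread, and not 1Password's code): a short Python script that lists the password-type inputs in a saved copy of a page, giving the names/IDs the reply above asks for and whether each field is hidden by an inline attribute or style. The keyword pattern, the sample form and its field names are constructed assumptions, and hiding done through external CSS is not detected.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list for spotting security-answer fields; not from 1Password.
ANSWER_HINT = re.compile(r"secur|secret|answer|challenge|code.?word", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class PasswordFieldAudit(HTMLParser):
    """Collect every <input type="password"> with its name, id and visibility."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "input" or a.get("type", "").lower() != "password":
            return
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
        self.fields.append({
            "name": a.get("name", ""),
            "id": a.get("id", ""),
            # Only the hidden attribute and inline styles are checked here.
            "hidden": "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", ""))),
            "looks_like_answer": bool(ANSWER_HINT.search(label)),
        })


def audit(html):
    """Return one dict per password-type input found in the HTML text."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.fields


# Constructed sample page (not taken from either site named in the thread).
SAMPLE = """
<form action="/verify" method="post">
  <input type="password" name="oldpw" style="display:none">
  <label for="sqAnswer">Where did you meet your wife?</label>
  <input type="password" id="sqAnswer" name="securityAnswer">
  <input type="submit" value="Continue">
</form>
"""

if __name__ == "__main__":
    for field in audit(SAMPLE):
        print(field)
```

A page that reports two password-type inputs, one of them hidden and one named like a security answer, matches the situation described in the first reply.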

  • CalfeeRider
    Community Member

    First, the easy one: Yes, it's Yosemite (actually, not so easy). My photos are scattered all over my Mac, in horrible disarray. I thought at first it was taken at Lake Louise, but the creation date was long enough ago, time of the year wrong, and my midsection small enough that it could not have been taken there. So, I peeked at my calendar to see what I'd been doing then. It answered "you were on vacation with nothing to keep track of." So, I figured that if I was on vacation it must have cost me something; sure enough Quicken told me I was at the Tenaya Lodge (South Entrance).

    Now, the difficult ones: which pages do you want me to save? The ones asking for input? (I'd guess that would be when I'm being asked for my user ID and PW, and then when I'm being asked for the answer to my security question). I'm in Safari (10.0). The default is "web archive." Does that work for you?

    I don't know enough HTML to decipher what's where, so I don't think I could help by trying to parse the source myself.

    As for my willingness to supply information to get this figured out, you bet I'll keep trying. Believe me, it's no fun remembering to pay a credit card bill on the very last day before interest is charged, only to have my login attempt foiled, discovering that my password is now the answer to "Where did you meet your wife?" rather than the indecipherable sequence of keystrokes generated by 1PW's "Password Generator" the last time I paid that bill.

  • AGAlumB
    1Password Alumni

    > First, the easy one: Yes, it's Yosemite (actually, not so easy). My photos are scattered all over my Mac, in horrible disarray. I thought at first it was taken at Lake Louise, but the creation date was long enough ago, time of the year wrong, and my midsection small enough that it could not have been taken there. So, I peeked at my calendar to see what I'd been doing then. It answered "you were on vacation with nothing to keep track of." So, I figured that if I was on vacation it must have cost me something; sure enough Quicken told me I was at the Tenaya Lodge (South Entrance).

    @CalfeeRider: Thank you! That was driving me crazy! I was there this spring and it looked so familiar! :lol:

    > Now, the difficult ones: which pages do you want me to save? The ones asking for input? (I'd guess that would be when I'm being asked for my user ID and PW, and then when I'm being asked for the answer to my security question). I'm in Safari (10.0). The default is "web archive." Does that work for you?

    A Web Archive of the page with the security questions (which triggers 1Password's Autosave) would be perfect! Don't even fill anything. Just knowing the form elements that are causing 1Password confusion could help us improve it.

    > I don't know enough HTML to decipher what's where, so I don't think I could help by trying to parse the source myself.

    Hey, no problem! It's really awesome of you to take the time to share this information with us in the first place. I won't ask you to learn HTML too. ;)

    > As for my willingness to supply information to get this figured out, you bet I'll keep trying. Believe me, it's no fun remembering to pay a credit card bill on the very last day before interest is charged, only to have my login attempt foiled, discovering that my password is now the answer to "Where did you meet your wife?" rather than the indecipherable sequence of keystrokes generated by 1PW's "Password Generator" the last time I paid that bill.

    That's a great example, and I can't tell you how sorry I am that 1Password played a part in that fiasco. While I haven't run into this specific issue, I can definitely relate to the bill pay scramble, and it's no good when something that's supposed to make this easier for you actually makes it harder. Down with interest and late fees! :ohnoes: :-1:

  • jxpx777
    1Password Alumni

    Thanks, @CalfeeRider. We've received your email. Thanks for sending those webarchive files. We will follow up with you in the email thread and then we can update this forum thread if there proves to be information that might be more widely relevant.

    ref: HTL-76776-919

This discussion has been closed.