How to prevent filling username?
Our site has the normal sign-up, sign-in, and change-password forms. 1Password works fine for those.
In addition, however, there are some sensitive forms that require the user re-enter their password even after they've signed in. Those forms don't have a username (since we know which user is signed in), but they do have a password field and some other fields. When users try to use 1Password to fill in the password field, it gets a little over-eager and fills in other non-security fields. For example, it fills in a "keys" field with the username.
How can we prevent 1Password from populating a field?
1Password Version: 6.3.3
Extension Version: 4.6.1.90
OS Version: OS X 10.11.6
Sync Type: Not Provided
Comments
-
I tried `autocomplete="off"`, but that didn't work. I also tried `name="something-not-at-all-like-username"` to no avail.
One option might be `<input readonly onfocus="this.removeAttribute('readonly');" />`, as suggested here, but that could interfere with CSS styling for `input[readonly]` and could confuse users.
0 -
I also tried separating the fields into different `<fieldset>`s to indicate that they're not semantically related. That didn't work either.
0 -
Greetings @jamesarosen,
So I believe we completely ignore `autocomplete="off"` as do most managers. It's a shame but sites were abusing the feature rather than using it responsibly, forcing everybody to ignore it so the password managers could do their job. We recently altered the extension to ignore read-only fields but instantly we started getting requests to remove this because some sites again use this to make the user's life difficult. It makes it harder for sites who are happy to co-operate and want to use any flag they can to help guide the password manager.
The site you're referring to, can anybody sign up? I find the best way to see what can be done is for us to take a look. If that's possible but you'd rather not supply the URL in our public support forums then we can move this to email. Either way I'm sure between us we can find a way to have 1Password behave better :smile:
0 -
The site you're referring to, can anybody sign up?
Yes, but it takes a solid 30 minutes of setup to get to the form I'm talking about. I tried recreating it here, but it seems like the iframe is messing with the ability to use the extension. It's really just two fields: one that's not a username and one that's a password. I want to tell 1Password it should only fill the password field.
0 -
Right now, we don't have a way to tell 1Password not to fill a field. As with `autocomplete="off"`, this could easily be abused by website owners that think they know what is best for a user's security, much the way banks have historically included this attribute on their sign in forms and this is no small reason why browsers either ignore it entirely or offer the option to ignore it. (Chrome, Firefox, and Safari) 1Password has always ignored this attribute.
I think the best way to handle this is to set the field to `readonly` when the password prompt displays. So, something like:

```javascript
function showPasswordPrompt() {
  document.getElementById("fieldToAvoidFilling").readOnly = true;
  document.getElementById("passwordPrompt").style.display = "block";
}
```

Could you give that a try and let us know how it goes?
--
Jamie Phelps
Code Wrangler @ AgileBits
0 -
Setting the `readonly` attribute does prevent 1Password from filling, but I want the field to be editable. The solution seems to be something like

```html
<input name='key' class='no-1password' />
```

and

```javascript
$('body').on('focusin focusout', '.no-1password', function (event) {
  // Pass a boolean: jQuery removes the attribute for false, while an empty
  // string would still leave the boolean attribute set.
  $(this).attr('readonly', event.type === 'focusout');
});
```

to remove the `readonly` attribute when the input receives focus.
0 -
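The focus-toggle idea from the post above, written without jQuery, as an added example that is not part of the original thread. It also locks the fields before their first focus. Only the `no-1password` class comes from the post; `installFillGuard`, `readOnlyFor` and `isGuarded` are hypothetical names. The replies in this thread report that 1Password fills read-only fields under certain circumstances and that the technique did not hold for password inputs.

```javascript
// Added illustration, not code from the thread. Function names are
// hypothetical; the "no-1password" class is the one used in the post above.

// A guarded field is editable only while the user is inside it.
function readOnlyFor(eventType) {
  return eventType !== 'focusin';
}

function isGuarded(el) {
  return Boolean(el && el.classList && el.classList.contains('no-1password'));
}

// root: a Document or Element containing the re-authentication form.
// Returns a function that removes the guard and unlocks the fields.
function installFillGuard(root) {
  // Lock every opted-in field up front, so it is read-only before first focus.
  const fields = Array.from(root.querySelectorAll('input.no-1password'));
  fields.forEach((el) => { el.readOnly = true; });

  const onFocusChange = (event) => {
    if (isGuarded(event.target)) {
      event.target.readOnly = readOnlyFor(event.type);
    }
  };

  // focusin/focusout bubble, so one delegated listener covers the whole form.
  root.addEventListener('focusin', onFocusChange);
  root.addEventListener('focusout', onFocusChange);

  return function uninstall() {
    root.removeEventListener('focusin', onFocusChange);
    root.removeEventListener('focusout', onFocusChange);
    fields.forEach((el) => { el.readOnly = false; });
  };
}
```

In a page this would be called once as `installFillGuard(document)` after the form is rendered.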
It's certainly something worth considering. :)
0 -
Hi @jamesarosen,
I'm a bit surprised this helped but can't argue with it if it did. We briefly did look at not interacting with read-only fields to improve the general expected behaviour but then received a number of complaints about 1Password not filling where it used to. Unsurprisingly it was financial sites as it always seems to be. So we had to adjust the filling behaviour once again to allow filling into read-only fields under certain circumstances.
If it works though it works.
0 -
For what it's worth, I can not get this technique to keep `<input type=password />`s from autofilling, though it does work on regular text fields. Is there any other way to block 1Password from autofilling?
0 -
As I said back in October, we don't want to allow for a way for a site to turn 1Password filling off. Can you share an example site where this is a problem so we can have a more concrete use case to consider?
0 -
@adamyonk: Also, to be clear, 1Password does not autofill. It only does anything when you actively tell it to fill a login, so I'm not sure I understand why you'd ask it to if you don't want it to do so. Are you maybe having this interaction with your browser's autofill feature instead?
0 -
The issue we are having must be coming from elsewhere in the user's setup. I was trying to stop 1P from filling a field at all (and I can understand why you wouldn't want to give me the capability of doing that), and the reported issue had to do with autofill and is probably unrelated to 1P. Thanks for your response.
0 -
Most commonly, you can recognize your browser's autofill because it turns the background of the fields yellow. Do let us know what you find from the user's machine, though, in case there is something we can do to help. :)
0