Passwords folder (the one with the key) - what is its purpose?
I'm not sure what the Passwords folder is for. I think I have an idea, but I don't know for certain.
Yesterday, I tried logging on to a site and it said my password was incorrect, so I clicked on the Forgot Password link. Once I verified who I was I was allowed to create a new password and used the password generator from 1PW. When I did that, a window came down and asked if I wanted to update the password in 1PW. I said yes. Once I finished my work, I logged out and tried logging in again to see if the password was, in fact, updated. It wasn't.
I then looked in the Password folder and saw 15 different files and found the one that pertained to this particular site. I tried using this file to log in to that account and it worked.
My question then is: why didn't the password get updated to the Login folder and what are those other 14 files? Does that mean I've updated 14 other passwords over time and these now hold the correct passwords?
Thanks.
1Password Version: 6.6.1
Extension Version: 4.6.3 & 4.6.3.90
OS Version: 10.12.3
Sync Type: Not Provided
Comments
-
Hi @RCMjr,
The Password category is an unusual one in that while you can create Password items manually if you wish (I do this for things like PINs for iOS apps) it's primary use is by the Password Generator. When you use the Password Generator in 1Password mini and either copy or fill using a generated password 1Password creates a Password item as a safety net. If used inside a browser with the extension installed it will set the title according to the domain of the open tab and store the URL of the page that was active when the Password Generator was used. 1Password does this in a bid to help remind what the password was likely used for.
There are a number of actions that occur when 1Password asks if you want to update a password and you tell it yes.The first thing 1Password does is analyse the page using what we call the brain, the code that handles filling and saving. 1Password then attempts to recognise the new password from the various fields on the page. This will make more sense when you consider that in the majority of cases a password change form will ask for the existing password and the new password. We then replace the existing password in the Login item you've instructed 1Password to update with the password we believe to be the new one.
We also check existing Password items. If we find a Password item points to the same domain in the stored website field and the password stored in the Password item matches the new password we remove the Password item as it has now served its purpose.
So in the scenario you described 1Password clearly got confused but the Password item served its purpose of being a safety net. Now with the other 14 items it's harder to say. If you ever copied or filled with the Password Generator but didn't go through with using it that would cause an entry to hang around. If you changed a password but 1Password didn't offer to update and you manually updated a Login item that would also cause a Password item to hang around as 1Password only removes them when the update existing code is being run.
One option for clearing things up is the Help > Tools > Remove Redundant Generated Passwords If it finds a password in a Password item is stored in a Login item for the same site with the same password it will remove it. If you find you still have items afterwards the easiest thing to do is note which sites they are for and try logging into the site with your existing Login item. If the Login item works it would seem safe to say the Password item is redundant.
Off the top of my head I can think of two scenarios where 1Password can get confused and offer to update an existing Login item yet not save the right password. The first are sites that ask for the existing password and the new password but no confirmation of the new one. This area is one on our radar for improving. Another scenario is if a site mangles the password field at all. I'm more thinking of banks here as they tend to do a lot of weird things that you rarely see elsewhere. We know of at least two separate banks where they like to obfuscate the password meaning the obfuscated one is all 1Password can see. Even though we're aware of it we're struggling to see what we can do about it. We'll continue to consider but it's a tough one.
If you're happy to say what site you observed this issue with here in our public forums I would like to learn so we can go take a look and see what we can maybe do to improve our accuracy in this area.
0 -
I'll try and read this more thoroughly later today, but here's the site that prompted this question: https://secure.connectyourcare.com/portal/CC?rnd=1488755055030.
Chip
0 -
Thanks for the link, Chip, but it looks like the password page will be hidden behind that first username page, so I'm not sure we'll be able to glean any helpful info…
One thing that springs to my mind is that maybe the page is using an iframe with a different URL. So, for instance, you're on secure.connectyourcare.com but the password form is actually served from secure.example.com. Do the passwords that were generated and the Login items that you have saved contain the same URLs or are they different in any way?
--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas0 -
The first link is the one that's in my Connect Your Care login category, while the second comes from the Password category.
https://secure.connectyourcare.com/portal/CC?rnd=1485034443903
https://secure.connectyourcare.com/portal/CC?rnd=1488755055030
0 -
Hm… so that doesn't fit with my theory. There is an issue we're working to improve with some password change forms not being recognized and when you switch to the "Update Existing" tab, it can pick up the wrong password field as the one to update from. Do you happen to remember if you had to change the tab to Update Existing? Could you post a screenshot of the forgot password form (with no data filled in)? Seeing a bit of how it's structured could help us understand what might have happened.
0