Usability problem saving passwords when using multiple vaults

austin

I’m the administrator for my family account, and my brother messaged me panicked because he had reset an email account password; 1Password Mini prompted to update an existing account which turned out to be my mother’s email account (we both have access to my mother’s vault). I tried his steps and saw the same behaviour. Here’s the reproduction:

1. Neither of us have my mother’s vault set in the “All Vaults” view.
2. We did not have this particular account saved in one of our vaults.
3. We change the password on the account. 1Password Mini prompts to update the record in my mother’s vault. If you don’t move quickly, the dropdown states this clearly, but if you aren’t paying attention, you update the wrong record instead of creating a new record as was intended.

There are two behaviours that I would expect:

1. If I am in “All Vaults” (⌘0), I should only be prompted to update records that are visible in the vaults selected. If there are no records in those vaults, prompt me to create one.
2. If I am actively selecting a specific vault (⌘1, such as my vault, or my mother’s vault), I should only be prompted to update records that are visible in the selected vault. If there are no records in those vaults, prompt me to create one.

I was able to recover this because the Mac client shows me the password history, so my mother shouldn’t even notice this particular issue, but it would be nice to have sane defaults prevent this from being an issue in the future.

---

1Password Version: 1Password 6
Extension Version: Not Provided
OS Version: macOS (multiple versions)
Sync Type: 1Password for Families
Referrer: forum-search:Problem when updating passwords with multiple vaults

AGAlumB

@austin: Thanks for reaching out. I’m sorry for the confusion! I hope you don't mind, but I've move this discussion to the browser filling category so we can focus on the issue(s) you're describing.

Please correct me if I'm misunderstanding your scenario, but from your description it sounds like 1Password is just respecting your "vault for saving” setting in 1Password Preferences > All Vaults. Is that what you're seeing? You kind of touched on a few separate things, so I'll also try to touch on those.

It may be that we can consider other options in the future as well, but it can get a bit messy that way. For example, in most cases, the user will expect that this setting will work as described, defaulting all login saving to the specified vault, at which point they can select another vault when saving. So with regard to the concern of needing to verify that you're updating the correct login, that can't be helped, as regardless of any settings and which vault is selected, you really need to make sure that you're saving or updating the way you think you are, as your intent isn't something that 1Password can definitively determine for you. For example, when I want to save a brand new login instead of updating an old one, I may need to specify that if 1Password offers to update my existing login instead. So it is incumbent on each of us to pay attention to what and where we're writing data, just as when we're saving documents.

Moving on, there are a few things I'm confused about here with regard to the "update" question. If you're in All Vaults, and this vault is excluded, how are you filling the password to change it in the first place? I think you may have a point about the update prompt in general, where a slight behavioural change and perhaps some design tweaks may help, but I want to make sure I understand fully first. I look forward to hearing back from you! :)

austin

OK, I obviously didn’t explain this well enough, because I touched on exactly two things. Please note, this is not about browser filling as such, but about correct record update detection.

Here’s the setup:

1. I have two vaults, A and B.
2. My “All Vaults” view excludes B.
3. There exists a password for service Y in vault B for a account Yb.
4. I am in the “All Vaults” view.

Here’s the scenario that is broken:

1. I need to log into service Y for account Ya.
2. I don’t remember my password and it is not saved vault A.
3. I reset my password and am prompted to make a password by service Y. I use the 1Password password generator and fill the password.
4. I hit submit on the service Y password reset.
5. 1Password prompts me to update a password. In this case, it prompts me to update Yb in vault B which is not currently in the list of vaults I’m looking at.

What should have happened is that 1Password looks only for accounts in visible vaults to update, otherwise it prompts to create.

Let’s modify the scenario a little:

1. I have three vaults, A (no record for account Ya), B (record for account Yb) and C (record for account Yc).
2. My “All Vaults” view excludes B. I am in “All Vaults” view.
3. I reset the password for Ya.
4. 1Password prompts me to update a password, Yc, because it is in my “All Vaults” view (the view I’m currently in).

Now, this second scenario isn’t really ideal, but at least it makes sense. If I am not seeing a vault because of my view settings (either because I am in a less-than-all “All Vaults” view or because I am viewing a specific vault), I should not be prompted to update records that I can’t search for.

The problem wasn’t an update prompt in general (but I will agree that the UX around that is suboptimal, but I have no really good suggestion for this), but an update prompt for an account that I could not auto-fill because of my settings. Clearer?

AGAlumB

@austin: That makes it perfectly clear! Thank you! I don't think it was your fault. It's just confusing, and admittedly that's the problem. I had most of that in mind, but the details really matter. I agree that what you're suggesting makes more sense, but also that this is kind of a murky area where there isn't a perfect solution. There's definitely room for improvement, and I've filed an issue for this.

Just to clarify, while this doesn't involve filling, since it's stuff happening in the browser and interacting with the 1Password extension there (for saving/updating), I just wanted to make sure that I moved this over so it gets all of the attention it deserves from the team working on this. Thanks for being patient with me.

ref: OPM-4915