Changing Password Process needs work

I just checked https://support.1password.com/change-website-password/ to see if there's anything I was missing, and there isn't.

The problem with the steps you've described is that there's an easier way to accomplish the same task that uses 1password LESS.

Having to flick to and fro between 1password to retrieve the old value and then back to generate the new value makes the process cumbersome. I found it much easier to go to an external password generator - I used http://passwordsgenerator.net/ - to generate the new password, and just paste that into the field and let 1password pick up the change and offer to save the new value when you submit the form, than it is to browse your way to the entry in 1password first, and then click edit, and then click regenerate.

If I try to use the "Password Generator" in the 1password mini client, then as soon as I click "Copy", it's saved to a new independent entry just called "Password" in the Password safe, which is literally the last thing I want it to do, and makes that function of password safe worse than just going to a website. Having created a password that I plan to use for something, I'm going to save it attached to the relevant entry. You can't (afaik) change the type of an entry from "Password" to "Login" or anything else - which is annoying - and having a context-free password hanging around with nothing to tell me what it means or what it was for is useless. If I find it a week later, I won't even know it's safe to delete.


1Password Version: 6.5.401d
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • Drew_AG
    1Password Alumni

    Hi @bencurthoys,

    Thank you for contacting us about this! I'm sorry you're having trouble using 1Password to help you change website account passwords. It should be much easier than what you described, and I think I know what's going wrong:

    "I found it much easier to go to an external password generator ... than it is to browse your way to the entry in 1password first, and then click edit, and then click regenerate."

    You definitely shouldn't need to do that, and the article you mentioned (Change your passwords and make them stronger) has very different steps to generate and update passwords for Logins/website accounts.

    To summarize those steps, you'll want to find the 'change password' form on the website, fill in your current password, then use the Password Generator feature in 1Password mini to create and fill the new password. When you submit the form, 1Password should ask if you want to update your Login item with the new password.

    It sounds like this is where you're running into a problem:

    "If I try to use the "Password Generator" in the 1password mini client, then as soon as I click "Copy", it's saved to a new independent entry just called "Password" in the Password safe"

    The name of the Password item comes from the app or website you were using/viewing when you generated the password. If you ended up with a Password item named "1Password", it sounds like you were using the main 1Password app when you generated the password in 1Password mini.

    Instead, open the website first and find the 'change password' form. Fill in your current password if necessary, then click on 1Password mini in the menu bar (or use the ⌥⌘\ (option+command+backslash) keyboard shortcut). Use the Password Generator option there to create a new password, then click the 'Fill' button. That should fill the new password into the 'change password' form. At this point, the new password will be temporarily saved in a Password item (named after the website) to make sure you don't lose it. When you submit the form and tell 1Password to update your Login item, it will automatically delete the Password item.

    Again, this is the same process described in the article you mentioned, although it doesn't mention the details of what happens in the background with the Password item. If you follow those steps, it should be a smooth and easy process.

    Hopefully this helps, but please let us know if you have any trouble with that, or if you have more questions. Cheers! :)

  • bencurthoys
    Community Member
    edited May 2017

    Ok, so, I'm going to try this now. I've logged into a development account on a payment gateway, and because of PCI/DSS rules it's forcing a password change. I see this in the browser:

    With the focus on the browser textbox, I launch 1password mini with the shortcut, and click the Password Generator

    and there isn't a "Fill" button.

    If I click "Copy" then it creates a new 1password entry named "Password".

  • bencurthoys
    Community Member

    So, because I actually needed to log into this system, and clicking the "Copy" button inside the 1Password Password Generator has undesirable side effects and takes more clicks, I generated a password elsewhere, copied it to the clipboard, pasted it into the form, and then on submitting the form 1Password offered to save the update, which was fine:

    It just feels like a lot of the 1Password browser integration gets in the way of "generate a random sequence of characters and insert it into the clipboard buffer" which is all I really want it to do.

  • littlebobbytables
    1Password Alumni

    Hello @bencurthoys,

    So there are two issues that we need to see addressed in 1Password 6 for Windows but I feel there is some confusion here as well. Let's start with the issues.

    1. 1Password 6 for Windows does not yet offer a fill option in the Password Generator dialog.
    2. 1Password 6 for Windows doesn't clean up old Password items after saving/updating a Login item. I need to double check this but I believe this is the case.

    Now regarding the confusion that I believe is present. Even once both of these are addressed in 1Password 6 for Windows, the application will continue to generate Password items any time the Password Generator is used regardless of whether it is to copy or fill. The reason for this is to act as a safety net should anything go wrong. What you don't want happening is you update a site to use some ridiculously complex password (the best kind!) and then 1Password for reasons unknown doesn't react. There are no real standards when it comes to fields so everything is based on recognising the various designs we see. People are creative though and constantly keep us on our toes with sometimes frankly bizarre designs. I would vehemently argue to keep any safety net in 1Password rather than risk locking somebody out of an account.

    So the Password item isn't there to be used in replacement of a Login item, it's really just meant to hang around long enough to ensure the password is stored in something more useful. Once everything is working smoothly in 1Password 6 for Windows the way it would work would be:

    1. You generate a password and fill. This will still create a Password item.
    2. When you submit the form 1Password recognises and asks you to either Create new or Update existing. This should be happening already even if you only have a copy option in the Password Generator.
    3. After saving/updating a Login item, 1Password notices it has a Password item with the same password and for the same site. The Login item makes the Password item redundant and so the Password item is moved to the Trash.

    The Password items won't interfere with filling when there is a valid Login item. By this I mean that say you use the Password Generator and you've saved/updated a Login item as a result. The keyboard shortcut to fill the current page, ctrl + \ by default I believe, will only look for a Login item and not a Password item. This means Password items can be deleted in bulk at your convenience rather than immediately. I don't know if that makes any difference or not.

    Obviously it will be better once 1Password 6 for Windows addresses these two and removes the manual bits that it currently has. We do have them listed, it's just about making our way through the list as there are still many items to address in 1Password 6 for Windows due to the young age of the code behind it in contrast to 1Password for Mac.

    ref: OPW6-793
    ref: OPW6-1051

  • bencurthoys
    Community Member

    Thanks for the reply.

    1. Ah ha! it was a Mac program before it was a Windows program... that explains why things in the UI are never quite where I expect to find them =)
    2. You really shouldn't be using that excuse any more if 1Password for Windows has been around since 2010 and you've had time to rebuild it from scratch for v6!
    3. I get that generated passwords should go into some kind of ephemeral storage so you're not left locked out of an account. I always used the clipboard for this, but that I accept is really easy to accidentally overwrite.

    What I think would nail it for me would be some kind of specialised password update dialog that had TWO password boxes on it. It would show the current password - with copy / autotype options - and have a separate textbox for the new password below it with the usual generation controls plus copy / autotype. That way you can see both side by side, copy each into the relevant parts of the target form, and then hit a button that says "confirm password change" when you're done and the change has been accepted to commit that change to the database.

    That way if the new password is rejected by the target system (because the new random password failed a password rule https://blog.codinghorror.com/password-rules-are-bullshit/ ) then I've still got the original password there to try again without having to cancel out / look at the password history / whatever.

    You can persist all the values generated whilst on that dialog in some kind of storage, and if the program crashes before the change is committed then you can recover them, but when either the confirm or cancel button is pressed all those in between passwords can safely be forgotten about.

    It's functionally equivalent to what you do now, but in my opinion would make for a friendlier and lower friction UI.

    BTW: I don't think that the current ephemeral password entries record which site they were generated for, so all your proposed autodelete function has to go on is "is the password the same". I think that's probably enough. If it's cryptographically possible to detect when two entries have the same username and password, as you suggest, I would love it if there were a function to report on "entries which reuse passwords", and a further option to merge entries which share username and passwords, if they happen to be two records for the same system that got recorded twice.
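
An added sketch (not 1Password's code, and not from any poster in this thread) of the safety-net lifecycle littlebobbytables lists above, including the blank-website case bencurthoys raises and the password-reuse report he asks for. The `Item` model, the character set and every function name are hypothetical, and the URLs in any usage are constructed.

```python
# Added illustration: Item and all function names here are hypothetical.
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Item:
    kind: str            # "Password" (safety net) or "Login"
    title: str
    password: str
    website: str = ""    # blank when the generator did not know the site
    username: str = ""
    trashed: bool = False

def host(url):
    """Lower-cased host of a URL, or "" when no website was recorded."""
    return (urlsplit(url).hostname or "").lower()

def generate(vault, website="", length=24):
    """Create a password and store the safety-net item before handing it out."""
    alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789-_."
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    vault.append(Item("Password", host(website) or "Password", pw, website))
    return pw

def save_login(vault, title, website, username, password):
    """Create or update a Login, then trash Password items it makes redundant."""
    login = next((i for i in vault if i.kind == "Login" and not i.trashed
                  and host(i.website) == host(website)
                  and i.username == username), None)
    if login is None:
        login = Item("Login", title, password, website, username)
        vault.append(login)
    login.password = password
    trashed = 0
    for item in vault:
        if item.kind != "Password" or item.trashed:
            continue
        same_pw = hmac.compare_digest(item.password.encode(), password.encode())
        # Blank website (the Copy case in the thread): match on password alone.
        same_site = not item.website or host(item.website) == host(website)
        if same_pw and same_site:
            item.trashed = True
            trashed += 1
    return trashed

def pending(vault):
    """Safety-net items still live: generated but never saved to a Login."""
    return [i for i in vault if i.kind == "Password" and not i.trashed]

def reused(vault):
    """Groups of live Logins sharing a password, keyed by a per-run HMAC tag."""
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for i in vault:
        if i.kind == "Login" and not i.trashed:
            tag = hmac.new(key, i.password.encode(), hashlib.sha256).digest()
            groups[tag].append(i.title)
    return [sorted(t) for t in groups.values() if len(t) > 1]
```

Anything `pending()` still returns after a password change is the case the safety net exists for: the site took the new password but no Login item was updated.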

  • matthew_ag
    1Password Alumni

    Hey @bencurthoys,

    "Ah ha! it was a Mac program before it was a Windows program... that explains why things in the UI are never quite where I expect to find them =)"

    We do try to keep our apps to be as close to the user experience feel as one would expect on a given operating system. You may see changes in the 1Password for Windows app yet in terms of design though. Let us know if you have any feedback about other parts of the design.

    "You really shouldn't be using that excuse any more if 1Password for Windows has been around since 2010 and you've had time to rebuild it from scratch for v6!"

    1Password for Windows 6 has come a long way since we released the beta version back in June of last year. We haven't been able to directly use any of the code from version 4 since it was built without using the latest and greatest Universal Windows Platform (UWP) technology that Microsoft has made available with Windows 10. We still have a lot to catch up on but we're making progress :)

    "I get that generated passwords should go into some kind of ephemeral storage so you're not left locked out of an account. I always used the clipboard for this, but that I accept is really easy to accidentally overwrite."

    The clipboard can be quite useful however there are a number of problems with it:

    • It can be read by any app running under your local user account making it a great tool for snooping apps.
    • As you mentioned, it can be quickly overwritten by other content which can result in being locked out.

    Having a more permanent and secure storage for generated passwords solves these issues.

    "What I think would nail it for me would be some kind of specialised password update dialog that had TWO password boxes on it. It would show the current password - with copy / autotype options - and have a separate textbox for the new password below it with the usual generation controls plus copy / autotype. That way you can see both side by side, copy each into the relevant parts of the target form, and then hit a button that says "confirm password change" when you're done and the change has been accepted to commit that change to the database."

    Thank you very much for this suggestion, it does make the process a lot more manual though because 1Password's Autosave feature should be detecting the vast majority of sign in and password update changes on websites. We do know it doesn't work 100% for all websites however we are gathering as much information about the websites that the automatic saving detection doesn't work on with the aim of improving the process.

    With the 1Password for Mac approach (which we hope to get to on Windows), if a user is on a password change form on a website and wishes to change their password, the approach currently is:

    1. They copy their current password if required into the website.

      1Password for Windows actually currently provides this with a nice menu feature if you right-click on a Login item in 1Password Mini (see screenshot below):

    2. They can access the 1Password Strong Password Generator via the 1Password Mini and fill the generated password directly into the page (it will automatically fill the new password fields). The password is autosaved at this point in 1Password. This is how it looks on 1Password for Mac:

    3. When they click the button to submit the Change Password web form, 1Password auto detects the change and offers to update their existing Login item. They can click "Update".

    So in very few clicks they will have their password updated in 1Password and avoid use of the clipboard. Hopefully once we add the fill feature to 1Password for Windows, the process will be faster than it currently is.

    "BTW: I don't think that the current ephemeral password entries record which site they were generated for, so all your proposed autodelete function has to go on is "is the password the same"."

    1Password for Windows does store the website for any Password item generated using the 1Password Strong Password Generator while viewing a web page in a browser with a 1Password extension. You should see it shown in the website field of the Password item. Let me know if you're not seeing that happen.

    Password changes are important to get right and hearing great ideas like this is certainly going to help improve 1Password. Thanks again for taking the time to write in to us.

    I hope that helps. Please let us know if we can be of further assistance.

    Best regards,
    Matthew

  • bencurthoys
    Community Member

    Let's look at the password reset process on one of my customers: https://tickets.windsor.gov.uk/
    This way, if the problem is with the website, I can fix that too =)

    I've already got a password saved for my test account in my 1password vault. I go to the login page and hit the "Reset password" button:

    and I'm sent an email with a link to a password reset form with the unique reset code etc in the url:

    I reenter my email address, and put the focus in the New Password box, and I press ctrl + alt + \ to open 1password mini, and I choose the password generator, and I click copy, and I paste that password into both boxes.

    I get the 1password browser popup asking me to update an existing login, and I select the login and update it.

    At this point the password on the login entry is updated to the new password, but the standalone password entry does NOT have any website or other identifying information:

    It's just a password.

    And I'm pretty sure the extension is running:

    PS: https://msdn.microsoft.com/en-us/library/system.windows.forms.sendkeys(v=vs.110).aspx HTH =)

  • bencurthoys
    Community Member

    Also, WRT:

    "it does make the process a lot more manual though because 1Password's Autosave feature should be detecting the vast majority of sign in and password update changes on websites. We do know it doesn't work 100% for all websites however we are gathering as much information about the websites that the automatic saving detection doesn't work on with the aim of improving the process."

    I would strongly argue that your manual fallback options should be polished and usable AS WELL - for the cases where the automation doesn't work. You know that automation doesn't work 100% of the time, and you know there will always be new edge cases and new websites and new fashions in login lightboxes that manage to be on different URLs every time and not have any kind of consistent html markup for you to parse. And if you rely on your browser integration for 100% of your usability improvement, I have some bad news for you: I also have passwords for things that aren't websites. Games, communication tools, email accounts, RDP connections to servers, databases...

    For a relatively small investment of time, you can change

    "1password works so invisibly that 99% of the time I don't notice it, but the 1% of the time that it doesn't work it's really annoying and makes me cross and that's all I notice so my overall impression is negative"

    to

    "1password works really well in manual mode, and there's some cool automation that means that 99% of the time I don't even have to do that. I love it!"

  • AGAlumB
    1Password Alumni

    @bencurthoys: Just to clarify, a "Password" item is saved when you use a generated password, and it should only contain a password and nothing else.

    I don't think anyone's arguing against continuing to polish and improve things. That's why we're here, after all, and we really appreciate the feedback!

    Now, I disagree that it's "a relatively small investment of time", but it's something we care deeply about and are committed to nevertheless. ;)

  • bencurthoys
    Community Member

    "Just to clarify, a "Password" item is saved when you use a generated password, and it should only contain a password and nothing else."

    Oh. So, @matthew_ag said

    "1Password for Windows does store the website for any Password item generated using the 1Password Strong Password Generator while viewing a web page in a browser with a 1Password extension. You should see it shown in the website field of the Password item. Let me know if you're not seeing that happen."

    and I was just letting him know that it didn't happen. It doesn't really matter either way.

  • matthew_ag
    1Password Alumni

    Hey @bencurthoys,

    "and I was just letting him know that it didn't happen. It doesn't really matter either way."

    I apologize, you are correct - 1Password for Windows does not save the website field when you click "Copy" on the 1Password Password Generator. This is how it works on 1Password for Mac and I didn't check it on Windows. I'm very sorry for misguiding you and wasting your time trying to get this to work.

    There is still work to do in 1Password for Windows to save the website field as part of the Password Generator's automatic Password item creation flow. At the moment the Password Generator is not aware of the website at all. You can expect this to be updated and improved in a future version. When this is done, Password items created by the 1Password Mini's version of the Password Generator will also name the Password item in a more context aware way - instead of the Password item's name being set to "Password", it will likely be set to the domain or title of the web page to help users find the generated passwords they need when they search for it. This is also how things work on the Mac. Unfortunately I don't have a timeline for when that will happen on Windows though.

    "I would strongly argue that your manual fallback options should be polished and usable AS WELL - for the cases where the automation doesn't work. You know that automation doesn't work 100% of the time, and you know there will always be new edge cases and new websites and new fashions in login lightboxes that manage to be on different URLs every time and not have any kind of consistent html markup for you to parse. And if you rely on your browser integration for 100% of your usability improvement, I have some bad news for you: I also have passwords for things that aren't websites. Games, communication tools, email accounts, RDP connections to servers, databases..."

    Regarding the Password Generator, our fallback of automatically saving a Password item in any case where you click "Copy" should be enough to allow a user to recover a changed password if 1Password's extension doesn't automatically detect the change. Based on your feedback, we will certainly consider your suggestion for creating a manual mode so thank you very much for sharing it!

    As for non-website app passwords, the process will be more manual here but in these cases I would recommend using the Password Generator within the main 1Password for Windows app itself. This will mean you'll be able to give your Password / Login item a more meaningful name at the time of creation than the 1Password Mini's Password Generator can.

    I hope that helps. Please let us know if we can be of further assistance.

    Best regards,
    Matthew

This discussion has been closed.