I'm having problems copying from 1Password and pasting into password field on CREDO mobile website

I just switched my mobile carrier to CREDO mobile and created a user account on their website but am unable to copy my password from 1Password and paste it into the 'password' field of my account on CREDO mobile. The username copies and pastes as expected, but somehow, the password field on the CREDO mobile login site is only accepting actual typing.

Here's the URL that is giving me issues
:https://www.credomobile.com/LoginMember.aspx

Any pointers?

Thank you


1Password Version: 6.8.1
Extension Version: Not Provided
OS Version: OSX 10.11.6
Sync Type: Not Provided
Referrer: forum-search:CREDO

Comments

  • jxpx777
    jxpx777
    1Password Alumni

    Hey, @r5z8e2l3, thanks for your post. Sorry for the trouble this site is giving you. Some sites disable pasting into certain fields in a misguided attempt to prevent users behaving insecurely. I do see that there is an event handler for the paste event on this field, but I couldn't dig much further into it than that. What I can say is that the 1Password extension does not use copy and paste; it uses Javascript to change the values of the fields directly. Could you try using the extension and see if that helps? I manually saved some dummy credentials and then refreshed the page and it filled for me, so hopefully that helps you as well.

    Let us know how it goes!

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • r5z8e2l3
    r5z8e2l3
    Community Member

    Hi Jamie. The main reason I didn't install the 1Password extension in chrome (browser I use most frequently) is that when I go to install it, the popup for the 1Password extension app says "It can: Read and change ALL your data on the websites you visit"

    I don't feel comfortable giving access to ALL my data, including sensitive banking information, medical record information, etc. to any Corporation, including AgileBits, unless assurances can be given to me that my data isn't somehow tunneled to AgileBits servers somewhere and never leaves my local computer to be sold to other Corporations.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited August 2017

    @r5z8e2l3: I hear you. Not a fan of the way that sounds myself, or the fact that Chrome doesn't allow for more granular permissions. Unfortunately if you're not using the 1Password extension, there isn't much we — or 1Password — can do to help you login there. I'll be happy to give you an overview of how 1Password works and how we operate here at AgileBits though, in case it helps.

    First, let's be real, if we were evil, not using the extension wouldn't protect you, as you're installing the 1Password app on your system and entering (if you're like me) your most important, sensitive information there. But since we're all in the same boat (we're 1Password users too!) we don't want 1Password invading our privacy either. You can learn more about the lengths we go to not know about 1Password users like you and I in our knowledgebase:

    About 1Password and your privacy

    That's a pretty exhaustive breakdown so definitely check it out, but the long and short of it is that our reputation and livelihood depend on trust; us doing anything that harms our customers (especially by compromising their privacy or security; we're a security company after all, and people use 1Password to protect their privacy as well) means we'll be out of business and unable to support ourselves, not to mention 1Password — would cease to exist and we couldn't use it any longer either! We intentionally know as little as possible so that we can't be co-opted to get to our customers.

    Getting back to filling in the browser, using the 1Password extension is actually more secure than copying and pasting, since it's trivial for apps to monitor your clipboard. So bypassing that entirely is not only a convenience (especially in cases like this), it's also a security benefit. Using the browser extension also doesn't store your data in the browser; it's decrypted and sent on demand as you access/use each login, etc. And the browser extension communicates only with the 1Password app, not over the internet, which validates the browser's code signature before connecting.

    And at the end of the day, while "Read and change ALL your data on the websites you visit" does sound ominous, it does allow 1Password to save and fill login credentials without you having to dump them on the system clipboard. And we run a sustainable business rather than selling out, selling you, or accepting money from investors or advertisers. Hopefully this helps you get a better sense of how we roll, but be sure to let me know if you have any questions! :)

  • r5z8e2l3
    r5z8e2l3
    Community Member

    I want to thank both of you, brenty and Jamie, for taking the time to answer my question/concern. You're absolutely right about trust. Customers like me already decided to trust AgileBits with the 1Password program enough to purchase it and use it to store our sensitive data. If there was some way to summarize what you just said in your response to me and put that in the popup that shows up when installing the chrome extension (better than the existing "all data" line), that would probably satiate people like me who tend to obsess over minor details ;) Unfortunately, I don't have a suggestion as I think it is a challenging task to condense what you wrote into a 'one-liner,' but you can always point customers like me who raise this concern over to this post for reference.

    I went ahead and installed the extension to Chrome and retried to login to my account on the CREDO mobile website and it works, but is kind of intermittent. I see the browser flash quickly a couple or few times to try to fill in the username and password fields. Sometimes it works and sometimes it doesn't, but if I play with the mac 'Command Key' + '\' keystroke, I can eventually get it to work. I also spoke to and submitted feedback to CREDO about this so that they can address this on their end, if possible, although the customer support person I spoke to was quite resistant to my concerns. They claim they force users to physically type in each character of the password for higher security, but in my opinion, it forces people to create shorter dictionary passwords that are actually more insecure, not to mention a barrier to people who have disabilities who are either unable to type or have difficulty typing.

    Thank you both for helping me on this issue,
    r5z8e2l3

  • jxpx777
    jxpx777
    1Password Alumni

    it forces people to create shorter dictionary passwords that are actually more insecure, not to mention a barrier to people who have disabilities who are either unable to type or have difficulty typing.

    This is exactly right. A lot of these policies are well-intentioned, but they assume that a user is copy and pasting from a plain text file or an Excel spreadsheet or something like that. But even if that were the case, a longer, unique password stored in a plain text file is better than a password that is reused across multiple sites and these companies can't prevent the sticky note syndrome (writing password on a sticky note attached to the monitor or ""hidden"" under the keyboard…) or any of the other number of insecure things that people do.

    That's why one of our articles of faith at 1Password is that we have to make it easier to behave securely than insecurely, and the browser extension and keyboard shortcut serve a critical function in this effort.

  • jxpx777
    jxpx777
    1Password Alumni

    Ah, I also wanted to mention that the browser extension plays a critical role in phishing protection as well. When 1Password asks the extension for the current URL and then looks for matches, it will only offer you Logins that match the site that's in your browser. It doesn't matter how very clever a phishing attack might be, 1Password will properly compare the site to your Logins and won't fill if the sites don't match. Even if you select a different Login from the Logins section, 1Password won't fill it into the current page; it will instead open the website that is listed in the Login and fill there, taking you back to safety.

    I know the prompt from Chrome is scary, but unfortunately we don't have any say over what Chrome shows the user about the extension's capabilities. I would love if they gave us a way to offer some explanatory text or link.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

This discussion has been closed.