1Password Keeps Prompting Me to Save Password

schwachs

Hi, I'm on the latest Windows Beta (6.8.496) - mostly it works fine... but for some reason, it continually asked me to save the password for logins that already exist- even though it has saved before and absolutely has it in the vault. I've searched around for solutions on here and can't find the answer to what might be causing this.

Any ideas?

---

1Password Version: 6.8.496
Extension Version: 4.6.12.90
OS Version: Windows 10
Sync Type: 1Password
Referrer: forum-search:1Password Keeps Prompting Me to Save Password

bundtkate

@schwachs: We may need to take a closer look to figure out what's going on here, but first, is this isolated to particular sites or is it more pervasive where it prompts updates consistently across sites?

schwachs

It’s constsnrly across all sites.

thenerdlawyer

I am having the same issue -- I get the prompt on every single website, every time I enter a password. It has become so annoying I've had to turn off autosave, which is a shame because I think it's a great feature.

1Password Version: 6.8.496
Extension Version: 4.6.12.90
OS Version: Windows 7

AGAlumB

@thenerdlawyer, @schwachs: Can you give us some examples? I'm not able to reproduce this here (haven't been prompted to save once when logging into a few places just now), but testing it might help us identify if there are some edge cases:

• Browser version
• URL saved in the Login item
• Type of vault it's saved in (Personal/Private, shared, etc.)
• Exact steps leading up to the issue
• URL on the website where you're prompted to save

Thanks in advance!

schwachs

Browser version: Google Chrome is up to date
Version 63.0.3239.132 (Official Build) (64-bit)

URL saved in the Login item: https://us.etrade.com/home (asks to update that. pw not different)
Type of vault it's saved in: Personal
Exact steps leading up to the issue: after being logged off due to time-out, log back in and boom.

URL on the website where you're prompted to save: https://us.etrade.com/etx/hw/accountshome?cnt=header_logon_startin_accounts

AGAlumB

@schwachs: Thanks! I'm not able to test this at the second address since I don't have an account there, but I'll check to see if we have anyone who does. In the mean time, just to confirm:

Exact steps leading up to the issue: after being logged off due to time-out, log back in and boom.

1. Are you only being prompted to save the login again after being automatically logged out (I'm guessing that's what the URL you gave is from)?
2. Are you using 1Password to fill the login credentials, and then it's asking you to save them again?
3. Are you being prompted to save a new login, or to update your existing login?
4. Are you having the same problem here as well? https://us.etrade.com/e/t/user/login

I don't see a login form at the URL you gave — https://us.etrade.com/home — but I found that other one. I really appreciate the info! :)

schwachs

Hey there... I realized I never followed up with this... I am still having this problem... On almost every website and now from two different Windows 10 machines.

1. It's happening any time I'm logging in.
2. No, it's being filled in from Google Chrome.
3. It gives me the option for new or update.
4. Yes.

AGAlumB

@schwachs: Thanks for following up! Just to clarify on #2 — "No, it's being filled in from Google Chrome." — 1Password should offer to save your login credentials if you're using something else — your hands, the browser, another app — to fill them. More specifically, we always recommend disabling browser autofill because it's insecure, can cause conflicts, and also confusion in cases like this (also, "Where is that password? Did I save it in 1Password, the browser, or somewhere else?")

But if you're having trouble with 1Password itself, since a lot has changed since then, please give me an update:

• Which OS, 1Password, browser, and extension versions are you using now?
• Are you having this problem at https://us.etrade.com/e/t/user/login (since that's an example we've already discussed)?

Thanks in advance!

schwachs

@brenty

Well that explains a ton... but can I get some more info on why autofill from browsers is insecure and otherwise bad? (I'm not saying you're wrong but I'd love to learn more...)

I understand the confusion part but there are some benefits I like so I want to understand what I'm gaining / losing.

Thanks!

AGAlumB

Well that explains a ton... but can I get some more info on why autofill from browsers is insecure and otherwise bad? (I'm not saying you're wrong but I'd love to learn more...)

@schwachs: Absolutely! I am always hesitant to go into too much detail right off the bat and risk boring someone terribly, but I'm glad for the opportunity — to go into more detail, not to bore you, hopefully. :lol:

There have been a number of news stories about this over the past few years, but I think this case is the best example:

https://lifehacker.com/your-browsers-autofill-data-can-be-phished-heres-how-t-1791084371

You can actually check out the proof of concept here:

https://github.com/anttiviljami/browser-autofill-phishing

And if you search Google for "browser autofill exploit" or "browser autofill vulnerability" you can find many more examples.

I understand the confusion part but there are some benefits I like so I want to understand what I'm gaining / losing. Thanks!

You're welcome! Indeed, while browsers have made some changes to help with this in recent years, the problem is that fundamentally browser autofill is a feature which is designed to do exactly the thing that's being exploited — namely, entering information into webpages automatically without user interaction — since, frankly, that's what people use it for. It's very convenient, but at a cost to privacy and security.

Since the beginning, 1Password has only filled information into webpages when the user explicitly tells it to, using the keyboard shortcut or context menus. And, of course, we regularly get pushback because of this: "Why doesn't it fill automatically?" and "Nothing happens when I go to the webpage." The browser autofill feature predates 1Password and is used by many people long before they ever even considered using a password manager, so the expectation, understandably, is that 1Password works that way as well. And when it doesn't, it can cause some confusion and outright frustration. I get that, because we are asking the user to take an additional step. But at the same time this is a critical part of 1Password's security model, and defense against phishing attacks (along with it not filling a login unless it matches the URL of the current page, which similarly causes some confusion and frustration).

So while it isn't something we're going to change, we're always happy to answer questions about why we've designed it this way. I hope this helps give you a better sense of the reasoning behind this, but don't hesitate to ask if you have any followup questions. Cheers! :)