Would you like to update your existing username and password --- FAIL!

I have tried to change a password using the 1Password extension (in Safari). I have noticed this recurring problem.
1) I retrieve my current password from the extension.
2) I paste my password into the dialog box.
3) I go back to the 1P extension and click Edit. Then I click the button to generate a new password.
4) I click Save.
5) I click Copy to get the new password, and paste it twice into the dialog box, then I submit the information.
6) The password is successfully changed.
7) Here's where the problem begins.
If I click Update Existing, the new password is replaced by the old password!
Fortunately, 1P keeps a log of previously used passwords, so I can retrieve my "old" new password and swap it with the "new" old password and all is well.
I have noticed this problem for quite awhile. I suggest some debugging is in order to prevent this from giving people heart attacks, especially those who don't realize that old passwords are being stored somewhere.

Clay142


1Password Version: 6.8.8
Extension Version: 4.7.0
OS Version: 10.13.3
Sync Type: iCloud
Referrer: forum-search:Would you like to update your existing... FAIL

Comments

  • pervel
    pervel
    Community Member

    It doesn't sound like you're following the right procedure for changing passwords. You're not supposed to edit the item you want to change. That's only if you want to perform manual changes. Instead you just use the generator directly on the site's change password page and then you're (hopefully) asked to update the information in 1Password.

    There is a full description here: https://support.1password.com/change-website-password/

  • AGAlumB
    AGAlumB
    1Password Alumni

    @clay454: Indeed, we definitely recommend updating the Login item for the site during the process of updating it on the website itself, as you'll generally need the current one during that process, so it's helpful if you haven't already replaced it in 1Password. You also often won't know if the password you generate will be accepted until you try it. And, if you change it in 1Password first, and then use the original password to login to the site when you want to change it, 1Password will probably — correctly — offer to save the login for you since it doesn't match what it has, which could be a bit confusing for you later on. Cheers! :)

  • clay454
    clay454
    Community Member

    Ok, I’ll take your word that 1Password is working “correctly” but the workflow is counterintuitive to me. I’ll continue to do it my way but click “Not Now” when that dialogue box appears.

    Clay

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2018

    @clay454: You don't have to take my word for it. 1Password is doing exactly what you told it to do: saved the password you'd just entered on the webpage when you clicked that option. I'd be hard-pressed to find a compelling argument that that isn't working correctly. :tongue:

  • clay454
    clay454
    Community Member

    I understand, but I’ll still do it my way, which, in your eyes may be he wrong way, because I’m the user and it works for me.

    🙃 Clay

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2018

    1Password has a lot of users, so I don't think you get to be "the user". We have to consider others as well. And I thought your point was that that doesn't work for you, but okay!

    ¯_(ツ)_/¯

    Just remember: if in the future you don't want 1Password to save a password for you, you can click "Not now" and it won't. I promise. :chuffed:

  • AbrahamBartolo
    AbrahamBartolo
    Community Member

    I attempted to sign into the AgileBits Support Forum (“ABSF” hereafter) to address an issue I encountered with 1 Password 6 v6.8.9 (689001) hereafter “1P6” failing to update an existing password on several occaisions.

    The ABSF site advised me that my password was incorrect. Although this seemed unlikely as I was using 1P6 to input the password, I pressed the link "forgot password" and then checked my email for the link to reset my password. I activated the link from the e-mail and changed the password on the ABSF site. Not trusting 1P6 to remember my password, I used a manual method involving cut-and-paste of an existing 1P6 password for the website.

    Upon successfully logging into ABSF, 1P6 offered me the following window:

    I pressed the lower right button "Update Existing". I then went to 1P6, chose “reveal” for the password of the login noted in the graphic: the previous 40-character password had not been updated to the new 44-character password.

    I signed out of ABSF, thinking that the password might update after I was off the ABSF site. I attempted to re-login to ABSF using 1P6 to fill in the allegedly updated password. (Graphic below ↓ )

    (Image captured: 5/23/18•1:44 PM CDT.)

    I was not surprised when, 1P6 failed to log me in. Here is the response I received on screen at 5/23/18•1:45 PM:

    Having just read two previously reported closed discussions on this issue (see below) I had saved my 44-character password in a different application. I pasted the 44-character password in from that application and successfully logged in to ABSF and sent this message.

    Prior to writing this message, I also reviewed:
    https://support.1password.com/change-website-password/
    Although this informational webpage advises of a way that is "correct", according to a contributor, “Pervel” from one of the aforementioned discussions, I find nothing in my procedures that appeared improper to me and the problem remains unresolved.

    I did not expect you to resolve this issue, but your comments are welcome.

    https://discussions.agilebits.com/discussion/80776/1p-did-not-update-my-password
    https://discussions.agilebits.com/discussion/68553/when-i-select-update-existing-password-it-does-not-update

    (Posted: 5/23/18• ~2:55 PM CDT)

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hello @AbrahamBartolo,

    Is the gist of your post that you had to reset your password for our forums but 1Password didn't update properly after correctly prompting you? That will be easy enough to test, I just want to make sure that is what you're reporting.

  • AbrahamBartolo
    AbrahamBartolo
    Community Member

    In response to 4:43 AM posting of littlebobbytables:

    The gist of my post is that I reset my password for this forum, but, after resetting my password by manual pasting a 1P6 generated password that had been altered to improve encryption, 1P6 displayed a window labeled "1 Password – Save Login" window with "Update Existing" button. That button was activated, but 1 Password 6 didn't update the existing password to the reset password.

    After further examination of this issue, I believe I have found the flaw in the programming which has not yet seen discussed in any of the forum posts that I reviewed.

    Please test under the following conditions and see if you get the same results.

    1. Open the full program, 1P6.
    2. Select a saved login that is to be tested. I suggest agilewebsolutions.com/login
    3. Select "edit" and make a change in the NOTES section of 1 Password 6 login , such as "2018_0524 Retiring Password: 1CVi~dbmVK;Y}_LF9E9G-6LW6xgLy0O-hcg.z!y^ REPLACING it with new password: eB^Q-1jSGo.m6_jY0V]i"2n9-Fyt>Lcdyil((-xStGB/ "
    4. DO NOT peplace the existing password manually and do not save changes to the program. (This will leave the 1P6 program in editing mode).
    5. On the website to be tested, enter the correct user ID on the login window, but press the "forgot password" to receive a link to reset the password by email with reset-link
    6. Retrieve the email or activate the reset-link and change the password to: eB^Q-1jSGo.m6_jY0V]i"2n9-Fyt>Lcdyil((-xStGB/
    7. The window labeled "1 Password – Save Login" window with "Update Existing" button will appear. Click on "Update Existing" button.
    8. Logout of the website that is being tested.
    9. Return to 1P6. You will find that the program is still an editing mode and the password has not been updated.

    I am uncertain how many passwords I have lost over the years under the above scenario.
    I suggest this is a flaw in programming as I believe the program when it said it was going to "update existing" password but failed to do so.

    Posted: 5/24/18•9:21 AM CDT

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @AbrahamBartolo,

    So it seems it isn't that 1Password didn't update correctly but that you're finding the edit screen doesn't refresh with the newer information and then when you save it's overwriting the updated password with what is present in edit mode.

    If you were to look in the Login item's password history you will find the correct password. I shall report this but for now the best workaround is not to be actively editing a Login item whilst also updating it from inside the browser.

  • AbrahamBartolo
    AbrahamBartolo
    Community Member

    The theory of your first paragraph seems a valid attempt to describe the phenomenon; however, the "updated password" should, I submit, have overwritten the contents of the field "password" in edit mode, or advised the user that s/he must leave edit mode to update the field "Password."

    I could not confirm that the correct password was saved as a "previously used passwords".

    The "best workaround" is now obvious to me. I wonder if it is obvious to other users?

    Posted: 5/24/18•12:32 PM CDT

  • AbrahamBartolo
    AbrahamBartolo
    Community Member

    Hi, littlebobbytables

    You wrote on your post of 9:48 AM, that were I "to look in the login item's password history [I would] find the correct password." When I wrote at 12:33 PM CDT I had not confirmed your assertion.

    In "previously used passwords" for the login item, the correct password does appear as having been entered on May 23 at 1:35 PM CDT; the password field is occupied by a "previously used password" from six minutes earlier, that is May 23 at 1:29 PM CDT. Chronologically this is paradoxical, but the correct password was preserved.

    Thank you for your attention to this matter; I will never make this mistake again and hope that resolution can be found for the unwitting user of your excellent product who has used my procedures and presumed that the password was irretrievably lost.

  • littlebobbytables
    littlebobbytables
    1Password Alumni
    edited May 2018

    So I've now observed what we would consider are two unusual approaches to updating a Login item.

    The first is to manually edit the Login item in advance of changing the password on the site's change password form and then to allow 1Password to update the Login item again after submitting the change. Due to how we need to detect the new password on certain sites the double update essentially negates itself although the new password will be stored in the password history.

    The second is the scenario you've brought to us, where you're actively editing an item at the same time as updating it elsewhere.

    With the first I do genuinely believe 1Password is doing the right thing. If a person doesn't want to trust 1Password to prompt they can turn that off and manually update items. Sometimes the more intelligent you make something the worse the unanticipated outcome can be.

    With the second I'm not sure what the right behaviour is. I shall file a report so it will be discussed. What I will say is that we don't see questions about either scenario that often so I can only surmise that the majority of users haven't attempted this, after all from a support perspective I would hope anybody experiencing what you have experienced would reach out to us. For now you have a better understanding of how 1Password operates and with that knowledge you can ensure you're not caught out by it or worst case scenario you know where you can retrieve the correct password from.

    ref: apple-1410

  • AbrahamBartolo
    AbrahamBartolo
    Community Member

    A well writ conclusion.

  • hawkmoth
    hawkmoth
    Community Member

    I too have encountered the behavior described in this thread. I have attempted to update a password on a site while having the appropriate record in edit mode in the 1P7 main application. When I saved the record, sfter selection the option to update the exisiting record, it did indeed replace my newly generated password with the previous one, the one that was supposed be be replaced when I selected the option in 1Password to update the existing record. That baffled me, but I did find that everything worked like it should when I did not have the record at issue in edit mode. So now that's the way I've proceeded since then.

    I must admit that I don't know why I thought it was a good idea to have a record in edit mode when asking 1P7 to do its thing. I've learned to stop doing that. But I agree with the other users in this thread that this is unexpected behavior, and I don't understand why the proper new password isn't saved to the record, even if it is in edit mode when the update existing record option is chosen.

    This only arises for me because I've been auditing most of my logins for security and have found that there are quite a number that I wanted to update.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @hawkmoth: Thanks for sharing your experience. We definitely recommend following this guide when it comes to updating passwords:

    Change your passwords and make them stronger

    But there's always room for improvement too. We'll see what we can do. :)

This discussion has been closed.