1Password taking over fields in non-login form on BofA website

Unlike seemingly many people in your forums, I have never had trouble using 1Password Chrome extension (or now 1PasswordX) to log in to Bank of America's website.

However, today I noticed something odd: On the "transfer money between accounts" page, 1Password thought the "amount of money" field was a login field, and offered to insert my username. Not a huge deal, but the little 1Password icon in the field obscured the manually typed amount (the icon is on the far right of the field, but for some reason this field was right-aligned...)

So a few issues:

  • 1Password misidentified an unrelated field as a username field.
  • Suggestion: the icon should go away when you start to manually type in a field.
  • My 1Password record for BofA has https://secure.bankofamerica.com as the website, and this transfer form is on transfers.bankofamerica.com. So it looks like 1Password will suggest passwords across sibling subdomains? Possibly it shouldn't do that?

It would be great if there were a power-user feature where you could tinker with form field detection, e.g., blacklist/whitelist specific URLs, or HTML form element ids/names/classes. Or even just right-click on the icon and have a context menu that allows you to coach 1Password that it has misdetected a field, or say "don't prompt for this field on this page in the future". You see what I mean, anyway.

Anyway, big fan of the product!


1Password Version: 6.8.8
Extension Version: 1.7.1
OS Version: MacOS 10.13.4
Sync Type: 1Password Account

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited May 2018

    @hattrick: Thanks for getting in touch! I have a Bank of America credit card, but I'm not familiar with transfers so please bear with me. ;)

    Unlike seemingly many people in your forums, I have never had trouble using 1Password Chrome extension (or now 1PasswordX) to log in to Bank of America's website.

    Thanks for the kind words! In all fairness, I think it's understandable that most people only get in touch with us because they're having trouble with something. That's what were here for! I'm glad to hear that you're enjoying 1Password X (and 1Password in general) though. :)

    However, today I noticed something odd: On the "transfer money between accounts" page, 1Password thought the "amount of money" field was a login field, and offered to insert my username. Not a huge deal, but the little 1Password icon in the field obscured the manually typed amount (the icon is on the far right of the field, but for some reason this field was right-aligned...)

    Alas, Bank of America has historically been a tough cookie, so I can't say I'm surprised you're reporting issues there now. Unfortunately I think I'm not able to get to the page you're having trouble with because I don't have a bank account (though I'm not sure since you didn't include the URL). I'll see if anyone else here does to test with.

    So a few issues:
    1Password misidentified an unrelated field as a username field.

    That does sound like something we may need to address specifically for this site.

    Suggestion: the icon should go away when you start to manually type in a field.

    I really liked that idea until I thought about it more. I can see how this would be nice in some circumstances...but then how do you save a new login on the page? I suspect that it would be better for us to find a solution to the specific problem you're having instead.

    My 1Password record for BofA has https://secure.bankofamerica.com as the website, and this transfer form is on transfers.bankofamerica.com. So it looks like 1Password will suggest passwords across sibling subdomains? Possibly it shouldn't do that?

    1Password intentionally allows filling within the same domain, as that's expected and preferable in the vast majority of cases. For example, www.apple.com and appleid.apple.com; www.amazon.com and smile.amazon.com; etc. After all, a single company owns any given domain. But can you elaborate more on why you don't want that behaviour?

    It would be great if there were a power-user feature where you could tinker with form field detection, e.g., blacklist/whitelist specific URLs, or HTML form element ids/names/classes. Or even just right-click on the icon and have a context menu that allows you to coach 1Password that it has misdetected a field, or say "don't prompt for this field on this page in the future". You see what I mean, anyway.

    I can see how that may seem like a good solution for you, but since you manually tweaking 1Password for a specific site wouldn't help any other users I think it's best that we investigate issues like this on a case-by-case basis so we can improve things for everyone, and potentially make 1Password smarter overall.

    Anyway, big fan of the product!

    Thanks so much for your support! Definitely let me know the browser version and URL involved and we'll see if we can figure out what might be causing the Bank of America issue you described. :)

    Edit: Is this the URL, roughly? https://secure.bankofamerica.com/transfers/m2m-funds-transfer.go

  • hattrick
    hattrick
    Community Member

    The precise URL was https://transfers.bankofamerica.com/jsp/bofa/make_transfer_gen3.jsp. You get there by going through the "transfer money from my account to an account at another US bank" flow. Chrome version is 66.0.3359.139.

    Manually tweaking for specific sites would totally help other users, if you collected the data and analyzed it to find common trouble spots... Or at least add a context menu item to "report a problem with this field" or something?

    PS While I have your attention, you know what would be a great feature? The ability to automatically change your password. I get that this is intractable to do generically, but even special-casing a few dozen prominent cases (Google, Amazon, banks, anything that provides identity, such as Facebook and Twitter) would be valuable.

  • AGAlumB
    AGAlumB
    1Password Alumni

    The precise URL was https://transfers.bankofamerica.com/jsp/bofa/make_transfer_gen3.jsp. You get there by going through the "transfer money from my account to an account at another US bank" flow. Chrome version is 66.0.3359.139.

    @hattrick: Awesome! Thank you! :chuffed:

    I was actually able to track down someone here with a bank account who can view this part of the site, and wow...some weird stuff going here. Your description was very gracious... I've filed an issue for this to see what we can do here, but suffice to say I'm not surprised that 1Password X is interpreting fields named things like fielduser.amountInput as usernames, and then it's a short logical leap to guess that fields following that are used for passwords. Obviously none of that is desirable, so we'll see what we can do to make 1Password X smarter there.

    ref: b5x-416

    Manually tweaking for specific sites would totally help other users, if you collected the data and analyzed it to find common trouble spots... Or at least add a context menu item to "report a problem with this field" or something?

    I know. We just really don't want to collect user data. It can't be taken from us and/or misused if we never have it. ;)

    Perhaps we can find a way of doing something similar without the downsides, but we do want to err on the side of caution. Secrets that are revealed cannot be taken back. :sweat:

    PS While I have your attention, you know what would be a great feature? The ability to automatically change your password. I get that this is intractable to do generically, but even special-casing a few dozen prominent cases (Google, Amazon, banks, anything that provides identity, such as Facebook and Twitter) would be valuable.

    I agree it would be nice, but this goes back to privacy (and security) because we'd have to act as a middle man to negotiate password changes in that case. Websites do not offer a standardized API that apps can hook in to do this without a go-between like that.

    Then again, maybe we could come up with a different way of doing it in the future. But then the question is how many resources can we reasonably dedicate to such a monumental task (which would require upkeep as websites change and new ones are added), especially when password changes are incredibly rare compared to what people usually use 1Password for: logging into websites. And since an automated-password-change-gone-wrong could be catastrophic, and we have plenty to do working on login filling and other website issues like the one you're reporting here, I just don't see that being something we can do for the foreseeable future. It's definitely something that's always on our mind though, so perhaps someday we can do something like that — but secure, private, and risk-free; otherwise it's really not worth doing at all. Cheers! :)

This discussion has been closed.