Non Username + Password form fields no longer fill after update

Chubaloo

Hi there,

I received a notification to update 1 Password 7 on my Mac two days ago. I noticed that upon restarting my computer that forms with more than just a username and password field no longer get filled when they did without issue before.

I have a login,

Code:
User:
Pass:

Before all three would fill in as I did the "enter all fields but click 1 Password > Save New Login" trick, but despite being able to see the additional field is still saved in 1 Password under "View web form details" it refuses to fill.

I thought that perhaps the website had changed it's form names so I did the save new login trick again but nothing changed and the form looks the same.

Any ideas?

---

1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1 Password

Lars

@Chubaloo - OK, first of all, you win for best avatar I've seen all day. :)

I'm sorry for the trouble. Can you give me a couple of examples (or at least one) where the filling behavior used to work and no longer does? There are definitely some login pages that give 1Password more trouble than others...but I've not noticed that being a function of a recent update. Also: can you tell us what specific versions of 1Password 7 for Mac you were using previously, and what you're using now, that you think caused this change?

Chubaloo

Hi @Lars,

https://business.bdo.com.ph/fo/login is the page. Never had an issue with it until the day of the latest 1P update. You can see that the top field, Corporate Code is the one that is no longer being filled.

I am using...

1Password 7
Version 7.1.1 (70101001)
AgileBits Store

The version before this was whatever the last release before 7.1.1 was as I always stay up to date.

I someone can point me in the direction of another login field with user + pass + other field then I shall just create a test account to see if the behaviour is repeatable.

Thanks

Lars

@Chubaloo -- interesting. I didn't have a problem with that in my testing just now. Can you please use these instructions one more time to save a new Login item manually, then make sure you've got the current version of the 1Password extension installed -- check in Safari > Preferences > Extension. Let me know what you discover.

Chubaloo

Hi @Lars - Yes those instructions are how I saved the login in the first place over 6 months ago. I tried them again, created a new login and the issue is still the same. I have tried this on Firefox, Safari, and Chrome. Re-installing the extensions for each browser.

I guess the next step is to try and re-install 1 Password 7? Because I can quite clearly see the data saved right there in the "extra fields" it simply will not pass that info into the browser. Only the username + password.

Lars

@Chubaloo -- I don't think re-installing 1Password for Mac is going to help. But what might help to narrow things down a bit is if you'd be willing to download this file from Dropbox. It's a .1pif export of the item I created here which is working for me. Of course, I don't have an actual account so I used "dummy" data -- but it fills correctly, which is the important point. Click the "Download" link in the top right of the browser window you'll be taken to, then in 1Password for Mac, choose File > Import and import it into your 1Password vault (doesn't matter which vault). Double click it inside 1Password and see if it works. If it does, then something is different between my item and yours. If it does not, then we know to look elsewhere. Let me know what you discover.

Chubaloo

Hey @Lars - This is absolutely insane. I imported your file and tried it on the page, it filled in all forms right away. I tried to use my login and it didn't fill in the forms.

I compared them side by side - https://imgur.com/a/BjNitJh - and could see no difference at all, so I went ahead and copied my data into the working 1Password Login you provided.

I then tried using the modified login entry with my details and the form no longer filled. Crazy I thought, but maybe something in my data was messing things up? So I deleted the modified login entirely and re-imported your original file. It now NO LONGER fills in all three entries despite it doing so the first time I tried it.

I opened fresh instances of the site to make sure it wasn't some weird thing, I checked the HTML form names in the source and they haven't changed, but now for love nor money I cannot get your test login to fill in all three entries at all.

Any ideas? As this is just baffling.

Lars

@Chubaloo -- thanks for the screenshot. I don't know much (OK, anything) about the internals of that site, but I did notice that you have a field in your record that I didn't in mine. It's called "Admin Username." Not sure what that might have to do with it. Also: what browser are you using, and have you tried other browsers? Obviously, that's not a permanent solution, but it would potentially help us narrow the issue down. Also: are your corporate code and User ID the same value? (do NOT give those values here, just a yes or no).

Chubaloo

Hi @Lars,

Admin Username is just a "note to self". I removed this field and it didn't change anything.

Corporate code and userID are NOT the same value, no.

I just did a little more testing, still crazy but reproducible on my end each time...

1) Open NEW browser (FF, Chrome, Safari - it doesn't matter which, they behave the same).
2) Open https://business.bdo.com.ph/fo/login
3) Use your login = all fields fill correctly.
4) Use my login = only two fields fill correctly
5) Use your login again (unmodified) = Only two fields fill correctly

It is basically like using my login at all breaks the ability for your login to then work correctly. The only way I can get your login to work again (even if I close the tab and open a new one) is by closing the browser entirely or by waiting an undetermined time (likely an hour or so).

It still doesn't address WHY my login will not work, or why my login not working then breaks the ability for your login to work until a browser restart, but it has meant that I have been able to "move" my login details into your login and that then correctly fills in the form.

littlebobbytables

Hello @Chubaloo,

So ignoring Lars' item for a moment, all of my own testing ends up with the corporate code not being filled which I believe mirrors your own findings. I'm not sure how Lars managed to create one that worked for him or why replacing just the values should cause it to stop working. Those answers will take more time to discover.

What I'm hoping will have a bit more success for you is a modified item I've created. It appears to work for me anyway over all tested browsers, all of which were displaying the bad filling with a normally saved Login item. Let's see if it helps you.

Link for modified BDO Login item.

If you download the my 1PIF file, import it as you did with Lars and replace the placeholder values of the three fields with your real ones do you find this works better for you?

ref: xplatform/filling-issues#255

Chubaloo

Hi @littlebobbytables (nice name, I am sure you get that a lot :) )

I have copied my data into your login and it works perfectly each time, thanks for checking and sending it.

This isn't actually the first time that BDO and 1Password have crossed paths, their personal banking - https://online.bdo.com.ph/sso/login?josso_back_to=https://online.bdo.com.ph/sso/josso_security_check - stops you from 1P filling or even copying and pasting a password into the password field, so you have to type it out manually each time. I actually made a post about that here but it was a few years back and doesn't seem to be in my history.

I'd love to know if you get to the bottom of either issue, so please do keep me posted.

Thanks

Lars

@Chubaloo - we will. And sorry for the inconvenience. If it's any consolation (it won't be), banks and financial institutions in general are perennially among the worst offenders in terms of outright shenanigans on their login pages, designed to force users to do this or that bit of what we refer to as "security theater" (i.e. - hoops to jump through that at best offer limited or no real increase in security and sometimes actually reduce a user's security). This post from our blog is from all the way back in 2015 so some of it is outdated, but it should give you an idea of how long we've been wrestling with this. In one sense, you can't blame them: banks and other handlers of financial information have had a big fat target for thieves and other hustlers painted on their backs since long before John Dillinger. They know people are gunning to trick/break/hack them. And that has only increased in the digital age, since now a slip-up in security means that attackers don't have to drill through steel and concrete or come in waving automatic weapons to steal money, they only need to break into a computer system. So it's hard to fault banks for wanting to take stricter measures to keep their valued customers secure than, say, catgifs.com might. That's not what we object to -- its when the steps they take make it difficult or impossible to use a password manager, so customers are forced to either use alternative means to try to save/enter their login information, or go back to using a much less secure password that they can actually memorize...hopefully. It's an ongoing battle, but there's hope that as more and more banking is done electronically, even banks will come to realize the value of a strong password -- and what that means (and what it does not mean).

littlebobbytables

Hi @Chubaloo,

For the sign-in form for their personal accounts can you try saving a new Login item and testing to see what happens with it. When I tested just now it appears that we fill the required fields without any tinkering required. One of the reasons financial institutes are tricky for us is we can't test submitting as that requires real account credentials and test accounts aren't possible like they are on commerce sites. So while it appears everything is in place your help in confirming will let us know if there is still work needed there as well as their business side or if it's just the three fields business sign-in form that we need to work on (for the moment).

Chubaloo

Hi @Lars - Yes I totally understand the position. Hopefully things get better soon.

@littlebobbytables - The form will fill, but when you submit after filling or copying and pasting it will tell you that the username or password is incorrect. I emailed them asking about and they told me it was by design. The discussion with 1 Password before was that on Windows the system could trick the browser by appearing to type in each character individually before submitting and that "you" were working on the same thing for Mac.

Thanks

Dean

littlebobbytables

Hi @Chubaloo,

Thank you for clarifying. So we can't replicate how it works precisely on Windows as we're using a very specific Windows feature. We've somewhat reproduced it in 1Password 7 for Mac but based on your description I'm not sure it's going to be sufficient. Instead of auto-type we have the ability to drag and drop a field from an item into a field in an arbitrary window as long as it supports it. Basically all the documentation we have is at https://support.1password.com/explore/whats-new-mac/#fill-logins-in-apps (so not a lot). I find it works quite well and although I don't use it in a browser because of the normal extension it will work there as well. I suspect you'll be reporting back that this doesn't help with this page though :(

On windows the auto-type feature is actually typing the string a character at a time and that's why it works not just on odd pages like this but other windows as well. So it isn't that we're tricking the browser, it genuinely is as if the string was typed, just really quickly because it's all handled by Windows.

Chubaloo

Hey @littlebobbytables - Understood on the above, and as you suspected it doesn't work. They seem to check to make sure that the form is in click focus, so when you drag the 1Pass entry to it it fills it, but it loses focus. Clicking in the field again to give focus then empties the field entirely.

They have certainly done all they can to ensure that password managers and copying and pasting does not work at all. Thank goodness I can remember Password123 to type it in directly :p

Lars

@Chubaloo -- and now you see our dilemma. I know you were joking, but that's not too far from what is literally being forced upon users not by accident, but by the concerted effort of the bank's website coders. You and anyone else who does business with them are actually being forced to use a less-secure password (or try to remember a long, strong, random one)...all in the name of "security." We'll do what we can to get it working, but at the end of the day, it's the domain/website owner who has the final say over what can and cannot be done on their site, assuming they are competent and dedicated. Absent something like Auto Type, there is in rare cases a limit to what we can accomplish on your behalf, unfortunately.