1Password submits incorrect password


Hi,
I cannot submit a login to a bank account. When I copy and paste the password manually, it works.
I disabled Auto-Submit for this specific web site, but it didn't resolve the issue.
Please advise.


1Password Version: 6.0.2
Extension Version: 4.5.3
OS Version: 10.11.3
Sync Type: Dropbox
Referrer: kb:save-login-manually, kb:disable-autosubmit, kb:recover-unsaved-password, kb:autosave-did-not-appear, kb:save-login-manually

Comments

  • littlebobbytables
    1Password Alumni

    Greetings @arti69,

    So the first thing I'd like you to try is to create a new Login item, using the steps detailed in our guide How to manually save a Login. Does this new Login item behave any differently from the old one?

    If a new item doesn't behave any differently, I'm curious about the following. Have you very recently changed your password? I know from recent experience helping others that Wells Fargo do something a little odd on their password change form, and as a result it can cause confusion. If you use the 1Password Password Generator and have it create a password longer than 14 characters, we will store the password generated, but the kicker is Wells Fargo only take the first 14 characters. When we fill we supply the full password, even if it's longer than allowed, and as it doesn't match the password they have, the attempt to log in fails. When you copy and paste, though, their site only accepts the first 14 characters and so the log in attempt succeeds. The result is that when 1Password fills it fails but copying and pasting works, because the two methods are quite different underneath.

    I'm confident we can get to the bottom of this though. We'll wait to hear back from you and take it from there :smile:

  • arti69
    Community Member

    Hi,
    Saving the login manually didn't work.
    It's a new account, and I did use the password generator to create a 14-digit password.
    I changed the password to 10 digits, and it still doesn't work...
    It is definitely related to this particular web site and not 1Password since using Roboform has the same result.

  • littlebobbytables
    1Password Alumni

    Greetings @arti69,

    How would you feel about telling us the URL for the login page? As it's bank related we may not come up with a great answer but we will certainly do our best to figure out what is going on and see if there is anything we can do better. Financial institutes have always been problematic for two key reasons:

    1. They can be very inventive with their login pages. Some of the oddest behaviour I've seen has been on sites for financial institutes.
    2. Testing requires logging in with a real account. Unlike many sites, creating a test account is usually impossible with financial institutes, and creating a full blown and real account with each is also nearly impossible thanks to all the road blocks thrown up. It's a shame because we'd love to do a lot better with this class of sites :(

    Now sometimes we can find something that allows us to work with a site so it isn't a hopeless task by any means, merely they represent the trickiest ones. Utility companies are also problematic for the second reason but their login pages tend to be a bit saner. Anyway, if you're happy to tell us what the standard login page for this particular bank is we'll see if we get lucky :smile:

  • arti69
    Community Member

    Sure, this is the URL:
    https://hb2.bankleumi.co.il
    Thank you!

  • littlebobbytables
    1Password Alumni

    Hello @arti69,

    So this site is known to us sadly. The way this bank works is they alter the contents of the field after each character is entered and they must also have something that handles a password being pasted. The linear transformation it is applying to your password means that each subsequent letter alters the whole code stored and there is a key or parameter that changes, possibly based on the current time. How we fill means their code doesn't react in the same way it does if you type or copy and paste. I will be contacting you shortly though as one of our developers had an idea of something we could test. We don't know if it will help but maybe it will and you're in the perfect position to tell us :smile: As soon as I've got everything straight in my head I'll contact you from our ticketing system.

    ref: OPX-650

  • arti69
    Community Member

    Okay, thank you.

  • littlebobbytables
    1Password Alumni

    Hi @arti69,

    There's been a small delay but I haven't forgotten about you. We will be in touch soon.

  • arti69
    Community Member

    No problem, thank you.

  • jxpx777
    1Password Alumni

    Hi, @arti69. I've been having a look at the bankleumi.co.il site, and I'm sad to say that I'm not really any closer to an idea of what they're doing there. We have heard some reports that it works OK when viewing the site in English, so I wanted to mention that at the top since I don't see another mention of it in this thread. Apologies if it's been covered before. The rest of this post I'm cribbing from an email reply I just sent to another user. It gets a bit technical, but I thought it worth sharing so others can benefit from seeing the investigation process and perhaps understanding a bit better why 1Password performs so poorly on this site.

    From what I can see, when you focus the password field, the site starts programmatically generating keyboard events every 400ms and firing them on the password field. If you add an event listener for "keydown" that just logs when it gets an event, you can see them coming in over and over. Here is the code I used for this:

    function handler(event) {
        console.log(event.target.type + " field " + event.target.id + " received " + event.type);
        console.log("\tValue: " + event.which);
    }
    document.getElementById("password").addEventListener("keydown", handler, true);
    

    You can just run it in the browser console in Chrome or Firefox and then click into the password field to see the events leap into action.

    Then there is another component where they are randomizing the characters that they are sending with these fake keyboard events. I haven't been able to make any proper sense of it just yet, but here is the code I found:

    setInterval(function() {
        // choose the key-code range: Hebrew alef..tav, or "!".."z"
        1487 < y && 1515 > y ? (s.Ca = "\u05d0",
        s.xa = "\u05ea") : (s.Ca = "!",
        s.xa = "z");
        // random code in [s.Ca, s.xa) fired as keydown/keyup/keypress
        var b = s.Ca.charCodeAt(0)
        , b = parseInt(Math.random() * (s.xa.charCodeAt(0) - b), 10) + b;
        u(a, "keydown", b);
        u(a, "keyup", b);
        u(a, "keypress", b)
    }, 400)
    

    Not only that, but they also replace the values you type with random values. Every time you press a key, the following code converts the character you typed into a new random character:

    function Dd(a, b) {
        if (ma) {
            // fixed mode: constant prefix (ab + bb) padded with "!" up to length b
            for (var c = (ab + bb).substr(0, b); c.length < b; )
                c += "!"[0];
            return c
        }
        // otherwise pad the typed text with random lowercase letters (a-z)
        for (c = a; c.length < b; )
            r = Math.floor(97 + 26 * Math.random()),
            c += String.fromCharCode(r);
        return c.substr(0, b)
    }
    

    The code is minified, so it is very hard to follow (Would be nearly impossible if Chrome didn't have the option to pretty print minified source!), but it seems that every 400ms they are dispatching a random character into the password field and also changing the values that you actually type. My best guess is that this is some security feature designed to confuse keyloggers or something like that. What's not clear to me is how the password field is to be expected to actually contain a valid password when you submit the form! When I inspect the network traffic after typing a username of "test" and a password of "Password", I see this in Google Chrome's network inspector:

    system=Test&uid=test&__password=bvrykqdk&command=login&password=04df0fede59d60fe%7C%40%7C7301bf483cf5dc53%7C%28%23%29%7C
    

    My best guess is that some combination of the __password value and the hexadecimal bits at the end of that string following &password can somehow be combined to validate your actual password.

    I'll be honest, this is the first time I have ever seen anything like this, and I'm not sure if there's a way for us to support this kind of site that goes this far out of their way to interfere with normal typing.

    I'm sorry I don't have a better answer for you right now. We will certainly keep this site in the back of our minds in case other developments might make it possible for us to work better here, but for right now, I just don't see a way forward.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
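The following is an added example and is not code from the thread, from the bank, or from AgileBits. It re-implements, in readable stand-alone form, the two routines quoted in the post above (the 400 ms fake-key generator and the Dd padding function), parses the captured POST body to expose its structure, and adds a probe that separates real keystrokes from script-dispatched ones via `isTrusted`. Parameter names are mine; `fixedMode` and `prefix` stand in for the minified `ma` and `ab + bb`. One assumption is marked in the code: the comparison `1487 < y && 1515 > y` brackets the Hebrew letter block (alef U+05D0 = 1488 through tav U+05EA = 1514), so `y` is assumed to be the char code of the last character typed. Two things worth noticing from the capture itself: `__password` is eight lowercase letters, the same length as the typed "Password", which matches the random-lowercase branch of Dd, and the `password` field is two 16-digit hex segments separated by `|@|` and terminated by `|(#)|`. What the hex encodes is not known.

```javascript
// Added example: readable re-implementation of the obfuscation routines
// quoted above plus a parser for the captured request body.  Runs under
// node or in a browser console.  Not the bank's or 1Password's code.

// Same key-code range as the quoted setInterval().  ASSUMPTION: `y` is the
// char code of the last typed character (1488..1514 is the Hebrew block).
// `rand` is injectable so the result can be checked deterministically.
function fakeKeyCode(y, rand = Math.random) {
  const hebrew = y > 1487 && y < 1515;
  const lo = (hebrew ? "\u05d0" : "!").charCodeAt(0);
  const hi = (hebrew ? "\u05ea" : "z").charCodeAt(0);
  // parseInt(Math.random() * (hi - lo), 10) + lo  ->  integer in [lo, hi)
  return Math.floor(rand() * (hi - lo)) + lo;
}

// Readable form of Dd(a, b): the value the visible password field holds.
// `typed` is the text entered so far, `len` the target length.  In fixed
// mode (the minified `ma` flag) a constant prefix (minified `ab + bb`) is
// padded with "!"; otherwise the typed text is padded with random
// lowercase letters and cut to `len`.
function displayedValue(typed, len, fixedMode = false, prefix = "", rand = Math.random) {
  let c;
  if (fixedMode) {
    c = prefix.substr(0, len);
    while (c.length < len) c += "!";
    return c;
  }
  c = typed;
  while (c.length < len) c += String.fromCharCode(97 + Math.floor(26 * rand()));
  return c.substr(0, len);
}

// Parse an application/x-www-form-urlencoded body and split the `password`
// field on the separators visible in the capture, "|@|" and "|(#)|".
// This exposes only the structure; the meaning of the hex is unknown.
function parseLoginBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    const i = pair.indexOf("=");
    if (i < 0) continue;
    fields[decodeURIComponent(pair.slice(0, i))] = decodeURIComponent(pair.slice(i + 1));
  }
  const segments = (fields.password || "")
    .split(/\|@\||\|\(#\)\|/)
    .filter(s => s.length > 0);
  const allHex = segments.length > 0 && segments.every(s => /^[0-9a-f]+$/.test(s));
  return { fields, segments, allHex };
}

// The request body quoted in the post above (username "test", typed
// password "Password").
const CAPTURED_BODY =
  "system=Test&uid=test&__password=bvrykqdk&command=login" +
  "&password=04df0fede59d60fe%7C%40%7C7301bf483cf5dc53%7C%28%23%29%7C";

// Tell the site's synthetic key events apart from real keystrokes.  Events a
// script creates and fires with dispatchEvent() carry isTrusted === false
// and have no default action (they never change the field's value), which
// is why a filled value and a typed value take different paths.  Works on
// any EventTarget, so it can also be exercised under node.
function installKeyProbe(target) {
  const counts = { trusted: 0, synthetic: 0 };
  target.addEventListener("keydown", e => {
    counts[e.isTrusted ? "trusted" : "synthetic"] += 1;
  }, { capture: true });
  return counts;
}

// Usage in the bank's page (browser console):
//   const probe = installKeyProbe(document.getElementById("password"));
//   // click into the field, wait a few seconds, then inspect `probe`
const parsed = parseLoginBody(CAPTURED_BODY);
console.log("__password:", parsed.fields.__password, "(" + parsed.fields.__password.length + " chars)");
console.log("password segments:", parsed.segments, "all hex:", parsed.allHex);
console.log("sample fake key:", String.fromCharCode(fakeKeyCode("P".charCodeAt(0))));
console.log("displayed for 'Pass' padded to 8:", displayedValue("Pass", 8));
```

With a real page, `probe.synthetic` climbs by roughly one every 400 ms while the field has focus and `probe.trusted` only counts your own keystrokes; with an extension filling the field by setting `value`, neither counter moves, which is consistent with the site's handlers never seeing the filled text.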
