Stored credentials in vault not working for banking website - Heritage Bank Australia
I captured the credentials by logging in to bank account then saving to 1Password. When trying to login using 1Password kept saying password was wrong. If I enter password manually it works and then 1Password asks me to update the entry. If I view the saved password in 1Password it has been changed. Looks like the banking website might be encrypting the password and this is the one saved in 1Password. If I try and manually change the password entry in 1Password it still doesn't transmit properly for some reason and I get a password error. The bank website won't let me copy and paste the password either.
1Password Version: 7.3.657
Extension Version: 4.7.3.90
OS Version: Windows 10 1809 build 17763.253
Sync Type: Not Provided
Referrer: forum-search:password changed on login
Comments
-
Hey, @andrewoz! Unfortunately, designing forms in such a way as to prevent filling with 1Password is something fairly common for banking websites. Their logic isn't entirely unsound – credential stuffing attacks fill much the same way password managers do, so preventing filling can serve as some protection against such attacks. The question is, of course, is the net gain in defending against those attacks worth the loss in security by preventing their customers from using password managers. Our view, of course, is that it's a poor security decision overall, but that doesn't change their minds.
Before we go blaming your bank, though, could you try manually updating the password saved in 1Password to be the correct one, then fill that password on your bank's website and let me know if that works? Might be that filling will work okay, but something is preventing saving from working properly and you genuinely are seeing something incorrect get saved. Let me know what you find! :chuffed:
0 -
Thanks for the speedy reply @bundtkate! If I get 1Password to enter them one at a time (select username to open bank login window, tab to password then select password to bank login window again) then click on bank login button it works, but the auto entry from 1Password doesn't work. I can't manually copy and paste into the password field on the bank web site either - it won't let me. Is there a way to change how 1Password enters the credentials on a web site like this? I've just started trialling 1Password and love it so far. Just this gremlin. I was using KeePass and it worked OK but they seem to use a more primitive method to enter credentials (yours is much more user friendly! :) )
0 -
Hi @andrewoz,
Thank you for the additional info!
Could you please specify the URL you use? I just created a Login item for Heritage Bank Australia (sign-in address:
https://ib.heritage.com.au/IB/login.aspx) myself and it works correctly:
Thanks in advance!
Cheers,
Greg0 -
Thanks @Greg! It appears to work... 1Password correctly fills in the username and password but then I get the following message: "You have entered an incorrect Member Number or Password. Please check your details and try again.". I'm assuming you would have seen a similar message but as you haven't got a login you would have been expecting it :) Yet if I allow 1Password to send the password to the individual fields it works OK. :p
0 -
@andrewoz: Ah, I think I now understand the issue. It will be hard to troubleshoot without an account at Heritage Bank Australia. :) I will discuss this issue with our team.
In the meantime, I would like to test something for me. Could you please try to install 1Password X and check how it fills your credentials on their website? Does the issue remain?
Thanks in advance!
Cheers,
Greg0 -
@andrewoz: This sounds like maybe your bank is looking for something to have been typed. Probably the password. Give this a try, would ya? Fill with 1Password X (so we know it won't autosubmit), then delete the last character and type it manually, then log in. Does that allow you to sign in? Thanks!
0 -
Hi @bundtkate. Tried that but still didn't work. Only works if I use the "Type in Window" from 1Password or type the whole password manually...
0 -
An oddity to be sure @andrewoz. Cool that type in window works, though! At this point, I'm fairly convinced this is something with the form and will require some digging to sort out, but given none of us have an account there, we'll probably need your help. I'm going to summon @littlebobbytables and see if he can lend his extensions and form filling expertise and get some better info about the form from you that may help us get this working better. If it is the form monitoring for typing, that might mean there's nothing we can do, but I never admit defeat until he says we should. I'll drop him a line internally as well so he can take a look. Hang tight for a bit and thanks for your patience. :chuffed:
0 -
Hi @andrewoz,
This page does pose a problem and so far I cannot see what might help. As you've already discovered, what you type into the field isn't what the page records. Instead each time you reload the page a new randomised mapping is created. So one time you visit the page typing
awill populate the field with1, another timeyand so on. When 1Password fills it tries to mimic typing but there are limitations. The extension sets the field to the characters stored in the Login item and then we fire a number of events to try and coax any needed response from the page and these take the form of various keyboard events likekeydown,keypress,keyupand other connected to a field's contents changing. Despite this the page doesn't react to our "filling" of the field. It means that when we fill your real password it isn't being mangled in the way we need it to for signing in to be successful.This looks like one of the situations where the best you can hope for is the autotype feature you've already found.
I don't know if it will help streamline stuff at all but one way of approaching this would be to save a new Login item using our How to save a Login manually in your browser steps but save after only filling the username field. Locate the new item and add a password field to the custom field section, don't use the normal password field. You could then use this Login item either to fill the loaded page or open-and-fill. You would then click on the password field, switch to 1Password for Windows and use the autotype feature which works on custom fields equally as well as it does on the standard username or password field. It's at best a small improvement in a less than ideal situation but it might feel a bit smoother as a result.
Given all the events we already try to fire I'm not sure we'll be able to modify the extension to better cope with the page. I apologise that I don't have anything more promising for now.
0 -
Thanks for trying @littlebobbytables ! Your suggestion does make it feel a bit smoother and may prevent the bank security staff from calling me to ask why I kept on forgetting my password :) (I was letting 1Password enter the credentials then using type to window to enter password after login failure...). Not as nice and smooth as the rest of the 1Password experience but I'm blaming the bank ;)
0 -
I'm glad @littlebobbytables was at least able to streamline things somewhat, @andrewoz! I summon him for a reason – it's rare he doesn't have some little trick up his sleeve to make things better, even when he's not able to make things perfect. Banks are fussy creatures and, while I understand the decisions they make, it is kind of hard not to get a bit grumpy with them at times like these. Hopefully, they'll improve over time and start to embrace the simplicity we consumers look for in the products and services we use, but until that day comes I'm glad you've got something that at least makes our best effort at coping with the insanity. Thanks so much for being patient and working with us on this and I hope 1Password has otherwise been making things easier and not harder. :chuffed:
0
