Partial passwords when logging in to some websites

Some websites ask for subsets of characters from passwords when logging in (e.g. characters 1, 3, and 10 from a password). The requested characters will change the next time I log in.

When accessing these websites I open the 1Password app and then reveal the password to identify the characters I need. I then manually type the characters into the relevant fields on the website. Having to reveal the password in 1Password seems incredibly insecure as it exposes it to anyone watching over my shoulder.

Is there a better (more secure) way of interacting with these types of login flows?

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Yaron

    Team Member
    edited August 11

    Hey @omzaz,

    The only way to make this process more secure is to send a strongly opinionated email to that website's developers, telling them that this process is useless, and that there are far better alternatives (that are more secure as well), such as a one-time password or two-factor authentication.

    Honestly, I don't know why this kind of login workflow ever got implemented in the real world. I'm baffled by how something that is not user friendly at all got out. But in order to work with it, the only suggestion I have for you is our Large Type feature:

    • Click the 1Password extension in your browser.
    • Select the relevant login and click the little arrow on the right of the password field.
    • Select "Show in large type".

    Large Type will show you the password on the screen with the number of each character in the password, which will greatly help you to fill this form. However, it will not address the security concern you have, as it will show the password in huge lettering on your screen. As I've said, the best course of action here is to talk the website developers into a more sane (and secure) login method. I mean, if someone already has your password, how is it more secure to have that process?

    I hope you will find this info useful. :chuffed:

  • omzaz
    edited August 12

    Hi @Yaron

    Of the websites I use there are perhaps a dozen which implement this type of login flow. They are usually financial institutions. So even if one or two change their login flow as a consequence of customer requests (I suspect unlikely with financial institutions), it's still not going to have a meaningful positive impact on me in the foreseeable future.

    This has been an issue for many years and it has always seemed to me that 1Password could provide a much better solution than Large Type, and one that would probably be relatively easy to implement. Instead of (or in addition to) Large Type, why not have a feature where we could manually and on-demand specify which characters we want to see and then show us only those characters? Call it "selective expose" or something similar. This could even be done one character at a time and could potentially stay hidden from view. We specify a number, you immediately load the character at that position to the clipboard, and then we can paste that into the relevant password field. We then repeat for each requested character. Such selective exposure or selective copy would seem to me to be a lot more secure than exposing the entire password via Large Type.

    Also regarding Large Type: it only seems to show the number position of each character on desktop. On mobile it does not show the number position, so it is not much help for this type of login flow on mobile.

  • brenty

    Team Member

    @omzaz: Thanks for the clarification! It wasn't clear from your original post what platform/versions you were using. Glad we're on the same page now. :) While it doesn't often come up (probably because having to do that dance at all on a mobile device is unwieldy), the character numbering is something we'd like to add to Large Type in the mobile app in the future as well.

    As you point out, some of the "security" measures websites put in place can be quite a pain, and, ironically, can potentially make you less secure, though most often that's because when people are faced with these kinds of hurdles, they just use weak passwords they can remember and type easily. When websites "go it their own way" and "roll their own securitay" like this, eschewing web standards, it really isn't possible for 1Password to understand or do anything useful with it. As Yaron mentioned, our best hope as users is to encourage companies to stop making it harder for us to be secure, as that benefits them as well. If it helps, we had a blog post on this very subject a while back:

    An open letter to banks

    That could either be a source of inspiration when writing to your bank in your own words, or, honestly, feel free to link to it directly, as it covers a lot of ground. The important thing is that we make our voices heard. My bank used to allow only 8-character passwords, and had a number of other hoops users had to jump through which wouldn't make things any harder for attackers, only their customers. That's changed over time, and I can only imagine that's as a result of feedback from myself and other customers. Otherwise there's just no incentive to spend time and money making changes. It doesn't happen overnight, as there are often legacy systems that will need to be updated or replaced outright. But progress needs to start somewhere, and having actual people say that they would appreciate improvements to login security is a good motivator.

    Another thing that I think Yaron was hinting at specifically with these "character n of password" prompts is that for that to even work, they pretty much need to know your actual password, and that means it could be stolen from them. Nowadays many websites are taking advantage of better security to protect their users and themselves by not caring what the password actually is, but instead saving a salted hash of it to compare against later when you log in. This allows them to not restrict the length and composition of your password, since a fixed-length hash is created no matter what, and also not be in a position to have user passwords stolen from them -- which, frankly, is better for everyone: if they do it right, a website breach doesn't hurt their users or their reputation the same way it does when accounts get compromised. Everybody wins. :)
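As an added illustration of brenty's point (example code, not from the thread or from 1Password), here are two toy server-side storage models: a salted-hash record that can only ever check the whole password, and the recoverable record that a "character n of password" prompt forces a site to keep. The sample password, iteration count and record layout are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor (constructed value for this example)


def enrol_hashed(password: str) -> dict:
    """Full-password site: keep only a random salt and the PBKDF2 output.
    The plaintext is discarded, so a dump of this record reveals no password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, candidate: str) -> bool:
    """Recompute the hash over the whole submitted password; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def enrol_partial(password: str) -> dict:
    """Partial-password site: to check "character 1, 3 and 10" later, the server
    must keep the password in a recoverable form (plaintext here; reversible
    encryption with a server-held key is equivalent once that key is in the dump).
    Hashing the whole string gives no way to test three positions on their own,
    and hashing each position separately would protect nothing, because each
    position is drawn from an alphabet of only ~95 printable characters."""
    return {"password": password}


def issue_challenge(record: dict, k: int = 3) -> list:
    """Pick k distinct 1-based positions, as the sites in the thread do on each login."""
    n = len(record["password"])
    return sorted(secrets.SystemRandom().sample(range(1, n + 1), k))


def verify_partial(record: dict, positions: list, chars: str) -> bool:
    """Compare the submitted characters with the stored plaintext at those positions."""
    stored = record["password"]
    if len(chars) != len(positions) or any(p < 1 or p > len(stored) for p in positions):
        return False
    expected = "".join(stored[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), chars.encode())


def plaintext_in_dump(record: dict, password: str) -> bool:
    """Would a raw copy of the stored record contain the user's password?"""
    raw = b"".join(v if isinstance(v, bytes) else v.encode() for v in record.values())
    return password.encode() in raw
```

Running `plaintext_in_dump` on both records shows the asymmetry brenty describes: the hashed record never contains the password, while the partial-password record must.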
