Okay... help me with the concept of "Generated Passwords"

Okay... I guess I must not be "getting" the intended workflow of using 1Password in this respect.

When I first started using the password generator in my browser, I'd use the "Fill" button, and it would fill in the password field on the web form, I'd click submit and then, my password would be changed, but I wouldn't know what the heck it was. 1Password didn't add it to my "logins" like it automatically does when I actually login.

So, what I ended up having to do is use the password generator, copy the password to the clipboard, and paste that password into the fields of the change-password page myself, and then go to the site's login page, and paste that password into the login page and then 1Password would ask if it should save that as a login item.

And now, on 1Password for iOS, I notice that there's a "Generated Passwords" section, but I couldn't make sense of it, because there were only 10 passwords in it, and I've used Password Generator to generate over a hundred passwords. So, something isn't making sense, here.

Now, since then, I've discovered that Generated Passwords is also in my PC version (it was turned off, somehow... probably when I was first exploring the program), and I've also discovered that I can access a password history with the button at the bottom of the Password Generator.

But that still doesn't explain why there are only 10 passwords in my "Generated Passwords" section. My first hunch is that this section only includes passwords which were pasted by clicking the "Fill" button, is that correct?

Second question is: How is the "Password History" button (in the browser plugin) different from "Generated Passwords"? Does it include passwords generated while at a site but not "Fill"ed? What if I delete an item from Generated Passwords; does it remain in the Password History? I've noticed that Password History only seems to show those associated with the site I'm currently visiting. Is there a way to see the entire history?

- Joe

Comments

  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    edited December 2012
    jemenake wrote:

    Okay... I guess I must not be "getting" the intended workflow of using 1Password in this respect.

    When I first started using the password generator in my browser, I'd use the "Fill" button, and it would fill in the password field on the web form, I'd click submit and then, my password would be changed, but I wouldn't know what the heck it was. 1Password didn't add it to my "logins" like it automatically does when I actually login.

    So, what I ended up having to do is use the password generator, copy the password to the clipboard, and paste that password into the fields of the change-password page myself, and then go to the site's login page, and paste that password into the login page and then 1Password would ask if it should save that as a login item.

    And now, on 1Password for iOS, I notice that there's a "Generated Passwords" section, but I couldn't make sense of it, because there were only 10 passwords in it, and I've used Password Generator to generate over a hundred passwords. So, something isn't making sense, here.

    Now, since then, I've discovered that Generated Passwords is also in my PC version (it was turned off, somehow... probably when I was first exploring the program), and I've also discovered that I can access a password history with the button at the bottom of the Password Generator.

    But that still doesn't explain why there are only 10 passwords in my "Generated Passwords" section. My first hunch is that this section only includes passwords which were pasted by clicking the "Fill" button, is that correct?

    Sort of. It also contains anything you generate from within the app itself. But if you just click the password generator without filling, it does not save the password (what would be the point?).

    Second question is: How is the "Password History" button (in the browser plugin) different from "Generated Passwords"?

    Generated Passwords are all the passwords you've generated and filled for any site plus those you have generated within the app. This is done so that you never lose a password (provided you don't delete them from there of course).

    Does it include passwords generated while at a site but not "Fill"ed?

    No, I think you have to fill before it makes it there otherwise they aren't really generated.

    What if I delete an item from Generated Passwords; does it remain in the Password History?

    I don't not 100% sure on this because I haven't tested it but I doubt it.

    I've noticed that Password History only seems to show those associated with the site I'm currently visiting. Is there a way to see the entire history?

    Generated passwords in the app.
  • jemenake
    jemenake
    Community Member

    Sort of. It also contains anything you generate from within the app itself. But if you just click the password generator without filling, it does not save the password

    It sounds like you just contradicted yourself. Either it contains all passwords you generate or it contains only passwords you generate and then click "Fill". Which is it?


    Generated Passwords are all the passwords you've generated and filled for any site plus those you have generated within the app.

    Okay... step me through that second way, whereby I generate a password "within the app" (whatever that means... the iOS app? The PC app? The browser plugin?), and then don't click "Fill", and have that password show up in Generated Passwords. How does one accomplish that?


    No, I think you have to fill before it makes it there otherwise they aren't really generated.

    I think you and I have different definitions of "generate". When I open the password generator, and there's a random sequence of characters in the text box, I consider that to have been "generated". When I move any of the sliders, and the characters all change, I consider another password to have been "generated". It sounds like you don't consider a password to have been "generated" unless it has been filled into a form.
  • khad
    khad
    1Password Alumni
    1Password only saves a Generated Password when you click the "Fill" button in the extension's generator (or the "OK" button in the generator in the main app). Otherwise you would overload your data with millions of generated passwords as you moved the slider. Why save a password that has been generated but not filled?

    Generated Passwords are a safety net. You can have several Generated Passwords for a site over the years after changing the password a number of times, but only one is current. That is the one that should be saved in the Login item for that site.

    They come in handy when "upgrading" your passwords from poor ones to strong ones. Please follow the steps in the User Guide carefully when changing a password on a site to a generated password.

    Changing a Login's Password

    The "Password History" in the extension will show only the [Generated] Password History for the site you are currently viewing. The complete history of all Generated Passwords is in the sidebar of the main app if you have enabled View > Generated Passwords.

    Please let me know if there is anything else I can help with.

    Cheers,
  • jemenake
    jemenake
    Community Member
    khad wrote:

    1Password only saves a Generated Password when you click the "Fill" button in the extension's generator... ...Generated Passwords are a safety net.


    Ooooookay! Got it. So, if all of my logins in 1Password are working, then I can delete the entries from Generated Passwords, I guess.

    khad wrote:

    Please follow the steps in the User Guide carefully when changing a password on a site to a generated password.

    Changing a Login's Password


    Uhhh... yeah. I read that after having a really frustrating time with trying to use the generator. I didn't know there was a Password History button, so I'd use Fill to fill in a form to change my password on a site, and then... >Poof<... my password on the site was changed, the generator had closed, and I had no idea what the password was.

    I quickly realized that the better workflow was to:
    1. NOT click "Fill", but just copy the password to the clipboard.
    2. Paste password into the "New Password" field in the webpage
    3. Log out of the website
    4. Go to the login page for the website
    5. Paste my password into the login form
    6. Tell 1Password to save the password (when it shows the little ribbon at the top of the browser).

    Now... keep in mind that that's the by-hand don't-have-1Password-do-any-of-this-for-me method. Now, let's look at how the User Manual says to do it:
    1. Click the 1Password button in your browser’s toolbar
    2. Select the Password Generator (the fourth section from the top represented by an icon of a safe dial).
    3. Click the Fill button to automatically fill the generated password into the website’s “new password” form field(s).
    4. Submit your new password to the site to confirm the change.

    and then...
    1. Click the 1Password button in your browser’s toolbar.
    2. Select the Password Generator.
    3. Click the “View password history” button. Your most recently generated password will be listed at the top.
    4. Click the circled > to the right of the generated password’s title to view its details.
    5. Click on the concealed password field to copy the password to your clipboard. The “copy” label will briefly change to “copied” to indicate that the password was copied.
    6. Select the Logins section (represented in the extension by a keyhole icon) and click the circled > to the right of the Login title you are updating.
    7. Click the Edit button and paste the newly generated password into the password field then click Save.

    Seriously? That's 11 steps. That's almost twice as many steps as doing things manually. For the life of me, since the first day I started using 1Password, I've never understood why 1Password doesn't offer to remember the password it just filled in from the generator for the website it just submitted it to.

    Imagine how many steps this would involve:
    1. Click the 1Password button in your browser’s toolbar
    2. Select the Password Generator (the fourth section from the top represented by an icon of a safe dial).
    3. Click the Fill button to automatically fill the generated password into the website’s “new password” form field(s).
    4. Submit your new password to the site to confirm the change.
    5. When the ribbon appears at the top of your browser asking "Save this password for all logins at { blahblah.com } ?", click "Yes".

    Or, it could be like the normal "Save login as { blahblah.com }" ribbon, it doesn't really matter. What matters is that 1Password should, when using the Fill feature from the Password Generator, offer to save the password you just filled over the existing one you have saved for that site (or create a new login if you don't already have a one for that site). And it never seems to do that for me.

    Oh, and another thing, while I'm at it...

    I've noticed that 1Password sometimes remembers 2 or more logins for a site. This is usually because the url's are a little different (like "http://www.blahblah.com/account_management/login.php/session_JKAFHHAGJHFG". LogMeIn does stuff like this, incidentally.).

    Now, it's pretty rare that you need multiple sets of credentials for the same domain name. There are cases, but they're rare. But 1Password seems to treat this as the default. Here's one annoying thing I've seen 1Password do.
    1. I go to http://blahblah.com/order_checkout.php and enter a username and password, and tell 1Password to remember it.
    2. Later, I go to http://blahblah.com/..._management.php and enter the same username and password. 1Password asks if it should remember it, and tell it to do so.
    3. 1Password saves them as separate logins.

    Why doesn't 1Password... 1) realize that I'm entering the same login credentials for a different document path at the same domain and then, 2) offer to adjust the saved URL for the login to be the longest common piece which appears in both URL's (in this case, "http://blahblah.com/")? The thing about 1Password which eats up the most of my time is that I have to, periodically, go through my list of logins, find duplicates, make sure they all have the same username/password, delete all but one, and then change the URL stored in it so that it applies site-wide. And it's silly that I have to do this when, as I said, the vast majority of the time, you only need one username/password for an entire domain name.

    One nice thing is that 1Password would only have to ask this once per domain, and then it could save that as a flag for that domain. If you have a login saved for "http://www.blahblah.com/AAA" and, later, you manually enter another username and password at "http://www.blahblah.com/BBB", then 1Password could ask "Use these same credentials for all logins at { www.blahblah.com }?". If you say "Yes", it would mark the login as being "site-wide" and/or adjust the saved URL to be "http://www.blahblah.com/" and update the saved username and password. If you say "No", then 1Password would mark the existing saved login as being for a site with multiple logins, and then offer to save the one you just entered (and will mark that as being for a site with multiple logins). Then, if you go back to that site and enter a third set of credentials, it wouldn't even have to ask you if you wanted site-wide credentials; it would know that you didn't, and it would just offer to save that username/password as a new login.
  • khad
    khad
    1Password Alumni
    edited December 2012
    Ooooookay! Got it. So, if all of my logins in 1Password are working, then I can delete the entries from Generated Passwords, I guess.

    I wouldn't. That sort of defeats the purpose of a safety net, don't you think? ;)

    I don't disagree with much else you wrote. There is always room for improvement and combining the "update password on site" and "update local copy" into a single procedure is something we're looking forward to doing. I don't have a time frame, but it is certainly on our radar.

    I split the rest of your post into a separate thread, though since it is a completely separate issue.
This discussion has been closed.