Why are duplicate Login items created?

khadkhad Social Choreographer

Team Member
edited December 2012 in 1Password 4 for Windows
[font=helvetica, arial, sans-serif]I've noticed that 1Password sometimes remembers 2 or more logins for a site. This is usually because the url's are a little different (like "http://www.blahblah.com/account_management/login.php/session_[/font]JKAFHHAGJHFG[font=helvetica, arial, sans-serif]". LogMeIn does stuff like this, incidentally.).[/font]

[font=helvetica, arial, sans-serif]Now, it's pretty rare that you need multiple sets of credentials for the same domain name. There are cases, but they're rare. But 1Password seems to treat this as the default. Here's one annoying thing I've seen 1Password do.[/font]
[font=helvetica, arial, sans-serif]Why doesn't 1Password... 1) realize that I'm entering the [/font]same[font=helvetica, arial, sans-serif] login credentials for a different document path at the same domain and then, 2) offer to adjust the saved URL for the login to be the [/font]longest common piece[font=helvetica, arial, sans-serif] which appears in both URL's (in this case, "http://blahblah.com/")? The thing about 1Password which eats up the most of my time is that I have to, periodically, go through my list of logins, find duplicates, make sure they all have the same username/password, delete all but one, and then change the URL stored in it so that it applies site-wide. And it's silly that I have to do this when, as I said, the vast majority of the time, you only need one username/password for an entire domain name.[/font]

[font=helvetica, arial, sans-serif]One nice thing is that 1Password would only have to ask this once per domain, and then it could save that as a flag for that domain. If you have a login saved for "http://www.blahblah.com/AAA" and, later, you manually enter another username and password at "http://www.blahblah.com/BBB", then 1Password could ask "Use these same credentials for all logins at { www.blahblah.com }?". If you say "Yes", it would mark the login as being "site-wide" and/or adjust the saved URL to be "http://www.blahblah.com/" and update the saved username and password. If you say "No", then 1Password would mark the existing saved login as being for a site with multiple logins, and then offer to save the one you just entered (and will mark [/font]that[font=helvetica, arial, sans-serif] as being for a site with multiple logins). Then, if you go back to that site and enter a third set of credentials, it wouldn't even have to ask you if you wanted site-wide credentials; it would know that you didn't, and it would just offer to save that username/password as a new login.[/font]


I split this post from the other thread since it is a separate topic and I want to make sure you get the attention you deserve. I hope you don't mind. :)

There are a couple factors at play here.

1. The 1Password extension will never automatically save a Login item without your explicit instruction.

2. If you already have a Login saved for a given domain (not just a specific URL, but the entire domain) and [crucially] use 1Password to fill the Login then 1Password will not prompt you to save a Login again.

If you have duplicates it is because you are saving them. That said, 1Password shouldn't be prompting you.

Can you confirm for me that you have disabled your browsers' own password manager as we recommend in the User Guide? If your browser is filling in the data rather than 1Password, then 1Password won't be able to check to see if it has already been entered.

Leaving your browsers' password manager enabled makes things both more confusing (“I thought I already saved that!”) and less secure (for more information on the security implications, try Googling for ”browser password manager security”).

Please let me know if you're still having trouble.

Comments

  • khad wrote:
    There are a couple factors at play here. 1. The 1Password extension will never automatically save a Login item without your explicit instruction.


    Noted. But I don't keep a manual log of which logins I've had 1Password save and which ones I haven't. I'm kind of relying on 1Password to alert me to ones which it considers to be new. This gets back to my original point about how 1Password, when I tell it to save a password for a different URL but the same host address (meaning that only the path-info is different) as a password which it already has stored, then its first suspicion should be that I'm visiting a site which has a few different URLs for logging in... and that I might want to "promote" that saved username/password to be site-wide for that host address... so it should ask me if I want to do that (as opposed to saving the same username/password info for two different URLs at the same site).

    khad wrote:

    2. If you already have a Login saved for a given domain (not just a specific URL, but the entire domain) and [crucially] use 1Password to fill the Login then 1Password will not prompt you to save a Login again.

    If you have duplicates it is because you are saving them. That said, 1Password shouldn't be prompting you. Can you confirm for me that you have disabled your browsers' own password manager as we recommend in the User Guide? If your browser is filling in the data rather than 1Password, then 1Password won't be able to check to see if it has already been entered.


    Well, that may be the issue. I'm still using Chrome's auto-fill, for a few reasons:
    1 - It already knows all of my passwords to the sites I visit. The easiest way to train 1Password was to just visit all of the sites I know of and let Chrome auto-fill as I log in and then tell 1Password to save the login that it just saw happen.
    2 - I sometimes visit these sites from my iPad or iPhone, and Chrome can auto-fill on those platforms (yes, I know that the new 1Password has a little browser in it, but I don't want to part with some of the features in Chrome). In order for Chrome on iOS to have all of my passwords, I need to have Chrome on my PC saving them. I had just assumed that Chrome wouldn't store form contents unless auto-fill was enabled (I figured that they were a package deal), but now, looking at the settings in Chrome, I realize that I can turn auto-fill off while still leaving form-content-saving on.
    3 - I didn't think that 1Password did un-prompted form filling. When I visit a site that 1Password has in my database (like, ebay.com, say) and if Chrome does not have saved info for that site (and, so, doesn't fill in any form elements), 1Password doesn't either. I end up having to go up to the 1Password plugin drop-down menu, and specifically click on the "ebay.com" listing at the top of the drop-down.

    But I want to touch on something you drew attention to: "...[font=helvetica, arial, sans-serif] If you already have a Login saved for a given domain (not just a specific URL, but the entire domain)...".[/font]

    Now... I'm not sure if you've actually watched users using your product, or if you've asked them what is going through their head, but here's how it goes:
    • User visits site for first time. The URL is something like www.store.com/checkout.php. When submitting their new password, 1Password offers to save it as "www.store.com". User wants it site-wide so they tell 1Password to save it as "store.com" (which, it seems, doesn't change anything about how 1Password matches the URL, it just changes the human-readable name it's listed under).
    • A few weeks go by. User decides to check on their order or whatever. They go to www.store.com/myaccount.php and are prompted for a username/password.
    • User thinks "Hmmm. I thought I saved a username/password for this. Guess I was wrong".
    • So, they open up 1Password and look and they see "store.com" listed there... and they think "Hmph... that's odd.".
    • They open up the "store.com" entry in 1Password and copy the password to the clipboard and then paste it into the web-form they're currently on.
    • 1Password prompts them, again, if they want to save the form contents.
    • User doesn't want to do this cut-n-paste thing in the future, so they tell 1Password to save... again, editing the "www.store.com" down to "store.com".
    • A few weeks go by, and the user goes back to store.com a third time. This time, they're viewing a product and they want to add it to their wishlist, so the site wants them to login, so they get a login form at www.store.com/login.php?return-to=product:37245.
    • Again, 1Password doesn't fill in the form.
    • User opens 1Password to get it manually and, now, they find two entries for "store.com".
    • Now... which one should they pick?

    Anyway, I'll turn off Chrome's auto-fill feature for a little bit and see if 1Password does a passable job of form-filling.
  • khadkhad Social Choreographer

    Team Member
    I'll turn off Chrome's auto-fill feature for a little bit and see if 1Password does a passable job of form-filling.

    It should work just fine once you disable your browser's password management.

    User thinks "Hmmm. I thought I saved a username/password for this. Guess I was wrong".

    If you are viewing any page on the [font=courier new,courier,monospace]example.com[/font] site any already-saved [font=courier new,courier,monospace]example.com[/font] Login item is listed at the top in the "Fill and Submit Login" section. One click fills and submits.
  • The most frustrating thing about using 1Password is the duplicate login problem that is perfectly explained by jemenake. After browsing through my logins I can see that about 60% of them have duplicate entries due to this problem with the Chrome integration constantly asking me if I want to save the login again. Note that I've turned off auto-fill a long time ago hoping it would fix the problem but it happens constantly.

  • khadkhad Social Choreographer

    Team Member

    It sounds like you are dealing with a separate issue then. The issue above was related to something other than 1Password filling in credentials on a site where there is already a saved Login item.

    If you are using 1Password to fill a Login it should absolutely not prompt you to save a duplicate of the Login item you just filled. Can you give me the steps to reproduce the issue including the specific URL? I'd love to take a look and get this sorted out.

    Thanks!

  • I have exactly the same issues as described here: multiple saved logins for all pages. In Chrome&FF&IE&Safari on Win7 Pro.

  • khadkhad Social Choreographer

    Team Member

    Please be sure to read my post at the top of this thread.

    Can you confirm for me that you have disabled your browsers' own password managers as we recommend in the User Guide? If your browser is filling in the data rather than 1Password, then 1Password won't be able to check to see if it has already been entered and you will be prompted to save a Login even if one already exists in 1Password. To avoid this simply disable your browsers' password managers and/or decline the prompt when it appears. A duplicate will not be created.

    Let me know if you're still having trouble.

  • Hi,
    I have the same problem that Jemenake so well described (duplicate logins for the same site.) Google Chrome never fills in my passwords.
    I have typed in my own username and password (I remembered them) and get the "save?" form 1Password. I click yes and then I have several entries for the same site on my password chain. Now when I save any of them, I type the date I did it along with the name of the site.
    If I simply use the 1Password log in all the time, this won't happen?
    Thanks.

  • khadkhad Social Choreographer

    Team Member

    If I simply use the 1Password log in all the time, this won't happen? Thanks.

    That should be the case, yes. Please let me know if you are being prompted after using 1Password to fill in your Logins.

  • I think what frustrates me about this process is that I will often visit a website and type my password manually just out of habit. 1Password then jumps into action and asks me to save it via the Chrome plugin. I enter my master password (thinking: hmm..doesn't it already have this one saved?) and go ahead and save it. I then open the 1Password app and, sure enough, it's saved a duplicate entry for exactly the same URL that's already in the database.

    My assumption here is that the 1Password database is still locked when I enter the website password and 1Password doesn't yet know that it's in the database. Once I enter the master password, it should definitely know that it's trying to create a duplicate and either not do it or at least advise against it. Your comment above ("[crucially] use 1Password to fill the Login") has the effect of unlocking the database, so perhaps it's better able to see that the entry already exists.

    Is this a plausible explanation? It just happened like that for wwws.mint.com, and the two entries that I have are identical in title, URL, and all parameters except for the thumbnail (for some reason). Surely, at the time that it's saving a password, it can be a bit smarter about whether it's going to duplicate an existing entry.

    Granted, this is different from the multiple URL issue described above (which does happen), but it also results in duplicate entries for me.

    Rob

  • khadkhad Social Choreographer

    Team Member

    I think what frustrates me about this process is that I will often visit a website and type my password manually just out of habit. 1Password then jumps into action and asks me to save it via the Chrome plugin. I enter my master password (thinking: hmm..doesn't it already have this one saved?) and go ahead and save it. I then open the 1Password app and, sure enough, it's saved a duplicate entry for exactly the same URL that's already in the database.

    I completely understand the frustration. Unfortunately, if you don't fill the Login with 1Password there is not a way for 1Password to check to see if a Login with that same password already exists.

    There are two things I would suggest which will help if you are willing to follow them:

    1. If you can type your passwords by hand you likely are not using 1Password as it is intended to be used. Obviously the choice is yours, but 1Password is designed to store strong, unique passwords like T9W+UKD-8_!gV731=om&IeFh'fu9?sG5QToGBz=y9AEc#UE58G and fill them automatically so you don't need to (and realistically can't) remember them. :)
    2. Then you would be essentially forced to use 1Password to fill your Logins. But even if you don't change your password(s) using the password generator, I would still recommend making CTRL+\ a habit when you come to a login page. Then if 1Password doesn't fill your password you can assume there is no Login saved and perhaps log in manually. 1Password will then ask you to save the password for the first time, and you can follow the instructions in the User Guide to change the password to a generated one.

    Does that help at all?

  • rccolemanrccoleman
    edited July 2013

    I had gotten into the habit of using command/control-\, but I found that it often didn't work for mysterious reasons. I suspect that the "helper" app would sometimes stop (crash or otherwise) and I'd find myself frustrated that the keyboard shortcut wasn't working. In any case, I understand that the automation is a large part of your strategy and I admittedly haven't taken advantage of it much lately. There are also some websites (like DirecTV) that go out of their way to hide their initial login fields using Javascript and that seems to get in the way of 1Password's automation. Luckily, they're in the minority.

    I'd like to reiterate one of my comments above:

    Surely, at the time that it's saving a password, it can be a bit smarter about whether it's going to duplicate an existing entry.

    I still think that this is possible once you've unlocked the database, and it may help avoid some of the mysterious "why do I have duplicate entries?" comments.

    Rob

  • khadkhad Social Choreographer

    Team Member

    I still think that this is possible once you've unlocked the database, and it may help avoid some of the mysterious "why do I have duplicate entries?" comments.

    Yes, of course. But it is not possible to check this unless 1Password itself is doing the filling.

    If you're having trouble with the keyboard shortcut or with filling Logins (even without the keyboard shortcut), please let me know some more details. I would love to help. In the case of trouble filling Logins, we would need to know the URL. Perhaps creating another thread would be best for the separate issues.

  • bjavorbjavor Junior Member

    Hi

    Sorry to drop in on this thread, but I have the same problem/frustration and I wanted to add something to what's been already said...

    I also have (currently) enabled the automatic saving/filling of passords in Chrome. As mentioned above, this may be the cause of the problem. However I wanted to add that the reason I have it enabled is so that in most cases I do not need to type anything! I can just hit the Login button on most sites an be logged in automatically. (I know this is less secure, but this is my own desktop PC at home and noone has access to it. I'm mostly using 1password as a backup/master storage for all my passwords...) Would I disable that I would need to constantly type in my 1password master password to unlock the 1password extension as it gets locked every time I close Chrome. Perhaps I would not need to do it every single time but quite often as I usually don't keep an open Chrome window around when I'm not needing it. And if I wanted to type in a password (almost) every time I login somewhere, then I might as well just type in the site's password directly...

    I guess the point of the somewhat lengthly rant is that it would be nice if one could at least keep the extension permanently unlocked until you reboot similarly as you can do it with Safari on the Mac if I remember correctly.

  • khadkhad Social Choreographer

    Team Member

    The problem is that 1Password can't check to see if there is an existing Login item in your data file unless 1Password is the one doing the filling. There are a few different solutions.

    As you mentioned, one simple solution is to just make sure 1Password is unlocked. You can adjust your security settings so that 1Password is always unlocked when you are at your computer.

    • If you disable 1Password's auto-lock settings 1Password will stay unlocked all day long. You will only need to type your master password after a fresh login to your Windows account.

    • If you use a laptop, enabling only the "Lock when your computer is locked" option means that 1Password will stay unlocked until you close the lid on your laptop. A convenient way to stay secure on the go!

    The latter is what I myself do. I only type my master password once per session (which is usually once at the start of the day). When I am done working I just close the lid and know that 1Password is secure.

    Some other options:

    1. When prompted to save a new Login simply decline to save it. 1Password will not save a [duplicate] Login unless you tell it to.
    2. Disable autosave. Many on the team here prefer to manually save Login items on their own terms using the + button in the top right corner of the extension popup. Autosave is most helpful for folks who need a bit more hand holding but can be annoying to advanced users.
    3. Use 1Password to fill your Logins. This is probably the best solution since it means you don't have to really change any settings. It is how 1Password was designed to be used. And it will also make logging in to websites a lot more convenient. Just press CTRL+\on your keyboard while viewing a login page. 1Password will log you right in, and you will never be prompted to save a Login when you already have one saved. You can also select the Login from the extension popup using your mouse, but CTRL+\ sure is a handy shortcut. :)

    Regarding option 2, many of us on the team keep autosave disabled. It's great for folks who need some more hand-holding, but advanced users like yourself often prefer to save Logins manually using the + button on an as needed basis.

    1. Visit a site's login page.
    2. Enter your credentials, but DO NOT submit the form.
    3. Click the 1Password button in your browser's toolbar, and select the "+" button in the upper right hand corner.
    4. Change the title and make any notes (if desired).
    5. Click the Save button in the upper right hand corner.

    Then you'll never be prompted by 1Password. 1Password will simply and quietly await your order. :)

    I hope that helps. Please let me know.

    Cheers!

  • bjavorbjavor Junior Member

    Many thanks for the reply!

    The manual adding seems like a good idea actually!

    Also for some reason I seemed to have remembered that the stay unlocked feature only worked with IE on Windows, but after checking it seems to work fine on Chrome as well. I stand corrected. Sorry!

    It's not really that important, though I find it a bit perplexing how 1password cannot check if the site is already in the database unless it filled the login itself. One would assume that in order to save the login it would need access to the database. And if it has access to the database then it could just do a quick query before saving in order to establish if a similar login is not already saved... Though I guess I'm missing some internal technical detail here... But as I said, not that imprtant, just strange...

    Many thanks again!

  • khadkhad Social Choreographer

    Team Member

    Great news! Thanks for letting me know that everything is working well. :)

    If we can be of further assistance, please let us know. We are always here to help!

  • I find it a bit perplexing how 1password cannot check if the site is already in the database unless it filled the login itself

    1Password cannot check if the login is already in the database unless it is unlocked. When 1Password fills the login itself, then it is has been unlocked.

    One would assume that in order to save the login it would need access to the database.

    Correct, and that is why we ask you to unlock the 1Password database on auto-save.

This discussion has been closed.