1Password Anywhere, autotype, the MAS and TD Bank

Maggie

I hope it's ok to put three topics in one post.

My main question is can I delete the 1Password.html file from the agile keychain? Is this safe to do, and will it just be re-created the next time the file is updated? Having this file hanging around on the web makes me uncomfortable. And could you please add an option to the preferences to not create the file? When I'm away from home and need a password, I look it up on my iPhone. Since a certain amount of my work involves removing viruses from infected PCs, if I were to open the file on a machine with a keystroke logger... (Due to my extreme paranoia, I have never had any kind of malware on any computer I've ever owned, and I've been computing nearly every day since the mid-70s.)

Reading the forum looking for this answer, I found the autotype suggestion in the thread at http://discussions.agilebits.com/discussion/12315/menubar-in-1password-mac-4-website-version. I would like to second that suggestion. I would also like to have the menubar icon if it eventually provides something useful -- I'm sort of fond of these sorts of things.

A couple of minor features you mentioned in the FAQ about the App Store vs. your website sounded interesting to me, but not enough to buy a second copy, mainly because I REALLY dislike the MAS. [Long rant deleted] Have you stopped development on the edition not available on the MAS and will 1Password 4 be available directly from you, or will I have to get it from the vile App Store?

I wrote you an email a few months ago about a problem with TD bank. The solution you gave didn't work, or the video you provided didn't clue me in sufficiently. I have since moved that user back to Safari, but he is now having difficulty NOT using 1Password for that one website. Asking TD bank to fix their security procedures is probably pointless. Can you give me some more specific instructions for using 1P / Safari to logonto TD bank? I think part of the problem is that I don't learn well from videos that don't even have narration or subtitles.

khad

Good questions. I'll try to address all of them in order. :)

1. The 1Password.html file will indeed be recreated if you delete it, so it is safe to delete. It will just come back. Its presence creates no security issue, though. A keylogger would only be able to capture your master password if you typed it on a compromised machine. So if you just don't use 1PasswordAnywhere (or don't use it on an untrusted machine) the existence of 1Password.html makes no difference. None of your data is in the HTML file. 1PasswordAnywhere pulls the data directly from the same files that comprise your data and are read by the main 1Password application. 1PasswordAnywhere essentially is your data file.

2. Noted. Thanks for your vote. :)

3. There really aren't any differences between 3.8 and 3.9 except things related to application sandboxing. You have me curious. What features sound interesting to you in 3.9 that are not in 3.8? Any new purchase of a 1Password 3 for Mac license in 2013 (direct from us or on the Mac App Store) comes with a free upgrade to 1Password 4 for Mac when available. We love the Mac App Store, and so do the majority of our customers, but the choice will be yours for version 4 just like it is for version 3. ;)

I hope it's ok to put three topics in one post.

4. Hey, this is more than three. :P I dug up your existing support ticket in our email support system. Kyle had asked you if things were resolved, but we never heard back from you after that.

Here are the steps I just performed to get a working TD Bank Login item.

1. Visit the site's login page: https://onlinebanking.tdbank.com
2. Enter your credentials, but DO NOT submit the form.
3. Click the 1Password button in your browser's toolbar, and select the "+" button in the upper right hand corner.
4. It looks like you will need to manually enter the username in the details at this point. TD Bank has coded the site in such a way to make the automatic capture of it difficult for 1Password.
5. Change the title and make any notes (if desired).
6. Click the Save button in the upper right hand corner.

Using the above technique I was able to save and fill a sample login at:

https://onlinebanking.tdbank.com

Manually saving a new Login can be useful for logins that are either problematic to begin with or were once working but have since stopped. Saving a new Login item allows 1Password to refresh everything it "knows" about the page. Login pages often change as websites are updated and this can be a necessary but very useful tip. :)

If you are still having trouble, please try disabling autosubmit for that Login and let me know if that resolves the issue. It looks like autosubmit may need to be disabled, but I don't have an account there. I was not able to verify autosubmit because of this.

I hope that helps. Please let me know.

LZX-16795-451

Maggie

1. When, or what causes the html file to be re-created? Regardless of your assurances, I'd be happier if it wasn't there. Maybe this will be the push I finally needed to learn more about creating and scheduling my own services on my Mac. I would still like it if you could make the creation of this file optional, and I'll bet there are a few extra-paranoid folks out there (especially current and/or former Windows users) who would vote for this. Looking up the password on my iPhone is no hassle compared to the warm feeling of safety.

2. Mainly the menubar option. The simplified help menu might be good, though I'd have to see it before I could cast a vote on it.Removal of settings for things no longer available. (Now that Ive seen this, I am wondering what they are -- as I've had it set the way I want it for quite some time, I don't open the preferences window often.) Some of the other "features" of the MAS edition of 1P are decidedly things I'd hate if they had any effect on me. I'm glad that 1P v.4 will still be available on your website. Do you expect the feature upgrades to move in step between the MAS and AgileBits store editions?

3. Sorry about not getting back to you on the TD thing. Basically, I thought that the user had lost interest, but it turned out that the real problem is that he had no idea how to log onto the bank without using 1P, despite the fact that he is barely able to use 1P correctly any of the time with any website. I will try your suggested steps, probably some time next week. I do not mind manually entering the username in the details.

4. New question, related to the TD bank answer: It would be nice if you could provide a guide as to exactly how these details work. I have managed to make sense of much of it, but some still remains a complete mystery. Why, for example, do the field names not always match what I see on a web site? (I can guess; this happens to be the only example I can come up with right now because I am trying to do too many things at once.)

Thanks so much for your top-notch support.

khad

When, or what causes the html file to be re-created?

Launching 1Password will recreate the file.

I'm not sure how the existence of the the file is any sort of security concern, though. Your data is encrypted with AES and key strengthened with PBKDF2. The existence of 1PasswordAnywhere provides no shortcut. There is no shortcut apart from some sort of keylogging that you already mentioned, but this is easy to avoid by simply never entering your Master Password in 1PasswordAnywhere.

I'm really trying to understand what scenario you are trying to protect against in removing the HTML file. All of your data is still there even if you remove the HTML file and can be attacked in the same way. The HTML file would be useless to an attacker. They would simply ignore it since they can attack the data directly. Why would an attacker go through the relatively slow JavaScript interface to attack your data file when they can attack it directly with a tool like John the Ripper? Even John the Ripper doesn't stand a chance if you use a strong master password, though.

Deleting the HTML file seems a bit like "security through obscurity" which is no security at all. It would merely be the illusion of additional security. Perhaps there is something I'm not thinking of, though. Please let me know.

Mainly the menubar option.

Yeah, right now the menu bar icon doesn't really do much of anything. I don't think anyone on the team actually uses it. As explained in that other aforelinked thread, it was only added out of necessity. :)

I will try your suggested steps [for the TD Bank Login], probably some time next week.

Please let me know how it goes. I'd love to get it resolved for you.

Why, for example, do the field names not always match what I see on a web site?

The field names are extracted from the page's HTML source. They do not necessarily correlate to text displayed on the visible page in many instances. For example, a site could use the description "Username" for a field on a page that you see in your browser, but the underlying code could call the field "uname", "user", "usernameField", "nameOfUser", or literally anything else the developer of the site wants to call it. 1Password learns the actual field names from the source code which are what matter when matching fields to fill. The page layout and visual representation may change but the field names may remain the same under the hood.

Thanks so much for your top-notch support.

You're too kind. It is my pleasure to help. I hope I have.

helpmehelpu

I am a four-plus year user of 1Password and for more than the last year have not been able to use it successfully to log into TD Bank. And it's very frustrating. I followed the instructions above and they did not work. I would appreciate it if someone from AgileBits would open an account at TD and figure out how to get 1Password to work with the site. I've got to believe there are more people beside me who have this issue.

Megan

Hi @helpmehelpu,

I'm sorry to hear that you are having difficulties logging in to TD. Here are the steps I just used to create a successful login:

• Open https://easywebsoc.td.com/waw/idp/login.htm?execution=e1s1
• Input Access Card information
• Un-check 'Remember Me'
• Input Password
• Click on the browser extension to save a new login (In 1Password 3 for Mac this will be a '+' button, in 1Password 4 for Mac you will see a gear icon)
• Name it something unique, and you're done :)

Please try this and let me know how it goes for you!

helpmehelpu

Megan--I just saw this now. That's a great suggestion; unfortunately, the link you provided leads to TD Bank Canada and I need TD Bank US. Any suggestions to change the link?

Megan

Hi @helpmehelpu,

My apologies there. I've done some testing for TD Bank US via https://onlinebanking.tdbank.com/. I was able to get a Login (with dummy information) to work by using the following steps:

• Enter username and password on https://onlinebanking.tdbank.com/
• Click the 1Password key (either in browser or menu bar)
• Select the gear icon (Settings menu) > Save new login
• In the Main App, go to Preferences > Browser and uncheck 'Animate Form Filling'
• Delete your information on the site
• Hit Cmd \ to test out your shiny new Login - it should fill and submit :)

Please let me know how this works for you with proper account information. If I'm still testing the wrong site, please send me the URL that you use for logging in and I'll see what magic I can work there!

kenyandave

It works, sort of... I get a message that the field is incomplete and an okay button. When I hit the okay button I'm logged in... would be nice not to get the message. Thanks for the post

Megan

Hi @kenyandave,

I just created another Login to test and it still behaves properly for me. Could you tell me what browser you are using (and just confirm for me the version number of 1Password and your operating system.)