Logging in with randomly selected password characters

marioo
Community Member

When I log in to my bank account I have to provide my identifier first, and then I'm asked for several randomly chosen characters of my password. I tried to use 1Password in such cases, but it fails to fill in the password form correctly. The thing is that the form consists of multiple input boxes, and only some of them are enabled. These ones have to be filled in with appropriate characters of the password (only one character per input box).

See the attached picture or try this login method online: https://aliorbank.pl/hades/do/Login or https://online.ingbank.pl/bskonl/login.html. Just type in any random ID first and confirm it to see the password form. This authentication method is used for instance by Alior Bank, ING, and probably many other banks (in Poland at least).

Would you consider implementing support for this kind of form in 1Password, or let me know how to fill them in using it if that's already possible?

Thank you!


1Password Version: 5.3.2
Extension Version: Not Provided
OS Version: 10.10.4
Sync Type: Dropbox
Referrer: kb-search:bank

Comments

  • Stephen_C
    Community Member

    It's very difficult to have automated support for that (because obviously the login fields change on every visit) but the version of 1P for Mac currently in beta testing will help you with logins like that. There's an option to display your password in large type with consecutive numbers under each character of the password so you can see at a glance what you need to enter.

    Stephen

  • Drew_AG
    1Password Alumni

    Hi @marioo,

    Thanks for taking the time to ask us about this! As Stephen mentioned, it's extremely difficult (if possible at all) to support automatic filling of fields that ask for random characters from your password. There are some suggestions in this discussion that might be helpful for now, but this will actually be much easier with the new large type option for passwords that our developers have added to a recent beta (which Stephen also mentioned), and you can see an example of that here. Barring any unforeseen circumstances, that feature should be included in the next update.

    If you have more questions about that or need anything else, please let us know. :)

  • marioo
    Community Member

    Understood. Thank you for your quick responses.

  • Vee_AG
    1Password Alumni

    Hi @marioo,

    On behalf of Stephen and Drew, you're most welcome. Do let us know if you have any further questions. Take care! :)

  • marioo
    Community Member

    I was thinking for a while how my idea could possibly be implemented in 1P. As I noticed in the ING and Alior password forms, each password field has its own id specified (PASSFIELD1, PASSFIELD2, PASSFIELD3 and so on). If 1P knew which fields correspond to which password characters, it could fill them in, right?

    So an advanced user could define a simple dictionary with the key being a selector for individual password fields, and the value being the index of a password character corresponding to them. I would also allow and/or conditions in the selectors to ignore password fields that can't be filled in or to select fields by several attributes if they have no id specified.

    A picture is worth a thousand words... I think you will know exactly what I mean if you see the picture I attached. What do you think?

  • Drew_AG
    1Password Alumni

    Hi @marioo,

    Thanks so much for taking the time to share that with us! And the mockup screenshot is great - you're right that it does a great job of showing exactly what you mean.

    Now, I'm not a developer so I can't really say for sure how difficult something like that would be to implement, but from what I know about how this all works, that certainly seems like a decent idea. And in theory, something like that might even work correctly on your bank's site. However, the problem is that this type of login procedure works very differently on different sites. So even though the name of each field might always correspond to the same characters of your password that you need to enter in that web form each time, that's not the case for all sites that have a sign-in process like that.

    Indeed, some sites may only show the fields for characters that need to be entered, and not the grayed out fields for the rest of the password like in your original screenshot. And the field names for the requested characters might not necessarily correspond to the same characters each time. It's even possible some sites will have a single field where you enter all the password characters it requests. If the field names don't always correspond to the specific characters that need to be entered, 1Password has no way of knowing which characters the website is asking for, or which character to enter in which field. So, even if 1Password could fill those characters on that one site, that doesn't mean it would work on any others - just the one. And it could easily stop working if that one site makes a change.

    There are other problems with getting something like that to work, but that's the main one. Again, I'm not a developer and this sort of thing can be pretty tricky to explain, but hopefully my explanation makes a bit of sense. If you have more questions about any of that, please do let us know. And thanks again for your suggestion - we truly appreciate it! :)
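One way the field-to-character dictionary marioo proposes could be applied while refusing to fill in the cases Drew lists, as an added example (not 1Password's code and not part of the original thread). Plain objects stand in for the form's inputs; `FIELD_MAP`, `planPartialFill`, `applyPlan`, `sampleForm` and the eight-box layout are assumptions, and only the `PASSFIELDn` id pattern comes from the post.

```javascript
// Added example: field objects stand in for <input> elements (constructed data).
// FIELD_MAP is the user-defined dictionary from the post: field id -> 1-based
// index of the password character that belongs in that field (assumed layout).
const FIELD_MAP = {
  PASSFIELD1: 1, PASSFIELD2: 2, PASSFIELD3: 3, PASSFIELD4: 4,
  PASSFIELD5: 5, PASSFIELD6: 6, PASSFIELD7: 7, PASSFIELD8: 8,
};

// Decide what to type, or refuse. Nothing is written unless every check passes.
function planPartialFill(password, fieldMap, fields) {
  const chars = Array.from(password); // count code points, not UTF-16 units
  const mappedIds = Object.keys(fieldMap).sort();
  const formIds = fields.map((f) => f.id).sort();

  // The form must show exactly the recorded layout. A site that renders only
  // the requested boxes, or one combined box, is rejected here.
  if (mappedIds.length !== formIds.length ||
      mappedIds.some((id, i) => id !== formIds[i])) {
    return { ok: false, reason: "layout-mismatch", plan: [] };
  }

  const plan = [];
  for (const field of fields) {
    if (field.disabled) continue; // not requested on this visit
    if (field.maxLength !== 1) {
      return { ok: false, reason: "not-single-character", plan: [] };
    }
    const index = fieldMap[field.id];
    if (!Number.isInteger(index) || index < 1 || index > chars.length) {
      return { ok: false, reason: "index-out-of-range", plan: [] };
    }
    plan.push({ id: field.id, char: chars[index - 1] });
  }
  if (plan.length === 0) return { ok: false, reason: "nothing-requested", plan: [] };
  return { ok: true, reason: null, plan };
}

// Apply a plan to the field objects; a refused plan writes nothing.
function applyPlan(result, fields) {
  if (!result.ok) return 0;
  const byId = new Map(fields.map((f) => [f.id, f]));
  for (const step of result.plan) byId.get(step.id).value = step.char;
  return result.plan.length;
}

// Constructed sample form: eight boxes, only the listed positions enabled.
function sampleForm(enabled) {
  return Object.keys(FIELD_MAP).map((id, i) => (
    { id, maxLength: 1, disabled: !enabled.includes(i + 1), value: "" }));
}
```

The layout check cannot detect a site that keeps the same ids but changes which character each one stands for, which is the case Drew describes; a mapping like this is only as reliable as the site's markup is stable.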

  • marioo
    Community Member

    Hi @Drew_AG,

    Thank you for a detailed explanation. You are right that this is not a perfect solution. In fact, I checked only how these two banks ask for passwords and thought many other banks might do it similarly. But if it's not the case, then let's forget the idea.

    Thanks for taking the time to respond.

  • Drew_AG
    1Password Alumni

    You're very welcome, @marioo! You might be right, it's certainly possible that other banks use the same method for asking for specific password characters. If so, it would be great if we were able to get that to work, so at least people using 1Password with those sites could sign in with less trouble. I do think your idea is a good one, and I hope I didn't give you the impression that it wasn't! Like I said, there are some other things that would likely make this more complicated than it seems, but it's certainly something for us to consider. If it's possible and would help a lot of 1Password users, I'm sure our developers will look into it.

  • marioo
    Community Member

    @Drew_AG, I just wanted you to consider the idea and you did, which I'm grateful for :-). I trust in your experience; mine is quite narrow in this field. I just thought the idea could cover at least a few percent of possible cases, but actually this was only a guess. I'm also aware that the settings I proposed may be too difficult to adjust for an average user.

  • littlebobbytables
    1Password Alumni

    Greetings @marioo,

    Actually, having a broad experience of bank login setups is remarkably hard and we benefit every time somebody comes to the forums about one. I fully confess, I groan a little as well because they are the toughest to work with and the best tool in our arsenal for understanding, directly testing the site in question, is often unavailable, making it feel so much more like a shot in the dark. I much prefer having a solid belief that what I'm suggesting works.

    Your bank's approach isn't one I've seen that often at all but I'm not surprised because the banks are inventive and varied in their approaches when it comes to asking for certain characters. We've seen their approach now, I know of a few that use the one Drew refers to (three fields with names and IDs that don't change but the characters requested do) and I've also seen it where a site asks for the three characters to simply be typed into a single field one after the other. We've seen some sites do really funky stuff to the password field using JavaScript as well.

    I'm not sure we'll ever come up with a really nice way of interacting with so many 'inventive' ways designed to avoid simply having a strong password. We'll see how our large type offering does, which you can check out if you try the beta version. The best way to try it out is to anchor the Login item first and then select the large type option as it will display on the screen and still allow you to type in the browser. I haven't tried it much yet but it could be useful.

  • marioo
    Community Member
    edited August 2015

    Hi @littlebobbytables,

    Thanks for your detailed response. I've just checked the large type feature you suggested. But when I use it, the password banner covers the login page so I don't see password fields at all. At the same time, when I click the browser, the banner disappears. But I understand it is a beta (or am I doing something wrong?).

    However, when I saw the banner, an idea came to my mind. I hope you don't mind me telling you about it. I imagined an interactive password banner whose characters can be used in a web form by clicking them or by using a shortcut assigned to them (a number key). Whenever you click a character in it, that character appears in the focused field of the web form.

    This way I would be able to put keyboard focus on the banner, but concentrate my eyes on the form. Then just press the following keys for instance: 4, 5, 6, 8, Alt+2 to enter the 4th, 5th, 6th, 8th and 12th character of the password quickly.

    It might sound stupid, but in this case you switch your eyes only between the keyboard and the web form, right? On the other hand, when the banner is not interactive, you switch your eyes between the web form to read a number, the banner to find a corresponding character, and the keyboard to type that character in.

    What do you think?

    --
    The two banks I use switch focus to the next enabled input box when you type a letter in the previous one. However, Alior switches focus on key up, so I think the idea wouldn't work with it, unless 1Password triggers key events as well. ING should work fine, on the other hand. I think the solution could also work in the case you mentioned, that is when there is only one field in which you have to provide only specified characters of the password.

  • marioo
    Community Member

    I'm not sure if that solution would always work the way I would like to (the Alior's key up events), so it's OK if you ignore it. I'm myself not fully convinced if it makes sense. But it would be great if you made a few optimizations to the existing password banner.

    1. Let it be opened more easily. When you display a login item, pressing the Alt key causes the password to be uncovered. Why not add another shortcut for displaying the large type password banner? Or is there one already?
    2. Let the banner be moved across the screen, so that it does not cover the login page.
    3. Don't let it hide when it loses focus, until the user closes it explicitly.

    It's just for your consideration.

    Thank you!

  • hawkmoth
    Community Member

    @littlebobbytables said,

    The best way to try it out is to anchor the Login item first and then select the large type option as it will display on the screen and still allow you to type in the browser.

    This is a puzzling recommendation to me. If I have a web page open, then go to mini and pick the appropriate login to anchor, then select large type, that display shows up in the center of the screen, probably where the login fields will be that need to be filled in with the randomly chosen characters. If I click on the page again, the large type display disappears.

    But there is more! If I again invoke large type, after it has disappeared the first time, the display does remain on the screen, and I can move the underlying web page around behind it to show the fields I need to fill. At first I thought the suggestion was completely useless, but it turns out that a second try makes it OK. In fact, after the second invocation of the feature, you can't get rid of the large type display at all, until you close the anchored login window. Why doesn't the display persist in the first place? I'm guessing many users will never invoke large type a second time, once it disappears from view.

    I know there is discussion elsewhere about needing the ability to move the large type display itself around the screen and to permit anchoring it so it doesn't disappear. And I know the feature is still in beta, so perhaps all this confusion will be resolved when large type finds itself into the official release.

  • Drew_AG
    1Password Alumni

    @marioo, thanks again for your suggestions! I think your ideas for making it easier to enter specific password characters are really interesting, and I'll be happy to forward that to our developers for consideration. As for the large type feature, it's a brand new feature and I agree there are some things we can do to improve it and make it even more useful, so I can certainly send those ideas to our developers as well. Thank you! :)

    @hawkmoth, thank you for the feedback! After reading your comments, I did a little experimenting with the large type feature, and I think there must be a small bug causing this strange behavior. When I anchor a Login item from 1Password mini and view the password in large type, I can still scroll through the website, but if I click anywhere on the screen or try to type something, the large type password disappears.

    However, if I immediately view the password in large type again, I'm able to click anywhere (aside from on the large type password itself) and type in text fields in the web browser, and the large type password remains visible. When I want to close the large type password, I can do that by clicking on it (which seems to be the correct behavior). Re-opening the large type password a third time seems to work like the first time, so it seems like the behavior alternates each time I do that.

    Can you confirm that it behaves the same way for you? I'll likely need to submit a new bug report for this, but would like to make sure you're seeing the same thing. Thanks!

  • hawkmoth
    Community Member

    @Drew_AG

    When I anchor a Login item from 1Password mini and view the password in large type, I can still scroll through the website, but if I click anywhere on the screen or try to type something, the large type password disappears.

    Exactly my experience too.

    However, if I immediately view the password in large type again, I'm able to click anywhere (aside from on the large type password itself) and type in text fields in the web browser, and the large type password remains visible. When I want to close the large type password, I can do that by clicking on it (which seems to be the correct behavior).

    Yes, also, in the same detail. I had missed being able to dismiss the large type window by clicking inside it, until I followed your lead.

    Re-opening the large type password a third time seems to work like the first time, so it seems like the behavior alternates each time I do that.

    Well, this is a bit complicated for me. If I successively go through the three steps you describe, the third time also behaves like the first time. But while I was writing this, I let some time elapse before displaying large type a third time, and then it behaved like the second time - I could move windows, scroll, and type, and only dismiss by clicking inside the large type window.

    Let me also repeat here the request to be able to drag the large type display window itself around the screen.

  • Drew_AG
    1Password Alumni

    Thanks @hawkmoth! You're right, it seems like the behavior doesn't change every time I open the large type view - I tried it again and it's a bit inconsistent for me too. I submitted a bug report for this.

    ref: OPM-3257

    Let me also repeat here the request to be able to drag the large type display window itself around the screen.

    I noticed someone here has already added your request to our internal tracker. I think that would also be pretty useful!

    ref: OPM-3217

    Thanks again for your help with this! :)

  • Malbec
    Community Member

    Hi, I have the same problem as @marioo for the same bank... At least 1Password did something, I have been trying to suggest a similar feature to mSecure several years ago but it was not introduced. In the end, how hard is it to offer numbers below the password for separate fields...

    Unfortunately 1Password's implementation of the same is very poor. The large type password opens and... disappears. Sometimes it stays on the screen, sometimes not. It is not possible to move it around and sometimes it covers the password area of the website itself. Completely unreliable.

    Guys, can't you spare a day or two to implement this thing right? The way it works now is essentially useless and definitely annoying as an experience. Looks like something has been done and abandoned. If you really want to make this window in a fixed position, please choose top or bottom but not the middle.

  • littlebobbytables
    1Password Alumni

    Hi @Malbec,

    I've added your comments to the ticket Drew mentioned earlier and even repeated sections of your third paragraph to highlight what is a very reasonable opinion. I can't make any promises as that's just the policy but I would hope this can be improved upon.

    ref: OPM-3217

  • Malbec
    Community Member

    I wonder if there are any updates on this? This feature is really annoying and the large window always disappears upon showing up for the first time (when you click the browser window), it only stays when you open it for the 2nd time.

  • Vee_AG
    1Password Alumni

    Hey @Malbec,

    Thanks for poking us on this issue. I'm sorry to say we don't have any news to share about this yet, but I've added your latest comment to our bug tracker to remind the devs that you (and certainly other users) are still waiting for these Large Type improvements.

This discussion has been closed.