USBank.com site displays unobscured password when filling from 1Password Browser Extension
When logging into the USBank website I fill in my username and then use cmd-\ to fill in my password. Recently it hasn't been obscuring my password but showing it in plain text until I hit the submit button and the next page loads. I've reported this to US Bank as well; not sure if the problem has more to do with the website or your software.
1Password Version: 5.4
Extension Version: 4.4.3
OS Version: OS X 10.11.2 Beta
Sync Type: iCloud
Referrer: forum-search:usbank
Comments
-
Hi @tkolstee,
Can I ask, USBank's login page, is it a single page where you enter both your username and password or is it a two page login process where you're manually filling the first page and using 1Password for the second? The reason I ask is I'm wondering how accessible their login page is for us to take a peek ourselves and see what we can ascertain. If I can view the page I will certainly take a look and see what I can discover. Would you be happy posting the URL for their login page here in our public forums? it's just the generic URL I'm after here, we definitely don't want to know any of your personal details.
Banks are usually tricky because unlike Facebook or Twitter we can't just create a test account to really delve into a login issue but we always try out best :smile:
0 -
I have the same problem and started a discussion a few weeks ago on this topic. At that time, I identified a work around which sadly is not working as of today. An AgileBits Team Member said the problem would be reported to the software group and I would be notified if a fix for the US Bank site was identified. I would appreciate any information regarding a fix for this site. It is frustrating to manually load the rather cumbersome password when I want access to the site.
Thanks,
cab0 -
Hi @tkolstee,
After @cab's post I see references to the site working with Firefox and Chrome but there being a specific issue with Safari. I'm not a customer of theirs so I can't see past the first page. I'm still trying to piece together details as I wasn't involved in the initial investigation here.
0 -
littlebobbytables,
I'll take one more shot at this. To update you on my earlier emails with Laura (Team Member), she said she was going to update agile bites programmers to see if the log in issues with US Bank can be fixed.Here's a summary of my issue (and I don't want to derail @tkolstee's concerns but I do believe mine are totally aligned):
1. US Bank recently updated their site and the two step login method I once used - hit 1PW icon to enter ID, wait for the bank's password page to appear and enter a second 1PW icon to enter my password and the site - which worked great - no longer functions.
2. The updated bank site goes to a page requesting the ID be entered. No problem, the first 1PW icon can be clicked and the ID is entered and a new box appears requesting a password. The interesting aspect of this new box, however, is that it appears in the same webpage as the ID request. The page is identical to the page requesting ID - just the top right corner changes to request a PW. At this point, clicking 1PW to enter a site password fails. I've tried every flavor I can think of to make this accept the password but no luck. So, like @tkolstee, I tried to copy and paste the site password into the site but it does not conceal the password. All the password letters, numbers et all are quite visible for anyone to see. At that point I chose not to go any further. My only recourse was to type in my password.
3. I added Firefox to my Mac because it allegedly allowed 1PW to be functional. I have not been able to prove that myself. When the site requests an ID I can click 1PW and that is accepted. But, when the site requests my password, I cannot get Firefox to enter the password and I cannot enter into the bank site. BUT, I can (why I have no idea) copy and paste my password with Firefox and enter the bank site.So, until Safari or Firefox is able to enter the site using all the functionality of 1PW, I am stuck with a less than seamless methodology for doing my banking.
Hope this makes sense. Difficult to explain all this in text.
cab
0 -
The new US Bank site is not working with the 1Password short cut (command + ) to fill in the password. It fills the username again, not the password.
1Password Version: 5.4.1
Extension Version: Not Provided
OS Version: OS X 10.11.1
Sync Type: iCloud
Referrer: kb:fix-website-login, kb:check-extension-version0 -
Hi @vonner,
To help us out could you supply a little more detail please.
- What is your preferred browser and the version of that browser?
- What version of the 1Password extension is installed?
- What is the URL for the page you are having trouble with?
It kind of sounds like one I've heard of recently but without knowing the specific bank it's hard to say, especially as I don't know the US banks very well at all - I'm a bit more knowledgable of the UK banks due to my location :smile:
With that additional information we should hopefully be able to start figuring out what is happening and ideally how to get it working.
0 -
- I use Safari (9.0.1)
- 4.4.4
- https://www.usbank.com/index.html
Thanks.
0 -
Greetings @vonner,
It turns out we do have an ongoing query regarding this bank, one started earlier this month. As you can see from cab's post earlier in the conversation there are issues although it's almost like your issue is slightly different from theirs.
Can I ask, is it the case that your username is visible when it's filled into the password field and that's why you know it has filled the username?
0 -
Yes, the username is visible when it's filled. It also submits and the site tells me that my "password" is wrong.
0 -
Yes, it seems to be the same or similar issue as the cab post.
0 -
Hi @vonner,
I've sent you an email, in fact you will probably see the email before this post. We'll continue the discussion there.
ref: VYI-83697-574
0 -
I am having issues logging into usbank.com on my mac using Safari, my password is being shown in visible text instead of "dots" (unobscured). I recently upgraded to latest Mac OS. After upgrade, the USBANK.com password would not be entered by iPassword. I removed old versions of iPassword and the extension, and downloaded/installed latest versions from your website. I then deleted and re-entered the 1password listing for this login for usbank.com. Now it enters the password, but does so in VISIBLE TEXT (not dots). I believe all versions of everything to be "the latest." Advice?
1Password Version: 1Password 5 Version 5.4.1 (541003) Agile Web Store
Extension Version: 4.4.4 (Safari)
OS Version: 10.11.2
Sync Type: dropbox
Referrer: kb-search:upgrade to latest password for mac os 10.11, kb-search:upgrade to latest 1password for mac os 10.11, kb-search:upgrade , ug:mac/installing-from-the-agilebits-site, kb:check-app-version0 -
Greetings @greggehr,
I've merged your post with an existing thread we have that discusses this. To the best of my knowledge the likely cause is the use of JavaScript that is meant to react to individual key presses rather than the use of a more standard password field. As filling doesn't mimic individual key presses their JavaScript doesn't react and the password is visible.
Now this is guesswork based on previous examples found as it's almost impossible for myself as a non US Bank customer to see the second or third login pages for their site to say for sure. I believe even though visible the login process works suggesting that 1Password is filling the correct field with the correct value, it's just very disconcerting to see for the obvious reasons. Does this match your observations?
0 -
Hi @Stephen_C
My Safari has no autofill passwords or user names, I checked in preferences, the pane is blank (I only use 1password).
You asked how I use 1Password. I go to usbank.com, enter my username manually, then, the small pane on the bank home page changes, and usually, I have to answer a security question, then finally, the pane in the home page of the bank changes one more time, and I get the password field.
To enter the password, I go to the 1Password lock icon in the top bar of safari and click that to open the saved password choices. Other times I right click on the password field itself and select 1password from the popup menu. Either way exhibits the same behavior.
I have multiple accounts with the bank, and found that after I upgraded to the latest versions of 10.11, as well as upgrading 1password and the 1Password browser extension, the password entries that I have would not be entered into the field when selected in 1Password. I could "reveal" them and then manually enter them, but 1Password failed to enter them for me when selected by one of the methods I detail above. The password field on the bank site would remain blank.
I followed some tech support notes on the Agile site, and deleted the old 1Password entry for access to one of my multiple login accounts at USBank and set the bank up again as a new entry and then the password would be then entered into the password field by 1Password, but as visible text, not obscured text as it is supposed to be.
I now have one bank user account (with the old entry into 1Password as it was before upgrading), that will not fill in the password at all and a second user account with the same bank where I deleted and reset up the entry, that will now only enter visible passwords. Neither of these behaviors are what we want obviously.
I am unclear about your javascript comments, are you referring to the code on the bank's page?
0 -
Hello @greggehr,
I am referring to the code on the bank's page when I talk about JavaScript. Basically JavaScript is what allows extensions to do anything at all and is responsible for a lot of the expected behaviour we see on sites these days.
Now the vast majority of sites when asking for a password will simply use a password field. No JavaScript required, the browser simply masks the password by virtue of it being a password field.I haven't seen one of these that we don't fill in properly because they're usually so distinct. It's not common but I have seen examples where for reasons unknown to me a site will instead use a standard text field, just like the kind they'll use for your username and attach various JavaScript functions to the field which are fired when the 'event' occurs. Their JavaScript function is fired after each keypress and it's job is to copy the password somewhere else and replace the character in the text field with a •. It looks like a password field until you try and fill and see your password is visible. I don't know for certain that they are doing this, merely this is a plausible explanation for what people have reported. The visibility of the password on the page does not affect the security of the page when your browser sends the information to the bank to authenticate you.
Does that explanation help at all?
0 -
US Bank has changed their login. The home page only offers a place for entering a username, not a password. When you enter your username, the password field shows up in the same place on that same page - not in a new page - which causes 1 Password to see the password field as the username field again. Thus, 1 Password fills the password field with your username.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided0 -
Hello @Rob Radencic,
I've merged your post with an ongoing thread relating to US Bank. Can you give this thread a read for me please. I would be interested in knowing if the issue persists if you create a new Login item using our How to manually save a Login guide. From everything I've learned of the page it is likely you will see that your password is visible as they seem to be using JavaScript to conceal the password rather than using a password field. Given other people's experiences though it should be possible to have it fill in your password correctly even if it is temporarily visible before you submit.
Please let us know how you get along.
0 -
Nope.
Whatever US Bank changed, it's a very recent change.
I deleted US Bank from 1 Password entirely and started over following your guide. Here's what happened.
I entered my username on US Bank's login page. Then, the US Bank page replaced the username field with a password field, and I entered my password. As US Bank logged me in, 1 Password (correctly) asked if I wanted to create a login for the site, which I did (and I saved it as US Bank). Then, to test the login in 1 Password, I logged out of US Bank and tried using 1 Password to log me in. Instead of saving the username I'd entered on US Bank, 1 Password saved "Temporary Access Code" as my username. What the heck? I edited my login in 1 Password and replaced "Temporary Access Code" with my username and saved it. I tried again to log in to US Bank's site with 1 Password. In the username field, 1 Password entered my username. Then, the password field was shown. I clicked 1 Password again and it filled the username field with my username, not my password.
I tried again by completely deleting my US Bank login in 1 Password, again. This time, I manually created everything. In the 1 Password app, I clicked the + to create a new login. I typed a name for it, a username, a password, and pasted in links for US Bank. I then went to US Bank's site in Safari on my Mac and tried using 1 Password to log me in.
Same result. The password field keeps getting filled in with my username, which I have to assume is because 1 Password sees that field as being for the username due to wonky code on US Bank's end.
Clearly, there's some code voodoo going on in the background at US Bank's site that is breaking 1 Password.
All you have to do is go to this page and you'll see that there's no place for entering a password.
0 -
A follow up on what's going on here. The issue is between 1 Password and the code US Bank is using.
US Bank only shows a username field. I can use 1 Password to enter my username for me. This works.
After the username is entered and the Log In button is clicked on US Bank's site, the password field appears.
If I type my password instead of using 1 Password, asterisks appear, concealing my password, and I can log in. BUT, if I use 1 Password to enter my password for me, my username is entered in the password field without asterisks, meaning that something is causing US Bank to revert the password field back to a username field. If I DELETE what 1 Password entered into the password field (my username) and start to type my own password, it's entered as asterisks again, meaning that for some reason, the site again recognizes that the field is now a password field.
Something is very wrong here.
I'm using the latest version of 1 Password, Safari and OSX. Interestingly, I'm not having this problem with Chrome. Only Safari.
0 -
Hi @Rob Radencic,
I've been mulling this over.
The last approach to multi-page login items if all else fails is to create a separate Login item per page. What our Using 1Password with login sequences split across multiple pages page says is
What to do if your multi-page Login item doesn’t work
If 1Password still does not fill in the right details even after following the steps above, then you may have to create separate Login entries, one for each page.Repeat the steps above. But this time, save a new entry in 1Password for each page in the sequence instead of updating the original one. Use a naming scheme that will help you keep all the entries organized while make it clear which one is associated with which page: e.g. call the Login for the first page “BoA – username” and the one for the second page “BoA – password”. When you want to log in to the site, trigger the appropriate entry for each page in login sequence.
So the first thing to see is if this allows for reliable filling.
0 -
"If 1Password still does not fill in the right details even after following the steps above, then you may have to create separate Login entries, one for each page."
You seem to be missing the fact that US Bank's website does not use multiple pages for username and password. Nor do they show fields for username and password on a single page. Instead, on one single page, they have multiple fields but only one field is displayed at a time. In other words, the password field is not displayed until the username field has been filled, at which point, the username field disappears and the password field appears in its place. They only show a field for entering a username. When you enter a username, the field on that page changes to become a password field, but it's on the same page. Not multiple pages as the example above specifies.
Regardless, I tested the above steps as follows:
I created a new login from scratch named Testing USBank Username, and in it, I entered a username but no password.
Then, I created another new login from scratch named Testing USBank Password, and in it, I entered a password but no username.
The "Testing USBank Username" login fills in the username correctly.
The "Testing USBank Password" username fails in Safari. It doesn't do anything on US Bank's site - I assume, because it can't find a password field... because 1Password still sees a username field.
Let's take this a step further, because here's further proof that 1Password only sees a username field on USBank's site even after the field has switched to become a password field: I edited the "Testing USBank Password" login I'd created in 1 Password (which only had a password but no username). I deleted my password for US Bank and instead typed my password into the username field. When I used it to log in to the second half of the US Bank login process (where the site asks for my password), it worked - but - my password was shown in text on the US Bank site instead of being shown in asterisks. And when I held down the delete key to remove the password in US Bank's site so I could try typing the password manually, the password was shown as asterisks, not as readable text.
0 -
@Rob Radencic: Indeed, I had a test login I've used there in the past, and the behaviour is very different now — maddeningly so. As you pointed out, without a valid account, it's impossible to test the "second step" which is apparently on the same page now. Of note, I had to manually clear out "Personal ID" in order to even enter anything. I'm not sure which browser this is designed for, as I wasn't able to find one that seemed to work in any sane fashion whatsoever. And that's without even bringing 1Password into the mix.
While we'll continue to try to improve 1Password going forward, this site in particular seems problematic, so the only hope I can offer you at this time is that there seem to be a number of different login forms, and perhaps there's one that would work better for you:
https://www.usbank.com/index.html
https://www.usbank.com/online-banking/manage-your-money-online.html
https://onlinebanking.usbank.com/Auth/LoginThat last one seems the most promising to me from previous experience, but I can only guess what might work without a valid account. And of course, even if the login process is not split across multiple pages strictly speaking, lil bobby's suggestion still applies, since you're saying only a single field is present at a time. In principle this is the same. Please try the opposite method you outlined in your last post: submit your username, fill in your password, and then save the login manually. Edit the username-less login in 1Password to add the username, and then see if you can fill both one at a time with
⌘ \.As far as I can tell, no one here has a US Bank account that could do more thorough testing, but I'll double check just in case. Please let me know if that helps!
0 -
I just now directed Safari to usbank.com (redirects to https://www.usbank.com/index.html) and pressed Command-\, which caused 1Password to fill my saved username and submit the form.
The form then changed to display a prompt for a security question; I typed the answer and pressed Enter.
The form then changed to display a prompt for my password; I pressed Command-\ again, which caused 1Password to fill my saved password and submit the form.
All of that was just how I expected it to work, as I've been using a US Bank account online for several years without having to changed my Login item (saved lo-o-ng ago :D ) even as the web site has changed several times.
The saved username and password values in my Login item are associated with fields named USERID and PSWD, respectively, and correctly designated as the username and password fields.
Note: At https://onlinebanking.usbank.com/Auth/Login, though, pressing Command-\ fills the password prompt with my saved username. If I click the 1Password "mini" icon in the Mac menu or the 1Password icon in the Safari toolbar, 1Password correctly fills the password prompt with my saved username. This "quirk" occurs on at least one other site with a login form that is similarly designed, though I've never gotten an answer as to why it happens consistently there.
(Merry Christmas!)
0 -
Ready for another piece of bizarre 1Password behavior? I've never used a hotkey to enter passwords before. I always right-click and select 1Password from the popup menu, and then select my login... but after reading Brenty's comment above, I decided to give it a try. Here's what happened.
I went to US Bank's site and hit my 1 Password hotkey to automatically fill in my username. It worked, as expected. Then, when the field changed on US Bank's site from username to password, I again hit my 1 Password hotkey to fill in my password - and it worked... but the password was shown in text on the page, not in asterisks as it should be. So, it's incorrect behavior, but it's functional and it logged me in, though with less security than should be expected (since it displayed my username in text instead of asterisks).
Next, I logged out and repeated the process, but this time, instead of using the 1 Password hotkey to automatically fill in my details, I right clicked to bring up the popup menu where I selected 1 Password, and then I clicked on my US Bank login. My username was filled in, as expected. Then the username field on US Bank's site changed to become a password field, as expected. I right clicked again to bring up the popup menu where I clicked 1 Password, and then I again selected my US Bank login. And what happened? My username was entered in visible text into the password field.
Lastly, I tried a third time. But this time, I used my mini 1 Password Mini hotkey. I clicked on my US Bank login. My username was filled in, as expected. Then the username field on US Bank's site changed to become a password field, as expected. I used my 1 Password Mini hotkey again to bring up i Password Mini, and I again selected my US Bank login. My username was entered in visible text into the password field.
So... the plot thickens. 1 Password behaves differently when using a hotkey versus when right clicking for the popup menu or using 1 Password Mini.
0 -
Ready for another piece of bizarre 1Password behavior? I've never used a hotkey to enter passwords before.
@Rob Radencic: I'm glad I brought it up then! I'm not a heavy keyboard navigator, but I prefer doing it that way, since it seems more convenient to me to use the keyboard shortcut to fill with 1Password. :chuffed:
I went to US Bank's site and hit my 1 Password hotkey to automatically fill in my username. It worked, as expected. Then, when the field changed on US Bank's site from username to password, I again hit my 1 Password hotkey to fill in my password - and it worked... but the password was shown in text on the page, not in asterisks as it should be. So, it's incorrect behavior, but it's functional and it logged me in, though with less security than should be expected (since it displayed my username in text instead of asterisks).
That's great! Thanks for confirming, since it isn't something I wasn't able to test thoroughly myself.
Regarding the "incorrect behavior", this is the website itself. 1Password never obfuscates the data it fills, as it could interfere with your ability to actually login (asterisks are probably not valid login credentials ;) ). It is also the responsibility of the website to mark fields as
passwordso that the browser obfuscates the data entered there. You'll note that on most websites this is the case, and that it works that way with or without 1Password. This ensures that what you enter is still present (so you can actually login), but that it can be hidden if the site developer wished it to be. This has been a web standard for decades. The browser is just virtually hiding the information in this case, without modifying it.With this particular site though, they're trying to be clever and it's causing trouble when it comes to both filling your presumably awesome login credentials that no one can guess, and also making it so they are not obscured when they're filled as you'd expect. I really hate this because it encourages people to use crappy, easy-to-remember-and-type passwords that will, of course, also be easy to guess. If you haven't at least considered doing so amid the frustration here, you're a much more patient person than I am. :lol:
So... the plot thickens. 1 Password behaves differently when using a hotkey versus when right clicking for the popup menu or using 1 Password Mini.
Indeed, I'm reporting these inconsistencies to the development team to see if we can find a way to address these issues with this particular site. Thanks so much for the detailed description, and your willingness to work with us to troubleshoot this! Now, it may be that this is due wholly or in part to differences in Safari's extension framework (which isn't quite as advanced as Chrome's, for example), an interaction with the site and Safari, or both, but we'll see if there's anything we can do to improve things on our end.
However, I also encourage you to contact US Bank in regard to this, since you're their customer too. We have a knowledgebase article devoted to designing compatible websites using web standards, so be sure to let them know that you're just trying to use 1Password to help you stay more secure by using a long, strong, unique password for their site. This is not only important for their customers using password managers, but also for accessibility, as 1Password leverages accessible web technologies to help it understand the page, just as screenreaders and other interfaces assist the visually impaired. And we're always happy to help if they have any questions!
I'm glad to hear you were able to get the login for to work for you, and hopefully in time it will get even better. :chuffed:
ref: OPX-1077
0 -
I have the same problem as described by Rob Radencic, but forgive me, I don't know what "1 Password hotkey" he's referring to in his last post.
0 -
@tobindia: Sorry for the confusion! This was in reference to an earlier post of mine, but I'm happy to repeat myself because this is one of my favourite things about 1Password:
In 1Password for Mac,
⌘ \will fill the current login, and you can also use⌘ ⌥ \(Command Option Slash) to bring up the extension menu.The corresponding keyboard shortcuts in 1Password for Windows are
Ctrl \andCtrl Alt \respectively.Try it! You'll like it. I hope this helps! :)
0 -
Great! Tried it, and had the same results as Rob Radencic. Thank you.
0 -
Greetings @tobindia,
If I'm understanding correctly you're saying brenty's post helped and things are working again. If this is the case that's great news :smile:
If not please do let us know if I've misunderstood so we don't accidentally ignore an open query.
0
