Website is anti-1Password??

This has been troubling me for a year and I can't let 1Password lose.

I am a realtor and use the MLS system in Southern California. It seems to have some sort of anti-autopassword recall. I have NOT come up against that in the myriad of different account types I have worked with. Basically, it accepts my username and seems- momentarily- to allow for the password to be autofilled but then it disappears.

What is going on? and, how can I get around it?

Thanks.


1Password Version: 6.5.2
Extension Version: Not Provided
OS Version: 10.12.1
Sync Type: Not Provided

Comments

  • Hi @StuLev,

    I won't lie, some sites seem to go to great lengths to force people to type passwords out and I will never understand how that is going to help anybody be secure given we're all going to pick easy to type, memorable passwords if forced to rely on our grey matter. Still some sites do.

    Can I ask, would you feel comfortable sharing the URL for the login page with us here in our public support forums or if that makes you uneasy how would you feel about emailing us at [email protected]? and include a link to this forum post so we can connect the two. Basically if you don't mind sharing the URL with us we'll happily take a peek at the site and see if there is anything we can suggest to help it work for you right now or after an inspection we file a report because there's possibly a change we can make to 1Password that will help with this site.

    If that sounds acceptable to you let us know and we'll see what we can do :smile:

  • jxpx777jxpx777 Code Wrangler 1Password Alumni
    edited December 2016

    Thanks, @StuLev. Unfortunately, this site is doing a few things that are either not particularly good or downright bad practice.

    First, they're faking the "password" field. It's not a password field at all, which would be coded as <input type="password">. This one is just a plain text field, which is coded like this <input type="text">, and then they use Javascript to take the keys you type, replace them with * and then put the real value into another hidden field (<input type="hidden">) and that is what is submitted as your password.

    What is frustrating is that when I disabled Javascript in Google Chrome in order to show that their site doesn't work without it, they gave me a proper <input type="password">! Of course, 1Password can't run its extension Javascript without Javascript enabled, so this isn't an answer, but it is a curiosity to note that they know they're being cheeky with the text field.

    Aside from replacing the text of your password with bullets, proper password fields also trigger operating systems to treat input differently. For instance, when I'm in a proper password field, TextExpander is not able to read my keystrokes, for hopefully obvious reasons. Once I'm out of the password field, the system leaves secure input mode and I can once again expand my snippets. This is just one example.

    Another thing I noticed about the site is that it's loaded over HTTP rather than HTTPS and it does not even submit the form over HTTPS. While submitting to HTTPS from a site loaded over HTTP isn't sufficient security a site that is only using HTTP is downright dangerous. Without HTTPS, you should assume that any- and everything you do here can be read by anyone since the traffic between your computer and their server, including how ever many computers are in between the two (You can see how many "hops" there are between the two by using the traceroute program in the Network Utility on macOS.) and that anything you submit there, including your password has been intercepted. The difference between HTTP and HTTPS is like the difference between a postcard and one of those security envelopes with the blue and white printing on the inside. HTTP is like the postcard, which isn't a very safe place to write anything sensitive like a password.

    Overall, I would do as little with this page as I can. Make sure it has a strong password and that you do not use that password anywhere else. And if your account there can do anything special or cost you money, be sure to keep an eye out for unexpected activity.

    I'm sorry I don't have better news for you about this site. For now, the best approach is to copy and paste your information there and reach out to them and encourage them to improve their handling of your information.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

    ref: WPD-96514-451

This discussion has been closed.