Kantor.aliorbank.pl - Problems filling in the 'nth' characters of the password

RTemi
Community Member
edited April 2015 in 1Password in the Browser

I have an issue with my bank's currency exchange portal login in both Chrome (39.0.2171.95 m (64-bit)) under Windows and Safari under Mac Yosemite.

The bank uses a very peculiar login form:
https://kantor.aliorbank.pl/login (you can enter any identifier, e.g. demo to see the password form).

Comments

  • DBrown
    1Password Alumni
    edited January 2015

    Sigh.

    Banks are so helpful.

    :(

    The first page in the login sequence doesn't include a password field, so the 1Password extension doesn't offer to save a Login item for you. You can still save one manually, so that 1Password can fill in the username page for you, on subsequent visits.

    The second page in the sequence is the killer, though.

    • The first problem is that it appears to limit you to a seven-character password. Yikes!

      I don't even know how to respond to that, other than to suggest you consider contacting your bank to let them know the 20th century ended some time ago.

    • The second problem is that you have to enter random characters from that password, which may explain why they don't expect you to remember more than seven of them. Ugh!

      The best you can do is to edit the Login you save manually, adding a custom field for each of the seven (sheesh!) characters in your password. Then you can copy the appropriate characters from the Login item into the corresponding field on the form.

      It's also possible that you could determine the field names of the seven characters on that second page by reading the HTML and edit the saved Login to include a row for each of them (near the bottom of the edit window). Then 1Password might be able to fill in whichever forms are requested, each time you get to the form again.

    In case you can't tell, we're occasionally left just shaking our heads at the shenanigans some sites get up to, in the effort to put on a good show of security. Personally, I'm reminded of the TSA.

  • svondutch
    1Password Alumni
    edited January 2015

    you have to enter random characters from that password

    If they are asking for this, then they have your password stored in plain text and this is a big security no-go.

    http://plaintextoffenders.com/about/

    in the effort to put on a good show of security

    If you cannot use a password manager then what they are actually doing is lower your security.

  • RTemi
    Community Member
    edited January 2015

    Thanks for your reply. When it comes to the login, I was able to save it manually and have 1Password fill it in.

    To be fair on the bank, they do allow you to set passwords up to 25 characters, which will change the number of password fields in the login screen. The problem is that it seems that the HTML code for those fields is somehow in a conflict with 1P logic. Could the issue be that 1P distinguishes between fields by name, while the form below uses different IDs, but the same name?

    <ul id="masked-password">
        <li class="disabled">
            <input id="lif-mask-1" class="size-XXS  disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"> 
            <label for="lif-mask-1">1</label>
        </li>
        <li>
            <input id="lif-mask-2" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="1"> 
            <label for="lif-mask-2">2</label>
        </li>
    
    <!-- MORE PASSWORD FIELDS :) -->
    
        <li class="disabled">
            <input id="lif-mask-19" class="size-XXS  disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"> 
            <label for="lif-mask-19">19</label>
        </li>
        <li>
            <input id="lif-mask-20" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="5"> 
            <label for="lif-mask-20">20</label>
        </li>
    </ul>
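
Added example (not part of the thread, and not 1Password's or the bank's code): the markup quoted above, cut down to a constructed four-field sample, showing that every input shares the name `j_password`, so only the `id` tells the fields apart, and how the requested positions map to password characters while disabled inputs are skipped. The function names, the sample password, and the reading of the `lif-mask-N` suffix as the 1-based character position are assumptions.

```javascript
// Constructed sample modelled on the quoted markup (positions 1-4 only).
const sampleHtml = `
<ul id="masked-password">
  <li class="disabled"><input id="lif-mask-1" class="size-XXS  disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"></li>
  <li><input id="lif-mask-2" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="1"></li>
  <li class="disabled"><input id="lif-mask-3" class="size-XXS  disabled field-disabled" name="j_password" disabled="disabled" size="1" maxlength="1" type="password"></li>
  <li><input id="lif-mask-4" class="size-XXS " name="j_password" size="1" maxlength="1" type="password" data-id="2"></li>
</ul>`;

// Turn every password <input> into { id, name, position, disabled }.
function parseMaskedFields(html) {
  const fields = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    // The leading \s keeps "id" from matching inside "data-id".
    const attr = (n) => (tag.match(new RegExp(`\\s${n}="([^"]*)"`, 'i')) || [])[1];
    const pos = /^lif-mask-(\d+)$/.exec(attr('id') || '');
    if (attr('type') !== 'password' || !pos) continue;
    // Blank out quoted values so class="... disabled" is not mistaken for the attribute.
    const bare = tag.replace(/"[^"]*"/g, '""');
    fields.push({
      id: attr('id'),
      name: attr('name'),
      position: Number(pos[1]), // assumption: id suffix is the 1-based character position
      disabled: /\sdisabled\b/i.test(bare),
    });
  }
  return fields;
}

// Matching on the name attribute cannot separate the fields: count the distinct names.
function distinctNames(fields) {
  return new Set(fields.map((f) => f.name)).size;
}

// Map each enabled field id to the character it asks for; disabled inputs are skipped.
function fillPlan(fields, password) {
  const chars = Array.from(password); // index by code point, not UTF-16 unit
  const plan = {};
  for (const f of fields.filter((x) => !x.disabled)) {
    if (f.position > chars.length) {
      throw new RangeError(`form asks for character ${f.position}, password has ${chars.length}`);
    }
    plan[f.id] = chars[f.position - 1];
  }
  return plan;
}

const fields = parseMaskedFields(sampleHtml);
console.log(distinctNames(fields), fillPlan(fields, 'example-pw')); // constructed password
```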
    
  • RichardPayne
    Community Member

    If you cannot use a password manager then what they are actually doing is lower your security.

    I agree with you but I can understand the thinking. They're set in a traditionally corporate mindset that says that unless they control the data then they can't be sure it's secure. They don't want third party software to have access to your login details as that is outside their control. My bank has basically told me just that, even going so far as to say that use of password manager would count against me if my accounts were breached! Sadly that attitude seems to be all too common with banks.

    Mind you, I'm not sure why I am surprised given that some of them are still running Windows NT4 on some of their internal, non-connected systems.

    @RTemi

    Could the issue be that 1P distinguishes between fields by name, while the form below uses different IDs, but the same name?

    As far as I'm aware it checks ID first. Certainly, it worked on the manually saved login that I just tried.

    @svondutch
    Oddly though, having just tried again, it is now not working. Very bizarre.
    The username fill worked ok but the password digits did this:

    It filled the first digit correctly but then stopped. Also note that it is filling a disabled field, which I didn't think it was supposed to do any more.

    It also now seems to have broken the url matching too. Restarting the helper temporarily solves that but then it seems to break again randomly.

  • svondutch
    1Password Alumni

    They don't want third party software to have access to your login details as that is outside their control. My bank has basically told me just that, even going so far as to say that use of password manager would count against me if my accounts were breached!

    @RichardPayne they are wrong: http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html

  • RichardPayne
    Community Member

    I know @svondutch. Like I said, it's an old fashioned way of thinking, but then the banking sector is a very old fashioned place.

  • DBrown
    1Password Alumni

    in the effort to put on a good show of security

    If you cannot use a password manager then what they are actually doing is lower your security.

    That's precisely my point, @svondutch: it's only a show of security, not real security...just like the TSA.

  • DBrown
    1Password Alumni
    edited January 2015

    @RichardPayne: because all the fields have the same NAME value ("j_password"), try editing each row, giving it the appropriate value from the ID attribute, instead ("lif-mask-2" and "lif-mask-3" and so on).

    You might also try removing the "password" Designation from the first one. Since only one can have that Designation, maybe none of them having it will work.

    I'd be interested to hear whether either change helps.

  • RTemi
    Community Member

    Sorry for a delay here.

    I tried adding "lif-mask-1" thru "lif-mask-3" to 1Password (all with designation of "none", this did not work).

    Tried same with 3 "j_password" entries, no success either.

  • Megan
    1Password Alumni

    Hi @RTemi,

    I'm sorry to hear that you're having trouble making this work. Ideally, as is discussed above, we'd love to see banks do away with this type of 'security' in favour of true secure measures (such as supporting long and random passwords, and making it easy for users to fill with trusted password managers). While we wait for that magical day, however, we're left with some very unique login forms.

    At this time, 1Password does not officially support the filling in of the 'nth' character of passwords. We are looking into ways to better handle these fields, but for the time being, you may have to copy and paste those details.

    ref: OPM-1720

  • giacecco
    Community Member

    There still is something you can do easily, that is changing the 1Password UI so that when "revealing" a password you also show markers that help the user find easily the nth character, e.g. showing little dots every third character. What do you reckon?

  • RichardPayne
    Community Member

    I like that @giacecco

  • Megan
    1Password Alumni

    Hi @giacecco ,

    Thanks so much for the suggestion! I'll share it with the team. :)

  • MrC
    Volunteer Moderator

    @giacecco, and others...

    Until there is something in 1Password to help identify the character value of a given character position, this post may help.

  • littlebobbytables
    1Password Alumni

    Verified by Visa or 3D Secure (their names may very well differ depending on the country) are two examples of where you might be asked for nth characters. My current setup is as I mentioned in my last post in that thread and here is how I have it set up in 1Password.

    I use two password fields as they use constant character spacing allowing easy alignment and I give the index no name. When I use it I have to reveal two fields but it works fine for me. So I tend to use 1Password mini to reveal the Item details then anchor it. I reveal the two passwords and now I'm used to it I find it works for me.

    Obviously a much better solution would be something baked into 1Password and if it can't be automated you want a nice easy way of highlighting to the user what character you're focussing on. Until then hopefully something in the post MrC linked to can make it a little easier to tolerate.

This discussion has been closed.