Complaint: too many bugs for me

I am trying 1Password because version 4.0 of LastPass is suddenly full of bugs, but I'm finding bugs in 1P also. This is very frustrating.

@DavidSpector: I agree that it can certainly be frustrating! Unfortunately all software has bugs. But I really appreciate you taking the time to reach out so we can improve 1Password by fixing them!

From the Edit dialog, it seems impossible to set either the folder or the password of a Login item. And to change the URL one has to remember to click Edit first instead of just editing the URL. Not user-friendly at all, and I'm glad I haven't paid for 1P yet.

Sorry for the confusion! The username will be at the bottom with the rest of the saved data that 1Password uses for filling — just double-click the field. A folder cannot be added to an item by editing though; rather, you can drag an existing item to the folder you want to add it to in the sidebar.

In fact, I was unable to save a new password into a Login item anywhere that I could find, once the password was on the clipboard.

It sounds like you're trying to create a login item by hand. Is that the case? This isn't recommended, since that will result in 1Password knowing nothing about the form you actually want it to fill. A better option is to save the login using the browser extension. However, you can create form fields themselves by hand if you wish. Just edit the item and then click the + icon in the lower right. It just will be difficult for them to fill correctly when created in this manner.

Another problem happened when I imported many Login items from LastPass via a CSV file. Although the LastPass folder was in the Info field, it didn't get into the list of folders or the folder for each Login item. How can 1P be so buggy?

If the data was exported from another app, that hardly sounds like a bug with 1Password. Unfortunately it isn't possible for 1Password to account for everything in a closed 3rd party data export. You may find that using a converter will help get the data into a usable format for import into 1Password though.

Unless this post is replied by information that I just didn't know that solve these problems, I'm through with 1P. In my testing, it seems just as unreliable as LastPass, sometimes filling its data and sometimes failing to fill data when opening an Login item.

Unfortunately without some basic information it's hard to say what might be going wrong and how we might right it! Please tell me the exact steps you're taking, and what is (or is not) happening the way you expect so we can figure out the best plan of action. The more information you can give, the better. For instance, are you having trouble with specific sites? If so, knowing the URL will be helpful, since we can test it and offer a solution, workaround, or find ways to improve 1Password going forward.

Must I really write my own password manager? It's a lot of work to figure out how to inject javascript, especially on secure sites.

I think you've hit the nail on the head: It isn't easy. Never mind secure sites, there are just so many of them regardless. But we enjoy a challenge, so be sure to let us know specifically where you're running into trouble and we'll do what we can to help! :sunglasses:

Hi @DavidSpector,

Please explain how a blind person, or someone who simply prefers to use their keyboard, is supposed to set up the folder structure they want. 1P's design is quite limited for users who do not particularly want to adapt themselves to its peculiarities.

Right now, they can't. We have an open bug report to add a contextual menu support to the item(s), so they can use the keyboard to bring up the contextual menu, select the Move to Folders submenu, then select a folder or create a new folder to move the item to. You could do this on multiple selected items as well.

We plan to overhaul how the organization works in 1Password in the future.

I do not wish to have the hassle of installing perl or following those instructions. Have you tried out LastPass to see how well it imports from 1Password? I would hope it was better than this.

Yes, we intentionally released our own open JSON-based format, 1PIF, to make it easier to import and export the flexible 1Password data structure for all apps to use.

CSV itself is very strict in how it formats its data, which forces developers to create custom code to support different export formats as not all apps have the same data structure.

We do plan to add better import support to focus on popular tools but we do not have a timeframe on this. For now, @MrC has been helping us out with his converter scripts that he's been writing with our users to support as many apps as he can.

A better solution (which I would implement if I could figure out Javascript injection) is to show the login form nicely on the screen, showing the programs's guess for username, password, category (folder), and actual login URL (for use during registration).

That is an alternate method we'd like to try in the future along with our Auto-Type feature. An overlay on top of the site, so the user could click the username to be filled into the username field and so on. However, this becomes difficult if the site changes to use random character input fields, which means you then have to split the password into individual character pickers and the UI then becomes even more complex to maintain.

We actually have something similar to this with the 1Password keyboard on Android, where we use the accessibility framework to let the user tap on the username/password buttons to fill into the specific fields they want.

In general, I would TEST MY PRODUCT with many websites and fix my bugs before releasing it.

We do test the top 1000 sites as much as we can and we have an automated test suite to test the said sites. However, it is not feasible on certain sites like bank sites that locks you out or to test hundreds of thousands of sites out there.

Also, many sites hide the username/password fields behind hidden fields with the same input names, so there's no way to determine in advance that it is correct. Not to mention, many sites uses Javascript to create the login field on the fly that may not work for automated testing either.

Just to be clear, we are not saying it is acceptable, we don't like bugs and it degrades the 1Password experience. We are constantly updating our extensions to improve compatibility with the sites but it's a never-ending battle as site design changes all the time.

Hi @DavidSpector,

I never imagined that so many obstacles to password managers have been designed into login forms.

Many financial institutions do this to prevent automated tools from performing brute force attacks on their sites. The latest big criminal money-maker is identity theft and online data. They would breach one site, use its database to attempt the same combination on other sites.

There's a very thin line between these tools and legit password managers, so more and more sites are adopting techniques to prevent automated filling (another one is to censor the username as soon as you tab out of the field, which prevents 1Password's auto-save from working correctly). We are trying to catch up to work around these techniques but it takes time and require us to get more info from the customers.

I had in my 1P testing already run into a website that changed the username field as soon as the blur event occurs. I counted that as one of your bugs, but you can easily test such a site with other password managers--that should tell you if a fix is really urgent. I can't reconstruct what site that was, but you can easily create your own test login form that changes the username. In fact, all the mechanisms you mentioned should be easy to simulate.

@DavidSpector: (Emphasis mine.) The problem is that we literally can't test something like that (never mind compare it to other software) without knowing where to start — in this case, the URL. We have tests we run, but we can only do so against known quantities, such as those users report, or that we encounter (or create) ourselves.

If there were only a single way to construct a login form that modifies the username as you describe, we'd be victorious already, because we've solved "this" problem many times for many different websites. But this is usually done in Javascript, so in some ways when you see a simple problem, 1Password is (metaphorically) engaged in combat with competing code that wants to do just the opposite. Mike touched on this in his earlier reply, and it sounded like that was a bit of a revelation:

I never imagined that so many obstacles to password managers have been designed into login forms.

And he really only scratched the surface. The net is vast and infinite, and it would be easier to find a needle in a haystack and then build than it would be for us to ostensibly crawl the whole thing and test every form. If we haven't seen or tested it, we can only make educated guesses about how to handle hypothetical login pages we haven't encountered. A lot of the time this works, but given the possibly infinite variations, 1Password hits a wall with some sites. :(

The fact that it works as well, as often, and as consistently as it does in this environment is a testament to the work the development team has put into it, and how much has been learned over the years. Are we satisfied? Hell no! And that's why I'm here helping folks every day, and the devs are hard at work on 1Password and its browser extensions to improve login filling. :)

I achieved my freedom from bugs in my professional work by trying to break things, asking my colleagues to try to break things, putting lots of internal consistency tests into my programs, inventing ways to avoid common bugs, putting all code and data relating to one feature in one place in the code, and by using a variety of testing methods. Lots of current software looks like it hasn't been truly tested at all.

Indeed! Software has only become more complex over time, as we've asked it to do more and more. And then each piece of software can interact with others — whether that be apps, websites, or whathaveyou.

Testing is a big part of what we do — not only to make sure that we've fixed the issue with one site, but that the change hasn't had a negative impact on others. Your methodology is sound, and I'm certain that's why you've enjoyed so much success. But I suspect that your software didn't need to be able to interact with nearly every website on the internet. And even if it did, you could really only fix bugs if your colleagues (or other users) reports included the relevant details.

Perhaps the biggest problem in software development is not so much outright bugs as feeling so close to your product that you begin to believe that it is the gold standard, that customers' bug reports and suggestions are stupid because "we don't do things that way". Most of the automatic and boiler-plate responses I get from software companies are of this nature. They frequently don't even want to open the discussion, so they give a cliche (sometimes unrelated to the suggestion or bug report) and then make the customer work hard to convince them that the suggested feature or the bug is worthy. Such communication habits are unprofessional, unhelpful, and alienating to the customer.

I couldn't agree more. And frankly we know that what we're doing with 1Password — given the scope — is insane, but we believe it's worth doing. The "Gold Standard" is everything "just working", and that's what we aspire to. And as Mike and I have both touched on, we need feedback about issues our users face, because if we don't — especially with browser filling — we may not only never hear of the problem, but the website itself. And in either case, we're only able to rely on fixing it by chance (perhaps due to a change made for a similar site).

An example from your product might be the representing of categories (you call them folders, which is fine) as tiny icons manipulated only by the mouse pointer and its context menu. Since you have always done it this way, it seems perfect to you.

Whoa whoa whoa, let's not get crazy! Folders, categories, icons — these are all common conventions, which what makes them useful to computer users. But they certainly not the end-all-be-all of user interface design. 30 years ago many people thought the command line was. I think both are valuable, but we're always excited by new possibilities.

Even when it is pointed out that blind users cannot access folders at all, you just basically shrug your shoulders, trusting that it will get handled "in the future" instead of having already been addressed prior to product release, as should have happened. If you were a blind user, you would be coming from a fresh direction and would not see things that way (no pun intended).

I don't think anyone is shrugging their shoulders about this. I know firsthand that it's something we've been putting a lot of thought, time, and effort into improving this past year. We have a long way to go yet, but the only way we're going to get there is day by day. As a developer yourself, I'm sure you can appreciate that making significant changes to an existing application can't happen overnight, and nor can building a new app from the ground up with something like accessibility in mind. We're doing both, and while the big payoff is still a ways off, the progress is encouraging, both for us and for users. I'll take action and optimism over mere words and arrogance any day. Thanks again for the inspirational feedback! :chuffed:

If you wait for accurate and useful feedback from your customers, you will wait forever and perhaps go out of business. They will not tell you what you need to know. I could help, but I'd charge for my time, and that would not work for you, I'm sure.

@DavidSpector: I couldn't disagree more. We've been fortunate to have really passionate customers, and for nearly a decade now they've been providing us with great feedback. I think it's a really virtuous cycle: customers let us know what they want, we improve 1Password, and then we get additional feedback on those changes and others that people want. In fact, while it sounds like you're not technically a customer, this dialogue is a good illustration...and the fact that we're still working on 1Password 10 years later is a testament to this as well I think. :)

"Right" means in the way the user wants, when the user wants it. One useful principle of user friendliness is "least astonishment".

Well, that's the challenge, isn't it? "Right" or "least astonishment" mean very different things to different users. While automatically generated organizational elements will certainly be appealing to some people, to others something happening on its own can be terrifying.

The interesting part of his cycle is "now that you are done, start over and rewrite the whole product". I've followed this maxim and find that it works.

We've done this a few times over the course of 1Password's lifespan, to varying degrees. I think the development team would love to do this all the time...but given the complexity of both 1Password itself and its browser extensions, they'd die in the process. In an ideal world, everyone would be designing compatible websites, and the extensions would have lines of code in the double digits. Then we'd have the time to both rewrite 1Password continually to make it more streamlined and incorporate new features that our customers request. But of course even when we do take on a task of this magnitude, a lot of people don't want this: they want the same 1Password with "just one" (or two, or three) more things added. It's a delicate balance.

I guess my point is that while this is a fantastic ideal to aspire to, the operating systems and hardware of today that we need to support are themselves several orders of magnitude in complexity beyond what was available in 1968. Even only 20 years ago rewriting the average application from scratch was a much smaller task. It's quite an expensive luxury these days!

If any of my words show arrogance, I humbly apologize.

Oh dear. That wasn't what I meant at all! I'm sorry for giving you that impression. :(

Rather, I had taken some of your comments about companies not listening to users as a criticism of the arrogance that certainly exists in the software industry.

I admit to feeling frustration with most modern paid software, which seems inadequately designed and poorly implemented. Perhaps my frustration fuels my impatience and arrogance. Bug lists for OSs, browsers, and other major software run into the tens of thousands, and some software producers put little effort into fixing them, preferring to make money by adding features (Microsoft).

Indeed, it's a bit staggering, and especially frustrating when we get bitten by these bugs. But in their defense, Microsoft is a "victim" of their own success, building their software up until it became unmanageable. And this kind of goes back to the subject of software complexity: the browsers and other apps certainly have bugs, but they don't exist in a vacuum. All of these has to coexist in a competing ecosystem that's exploded over the past 30 years, with OSes, hardware, and other software all interacting and depending on each other to varying degrees. After all, Mozilla doesn't have a bug-free environment (IDE, OS, etc.) to exist in in the first place. 1Password certainly has it's share of bugs, but we also file plenty with Apple, Microsoft, and Google as well. We're all fortunate to be in this industry, which is still relatively young. It's an amazing time to live in, and we've got to work hard to earn our place.

And while money is nice (and critical to stay in business), so long as we're making enough to keep going, having people care about our products becomes more important...and after all, the two often go hand-in-hand!

And, so far as optimism is concerned, it should be based on actual achievements and measurements, not hope and wishes. How many bugs got fixed last week? How many favorable reviews has 1P received in the last month? How have customers rated 1P on Amazon.com and other distribution channels? I'll take measurable quality over optimism any day.

True enough! While I don't think any of those are an accurate measure of quality, they are at least quantifiable, and certainly they give us a general sense of how we're doing and motivate us to keep going. Bad review? Let's make it better! Good review? Let's get even more! :chuffed:

As to action, I charge for my time, and I've used lots of it to give you the general and philosophical feedback in this thread. I hope it is helpful.

It certainly is! Thank you so much for taking the time to share your thoughts on 1Password in particular and software in general. As you suggested, having an outside perspective is incredibly important, and I think yours is rather unique. Even if you decide that 1Password isn't a good fit for you right now, we'll keep improving it, and perhaps someday it will be. And regardless, it's great to have another voice in the community. :blush:

Thanks again, David. It's been illuminating having this conversation with you. :)