Five fails in a row for wife trying to use 1Password family

Bank of America:
autofill with password generator doesn't update account, recovering the password is possible in the "password" section in the app but very frustrating for new users

Capital One 360:
(same as BofA, generator fill doesn't save change)

Wells Fargo:
(same as BofA, generator fill doesn't save change)

Fidelity One:
Generator actually updated the account this time (yay?)
Username is saved with asterisks, i.e. "******endofname", manually editing the data in 1Password is required.

UCLA Health Billing:
1Password never asks to remember the password

Not sure what's going on here, but it's feeling extremely flakey and not inspiring confidence. I also realized that after using 1Password for many years myself I've got habits of doing all of these things manually because I don't trust 1Password.


1Password Version: 6.3.5
Extension Version: 6.4.1.90
OS Version: osx
Sync Type: 1password family

Comments

  • jxpx777
    1Password Alumni

    I'm sorry for the frustration, @seanhoughton. Password change forms are some of the hardest to get right and we generally err on the side of not prompting you too much or erroneously prompting to update a password when that's not the right thing to do. I have accounts at Capital One 360, Wells Fargo, and Fidelity, so I will definitely take a look at these to see how we can improve. As for UCLA Health Billing, can you send us the URL so we can take a closer look and see why autosave isn't working?

    We definitely want 1Password to be something you trust, and given that most of my work is on the extension and form filling, I'm sad to hear that the browser extension is a source of your distrust. We'll do better. Thanks for keeping the expectations high. Time now for us to go meet them. :)

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • seanhoughton
    Community Member

    The difficulty of munging through arbitrary HTML and JavaScript is understood - but that's the role of your application so I would expect large and heavily used sites to work.

    The login screens are public, so can I suggest adding automation to periodically look at the login page and compare the key elements with a known-working pattern? This would help alert you to changes in the implementation. You could also submit a random login with an instrumented version of 1Password to check that it properly intercepts the username/password pair. This could then be used as an acceptance test for any new releases.

  • AGAlumB
    1Password Alumni

    @seanhoughton: Unfortunately neither the size nor the popularity of a site seems to correlate to the complexity of the webform. Some are easy, some are seemingly impossible, and most are somewhere in-between. Those are some great ideas, but we simply don't have the scale of something like Google, to be able to crawl sites like that regularly for automated testing. Maybe someday though! And just like feature requests, everyone has a different idea of what sites are most important. So we really appreciate you letting us know where you're running into trouble so we can see what we can do to improve 1Password going forward. Thanks for your feedback! :)

  • jxpx777
    1Password Alumni

    As promised, @seanhoughton, I looked into a few of these, and here's what I found.

    First, I looked at the Capital One 360 change password form, and I see there is an edge case there that we need to take into account. It never ceases to amaze me the lengths some sites will employ rather than just using the simplest thing like an <input type="submit"> or <button type="submit"> tag… One thing that may help is to press return in a password field when submitting forms that 1Password should know about. I readily admit this isn't your responsibility, but I do want to equip you with something that can help skirt some of the issues that these creative markup approaches can present.

    It looks like Wells Fargo is using a similar but slightly different approach. A quick check of the markup in the W3C validator indicates that the control attribute isn't valid in pretty much every place they're using it, so I'm not sure what function they think it is serving. Here's what the validator says:

    In fact, I haven't ever even seen the control attribute before, and I can't find any information about it. There is a controls attribute for <video> tags, but that's quite a bit different. Seems like what they would be wanting here is a role or possibly aria-controls. This isn't the only place they're using non-standard attributes on their markup though. The body tag has attributes like ismobile, contextPath, and others that seem to be basically specific to their implementation and should probably be in data- attributes or something like that.

    These are two examples from your list of just a few sites where there are strange markup situations on pages that look to the human eye to be really simple. "It's just three password fields and a Save button! How hard can it be for crying out loud?!" is the obvious reaction to 1Password not grappling well with these pages. I thought the same thing when I initially loaded the page and then I went spelunking to see what creativity I was about to discover on the part of these financial institutions' web programmers.

    For Fidelity One, could you let us know if the URL is different from just the regular fidelity.com page? I tried fidelityone.com and got an under construction notice. The reason I ask is because we have code in place specifically because of Fidelity to handle that username obscuring process that they have, so we shouldn't be saving the masked username there. This was a change in the last several months, though, so it would also be worth double checking the 1Password version where you attempted the save to make sure it has this code in place. I see you said you are on 6.3.5, but I'm wondering if maybe your wife's computer is lagging behind a bit or something like that.

    On the subject of automated testing, this is something we do but not in the way that you describe. Testing things like change password forms on financial sites is pretty difficult because you need to sign in before you can get to the change password form and it's not possible to create fake accounts at these financial sites and using my real accounts in test data is not a valid option for hopefully obvious reasons. (Plus, I don't have accounts at all the financial institutions. :)) But when it comes to the data that 1Password collects from a page and how it transforms that into either a new Login or a series of steps for filling your data, we do have a large number of tests that we use to confirm our progress forward on our form filling logic does not cause regressions. Many of these are for the very popular sites, but many are also to handle particular categories of sign in forms such as when the form has fields that change their type or the page swaps fields around in response to user activity. In all we have nearly 1,000 automated tests that help keep us on the right track. In the future, we do hope to do more with tracking sites and seeing when they change their markup, but I don't have a timeframe to share for when that might happen. When we do get to it, though, it will almost certainly start with public sign in pages and if change password forms ever do come along, it will be further down the road.

    Thanks again for your posts and feedback. Do let us know if we can be of any other assistance.
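
The markup tracking discussed in the posts above, as an added example (not part of the thread and not AgileBits' code): it fingerprints a form's fields, submit control and non-standard attributes, then reports drift from a saved baseline. The attribute allowlist, function names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Abbreviated allowlist for this example (assumption, not the full HTML spec).
STANDARD = {"id", "class", "name", "type", "value", "action", "method", "for",
            "autocomplete", "placeholder", "role", "required", "href", "style"}

class FormFingerprint(HTMLParser):
    """Collects the parts of a page a form filler depends on."""
    def __init__(self):
        super().__init__()
        self.fields = []          # (tag, type, name) in document order
        self.has_submit = False   # a standard submit control exists
        self.nonstandard = set()  # attributes outside the allowlist

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        for key in a:
            if key not in STANDARD and not key.startswith(("data-", "aria-")):
                self.nonstandard.add(f"{tag}[{key}]")
        if tag in ("input", "button"):
            # <button> defaults to type=submit, <input> to type=text
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind == "submit":
                self.has_submit = True
            else:
                self.fields.append((tag, kind, a.get("name")))

def fingerprint(html):
    p = FormFingerprint()
    p.feed(html)
    p.close()
    return p

def drift(baseline_html, current_html):
    """Return human-readable differences that warrant re-testing the filler."""
    old, new = fingerprint(baseline_html), fingerprint(current_html)
    findings = []
    if old.fields != new.fields:
        findings.append(f"fields changed: {old.fields} -> {new.fields}")
    if old.has_submit and not new.has_submit:
        findings.append("standard submit control removed")
    for attr in sorted(new.nonstandard - old.nonstandard):
        findings.append(f"new non-standard attribute: {attr}")
    return findings

# Constructed sample markup, not taken from any real site.
BASELINE = ('<form action="/pw" method="post"><input type="password" name="old">'
            '<input type="password" name="new"><button type="submit">Save</button></form>')
CHANGED = ('<body ismobile="false"><form action="/pw" method="post">'
           '<input type="password" name="old"><input type="password" name="new">'
           '<a href="#" control="save">Save</a></form></body>')
```

Calling `drift(BASELINE, CHANGED)` flags the missing submit control and the two non-standard attributes even though the password fields themselves are unchanged.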

  • seanhoughton
    Community Member

    Thanks for looking into it. Maybe we just got really unlucky with the sites we tried. The password sharing feature on the family account definitely made up for the rough start with password saving.

  • jxpx777
    1Password Alumni

    Sadly, I think it's less bad luck and more a combination of financial sites being some of the most important sites for most people plus the various terrible web design practices in use on many of these in the name of "security" plus being some of the most difficult to test and verify because it's not possible to create test accounts. Add to that a dash of antagonism from most financial institutions when it comes to password managers, and you've got a recipe for some fragile behaviors and a cat and mouse game where 1Password tries to understand the various things that are happening and the websites inventing ever more broken ways to thwart them.

    On a more positive note, I'm glad to hear you're enjoying Families! It's been a lifesaver for me and my wife too. :)

This discussion has been closed.