[Feature request] Dealing with masked passwords

Hi,

I'd like to make a feature request for a Masked Passwords. I know it's a problem to figure out a perfect solution for this, but I have a workflow that works quite well, yet I do believe it could be made simpler.

Masked passwords are something like this (quite popular in Poland lately):

What I'm doing to work with them is, instead of creating a password of, let's say 15 characters, I'm making 15 passwords, every 1 character in length. Then, what I'm doing is I'm anchoring data when I'm on the site like this:

I'm selecting the input of the first empty slot and I'm copying the elements into the place. This goes usually like:
1. Select input
2. Click on masked password with number associated with the input (in this example - 2)
3. I'm pasting
4. Input automatically goes to the next form
5. I'm clicking the masked password with the next number (10)
6. I'm pasting

...and so on.

This brings two problems:
1. Creating such password is a hassle
2. Initial setup (I need to click on 1Password Mini Icon, select the entry, anchor the input and move it out of the way) is also a problem

What I would like to propose is, having something like the "Looking glass" feature (i.e. the one where the password is shown in plain text in big type), but instead of having it visible I would like it still to have star characters and copy the clicked characters without stealing the focus.

If you'd consider implementing this and you'd give possibility of setting this version to popup instead of autofill on some pages I would be ecstatic :)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Inputing masked passwords

Comments

  • jxpx777
    jxpx777
    1Password Alumni

    Hi, @pkaminski. Thanks for your detailed post. This scenario comes up from time to time. I wrote a fairly detailed reply about this a couple of years ago and I think it still stands up. I remain skeptical of the security practices of these password prompts and while they do seem to be more common in some locales as you state, we don't find ourselves facing that many of them in the grand scheme of things across the thousands of sites we look at on a regular basis, even financial institutions. I remain hopeful that this practice will fall further out of favor and we'll see more movement toward meaningful security practices.

    --
    Jamie Phelps
    Code Wrangler @ 1Password
    Fort Worth, Texas

  • pkaminski
    pkaminski
    Community Member

    Thanks for the answer. I’ll argue your point about non-meaningful practice, though.

    I have heard some implementation details, but they don’t really matter (unless you’re really curious :) )

    What I think matter is that lately I’ve seen increase in implementation throughout different european institutions. This happens in place, where it’s the bank, who is responsible financially for the breach (even if I carelessly put my password on keylogged machine). While inconvienient, it’s not the end of the world, since the law is on my side. If I can see increased adoption of masked passwords, it means that it proves successful for the banks who implement this and others are following.

    I understand that Agilebits is in core american company which sees mostly american trafic and doesn’t see as much of this as people in Europe, but please don’t cross it out just because of this.

    In the end between the security specialists at banks who implement this say “don’t use password managers, they’re insecure, you should remember your passwords” and you who say “it’s bad security practice on receiving end” there is me, a consumer, who is losing the convience (which is the main reason I recommend 1Password to everyone) because the two ends don’t meet.

  • littlebobbytables
    littlebobbytables
    1Password Alumni
    edited May 2018

    Hello @pkaminski,

    I'm based in the UK so I have a long standing awareness of this sort of nonsense, the banks in the UK have loved this x, y & z characters from a PIN or password for years now. It used to be you either had to do as you have or add carefully crafted entries to notes to help determine a particular character. In current versions of 1Password we have the Large Type option in 1Password and it's precisely for these sorts of pages. It doesn't meet all of your criteria but as somebody who does have to muck about with sites that use this approach I find it does help immensely. Here is a link to a post I wrote a while ago on the matter of Large Type and how it works. It does display the password prominently so not suitable for coffee shops but otherwise should make these pages more palatable. Is this of any use?

  • archifishal
    archifishal
    Community Member

    I'd like to vote for this too - I don't know if the web page reveals enough in the HTML in general to tell you which cell is asking for which character (so you could just have the whole password in 1Password and then it would magically pick out the appropriate characters). But it would be nice :)

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited May 2018

    Thanks for chiming in! Unfortunately the websites which are designed this way, often intentionally to prevent using a password manager, they tend to obfuscate the fields as well, using nonsensical or even randomized field names. It doesn't pertain directly to this, but you may be interested in reading and sharing this blog post:

    An open letter to banks

    There isn't much we can do in the face of such hostility other than keep working to not only improve 1Password but also join with the rest of the security community (and users/customers!) to encourage them to change their practices to allow people to be more secure by using a long, random, unique password for each site -- which is really only feasible with the help of a password manager, like 1Password. :blush:

This discussion has been closed.