Feature request - ability to search and select arbitrary login
I'm liking 1passwordX so far, but I've run into one thing it won't do that's regularly inconvenient for me. There are some very large companies (looking at you Microsoft) who's authentication systems pop up under different domains depending on conditions I don't pretend to understand. With the old extension, it presented the close matches and if none of those were right I could search for the right one and select it. With X I just get the close matches and no option to search or select anything else. I can click the toolbar icon and find it there but I have to copy/paste the fields instead of it filling them (there's a Go button but no Fill button). X is really great in a lot of ways, but this is one scenario where the old extension worked much better.
Thanks!
1Password Version: 7.2.581
Extension Version: 1.10.3
OS Version: Windows 8.1
Sync Type: Not Provided
Comments
-
@jboren: Curious that you see different behavior between 1Password X and the standard extension in this case. Their matching should be identical and, like 1Password X, the standard extension shouldn't be willing to fill on a page where the domain doesn't match leaving you copying and pasting all the same. Ultimately, this is a security feature. 1Password makes the assumption across the board that you don't want to fill on a non-matching domain as a means of phishing protection. After all, a site can look very much like the real accounts.google.com to us with the URL displayed properly and everything while actually being stealyourstuff.sneakymalware.com. 1Password will see this where we won't thanks to how domain matching works.
I'm curious whether matching is actually being handled the same between the two in this case. Could you possibly give an example of a site where you want a given Login to fill and 1Password X won't do it? Please also share the URL saved in the Login item you're looking to fill on that page? Might be the domain you're on should be a close match and isn't being recognized as such.
0 -
Hi @bundtkate !
You know what, I just double-checked it and you're right. The old extension will let you search for other entries but if you click them it doesn't fill the current page, it goes to the page for that entry. But you can right-click and copy the username, password,etc. The X extension only shows matches and there doesn't appear to be the ability to search for other entries (I love that the password generator is there though :)). That's the only difference, the ability to search for, then right-click a different entry, from the pop-up. In X you can still do it from the toolbar.
The biggest offender for me is Microsoft. Portal.azure.com, account.azure.com, account.microsoft.com, login.live.com and many other domains and subdomains use the same backend authentication system, same creds. But the first two go to the Azure portal, and the second two go to the Microsoft account management page. The problem arises when you get forwarded from one to another and have to re-authenticate. For example if you go to Azure billing and try to retrieve your Support invoice you get forwarded to account.microsoft.com and have re-authenticate. Since the login entry is under portal.azure.com the *azure.com matches are all you see in the extension.
Is there some kind of alternate valid domain matching feature in 1password? I remember lastpass had some feature where you could enter alternate domains for a particular entry and it would match those too. I guess I could create a second entry, but then when I change the password I have to remember to change both 1password entries. I just noticed that if I go to accounts.logme.in, the extension offers up all the join.me entries also. That's similar to what I'm describing. It looks like maybe the extension is matching The site's SSL certificate SAN's?? If so, that's awesome! Very smart.
I get what you're saying about phishing protection, but that's (half of) what HTTPS is for. I'm not sure you can really protect the user from themselves this way. It just adds some steps (toolbar icon -> search -> copy -> paste), but doesn't prevent the user from filling the login, just makes it less convenient. If they're going to ignore the giant warning that the browser throws at you if you try to go to a site with a mismatched cert or the insecure icon in the address bar for an HTTP site, I'm not sure a lack of close matches in the extension is that much of a barrier. Maybe it helps the least technically savvy users and it's worth it for that.
Honestly, just the ability to set valid alternate domains for an entry would solve the problem for me.
Thanks!
0 -
Hello @jboren,
You can always add secondary website fields to a Login item. If the current page matches a domain in any of the website fields it will allow this Login item to fill on his page.
Now we do also encode certain domain equivalencies into 1Password to help make things easier with certain sites. It sounds like maybe we need to look at the ones for Microsoft as by the sounds of it they've been either expanding or changing the domains for which a single Microsoft account is used on.
0 -
Hi @littlebobbytables !
That sounds perfect, and should work for what I need. MS has been slowly unifying those authentication system for years. Office.com still has it's own separate auth system but I think everything else thy offer online, including VSTS is on the same auth system or at least references the same credentials.
Thanks a ton for the help!
0 -
@jboren: Glad lil bobby was able to help. I'll also return to this:
The X extension only shows matches and there doesn't appear to be the ability to search for other entries (I love that the password generator is there though :)).
Just to clarify in case it helps you or anyone else, you can search for any items from the 1Password X toolbar menu. Cheers! :)
0
