BDO Unibank Log in Error

1Password works fine for other websites. But on the login for personal online banking the website deletes the entries and gives an error. I can enter the user name and password manually without issue. When I click on reveal in 1Password the password for the website cant be revealed. It displays as red asterisks. Have tried and tried.
https://online.bdo.com.ph/sso/login/wicket:interface/:4:loginUnifiedPanel:loginForm::IFormSubmitListener::


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:website

Comments

  • jxpx777
    jxpx777
    1Password Alumni

    It looks like the system is down for maintenance, but sometimes what happens is the site changes a field to a masked value, but after you save it, you can go to the item and see if it contains the real information or if it was saved with the masked value. You might need to click the "web form details" button once you edit the item to see all the fields that are saved.

    Let us know how it goes! I'll also check back on this site to see when it is available so I can investigate further if needed.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • chrisss
    chrisss
    Community Member

    Hi, I'm having the same problem with the same website.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Greetings @chrisss,

    I have a couple of questions in order to learn a bit more.

    1. If you copy and paste can you successfully log in?
    2. If the answer to 1. is yes, can you create an entirely new Login item please using the steps outlined on our support page How to save a Login manually in your browser. What happens if you try to log into your BDO account with this new item?
    3. What is the URL stored in the new Login item and is the sign-in page directly reachable from this URL?
    4. What version of 1Password do you have installed?
    5. What browser do you use and what version of the 1Password extension do you have?

    While I don't have a BDO account to test the actual sign-in process, learning these details will at least give us a good place to start with some testing to see if we can identify what might be happening.

  • chrisss
    chrisss
    Community Member
    1. No there’s a script that blocks copy and paste.
    2. same url as above
    3. the latest version
    4. safari, firefox and chrome (all latest versions)
  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hello @chrisss,

    So no matter what I do I cannot get that URL to load, it always goes to a maintenance page. I can find a sign-in form at https://online.bdo.com.ph/sso/login and the limited testing I can perform suggest 1Password is filling the fields correctly. If focus leaves and returns to the password field the page will clear the field but that happens regardless of whether 1Password is used or not.

    I don't know the page linked with the URL in the first post is different or not or what I would need to do to get it to load. I would be interested to learn if you can log into your BDO account using the URL in this post and what happens if you manually save a new Login item with this sign-in page. I would also really like to learn exactly what version of 1Password you have. 1Password could be reporting its up-to-date and it isn't the current version for a number of reasons. From a troubleshooting perspective saying the latest version reveals nothing. I've also seen Firefox claim its up to date and in actuality it was several versions behind and that was the source of the issue the user was experiencing.

  • chrisss
    chrisss
    Community Member

    @littlebobbytables There's a maintenance window that happens every 1am (UTC+08:00) onwards, I don't know how long, maybe you are getting that. This is bank site, most bank sites here in my country have that kind of maintenance window. Also it would be wise to mask your IP to Philippines via VPN or something not sure if they are blocking IPs outside of the country.

    For the versions, here are they:
    1Password 7
    Version 7.2.1 (70201001)
    Mac App Store

    Chrome:
    Version 69.0.3497.100 (Official Build) (64-bit)

    Firefox
    62.0.3

    Safari
    Version 12.0 (14606.1.36.1.9)

    I also suggest coming from this domain:
    https://www.bdo.com.ph/personal

    Then click online banking, then personal should be selected, and then click BDO Online Banking.

    I would be interested to learn if you can log into your BDO account using the URL in this post and what happens if you manually save a new Login item with this sign-in page.

    I see the password is saved as **** instead of the actual password. Please do note that my password saved on my original login does have the correct password. Also It's working on iOS, it's just broken on desktop.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @chrisss,

    So I don't have anything new to report at the moment. No matter when I try visiting the original URL I get a maintenance page and if I follow their link to return to the login page I can reach https://online.bdo.com.ph/sso/login and that loads. I don't know what the bank is doing if you can directly visit https://online.bdo.com.ph/sso/login/wicket:interface/:4:loginUnifiedPanel:loginForm::IFormSubmitListener: While the VPNs I use have endpoints in a number of places none have ones for the Philippines so I can't test that theory.

    The other oddity is that I tried saving a new Login item at https://online.bdo.com.ph/sso/login first in Vivaldi and then in Safari and in both cases the password was correctly recorded. If you see **** that suggests a site is using a fake password field and substituting characters with asterisks as you type. I've seen it before but I can't reach a page on this site where it's happening. I don't know why we're seeing such marked differences or what I can do to reproduce what you're seeing.

  • chrisss
    chrisss
    Community Member

    @littlebobbytables I assure you it's working properly (not in maintenance)
    img

    Maybe it's the time, may I know what time you are trying to access it? right now its 3:41 am (UTC+08:00) ( and I'm able to access it. I also tried a VPN using Tunnelbear with Singapore server, it seems to work?

    Please do note I'm able to login via IOS Safari fine. It's only broken on desktop. Also I was able to login in Firefox via manually copy and paste, I have to disable dom.event.clipboardevents.enabled to make paste work. If I use 1password, it gives me an error. It only works if I manually copy and paste the password.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Greetings @chrisss,

    As I'm sure you can appreciate, troubleshooting is deeply connected to the details and in the majority of cases we need to ensure we're being precise.

    The original URL reported was https://online.bdo.com.ph/sso/login/wicket:interface/:4:loginUnifiedPanel:loginForm::IFormSubmitListener, this is the one that none of us have been able to reach. I can visit https://online.bdo.com.ph/sso/login/ which I stated in my previous reply. I only say this because the image you supplied indicates the latter, not the former. The path in the image does not have any of the wicket:interface... path.

    Part of why I possibly appear pernickety is that earlier you said a Login item saved ****. 1Password can only save what is present on the page and at the moment I haven't found a page that exhibits this. One possibility is that there are multiple and different sign-in forms and it wouldn't be the first time we've seen this. Citi for example had several distinct pages, each different enough and most using the trick that could result in 1Password saving **** thanks to fake password fields. If there are different pages and they react differently then what might work on one isn't guaranteed to work on the other.

    On a surface level 1Password seems to fill the page at https://online.bdo.com.ph/sso/login/. I'm not discounting the possibility that the page is doing something weird, something that only becomes evident only when you submit but we need to ensure we're both testing the same page and at least partially seeing similar results, such as what 1Password stores when a Login item is saved. Without that it's hard to say with conviction whether any other odd behaviour is a result of the page or if because we're not seeing consistency in our tests.

  • chrisss
    chrisss
    Community Member

    I’m reporting this url https://www.bdo.com.ph/personal, since it’s the same bank I just replied to the same thread.

    Do you wany me to post a new thread?

    I you read carefully what I said, I asked you to visit via this url https://www.bdo.com.ph/personal

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @chrisss,

    Let's start afresh.

    1. Can you directly load https://online.bdo.com.ph/sso/login/ and does it load the sign-in form for you?
    2. If you manually save a new Login item on that page using the steps laid out on our support page How to save a Login manually in your browser does it correctly record both your username and password?
    3. If you let 1Password fill using the new Login item, what happens when you try to submit?
  • chrisss
    chrisss
    Community Member
    1. I can directly load that url.
    2. If I manually save the login, the password becomes obfuscated, eg, if the password is pass, then it'll become ****, so it just saves a bunch of asterisks.
    3. Login error.
  • chrisss
    chrisss
    Community Member

    @littlebobbytables follow up, I do hope it won't take a year for this to be resolved. The original url that this thread have posted is an error url unique to each customer. So if someone paste it other than your computer, it'll show maintenance. Now like I said, I provided a new url and also with the url you provided where all the queries have been removed.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    @chrisss,

    If 1Password is capturing asterisks that's because the site is placing those in the field. I don't have a good explanation as to why some banks think this helps with security over a standard password field. Filling with that item will fail.

    Assuming you still have the item, if you edit it and replace the password with your real one what happens when you try to fill with this modified item?

  • chrisss
    chrisss
    Community Member

    @littlebobbytables it won't login using the auto login, even if I edited the password with the real one.

  • ag_sebastian
    ag_sebastian
    1Password Alumni

    @chrisss When you say auto login, which exact steps are you taking? What happens if you try to Autofill using the Cmd-\ shortcut, and then click Login?

    This site is trying really hard to make it difficult for us to fill the password. :( Another curious thing: If you click the Password field, click away from it, and then click it again, the password entered will be cleared. As much as it pains me to say it, I don't think there's much we can do in this case.

    Having said that, @littlebobbytables might be able to find a workaround, as he's much more experienced than me.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @chrisss: I think that you're not the same person I've been conversing with via email about this specific website, but please correct me if I am mistaken. :lol:

    Either way, I just happened upon this forum thread and thought to myself, "Wow, that seems familiar!" It turns out I've spent some time on this again recently investigating the issue to see if there's something we might be able to do to help. It doesn't seem promising at this time (I'll go into that later), but we do have an issue filed for this with the details so we can hopefully find a way to work around this in the future.

    To elaborate, unfortunately 1Password cannot help you sign in here at present, and perhaps won't be able to unless the website itself changes. In testing, they seem to be actively preventing people from using a password manager to fill a strong password.

    Actually, while we can use 1Password to fill, the site just doesn't accept the input (the text appears "greyed out"). They seem to want the user to enter it manually. One trick that often helps with sites that do this is to enter a character at the end of the filled password manually, and then delete it, leaving what was originally filled, but satisfying the site's user input requirement. However, that does not seem to work in this case, as the site clears out the password field again when I try to interact with it.

    Also, this normally the point where I'd suggest copying and pasting your password, since that's much easier than typing it...but they seem to block pasting there too. I'm not sure that there's much we can do to work around that ourselves, given how aggressive this seems, but we'll continue to improve 1Password to see if we can figure something out. The difficulty is that 1Password is doing everything right here -- filling when and where it's told to -- but the site actively rejects a login attempt made without you entering the credentials yourself. I don't really see the benefit in that, since most people will just use a weak password that's easy to remember and type when faced with this obstacle... :(

    But one practical thing that might help while they continue to actively thwart 1Password's efforts on your behalf is to change the password: have 1Password create a random word-based password, to give you something strong that is also memorable and typeable. If you use four words, that will be strong enough to stop anyone from guessing it, even using a computer, for the foreseeable future*.

    *We recently ran a contest with a cash prize to guess a three-word random password, and that took more than 6 months even with hints.

    Anyway, I'm sorry we can't be of more help to you or other customers of this institution at the moment, but if we can find a way to work around this to make it easier for you and others to use 1Password to make it easier for you to do the secure thing there, I think we'll all be happy. :)

    /cc @littlebobbytables, @ag_sebastian

    ref: x/b5x#748

  • chrisss
    chrisss
    Community Member
    edited April 2020

    @ag_sebastian

    @chrisss When you say auto login, which exact steps are you taking? What happens if you try to Autofill using the Cmd-\ shortcut, and then click Login?

    It doesn't log in, I'm pretty sure I tried it 3 times but it seems it doesn't lock my account, so not sure if it's even submitting.

    @brenty

    @chrisss: I think that you're not the same person I've been conversing with via email about this specific website, but please correct me if I am mistaken. :lol:

    I've only converse through this forum, and not by email.

    I've try doing some workarounds. On Firefox, disabling "dom.event.clipboardevents.enabled" and pasting it manually logs me in successfully. So if I was able to log in manually, shouldn't 1Password be able to disable the clipboard events and paste the password as well?

    There's also this extension but I haven't tried:
    Don't [removed] With Paste

  • AGAlumB
    AGAlumB
    1Password Alumni

    It doesn't log in, I'm pretty sure I tried it 3 times but it seems it doesn't lock my account, so not sure if it's even submitting.

    @chriss: To be clear, 1Password can fill your login credentials, but you will need to submit the form, either by clicking the button ("sign in", etc.) or pressing Return. Does that work?

    I've only converse through this forum, and not by email.

    Thanks for confirming! I'm kind of glad because I'd hate to bore you with the same long explanation twice. :lol:

    I've try doing some workarounds. On Firefox, disabling "dom.event.clipboardevents.enabled" and pasting it manually logs me in successfully. So if I was able to log in manually, shouldn't 1Password be able to disable the clipboard events and paste the password as well?

    There are limits to what 1Password can (and should) do to modify the webpage, and messing with things can have unexpected results.

    There's also this extension but I haven't tried:

    Interesting. I'm always wary about installing other extensions since they often have the ability to read what I do on webpages (like my passwords), but thank you for sharing that!

  • chrisss
    chrisss
    Community Member

    @brenty Sorry for a late reply, fast forward today, still not working. Also your last question, it does submit the form, but I think it's only sending a masked password; it intercepts 1password password and changes it to a literal *. What does work is I have to disable their paste disable the script, and manually paste my password.

  • @chrisss thanks for keeping us in the loop, even many months later. :smile: I don't have anything new to report on 1Password's front, but it sounds like you have a manageable workaround for yourself for the time being. :+1:

  • kiamoyman
    kiamoyman
    Community Member

    Still not fixed in 2020 :( LastPass was able to implement a workaround on this though.

  • ag_ana
    ag_ana
    1Password Alumni

    @kiamoyman:

    Sorry about this, but thank you for the update. We will do our best to work on this as soon as possible.

This discussion has been closed.