Is it possible to update manually matched item with the website I am using it on?

I imported from Keepass 1.x and since I used it manually for years, I never updated website data in my entries. For example, I have a Twitter username and password, but I never needed to add that the website was twitter.com, since the name of the entry was "twitter".

In 1Password it does not find a match for the website, which is fine, I read the Phishing reason...but if I go to 1Password in Chrome and specifically search and choose my Twitter item, shouldn't it update existing with the website data, or at least ask me if I want to update the chosen item? I am telling it specifically to try and use that (which it does not, by the way, and I still have yet to figure out how to manually update the website field)

In this case I had to make a duplicate and delete my old entry... :(


1Password Version: 7.3684
Extension Version: 4.7.3.90
OS Version: Win10
Sync Type: Not Provided
Referrer: forum-search:no website

Comments

  • Thanks for reaching out, @mattnlynn, and welcome to the 1Password family! Alas, the same matching that informs that phishing protection is also what allows 1Password to know which item you need to update when making changes on the website itself. If you're on twittter.com and you change your password, 1Password will suggest updating the item associated with twitter.com. Plus, if merely attempting to fill on a non-matching site prompted you to update your item with the new site, that would wholly bypass that phishing protection. What if you're on a phishing site when you try to fill?

    I feel bad because I honestly can't think of a better way forward than to add a website to each of your items in the main 1Password app. The extension simply doesn't have any way to know that your Twitter item is for twitter.com. Here's the workflow I'd recommend:

    As you visit sites and search for the Login items you want to match to that site:

    1. Right-click the item when its found and select "Edit in 1Password".
    2. Copy the URL from your browser.
    3. Paste it into the website field and save the item.

    Once you've done that, it'll match it properly moving forward. :+1:

    You present an interesting conundrum here as well (whether intentionally or no). I instinctively like the idea of looking to titles to at least suggest a default website for your item when it has none saved. Despite that, I also see a few potential security concerns there. First, we'd definitely need to prompt you to give 1Password the okay to add that data to your item. We have strict policy of not mucking with the data you save. It's yours, not ours, and if you want to save things differently from how we envisioned, we should allow you to do that. We'd also have to make sure this sort of thing doesn't get naggy to folks who purposefully don't include websites. Plus, it would need to use a system that doesn't suggest things based upon the site you're viewing since it could still be a phishing site as I mentioned above. It's a pickle – I'd love to see us do better here, but I'm not sure what would both feasible and helpful. 🤔

    Anyway, I'm sorry for the extra work here, but I hope the explanation of how this works at least helps make it as easy as possible. I'll also be sure to share your experience with the team. I'm not sure how we could improve this sort of situation within the confines of our security standards, but I definitely feel like it's worth a ponder. :chuffed:

  • mattnlynn
    mattnlynn
    Community Member

    Hi @bundtkate

    Thanks for the reply!

    You said, "If merely attempting to fill on a non-matching site prompted you to update your item with the new site, that would wholly bypass that phishing protection. What if you're on a phishing site when you try to fill?"

    I think by this you mean, what if I told 1Password to update my item with the website I am on...but I was accidentally on tw1tter.com, and not twitter.com? Correct?

    The resolution proposed for that is to Copy the URL and paste it into the item?

    How does that make me better avoid the phishing? In both methods, I am manually updating the item in 1Password with the (wrong) URL I am currently on. (and in this particular case, I actually just copied and pasted my password from the 1Password item into the site anyway to login)

    At some point, the user has to take responsibility to update 1Password manually/correctly. If I am on a site where there is no website match, but I find a title match manually, and I specifically tell 1Password to fill it in...then 1Password says "The sites do not match, are you sure you want to update this item with [URL1], or keep the existing website data [URL2}?" ...and I choose Update. (in my example URL2 would = blank) I can't see how this would be less safe than a copy/paste without any warnings?

    That being said, I won't drag this out, and I could be missing something, :) it's just some manual "fine print" steps that I did not realize that I would have to do, which I think others should be aware of ahead of time. Thanks for considering!

  • mattnlynn
    mattnlynn
    Community Member

    Wow...that entire response disappeared when I removed the dashed line? Too tired to re-type it in. I guess I will live with it.

  • MrC
    MrC
    Volunteer Moderator

    @mattnlynn ,

    I’d take a lazy approach, and just add URLs as needed, when you use them. You’ll find you get the majority of the sites you frequent, pretty quickly.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'll second that. When I started using 1Password, rather than killing myself (or at least a lot of time and energy) trying to do it all at once, I started with the most important (security-wise) accounts, moved on to those I used regularly (adding them as I went), and eventually worked my way through everything -- and then added much, much more. "Lazy" FTW! :lol:

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited May 2019

    Wow...that entire response disappeared when I removed the dashed line? Too tired to re-type it in. I guess I will live with it.

    @mattnlynn: I was confused by these comments a bit ago, but I think you were referring to the longer post I just dug out of the spam queue:

    I think by this you mean, what if I told 1Password to update my item with the website I am on...but I was accidentally on tw1tter.com, and not twitter.com? Correct? The resolution proposed for that is to Copy the URL and paste it into the item?

    No. If you already have a Login saved for twitter.com, it already has the correct URL. Don't add a fake site. Kate's saying that you can, at your discretion, add additional URLs for legitimate sites where you need to use login credentials (e.g. microsoft.com, live.com, etc.) You're talking about putting a fake site there. Why would you do such a thing? I mean, you can add whatever you want by manually editing the item in 1Password, but we're not going to have it facilitate phishing scams by filling places other than the Login's specified URL(s).

    How does that make me better avoid the phishing? In both methods, I am manually updating the item in 1Password with the (wrong) URL I am currently on. (and in this particular case, I actually just copied and pasted my password from the 1Password item into the site anyway to login)

    I think you just answered your own question. :tongue: Do you feel that we should disable copying from your items, or prevent you from making changes to your own data? I don't really think it's reasonable to say that because the user can do something by going out of their way that it's not worth ensuring that 1Password isn't facilitating insecure behaviour, or that it's somehow 1Password's fault if you manually take your password and enter it somewhere you shouldn't -- 1Password can't and won't even know about that.

    At some point, the user has to take responsibility to update 1Password manually/correctly. If I am on a site where there is no website match, but I find a title match manually, and I specifically tell 1Password to fill it in...then 1Password says "The sites do not match, are you sure you want to update this item with [URL1], or keep the existing website data [URL2}?" ...and I choose Update. (in my example URL2 would = blank) I can't see how this would be less safe than a copy/paste without any warnings?

    1Password isn't going to help you make these kinds of mistakes, by filling for you at a URL that doesn't match where you've told it that Login should be used. That's the phishing protection. That's what we're talking about here.

    That being said, I won't drag this out, and I could be missing something, :) it's just some manual "fine print" steps that I did not realize that I would have to do, which I think others should be aware of ahead of time. Thanks for considering!

    I am not sure I understand what you have in mind, but if you'll be more specific I'll discuss it with the team in case we need to update some documentation. What you've been saying so far just doesn't seem to be in that context, so I'm sorry if I'm missing something you're alluding to.

  • mattnlynn
    mattnlynn
    Community Member

    Hi @brenty,

    Yea, I think I did not post that clear enough. My import from Keepass gave me an entry for twitter:

    Name Twitter
    Website::
    Username: ted (for example)
    Password: 12345 (for example)

    I then went to Twitter (twitter.com), and pressed sign-in, and no matches were found. (since my import did not contain any websites) So in the extension in Chrome, I entered into the search field "twitter" and my entry above appeared, and I clicked it to fill in the username and password on the screen. Nothing happened.

    I was asking if 1Password could prompt (only if my website is blank) and say "Are you sure you want to use that username and password here, the websites don't match?"...and if I say yes..."Do you want to update the website on the entry "Twitter" with the current URL?"

    In this case, I would be manually saying "Use this password for this site", and 1Password is warning me that the websites don't match, and I can then say, "Yea, I know, it's OK"

    Instead, I had to manually copy 12345 and paste it into the sign in, and then 1Password said, do you want to save this as a new entry? I said yes. Now I have 2 Twitter entries and I have to open 1Password search for both Twitter entries, discern the good/bad and delete the old. (not to mention there were no warnings to make me stop and double check the URL's)

    MrC is probably right, and I will eventually get through it. I figured I would just try and clear up my prior entry. Thanks for grabbing it from Spam, but it sounds like it deserved to be there, lol :)

    Thanks again for replying, +1 for responsiveness and customer service!

  • AGAlumB
    AGAlumB
    1Password Alumni

    @mattnlynn: Ohhh. No URL. Other LastPass users have reported similar mangling of their data when exported. :(

    I was asking if 1Password could prompt (only if my website is blank) and say "Are you sure you want to use that username and password here, the websites don't match?"...and if I say yes..."Do you want to update the website on the entry "Twitter" with the current URL?"

    Thanks for clarifying! Actually, I think that's a really reasonable suggestion. It's something we'll have to discuss. Thanks for bearing with me earlier and taking the time to make you request clear to me. :blush:

    As you can tell, I'm pretty passionate about 1Password not helping users fall prey to phishing attacks. But I agree that this is a bit of a different case. Maybe it's something we can incorporate as part of the "Update Login" feature in the future. I think we need to be realistic about the priority of something like this, since (as far as I can recall), you're the first to suggest it (there are, mercifully, not a lot of users who end up with zero URLs in their Logins). But I will absolutely bring it up with the team. Likewise, thank you for your thoughtful comments on this! :)

    ref: xplatform/b5book#972

This discussion has been closed.