1Password X saves new password even if rejected by website

This scenario is a problem when using the 1Password X Chrome Extension to update a password on a website and the new generated password is rejected by the website.

At the password change form on the website, 1 Password X correctly populates the "current password" and suggests a new secure password for the new password and automatically fills the new password confirmation field. However, BEFORE the form is submitted, 1Password X immediately prompts me to "Update Saved Login" to save the new password for the website or cancel.

If the website rejects the password, it's too late. 1Password X has already saved the new (invalid) password for the login. In fact, this happens even if the form is not submitted and the password is never updated on the website.

it would seem to me that the password for the login should not be updated in 1Password until AFTER the form is submitted and the website indicates the password was updated successfully. I don't expect that 1Password X to be able to determine when this happens, but I would expect to have the option to wait until I know the website accepted the new password before choosing to save it.

This is exactly what I do when using the 1Password app with the 1Password Safari or Chrome browser extension. I wait until after form submission and an indication from the website that the password was successfully updated, before selecting "Update Saved Login". Is there a way to have 1Password X behave like the 1Password app browser extension when updated the password for an existing login?


1Password Version: 7.2.4
Extension Version: 1.13.2
OS Version: 10.14.2
Sync Type: Not Provided
Referrer: forum-search:1password X password update

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Michael Mercurio: Thanks for reaching out. I’m sorry for the confusion! 1Password will never save anything unless you tell it to. I think maybe the question you're really getting at is, "Why doesn't 1Password wait until after the form is submitted and the password is accepted to offer to save?"

    First, that's pretty difficult, since no two websites are the same, so it isn't always possible for 1Password to detect a situation where it should offer to save a login at all.

    Second, it cannot, in fact, know something which may be obvious to you as a human: whether or not the password was even accepted. There may be ways to do that in the future, but again, this is very site-specific. As far as I know, there is not even a standard for this currently. Login form standards exist, but not many websites follow them. When it comes to passwords being accepted, some websites have a different "error" or "failure" URL, but many don't. Generally there will be a human-readable message letting you know the problem, but this is phrased differently. You understand the language, probably English, and can comprehend this, but 1Password does not -- as with most software.

    Finally, like 1Password X, even the 1Password desktop app/extension does not know if the password was accepted, either for logging in or changing login credentials; it can only see the form submission and make an assessment of whether login credentials were submitted at all, to offer to save them, not whether they are valid according to the website's (often unclear even to humans) rules.

    I agree it would be really cool if 1Password was smarter about all of this though, and maybe it's something that machine learning can help us accomplish in the future. But for now, you have a pretty easy out: if the password you save turns out to not be accepted, try again, and save/update that Login again. That way, if and when you manage to get one the website is happy with, you'll have it. And you've got password history if you need to backtrack due to a disagreement with the website. :)

  • Michael Mercurio
    Michael Mercurio
    Community Member
    edited January 2019

    Apologies if my wording was unclear, especially the title of the post. To me, it looks like a UI design decision of 1Password X vs 1Password. As I tried to say, I'm not asking for 1Password X to be smart and understand when to save the new password. I'm just asking to have the option to control when the password is saved. This is how 1Password app and extension works.

    With 1 Password X, the UI forces me to either save the new password (often prematurely) or cancel the operation completely AND it prevents me from interacting further with the website until I make this selection.

    With 1Password app the UI allows me to continue interacting with the website while the "update saved login" window floats above the main browser window. Once I'm happy and know the website accepted the new password and it was updated successfully, then, and only then, I click on the "update saved login" button. If the website rejects the password or the password fails to be changed, I click on the cancel button.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Apologies if my wording was unclear, especially the title of the post. To me, it looks like a UI design decision of 1Password X vs 1Password. As I tried to say, I'm not asking for 1Password X to be smart and understand when to save the new password. I'm just asking to have the option to control when the password is saved. This is how 1Password app and extension works.

    @Michael Mercurio: Ah, gotcha. That makes sense. I'm not sure that's really feasible, but I agree that would be nice. With the desktop app/extension, we've got native code running outside the browser, so it can present you with a dialog box that you can keep around and interact with at pretty much any time (or not). That's what allows you to hold off and actually complete the save once you're sure the website is all good with the password or whatever -- the app affords us all that luxury. With 1Password X, it's running entirely in the browser, right on the web page you're viewing. If you navigate to a different page, it goes away. There is no opportunity for it to be persistent across multiple pages (say, from the initial login page to whatever you end up on after that), or tabs, or windows. It's being added to the specific webpage you're currently viewing.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I would too suggest that 1Password X shows a floating window, which is not blocking page interaction, and waits for me to accept the new password after making sure the website confirmed the password change.

    @janxb: Perhaps that's something that could be possible in the future. It's just problematic due to browser security, which is a good thing. But I can see how something like that might be helpful. We just don't have a native app we can count on, external to the browser, to manage these things with 1Password X currently. But maybe someday we can find a way. :)

  • Strate
    Strate
    Community Member

    LastPass using floating window with prompt to save password, this is pretty useful.

  • kaitlyn
    kaitlyn
    1Password Alumni

    @Strate – Thanks for sharing that with us! Brenty's last comment still holds true, but as he mentioned, perhaps something like that could be possible in the future. :)

  • koraykupe
    koraykupe
    Community Member
    edited July 2019

    +1

    I agree with the author. I have also a few related topics about it.

    https://discussions.agilebits.com/discussion/101920/saving-the-login-item-after-logging-in-not-before
    https://discussions.agilebits.com/discussion/104944/1password-x-doesnt-offer-to-update-my-username

    I see it's about browser security, but a floating window that keeps the state between pages would make the app much much better.

This discussion has been closed.