Partial passwords when logging in to some websites

Some websites ask for a subset of the characters of my password when logging in (e.g. characters 1, 3 and 10). The requested characters change the next time I log in.

When accessing these websites I open the 1Password app and then reveal the password to identify the characters I need. I then manually type the characters into the relevant fields on the website. Having to reveal the password in 1Password seems incredibly insecure as it exposes it to anyone watching over my shoulder.

Is there a better (more secure) way of interacting with these types of login flows?

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_yaron (1Password Alumni), edited August 2019

    Hey @omzaz,

    The only way to make this process more secure is to send a strongly opinionated email to that website's developers, telling them that this process is useless and that there are far better alternatives (that are more secure as well), such as a one-time password or 2-factor authentication.

    Honestly, I don't know why this kind of login workflow ever got implemented in the real world; I'm baffled by how something that is not user-friendly at all got out. But in order to work with it, the only suggestion I have for you is our Large Type feature:

    • Click the 1Password extension in your browser.
    • Select the relevant login and click the little arrow on the right of the password field.
    • Select "Show in large type".

    Large Type will show you the password on the screen with the number of each character in the password, which will greatly help you fill in this form. However, it will not address the security concern you have, as it will show the password in huge lettering on your screen. As I've said, the best course of action here is to talk the website developers into a more sane (and more secure) login method. I mean, if someone already has your password, how is having that process more secure?

    I hope you will find this info useful. :chuffed:

  • omzaz (Community Member), edited August 2019

    Hi @Yaron

    Of the websites I use, there are perhaps a dozen which implement this type of login flow. They are usually financial institutions. So even if one or two change their login flow as a consequence of customer requests (I suspect unlikely with financial institutions), it's still not going to have a meaningful positive impact on me in the foreseeable future.

    This has been an issue for many years, and it has always seemed to me that 1Password could provide a much better solution than Large Type, and one that would probably be relatively easy to implement. Instead of (or in addition to) Large Type, why not have a feature where we could manually and on demand specify which characters we want to see, and then show us only those characters? Call it "selective expose" or something similar. This could even be done one character at a time, and could potentially stay hidden from view. We specify a number, you immediately load the character at that position to the clipboard, and then we can paste that into the relevant password field. We then repeat for each requested character. Such selective exposure or selective copy would seem to me to be a lot more secure than exposing the entire password via Large Type.

    Also, regarding Large Type: it only seems to show the number position of each character on desktop. On mobile it does not show the number position, so it is not much help for this type of login flow on mobile.
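    Editor's note: the "selective expose" idea above is small enough to script outside the password manager. The block below is an added example, not 1Password code and not from any poster in this thread. It assumes the password is already available to the script as a string (a constructed sample is used; in practice it would come from a password manager's CLI or a secure prompt, which is outside the example) and that positions are 1-based, as websites phrase them. It parses the site's prompt, returns only the requested characters, and renders a masked view in which nothing beyond those characters is visible.

```python
"""Selective character exposure for "enter characters 1, 3 and 10" prompts.

Added example, not 1Password code. Assumes the password is already held as a
string (constructed sample below) and that positions are 1-based.
"""
from __future__ import annotations

import re
from typing import Iterable


def parse_positions(prompt: str) -> list[int]:
    """Extract the requested positions from the site's prompt text,
    e.g. 'Enter characters 1, 3 and 10 of your password' -> [1, 3, 10]."""
    positions = [int(n) for n in re.findall(r"\d+", prompt)]
    if not positions:
        raise ValueError("no character positions found in prompt")
    return positions


def _check_range(password: str, positions: Iterable[int]) -> None:
    """Reject positions outside 1..len(password) rather than silently
    returning the wrong (or no) character."""
    for pos in positions:
        if not 1 <= pos <= len(password):
            raise ValueError(f"position {pos} outside 1..{len(password)}")


def select_chars(password: str, positions: Iterable[int]) -> str:
    """Return only the characters at the requested 1-based positions,
    in the order they were requested."""
    positions = list(positions)
    _check_range(password, positions)
    return "".join(password[pos - 1] for pos in positions)


def masked_view(password: str, positions: Iterable[int], mask: str = "\u2022") -> str:
    """Render the password with every character except the requested ones
    replaced by `mask`, so what appears on screen is no more than what is
    about to be typed into the form anyway."""
    wanted = set(positions)
    _check_range(password, wanted)
    return "".join(ch if i + 1 in wanted else mask for i, ch in enumerate(password))


if __name__ == "__main__":
    # Constructed sample; never hard-code a real password.
    sample_password = "correct-horse-battery"
    prompt = "Enter characters 1, 3 and 10 of your password"
    wanted = parse_positions(prompt)
    print(masked_view(sample_password, wanted))
    for pos, ch in zip(wanted, select_chars(sample_password, wanted)):
        print(f"character {pos}: {ch}")
```

    Feeding the prompt text rather than hand-typed numbers removes the most common slip in this flow (miscounting the position), and the range check turns a typo such as "character 100" into an error instead of an empty field.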

  • AGAlumB (1Password Alumni)

    @omzaz: Thanks for the clarification! It wasn't clear from your original post what platform/versions you were using. Glad we're on the same page now. :) While it doesn't often come up (probably because having to do that dance at all on a mobile device is unwieldy), the character numbering is something we'd like to add to Large Type in the mobile app in the future as well.

    As you point out, some of the "security" measures websites put in place can be quite a pain, and, ironically, can potentially make you less secure, though most often that's because when people are faced with these kinds of hurdles, they just use weak passwords they can remember and type easily. When websites "go it their own way" and "roll their own securitay" like this, eschewing web standards, it really isn't possible for 1Password to understand or do anything useful with it. As Yaron mentioned, our best hope as users is to encourage companies to stop making it harder for us to be secure, as that benefits them as well. If it helps, we had a blog post on this very subject a while back:

    An open letter to banks

    That could either be a source of inspiration when writing to your bank in your own words, or, honestly, feel free to link to it directly, as it covers a lot of ground. The important thing is that we make our voices heard. My bank used to allow only 8 character passwords, and had a number of other hoops users had to jump through which wouldn't make things any harder for attackers, only their customers. That's changed over time, and I can only imagine that's as a result of feedback from myself and other customers. Otherwise there's just no incentive to spend time and money making changes. It doesn't happen overnight, as there are often legacy systems that will need to be updated or replaced outright. But progress needs to start somewhere, and having actual people say that they would appreciate improvements to login security is a good motivator.

    Another thing that I think Yaron was hinting at specifically with these "character n of password" prompts is that for that to even work, they pretty much need to know your actual password, and that means it could be stolen from them. Nowadays many websites are taking advantage of better security to protect their users and themselves by not caring what the password actually is, but instead saving a salted hash of it to compare against later when you login. This allows them to not restrict the length and composition of your password, since a fixed-length hash is created no matter what, and also not be in a position to have user passwords stolen from them -- which, frankly, is better for everyone: if they do it right, a website breach doesn't hurt their users or their reputation the same way it does when accounts get compromised. Everybody wins. :)
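    Editor's note: the last paragraph above is worth seeing in code. The block below is an added example, not from this thread, 1Password or any bank, and uses constructed sample data only. It contrasts a conventional salted-hash check of the whole password with what an nth-character prompt requires: the hash cannot be queried per character, so the site ends up keeping the password in recoverable form. The iteration count is an assumption chosen to keep the example quick; production deployments should use a higher count.

```python
"""Why an "nth character" check forces a site to keep your password recoverable.

Added example, not from the thread, 1Password or any bank. Constructed data.
PBKDF2_ITERATIONS is an assumption kept low for speed; use more in production.
"""
import hashlib
import hmac
import math
import os

PBKDF2_ITERATIONS = 100_000


def register_hashed(password: str) -> dict:
    """Conventional approach: store a per-user random salt and a slow salted
    hash. The site never needs the password itself after this point."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the hash over the whole candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def verify_partial_from_hash(record: dict, positions: list, chars: str) -> bool:
    """What an nth-character site would need from a hashed record: a check of
    characters 1, 3 and 10 on their own. A salted hash commits to the full
    string and cannot be queried per character, so there is nothing to
    compare against; this deliberately refuses."""
    raise NotImplementedError("a full-password hash cannot verify individual characters")


def register_recoverable(password: str) -> dict:
    """What nth-character sites are pushed into: keeping the password itself,
    plain or reversibly encrypted (equivalent once the key leaks with the data)."""
    return {"password": password}


def verify_partial(record: dict, positions: list, chars: str) -> bool:
    """Check the requested 1-based positions against the stored plaintext."""
    stored = record["password"]
    if len(positions) != len(chars):
        return False
    if any(not 1 <= p <= len(stored) for p in positions):
        return False
    expected = "".join(stored[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), chars.encode())


def subset_hash_cost(length: int, k: int, alphabet: int = 62) -> tuple:
    """The only hash-based alternative: pre-hash every k-subset of positions at
    registration. Returns (hashes to store per user, candidates an attacker
    must try to recover one subset offline). For a 12-character password and
    3 requested positions that is 220 hashes, each guessable within
    62**3 = 238,328 attempts, so the hashing buys almost nothing."""
    return math.comb(length, k), alphabet ** k


if __name__ == "__main__":
    rec = register_hashed("correct-horse-battery")       # constructed sample
    print("full-password check:", verify_hashed(rec, "correct-horse-battery"))
    rec2 = register_recoverable("correct-horse-battery")
    print("nth-character check:", verify_partial(rec2, [1, 3, 10], "cro"))
    print("subset-hash cost for 12 chars, 3 positions:", subset_hash_cost(12, 3))
```

    The point of `subset_hash_cost` is that even the "hash everything" workaround does not help: a three-character subset has such a small keyspace that each stored hash falls to an offline guess in well under a second, so a breach of such a site yields the password either way.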

  • omzaz (Community Member)

    @brenty

    I appreciate your point of view that the systems used by banks and other financial services websites are undesirable. But the reality is that this is what is common today and has been for a long time. Even if banks receive many requests to change, I can't see change happening quickly (because quick change is not in the nature of banks).

    In the meantime, the existing solutions in 1Password to help us identify the nth character in a password (Large Type or Password Reveal) make the situation worse (because they expose the whole password on the screen for a period of time). Therefore I reiterate the pragmatic suggestion I made in an earlier post to provide us with a means of selectively exposing only certain characters in a password (achieved by user prompt rather than auto-detection by 1Password). This would be a helpful stop gap until the time banks stop asking for nth character in a password (if that ever happens).

  • ag_ana (1Password Alumni)

    @omzaz:

    Thank you again for sharing your thoughts :) As brenty mentioned, this is something we would like to add to the mobile app as well.

  • omzaz (Community Member), edited August 2019

    @ag_ana I think he is referring to adding character numbering to Large Type in the mobile apps rather than what I think is needed (selective character expose).

  • ag_ana (1Password Alumni)

    @omzaz:

    I agree, I think that character numbering is what he was referring to. I am not aware of any plans to add the exact feature that you are wishing for, so large type numbering would be the closest help to your needs among the features that we are considering.

  • littlebobbytables (1Password Alumni)

    Greetings @omzaz,

    I'm guessing you're based in the UK, as I am, and I know the majority of banks I have experience with do love that whole nth-character-from-your-password nonsense. So, as somebody who experiences this on a regular basis as well, I am impacted by whatever 1Password allows. The truth is sites like this are far from common, and the vast majority of sites don't require anything this annoying. It means that even though I would personally benefit, I cannot think of a compelling argument for spending the time to develop something more intricate, not when there are so many other deserving tasks that will benefit a much larger portion of our users, of which I include myself. Your scenario doesn't even extend to all UK users, as for many the Large Type option is all they need and they're not somewhere public where shoulder surfing is a possibility.

    I never enjoy telling somebody their request is unlikely to happen but I would rather be honest with you than offer any false hope.

    Just as an aside, have you ever asked yourself how your bank is able to verify individual characters from your password? I've wondered, and I'm pretty confident I won't like the answer. I feel it's a flawed approach to security, and I'm doubtful it provides any real security over a single password field.

This discussion has been closed.