Does 1Password send my login and password to the wrong login page?

Can you tell me what happens when a login fails, and what information, if any, is sent out over the Internet? I know this is kind of like asking "I saw a tree and it was green - what was it?" But please bear with me and read on a bit. I have perhaps 500 logins saved. Some of them are pretty old, and I haven't had time to use or test them all since I moved from Roboform to 1Password. When I attempt to log in to some (actually many), the site I am trying to access has changed their login procedures/process/page URLs or other aspects of the login, such that the page where the old login URL takes 1Password to is no longer correct or functional. However, the old login page may still have a login ID and Password blank. It appears that 1Password enters the information, and then nothing further happens. Is that the case? If the page has a place for ID and password, do they get sent as they would for a correctly functioning page? I'm just thinking about what could happen in such a situation. Compromised login data would seem to be possible. I'm not suggesting this is AgileBits' fault - it is mine for not updating the URLs, etc. However, I simply don't have time to test and revise rarely used entries, until I use them. Do you have a suggested approach to minimize any potential issues from these "changed" websites? When I come across them, after I get it working with the "new" login page, I change my passwords, but that seems to be the only thing that makes sense, at least to me, for the present.

More generally, what does 1Password do to try and minimize the chance that it is sending sensitive data to the correct place, and not an incorrect or potentially bogus site/URL? Does the establishment of an encrypted link to the intended site assure that it is the right site? What else is done?

Thank you for helping me try to better understand how such details are handled,
BobC4000


1Password Version: 7.3.712
Extension Version: 4.7.5.90
OS Version: Windows 10 Pro v1903 B18362.592
Sync Type: Native?

Comments

  • Those are great questions, @BobC4000, thanks for asking about this. So the best approach here I think would be to actually start with those protections against submitting data to the wrong place because the reason you're seeing 1Password still fill on those "dead" sign-in forms is the result of those protections. I know, sounds weird, but bear with me, ok?

    So 1Password will only fill for you when the domain of the site you're visiting matches the domain of the URL you've saved in 1Password. If that doesn't match, 1Password will just refuse to fill. Now, you might be able to surmise from this that this ultimately means that you determine where 1Password fills given Login info. The first way you do this is by choosing that URL – either by saving a Login item from that URL automatically or setting it via importing or editing the item to designate a URL. You also need to expressly tell 1Password to fill.

    You can do this in a number of ways, but it sounds to me like you're using what we call "Go & Fill". That's where you either select a Login item in your extension or click the URL for an item in the main app. When you do this, 1Password will go to its associated URL and fill your data for you. This is actually a form of phishing protection and its intent is to do precisely what you said – minimize the chance that you fill on an incorrect or bogus site. We do, however, make the presumption that by saving a particular URL within your Login item, you're making an implicit statement that you'd like to fill that Login item's data on that URL. If that URL has changed on the live site, but you've not changed it in 1Password, 1Password doesn't know that. You need to tell it so it will still fill on that old page so long as it's able.

    So, what risk does this entail? Time for my least favorite answer – it depends. Generally speaking, these old URLs will at least be on the site's domain. The same company owns the old page and the new one so it's not a big deal to submit your data for that site to a page they own that wasn't the one you intended. To give an example, a Login item for site.com may be site.com/login one day and site.com/signin another. Our hypothetical site.com owns both of those URLs so if you have a Login item with the former URL saved, it would actually fill on both URLs and that's fine. If you break down your intent in filling to a very basic level, your goal is to send your credentials for site.com to site.com. Whether you do that on the former URL or the new, updated URL, it's ultimately going to the same place. As another example, if I accidentally submit my personal Microsoft account data on the sign-in page for one of my varying work Microsoft services, I'm not fussed – that data is going to Microsoft either way so it's not a big deal. If I accidentally filled my Microsoft account data on the Google account sign-in page, then I would be concerned because I haven't decided that Google needs to know that data. 1Password will allow the former (filling a Microsoft Login on a microsoft.com page other than the exact URL I have saved), but it won't allow the latter (filling my Microsoft data on a Google-owned page).

    Now, with that said, companies occasionally get acquired, they get sold, their name gets changed, or they change their domains entirely, etc. When this happens, most companies will redirect any old URLs to the new one, direct it to a page that explains what happened, or just kill it off. In addition, they generally won't release the old URL out into the world. If PayPal rebranded to PayBuddy tomorrow, paypal.com might stop working or redirect to a page for paybuddy.com, but it probably won't release the domain such that We Steal Your Data, Inc. was able to buy it and set up a phishing site on the actual domain such that they could steal everyone's PayPal turned PayBuddy account credentials. But it could happen. Not everyone follows best practices, humans make mistakes, or maybe they decided to only take those precautions for a time because they assume everyone would have seen it by a certain point. Regardless, this is one case where you might be reasonably concerned. While 1Password can't and won't stop you from filling on a URL that matches the one you have saved, even if that URL is no longer owned and operated by the company you have an account with, this should be fairly rare and is likely something you will notice. After all, you're noticing even in cases where the URL you visit is still owned by that company, but just isn't the proper sign-in page any longer. And you're already doing the right thing in those cases – changing your password.

    So, now that we've run through what protections are in place and what potential risks still exist, the question remains – what's best practice in your case? That's a bit of a tough call. The risk you're taking by continuing to use Go & Fill isn't huge, but threat models are personal. If this is something that concerns you, it likely is best to at least consider a change in habits. Personally, I'm a bit old school and open sites myself rather than using Go & Fill. Once on the proper sign-in page, I press Ctrl + \ to fill. This provides the advantage of being able to examine the site before I fill so that if something has changed and I need to update my Login item, I can do that before I fill. With Go & Fill, filling happens automatically so while I might notice something has changed, the only way I can stop that filling is to do something like Alt + F4 to close my browser before the page fully loads and 1Password fills. My internet is fast enough I may not even manage that. Ultimately, I skip using Go & Fill simply because it's my habit to fill the way I do, but you might consider doing so to give you that extra chance to examine that site and make sure it's the right one since you know you've got some old URLs saved.

    At this point, you might already be tired of my babble, but I want to take some time to also address something you mentioned more directly – what gets sent over the internet. Nothing is sent over the internet until you press Submit or Sign in on the page, but I wouldn't focus so much on that per se. Whether you submit or not, the web page itself can read anything you enter on the page generally speaking. A good rule of thumb is that as soon as data is outside 1Password and entered on a website, assume that website has that data and act accordingly. If you don't want the website you've filled on to have that data, changing it is best practice, in my opinion. Filling doesn't always mean your data has been compromised, but it's far better to assume the worst and take action to protect yourself than assume the best and later find out that your data has been compromised when something actually goes wrong.

    I hope this helps and wasn't too much more than you bargained for, but if you have any further questions, I'm happy to help. :chuffed:
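
The domain-matching rule described in the reply above can be sketched as follows. This is an added example, not part of the original thread and not 1Password's code: the function names, the treatment of subdomains, the scheme check, and the small public-suffix sample are all assumptions made for illustration. A naive substring check is included for contrast, to show why the comparison has to be made on the parsed domain.

```javascript
// Added illustration; not 1Password's code. Matching rules are assumptions.
// Constructed sample of multi-label public suffixes; a real implementation
// would consult the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "github.io"]);

// Return the registrable domain (public suffix plus one label) of a hostname.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no registrable domain; compare them as-is.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Decide whether a saved Login item may be filled on the current page.
function shouldFill(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable URL: refuse to fill
  }
  // Assumption: only fill on web pages that have a hostname.
  if (!/^https?:$/.test(page.protocol) || !page.hostname) return false;
  return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
}

// Naive variant for contrast: substring matching accepts look-alike hosts.
function naiveShouldFill(savedUrl, pageUrl) {
  return pageUrl.includes(new URL(savedUrl).hostname);
}

// Constructed sample cases mirroring the reply's site.com example.
const savedLogin = "https://site.com/login";
const samplePages = [
  "https://site.com/signin",            // same domain, new path: fill
  "https://accounts.site.com/",         // subdomain of the same domain: fill
  "https://site.com.example.net/login", // look-alike host: refuse
  "https://othersite.com/login",        // different domain: refuse
];
for (const page of samplePages) {
  console.log(page, shouldFill(savedLogin, page), naiveShouldFill(savedLogin, page));
}
```

Note that a check like this says nothing about who currently owns the saved domain, which is the residual risk the reply describes for domains that have changed hands.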

This discussion has been closed.