This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Query: What fields are actually submitted to a website & security of default web hyperlink

Hi,



One question (and some related follow-ons) and a point of concern.



1) For a default login, you can create two standard fields (user & password). What isn't clear is what fields are submitted to the website (all of them?). If I create additional fields, can you advise if they are submitted to the website?

The reason being that I presently use additional fields to store additional security information, like the backup questions etc. By doing this, are these fields being submitted to the website?

Would I be better using the notes field and if so how to conceal this valuable data that is designed to recover the password?



2) Also, just a note on the fact that any new password entry has the default internet hyperlink set to http://www.example.com/....... While I can see it as a useful demo field, is it not a security risk, as anyone who hasn't set up a hyperlink will go to that page and submit their credentials if they accidentally click it? If their username happens to be a credit card number or similar, then they've just handed their details away. Might I suggest it be left blank.



Cheers

Comments

  • khad
    khad Social Choreographer
    edited November 2012
    Whatever fields are filled on the page are what will be submitted. You can disable autosubmit to review what fields are filled if you want:



    http://support.agilebits.com/kb/browser-extensions/autosubmit-trouble-login-is-being-filled-in-but-i-am-not-being-signed-in



    Every site is different so it depends on the site. 1Password has some intelligence to try to guess which field is the username field and which is the password field (the latter is usually much easier since it is a special HTML input type).



    That said, we always recommend saving Logins via the browser extension so 1Password can actually "learn" the specific fields of the site. That way 1Password isn't guessing the fields but filling the exact ones for every given site.



    We recommend using the Notes field for [in]security questions and have some additional tips as well:



    http://blog.agilebits.com/2012/08/11/blizzard-and-insecurity-questions-my-fathers-middle-name-is-vr2ut1vnj/



    ----



    Example.com is specifically designed for such a use. As the page says:



        As described in RFC 2606 (http://tools.ietf.org/html/rfc2606), [IANA] maintain a number of domains such as EXAMPLE.COM and EXAMPLE.ORG for documentation purposes. These domains may be used as illustrative examples in documents without prior coordination with us. They are not available for registration.



    From section 5 ("Security Considerations") of RFC 2606 (http://tools.ietf.org/html/rfc2606):



        Confusion and conflict can be caused by the use of a current or future top level domain name in experimentation or testing, as an example in documentation, to indicate invalid names, or as a synonym for the loop back address. Test and experimental software can escape and end up being run against the global operational DNS. Even examples used "only" in documentation can end up being coded and released or cause conflicts due to later real use and the possible acquisition of intellectual property rights in such "example" names.



        The reservation of several top level domain names for these purposes will minimize such confusion and conflict.



    There are no form fields on the example domains.
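
An added example, not part of the thread and not 1Password's code: a simplified model of how a browser decides which form controls are sent on submit, used to check which stored fields would actually leave the vault. The field names, the sample form and the match-by-name filler are assumptions made for illustration.

```javascript
// Simplified model of how a browser builds the data set when a form is submitted.
// Not modelled: <select>, file inputs, image buttons.
function submittedEntries(controls, submitter) {
  const entries = [];
  for (const c of controls) {
    if (c.disabled || !c.name) continue;                  // disabled or unnamed: never sent
    if (c.type === "button" || c.type === "reset") continue;
    if (c.type === "submit" && c !== submitter) continue; // only the button that was used
    if ((c.type === "checkbox" || c.type === "radio") && !c.checked) continue;
    entries.push([c.name, c.value ?? ""]);                // hidden and empty fields are sent too
  }
  return entries;
}

// Hypothetical filler (assumption, not 1Password's logic): a stored field is
// copied into a control only when the control's name matches the stored name.
function fill(controls, stored) {
  return controls.map((c) => {
    const match = c.type !== "hidden" && Object.prototype.hasOwnProperty.call(stored, c.name);
    return match ? { ...c, value: stored[c.name] } : c;
  });
}

// Which stored fields would be submitted, which stay local, and what the page adds itself.
function auditFill(controls, submitter, stored) {
  const sentNames = new Set(submittedEntries(fill(controls, stored), submitter).map(([n]) => n));
  const storedNames = Object.keys(stored);
  return {
    sent: storedNames.filter((n) => sentNames.has(n)),
    notSent: storedNames.filter((n) => !sentNames.has(n)),
    pageOnly: [...sentNames].filter((n) => !storedNames.includes(n)),
  };
}

// Constructed sample data (hypothetical names and values).
const loginButton = { type: "submit", name: "action", value: "login" };
const sampleForm = [
  { type: "text", name: "username", value: "" },
  { type: "password", name: "password", value: "" },
  { type: "hidden", name: "csrf_token", value: "constructed-token" },
  { type: "checkbox", name: "remember", value: "1", checked: false },
  { type: "text", name: "newsletter", value: "", disabled: true },
  { type: "text", value: "control without a name attribute" },
  { type: "submit", name: "action", value: "register" },
  loginButton,
];
const storedItem = { username: "alice", password: "constructed-password", security_answer: "constructed-answer" };
```

In this model a stored field with no matching control on the page is never submitted, while hidden fields the page defines are submitted without the user filling anything.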