Overwriting of username, URL when changing PW

Tom Harrison

<div class="IPBDescription">Also, re-prompting to save new password needlessly</div>I have been changing passwords on sites since the Gawker event of last weekend. URLs, Userids, pws all stored in 1P.



In many cases, when 1P prompts to save a new password, I have selected the option to update (replace?) the password. Frequently I have been finding that the username has been overwritten with an empty one, and the URL is set to the change password page.



I think I understand now -- I guess this is the auto-save function from within the browser, which I assume is triggered when something changes. But this seems like a poor implementation -- if I am on the change password page, there's often not a username for 1P to grab, and it semi-silently overwrites my username with blank. I have also noticed apparently "random" cases where I'll go to Gmail, for example, and be prompted to log in, use the 1P Go and Fill Login and get prompted as above, even though the username and password is the same ... and I think even the URL. Both of these make the workflow of changing passwords cumbersome (since the change password page is usually not the normal login page).



It would be great if 1P were able to provide a little more information about [u]what[/u] it's about to do in this case, and perhaps even some intelligence about what fields to update. I had incorrectly assumed it was just password. At the very least, replacing a username with a blank should trigger some "Are you sure?" kind of prompt. I am working to get my spouse to use this product, so it needs to be bulletproof -- she's a usability design person.



Anyway, enough complaining <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' /> 1P is a great tool!



Tom

MartyS

Welcome to the forums, Tom!



I'm sorry for any confusion. You are right that 1Password is automatically detecting the password change whenever it can, and updating (if you choose that option) the existing Logins item that's shown to you. I'll let the developers in on this because you're right: we shouldn't disrupt an otherwise working item just because of changing the password (of course, the web form may have let you change much more than that... and that may be part of the issue here).

jxpx777

Tom, were you using Chrome for this process? I noticed today that the Chrome extension was prompting me to save a new login on pages that I was pretty certain should have been recognized as a change password operation. I'm going to mention this to Dave as well to make sure there's not an oversight with the update password logic.

Tom Harrison

[quote name='Jamie' timestamp='1292425471' post='17643']

Tom, were you using Chrome for this process? I noticed today that the Chrome extension was prompting me to save a new login on pages that I was pretty certain should have been recognized as a change password operation. I'm going to mention this to Dave as well to make sure there's not an oversight with the update password logic.

[/quote]

Jamie --



Yes, I mostly use Chrome (on a Mac).



Thanks!



Tom

Tom Harrison

[quote name='MartyS' timestamp='1292376427' post='17615']

Welcome to the forums, Tom!



I'm sorry for any confusion. You are right that 1Password is automatically detecting the password change whenever it can, and updating (if you choose that option) the existing Logins item that's shown to you. I'll let the developers in on this because you're right: we shouldn't disrupt an otherwise working item just because of changing the password (of course, the web form may have let you change much more than that... and that may be part of the issue here).

[/quote]



Thanks Marty --



As I have changed more passwords, I think the larger issue is that there can be several variants of login screens, along with the really confusing ones, like Change Password. A couple cases that come to mind for me include sites that let you log in with a Google account, or other Google services like Google Analytics, and various different places you might log in to Amazon (I am a software developer, so use Amazon's AWS service and several others). All can use the same credentials, but may live at a different URL or have different fields. One set of credentials may have many login screens. I am not sure if it's the same or different in a case where a site lets you use Google credentials to authenticate their account -- an example of this is a site I use called Wattvision.com (look at the sign in screen in to see).



So an "account" is different than "credentials" and that may be different than a "site".



Anyway, just my thinking aloud. An awesome product.



Tom

scott.houchin

I've also been going through the password change dance over the last few days, and I've seen exactly the same behavior, specifically when it sees a change when I submit the change password form (which sometimes covers changes to the rest of my profile). Sometimes I get an actual pop-up dialog asking for an item to be updated, and sometimes I just see the bar appear at the top of the window. At least in the bar case, the modified 1Password entries are then broken. It looked like it was trying to take all of the entries of the new form and add them or replace them with the old form.



Sometimes this level of update might be what is desired. For example, I use 1P for some non-login forms, and updating those forms would involve a large change to the fields in the 1P entries.



However, in the most common case, I agree its going to be a simple change, and what I expect is for 1P to see the new password in the fields and either just change the password field in the old entry, or give me a button to "just update the password."



What I have found that works for now is to decline any updates based on the password change form. I then log out of the site and log back in, pasting the auto-generated password in. In most cases, 1P then sees the change, and since the current form matches the stored fields, accepting an auto-update of the entries works correctly.

dteare

[quote name='scott.houchin' timestamp='1292691976' post='17804']However, in the most common case, I agree its going to be a simple change, and what I expect is for 1P to see the new password in the fields and either just change the password field in the old entry, or give me a button to "just update the password."[/quote]



When we detect a Change Password form, we do exactly this by opening a Change Password window asking for confirmation that you want to do this (caveat: this is not supported in Chrome yet). If we detect a new password being submitted and we do not think it is a Change Password form, then we show the Autosave bar.



If the Change Password form simply has a New Password field and nothing else, we won't think it is a Change Password form and will ask you to Autosave it. If you save it, you'll be left with a Login that has [b]only[/b] the password, which is likely not what you want.



[quote name='scott.houchin' timestamp='1292691976' post='17804']

What I have found that works for now is to decline any updates based on the password change form. I then log out of the site and log back in, pasting the auto-generated password in. In most cases, 1P then sees the change, and since the current form matches the stored fields, accepting an auto-update of the entries works correctly.

[/quote]



This is a fantastic way to do this. Not only do you get the username+password saved, but you also get the proper login url. This makes the Go&Fill feature work much more reliably.