This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Why

strange password format

Boy, I hate it when apps do something utterly non-obvious that I didn't ask it to do with no explanation anywhere in help or the UI. Learn from Apple: obvious and direct and only one way is good. Devious, secret, hidden is BAD.



I go to a nice normal site and register for the site, which involves creating a password. NEVER save these registrations in 1password, because the form has fields that don't apply to a normal login and won't work subsequently when you attempt to login. So, delete the bad login from 1password.



Login manually to the site. 1password prompts to save the login. Nice--what the product is meant to do.



Logout of the site and login to see if the 1password login works. Glory be--it does.



Now go LOOK at the login to see if it REALLY matches what I did.



What do I see: vb_login_md5password with a huge random string as the password, which is obviously an md5 digest of the real password.



Did I ever ask for this? NO. Did this happen for any other password I have in 1password (141 logins)? NO. How would I ever figure out the plaintext what my password is? Apparently, 1password doesn't think I "need to know."



WTF guys? Why do stuff like this? I never set any option to create or display encrypted passwords. Suddenly this behavior occurs. Please follow Apple's philosophy. Stop being so creative in unhelpful ways.

Comments

  • A partial answer but still a 1password problem though not 1password's "fault."



    Some bulletin boards use an MD5 hash to send the password from your browser to their site using javascript or vbscript (in this case) on the client to calculate the hash. This prevents sending the password in plaintext across the internet. OK, great. But, why not use https like all of the rest of the world?



    So, 1password can only catch the hash not the plaintext.



    Of course this means I don't know what my own password is, which means I can never really change it because I can't type it into the change password form of the bulletin board. I tried this. When you enter the hash directly into a form it doesn't work because of course the script makes a hash of the hash. It's only when 1password submits directly to the html form of the site, which includes a field for the hash itself that submitting the hash works.



    Soooo..... ....1password should recognize pages that use script to encrypt passwords and should save both the plaintext and the hash as part of the login. Or else the user will be screwed later because 1password has never captured the plaintext.
  • Stefan von Dutch (Community Moderator)
    [quote name='Lewis' timestamp='1296581442' post='19884']

    Did I ever ask for this? NO. Did this happen for any other password I have in 1password (141 logins)? NO. How would I ever figure out the plaintext what my password is? Apparently, 1password doesn't think I "need to know."



    WTF guys? Why do stuff like this? I never set any option to create or display encrypted passwords. Suddenly this behavior occurs. Please follow Apple's philosophy. Stop being so creative in unhelpful ways.

    [/quote]



    We store whatever fields the login page is POST'ing to the web server. In other words: what you're looking at is a field on that particular web site. We do not "make up" fields ourselves. We store whatever is on the login page. For example: if some login page would contain a field named "xena_warrior_princess", then we store that field. That is how it works.
  • How do I know this works?



    I manually created a login for the site (generally more reliable than letting 1password do it as long as you paste in the url of the page that is really asking for the login).



    Naturally, I used the plaintext of my password as only a human can do.



    I logged in with this and it worked perfectly. 1password matched the password to the human-readable part of the site's HTML form and then the local script did the hash conversion and submitted.
  • Stefan von Dutch (Community Moderator)
    [quote name='Lewis' timestamp='1296581973' post='19885']

    Of course this means I don't know what my own password is, which means I can never really change it because I can't type it into the change password form of the bulletin board.

    [/quote]



    This is why our strong password generator stores a copy of your password in the "generated passwords" section (View > Generated Passwords). You DO use our strong password generator, don't you?
  • Stefan von Dutch (Community Moderator)
    [quote name='Lewis' timestamp='1296581973' post='19885']

    1password should recognize pages that use script to encrypt passwords and should save both the plaintext and the hash as part of the login.

    [/quote]



    We cannot reliably "recognize" this, and even if we could, we cannot save the plaintext because the plaintext isn't POST'ed to the web server.
  • [quote name='Stefan van As' timestamp='1296582567' post='19889']

    We cannot reliably "recognize" this, and even if we could, we cannot save the plaintext because the plaintext isn't POST'ed to the web server.

    [/quote]



    Well, it all makes sense but it's sort of inconvenient. The only real problem is that the user has no way to reliably change the password, not knowing his original password. I have to say that out of 141 logins, this is the only site I've encountered that works this way. The work around is ok.
  • [quote]I have to say that out of 141 logins, this is the only site I've encountered that works this way.[/quote]

    Indeed, every site is different, and we do our best with all of them.



    [quote name='Lewis' timestamp='1296617805' post='19915']Well, it all makes sense but it's sort of inconvenient... The work around is ok.

    [/quote]

    Thanks so much for understanding, Lewis!
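
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not AgileBits or forum-software code: a simplified model of a login form whose script hashes the visible password into `vb_login_md5password` before POSTing, and of a password manager that saves only the POSTed fields. The visible field name `vb_login_password`, the username, the sample password and the server-side check are assumptions constructed for illustration.

```javascript
// Added illustration: simplified model of the flow described in the thread.
const crypto = require("node:crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Model of the page's submit script: hash the visible field into the hidden
// field, then blank the visible field so the plaintext is never POSTed.
function onSubmitScript(form) {
  const out = { ...form };
  if (out.vb_login_password) {
    out.vb_login_md5password = md5(out.vb_login_password);
    out.vb_login_password = "";
  }
  return out;
}

// Constructed server: keeps md5(password) and compares the posted hash field.
function makeServer(password) {
  const stored = md5(password);
  return (post) => post.vb_login_md5password === stored;
}

// A form-capturing password manager records exactly what was POSTed.
const capturePost = (post) => ({ ...post });

// Blank form with the visible password field filled in by the user.
const typed = (value) => ({
  vb_login_username: "lewis", // constructed
  vb_login_password: value,
  vb_login_md5password: "",
});

function demo() {
  const password = "correct horse battery staple"; // constructed sample
  const login = makeServer(password);
  const posted = onSubmitScript(typed(password));
  const saved = capturePost(posted);
  return {
    manualLogin: login(posted),
    savedHasPlaintext: saved.vb_login_password === password,
    // Saved fields filled straight into the form: the hash field is accepted.
    replaySavedFields: login(onSubmitScript(saved)),
    // Hash typed into the visible field: the script hashes it a second time.
    typeHashIntoVisible: login(onSubmitScript(typed(saved.vb_login_md5password))),
    // Manually created entry holding the plaintext: the script hashes it once.
    manualEntryWithPlaintext: login(onSubmitScript(typed(password))),
  };
}

console.log(demo());
```

The saved entry logs in because the server only ever checks the hash field, which is why the plaintext cannot be recovered from the saved login and a manually created entry with the plaintext is the workaround.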