This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Misc questions, looking for advice on how to best use 1password

Hi,



I just bought 1Password, quite like it, but there are some annoyances. I would like to hear your opinions on how to best solve them.



1) Egg website ### BAD BAD ONE ###

Egg is a British bank, and here is a link to the login webpage: https://your.egg.com/security/customer/login.aspx?URI=https://new.egg.com/customer/youraccounts

While the login details saving mechanism works just fine, 1Password thinks "post code" is the username, and "mother maiden name" is the password. Ok, maybe, I can live with that, at least it works. BUT THEN, in the all fields, there is one named "password", which contains my actual password, and it is always displayed, never hidden!!!!!! So if I happen to use 1Password, everybody can see my password!!!! BUG!!!!!!!!



2) etrade

There is 1 password to login, and 1 password to trade. Where am I supposed to save the trading password? If in the notes of the login details, it's in plain view, no way to hide that (as in question 1). So where?



3) login details

In the login section, I save not only the login and password, but also the answers to the security questions in the notes. But it is in plain view! There is no way to hide that, like for the password. Would it be possible to make it hidden as well?



Thanks in advance.



xgt

Comments

  • Oh, and also sometimes, sites ask for passwords with only numbers, no characters. It'd be nice to add such choices in the strong password generator.
  • Hi xgt,



    Thanks for the posts. Let me preface my answers by saying that as it stands right now 1Password is designed to, mainly, work with standard logins, the type that use a username and password. More complex logins, like the one Egg are using for example, have evolved because users were using weak passwords and their accounts were getting hacked, so rather than banks educating users on the use of strong passwords, they've gone down the route of complicating the login process, which often doesn't actually add security.



    So, with that said, let me try and give you some answers to your questions:



    [quote]1) Egg website ### BAD BAD ONE ###

    Egg is a British bank, and here is a link to the login webpage: https://your.egg.com/security/customer/login.aspx?URI=https://new.egg.com/customer/youraccounts

    While the login details saving mechanism works just fine, 1Password thinks "post code" is the username, and "mother maiden name" is the password. Ok, maybe, I can live with that, at least it works. BUT THEN, in the all fields, there is one named "password", which contains my actual password, and it is always displayed, never hidden!!!!!! So if I happen to use 1Password, everybody can see my password!!!! BUG!!!!!!!![/quote]



    This isn't a bug as such, but instead is because Egg have marked the fields for 'Mother's Maiden Name' and 'Password' as password fields in the code. Right now, 1Password can only treat one of these as a masked password field; we are looking to change this in a future version though.



    The way to fix this is to change the 'password' checkmark on the right hand side of the 'All Fields' section of the Login item so that it's on the password field. You can also do the same for the 'username' checkbox if you want this to show something else.



    [quote]2) etrade

    There is 1 password to login, and 1 password to trade. Where am I supposed to save the trading password? If in the notes of the login details, it's in plain view, no way to hide that (as in question 1). So where?[/quote]



    If you have one password to login to etrade and another to then trade, you may want to consider saving these as separate Logins so they can both be filled by 1Password. Without having an etrade account I'm guessing I won't be able to see the prompt for the trading password, would that be right?



    [quote]3) login details

    In the login section, I save not only the login and password, but also the answers to the security questions in the notes. But it is in plain view! There is no way to hide that, like for the password. Would it be possible to make it hidden as well?[/quote]



    The problem is that there isn't really a way for 1Password to handle these security questions, because there's no way for us to tell which question is being asked at a given time. You could try to save the form for each security question as a Login item, by using the 1P > Save Login button within the browser, but in general the question field probably won't be set as a password field in the code, so 1Password won't mask it as such.



    [quote name='xgt' timestamp='1299609151' post='22065']

    Oh, and also sometimes, sites ask for passwords with only numbers, no characters. It'd be nice to add such choices in the strong password generator.

    [/quote]



    That may be something we can look into, but numeric-only passwords are fairly weak and the idea of 1Password is to generate strong unique passwords.



    I hope the above helps.
  • brenty
    edited March 2011
    Take heart!



    While setting up 1Password with all your logins and other sensitive data can be a daunting task, once you get to the point where your most-used password and site info is safely (and conveniently) stored, it is a huge timesaver and removes a great deal of hassle to help you get things done. This is a case where an up-front time investment can really pay off in the long run, and you'll be zipping around smoothly in no time, with only the occasional new site or password change to slow you down. :)
  • I second brenty here: I switched to [i]1P[/i] about a month ago, must have driven Agile tech support people crazy with my questions (though they never said so!) and went through the process of importing over 850 items from a variety of sources… my old password manager, my login keychain, [i]Safari[/i]'s settings, various uncollected locations and so on.



    Once the dust had settled - and settle it [b]does[/b] - using [i]1P[/i] has turned out to be one of the most satisfying pieces of software to use.



    This forum is a friendly, receptive place and there has proved (for me, anyway) to be an answer to every single one of the challenges I faced.



    Hang in there and good luck!



    [quote name='brenty' timestamp='1299641412' post='22117']…This is a case where an up-front time investment can really pay off in the long run…[/quote]
  • [quote name='Mark Sealey' timestamp='1299647829' post='22123']

    I second brenty here: I switched to [i]1P[/i] about a month ago, must have driven Agile tech support people crazy with my questions (though they never said so!) and went through the process of importing over 850 items from a variety of sources… my old password manager, my login keychain, [i]Safari[/i]'s settings, various uncollected locations and so on.



    Once the dust had settled - and settle it [b]does[/b] - using [i]1P[/i] has turned out to be one of the most satisfying pieces of software to use.



    This forum is a friendly, receptive place and there has proved (for me, anyway) to be an answer to every single one of the challenges I faced.



    Hang in there and good luck!

    [/quote]



    Whoa. You did all of that already? You, sir, are a machine. :blink:



    Seriously though, I'm relieved to hear that you made it, Mark. I myself wasn't as sophisticated with my previous data storage setup, so everything I had essentially needed to be entered manually. I sure didn't have the volume you did, so I can only imagine the monumental undertaking that was... :huh:



    But in the end, finally: relief! B)
  • [quote name='stu' timestamp='1299631576' post='22106']

    That may be something we can look into, but numeric-only passwords are fairly weak and the idea of 1Password is to generate strong unique passwords.

    [/quote]

    1Password's Random generator can do this already up to 10 digits when the same value is set for both Length and Digits.
  • Many thanks for the quick reply, nice to see a company that takes care of her customers :)



    [quote]

    The way to fix this is to change the 'password' checkmark on the right hand side of the 'All Fields' section of the Login item so that it's on the password field. You can also do the same for the 'username' checkbox if you want this to show something else.

    [/quote]



    I tried that, but it does not work. It puts "first name" in "post code", and it is refused. There may be other errors with mother's name and password, but I can't see because it 1st fails on post code.





    [quote]

    If you have one password to login to etrade and another to then trade, you may want to consider saving these as separate Logins so they can both be filled by 1Password. Without having an etrade account I'm guessing I won't be able to see the prompt for the trading password, would that be right?

    [/quote]



    In a way, both the complex website (egg) and etrade (2 passwords) are kind of related conceptually. Essentially, most websites tend to be more than simply username/password, especially the ones where security matters most, like banks. In such cases, more info is required, and needs to be stored somewhere, i.e. all the details of a complex login, or other security details (extra password, or answers to security questions to reset passwords, etc.). So it'd be nice to be able to handle such cases, and this is not so much more complicated actually. 2 ideas:

    a) in the login section of a website: strictly speaking not all are login info, but it makes sense since that info is related to one website. It actually is possible to store extra info in notes, but they are never hidden. Having a check box to make it hidden would be a possibility. But still a pain to copy/paste an extra password. In this case, having extra user-defined fields (copy/pastable and hidden just like main password) would help a lot. None of these is very expensive, quite easy to implement actually :)

    b) In another section of the vault (wallet? or accounts?): works right now, but a bit more of a pain, info about a unique entity is split in 2 places. Does not sound clean.



    I would love to hear your comments on these, as experienced users.



    [quote]

    That may be something we can look into, but numeric-only passwords are fairly weak and the idea of 1Password is to generate strong unique passwords.

    [/quote]



    Agreed, but you have to play by the rules (set by websites).





    Another question also: in the login section of my vaults, most of the icons are crap, i.e. a blue earth with the favicon on the bottom right, apart from 2, eBay and Facebook, which are nice big icons. But in your docs, all the websites seem to have big icons, and the websites are the same as mine. What gives?!



    Thanks again
  • [quote name='xgt' timestamp='1299691988' post='22139']

    Many thanks for the quick reply, nice to see a company that takes care of her customers :)[/quote]



    You're very welcome, I apologise if my initial reply was a little curt at all, I was trying to think of the best way to answer your questions, because right now, it's true that 1Password doesn't handle complex logins as well as it could.



    [quote]I tried that, but it does not work. It puts "first name" in "post code", and it is refused. There may be other errors with mother's name and password, but I can't see because it 1st fails on post code.[/quote]



    Yes, unfortunately I can confirm that, and sadly changing the 'password' field doesn't work either. I guess, as a 'partial' solution, you could click the disclosure triangle next to the 'All Fields' section to hide these details so they're not on display for 'shoulder surfers'.



    [quote]a) in the login section of a website: strictly speaking not all are login info, but it makes sense since that info is related to one website. It actually is possible to store extra info in notes, but they are never hidden. Having a check box to make it hidden would be a possibility. But still a pain to copy/paste an extra password. In this case, having extra user-defined fields (copy/pastable and hidden just like main password) would help a lot. None of these is very expensive, quite easy to implement actually :)[/quote]



    You've hit the nail on the head here, we're looking into making it possible to customise items to a much greater degree in a future version of 1Password, and as part of this give you the option to conceal any field you'd like to.



    [quote]b) In another section of the vault (wallet? or accounts?): works right now, but a bit more of a pain, info about a unique entity is split in 2 places. Does not sound clean.[/quote]



    Well, the Accounts section of 1Password is (at the moment) designed to store information about logins you'd have for things other than web sites, so I think we need to improve the Login item options so that you can use these to better handle complex logins and security questions.



    [quote]agreed, but you have to play by the rules (set by websites).[/quote]



    I'd argue that websites have to play by the rules of good password practices, after all they're the ones who are protecting your data. I'm not saying we won't add a numeric password generator, I'm just saying that I think websites who use this type of password need to rethink their solutions.



    [quote]Another question also: in the login section of my vaults, most of the icons are crap, i.e. a blue earth with the favicon on the bottom right, apart from 2, eBay and Facebook, which are nice big icons. But in your docs, all the websites seem to have big icons, and the websites are the same as mine. What gives?!

    [/quote]



    This is actually down to the websites themselves. Originally 1Password took a clipping of the top-left hand corner of a site, if it didn't have a nice Apple Touch icon (like Facebook and eBay do for example), but we quickly realised that in most cases this looked horrible, so we reverted to putting the Favicon at the bottom right of a globe icon.



    So, if a site has an Apple Touch icon, you'll see this full size in 1Password (and they often look really nice, especially if the web site spent some time on the design) but if not you'll see the Favicon.



    Hope that helps, please do keep asking questions :-)
  • tamino
    tamino Member
    [quote name='stu' timestamp='1299631576' post='22106']

    The problem is that there isn't really a way for 1Password to handle these security questions, because there's no way for us to tell which question is being asked at a given time. You could try to save the form for each security question as a Login item, by using the 1P > Save Login button within the browser, but in general the question field probably won't be set as a password field in the code, so 1Password won't mask it as such.

    [/quote]

    Bank of America has the same sort of questions. I've saved a login entry for each answer (and put the question in the entry's title). It's true that the answer isn't masked when I enter it, but it isn't masked when I type it in either - I presume that's set by the bank. So the net gain is I don't have to remember the text I used. And, by the way, to improve security you should use some random text to answer the questions to make it harder for a hacker to guess - for example, if it asks for your mother's maiden name put in something like "adkjrgs" - you don't have to remember it - 1PW will remember it for you!
  • khad
    khad Social Choreographer
    An astute observation, tamino. A much easier vector of attack than your password is [url="http://www.itworld.com/tech-society/54193/beware-meta-password-reuse"]your security questions[/url]. They are often relatively easy to find out, and [b]do not change[/b] from site to site if you answer them honestly. That's not good when we are always hearing about how bad password reuse is. :S



    You offer the prime solution: generate a password in response to your mother's maiden name, etc. :-D
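
The advice in the last two posts, as an added example that is not part of the thread or any 1Password code: it audits a constructed vault for security answers reused across sites, replaces them with random ones, and compares the entropy of a 10-digit numeric password with a 10-character mixed one. The site names, the vault layout and all function names are assumptions made for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def random_answer(length=16, alphabet=ALPHABET):
    """Random security-question answer drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def normalise(answer):
    # Assumption: sites tend to compare answers ignoring case and spacing,
    # so "Smith" and "smith " count as the same answer for reuse purposes.
    return "".join(answer.lower().split())

def reused_answers(vault):
    """Return {normalised answer: sorted sites} for answers used on more than one site."""
    seen = defaultdict(set)
    for site, qa in vault.items():
        for answer in qa.values():
            seen[normalise(answer)].add(site)
    return {a: sorted(s) for a, s in seen.items() if len(s) > 1}

def replace_reused(vault):
    """Copy of the vault with every reused answer replaced by a fresh random one."""
    reused = reused_answers(vault)
    return {site: {q: random_answer() if normalise(a) in reused else a
                   for q, a in qa.items()}
            for site, qa in vault.items()}

# Constructed sample data (hypothetical sites and answers).
SAMPLE_VAULT = {
    "bank.example": {"Mother's maiden name?": "Smith", "First pet?": "Rex"},
    "broker.example": {"Mother's maiden name?": "smith ", "City of birth?": "Leeds"},
    "shop.example": {"First pet?": "adkjrgs"},
}

if __name__ == "__main__":
    print("reused:", reused_answers(SAMPLE_VAULT))
    print("fixed: ", replace_reused(SAMPLE_VAULT))
    print(round(entropy_bits(10, 10), 1), "bits for 10 random digits")
    print(round(entropy_bits(10, 62), 1), "bits for 10 random letters and digits")
```
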