Forum Discussion
Do not offer to save Yubikey Generated OTP
When logging into Delinea Secret Server at work, I am presented with a two-step process for logging in.
Step 1 is your normal username and password (plus AD domain since it is AD integrated). 1Password fills in username/password as expected (domain is already filled in). Submit.
Step 2 is a "RADIUS Password" prompt, which is expecting an OTP generated by my Yubikey. The field is tagged as a "new password", so 1Password "helpfully" suggests a newly generated but totally inappropriate password. I ignore that and push the button on my Yubikey to insert the OTP.
What gets really annoying though is 1Password then prompts me to save the "new password" I just used. It's a hardware-generated OTP; I obviously don't want to save that.
Other observations:
- The login page is an ASPX and the URL doesn't change between step 1 and step 2.
- I can't use "Hide on this page" because then 1Password doesn't autofill username/password.
- I seem to remember that autocomplete="new-password" used to be a means to disable autofill before the days of suggesting new passwords and when password managers started to ignore autocomplete="off". This probably used to be an effective means to stop a password manager from getting in the way but not anymore.
How can I get 1Password to ignore this "RADIUS Password" and stop offering to save a new password without just disabling 1Password entirely? Obviously a purely 1PW solution is best, but I am not opposed to using Userscripts or Userstyles to accomplish my goal (if that's even possible).
2 Replies
- Authority (Occasional Contributor)
I was able to solve my immediate issue through the use of a Tampermonkey UserScript.
const textbox = document.querySelector("#LoginNewUiUserControl1_RadiusPasswordTextBox");
// The field only exists on step 2 of the login, so skip when it is absent.
if (textbox) {
  textbox.setAttribute("type", "text");
  textbox.removeAttribute("autocomplete");
}
Since the OTP isn't really something that needs to be obscured, I changed the textbox from type=password to type=text and removed the autocomplete attribute entirely. Now 1Password ignores it, as desired.
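A more defensive form of the userscript in the reply above, as an added example that is not part of the original post: it applies the same two changes but keeps watching the page, since the URL is the same for step 1 and step 2 and the field may appear or be re-rendered later. The `@match` host is a placeholder, and `neutralizeOtpField` and `install` are names chosen for this example.

```javascript
// ==UserScript==
// @name     Secret Server RADIUS OTP field fix (added example)
// @match    https://secretserver.example.com/*
// @run-at   document-idle
// @grant    none
// ==/UserScript==
// The @match host above is a placeholder; the selector is the one from the post.

const OTP_SELECTOR = "#LoginNewUiUserControl1_RadiusPasswordTextBox";

// Apply the post's two changes to one element. Returns true if anything
// changed, so repeated calls on an already-fixed field are no-ops.
function neutralizeOtpField(el) {
  if (!el) return false;
  let changed = false;
  if (el.getAttribute("type") !== "text") {
    el.setAttribute("type", "text");
    changed = true;
  }
  if (el.hasAttribute("autocomplete")) {
    el.removeAttribute("autocomplete");
    changed = true;
  }
  return changed;
}

// Fix the field now if present, then re-check on DOM changes. Because the
// fix is idempotent, the observer settles after one extra callback.
function install(doc, ObserverCtor) {
  const apply = () => neutralizeOtpField(doc.querySelector(OTP_SELECTOR));
  const fixedNow = apply();
  const observer = new ObserverCtor(apply);
  observer.observe(doc.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ["type", "autocomplete"],
  });
  return { fixedNow, observer };
}

// Only runs in a browser; outside one there is no document to patch.
if (typeof document !== "undefined") {
  install(document, MutationObserver);
}
```

With `type="text"` and no `autocomplete` attribute, the browser's own form history may retain the submitted value, so check that setting if you do not want used OTPs stored locally.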
- Authority (Occasional Contributor)
This discussion actually seems very relevant to my problem: Blacklist site for asking to save passwords? | 1Password Community
(It didn't exist when I started writing up my discussion topic yesterday.)
Being able to block an entire domain/subdomain from offering to save passwords would be very helpful when dealing with another web-based secrets manager.