Password vaults are supposed to make things easier. What do you do when they don’t?
You don’t have to remember those passwords.
There’s one scenario that’s important to understand, as your password manager may be keeping you more secure by not auto-filling.
But it happens at other times as well. Fortunately, there are several workarounds that don’t require you to remember anything other than your password vault’s master password.
Become a Patron of Ask Leo! and go ad-free!
Password autofill won't work?
Website design occasionally prevents password vaults from automatically filling in information. More rarely, if your password manager won’t auto-fill, it may be a sign of a phishing attempt. In either scenario, workarounds allow you to initiate the auto-fill or copy/paste the information manually.
The problem
The idea with password vaults is that when you visit a website requiring a sign-in, the password vault software — usually a browser extension — notices, looks up that site in your password vault, and automatically fills in the information for you. All you have to do is notice the fields were magically filled in and click OK. Sometimes you don’t even need to do that; some vaults click OK for you.
Occasionally, however, you’ll land on a sign-in page and nothing will happen. What then?
Danger, danger!
Pay attention when nothing happens. Why? Because it can happen due to a phishing attack.
Say you happen to click on a phishing link that looks like it goes to PayPal but doesn’t. When you land on the site, you’ll see what looks like a PayPal login, but your vault won’t fill anything in.
Password vaults operate by matching the URL that your browser has gone to. The issue may be that the URL in the phishing link doesn’t match what your vault expects. Your vault probably expects something like “https://paypal.com”, but if the link is something like “https://paypal.com.somerandomservice.com”, it won’t match.
Hence, it won’t fill in.
The most important thing to do when your vault doesn’t fill in automatically, especially if it normally does, is to make sure you’re at the site and URL you think you are.
Other issues
The more common cause of this issue is that there’s no standard sign-in form. What looks to you and me as standard User Name and Password boxes you need to fill in can be designed by the web developer in a wide variety of ways under the hood. Your password vault needs to figure out all the under-the-hood stuff so it enters the right information in the right place.
Sometimes, it just can’t figure it out. That’s not the vault’s fault; it’s the fault of the website using convoluted, non-standard sign-in procedures.
Some websites even do it on purpose. In a misguided effort to be more secure, they attempt to prevent password vaults (or any automation) from being used at all.
Fortunately, where there’s a will, there’s almost always a workaround.
My examples
The examples I’ll use here are all from 1Password, but the concepts should apply to most password vaults that normally auto-fill for you. Different password managers may be stymied by different websites and expose the features I’m showing you in different ways, but the ideas should be the same.
I occasionally encounter this problem when signing in to Google/Gmail, so I’ll use that as my example. Again, the concepts should be similar to what you’d encounter on any website for which your password vault isn’t auto-filling.
Option 1: Use the 1Password icon in the entry form
When you have the 1Password extension enabled, you should see a small icon in the right-most spot on a username or password field. The icon is a tiny version of the 1Password icon.
You’ll note that 1Password has not automatically filled anything in.
Click on the icon.
1Password presents a drop-down list of the accounts it has that match this URL. In this case, there are several entries (note the scroll bar on the list). Clicking the entry in the dropdown list will usually automatically fill the field with the account credentials associated with that entry.
Option 2: Copy/paste from the 1Password icon in the toolbar
If clicking on the entry doesn’t work, there’s another step.
Click on the 1Password icon in your browser’s toolbar.
You may need to “manage extensions” in your browser to make the icon visible.
This will drop down a 1Password window with a number of options.
Clicking on any of the accounts listed on the left will update the information shown on the right. It will also display an “Autofill” button (upper right in the image above) that attempts to automatically fill the associated credentials on the currently displayed sign-in page.
More importantly, if you click on the username (“askleotest@gmail.com” above) or the password, that item will be copied into the clipboard. You can then click on the associated sign-in field and paste the information in. You might need to do this twice, once for the username and once for the password.
Note: several seconds after 1Password auto-fills something, it empties the clipboard to prevent passwords from being left in potentially visible places. If you try pasting something and nothing appears, try again with less delay.
Option 3: The 1Password app
You can use 1Password anywhere, in any browser, without installing extensions at all (though I do recommend the extension for convenience — you’ll find links to it at the 1Password website).
In the example above, I’ve searched for “google” and selected the “askleotest@gmail.com” entry. Much like the extension drop-down, the right pane contains information about that account’s credentials. Clicking on the username or the password copies either to the clipboard, which you can then paste into its respective field in your browser.
This is the approach I end up using most.
It turns out to be the only solution when I need to sign in to an application or program — such as when I configure an email account in a desktop email program.
As you can see above, the desktop app also has an “Edit” button. I find this the easiest place to make manual changes or to add secure notes to an entry.
A word about mobile
Everything I’ve described above works on mobile to some extent. Given the different levels of permissions required and the security that both iOS and Android systems are attempting to implement, the individual steps may seem somewhat more convoluted and subject to frequent change.
Most often I open my vault on my phone and copy/paste entries into whatever app or website I’m trying to sign in to. This is essentially the mobile version of option 3 above.
Do this
The most important thing to do here is not give up. If your password vault can’t, doesn’t, or won’t automatically fill in sign-in fields for you, look for and take advantage of the workarounds I’ve listed above or others. This allows you to continue to use your password vault and benefit from the improved security it enables.
While you’re at it, subscribe to Confident Computing, my weekly newsletter. Less frustration and more confidence, solutions, answers, tips — and workarounds — in your inbox every week.
Podcast audio
Footnotes & References
1: Some sign-in pages disable right-click, which is one way to access the paste command. If it doesn’t work, click in the field and see if typing CTRL+V or SHIFT+Insert will paste.
I have found you quite often have to use Ctrl+v rather than rely on the paste from the menu.
I hate it when websites disable “paste” in the password field. It doesn’t happen at login very often, but I still run into it occasionally during a new registration.
Good tips, because this does happen, and it is frustrating. However, I’ve read that one of the values of a password manager is that it doesn’t autofill on a phishing site because it doesn’t match the URL in your vault. Maybe you could revise the first step for what to do if your password manager doesn’t auto-fill. I’d start with: Back-track and check your risk for phishing potential in reviewing what brought you to the login site. Is it legit?
Yes, if your password manager doesn’t fill in the information, it might be a phishing site. Before trying the copy and paste methods described in ths article, make sure you are at the correct website and not a phishing page.
I’ve added that to the latest revision of this article. Thanks for the reminder.
When my password manager doesn’t automatically fill in the password, I carefully check the URL in the address bar. Leo mentions this in the article, but if you skimmed this article, you might have missed it.
Less than a month ago, my password manager wouldn’t sign me into my email when I got one of those “please sign in again” popup webpages as happens regularly. I was puzzled until I checked the popup’s url. I was being phished. I closed the page and ran a full system malware check. Nothing found.
I’ve learned mostly to live with the limitations of autofill, using the methods you’ve outlined here. But one of the more frustrating lapses is when I login to my bank’s website. There, 1Password fills in my password automatically, but refuses to autofill my username. So I always have to copy and paste the username. Any idea why it’s doing this “selective” autofilling?
Usually it’s just some non-standard nuance in the website itself. Sorry.
“non-standard nuance”??? I’d call it a design failure.
As a user I don’t disagree. But as a designer it’s often a (VERY MISGUIDED) attempt to be “more” secure by preventing any automation whatsoever.