Autofill of 1Password master password - not secure?!?
Am I missing something here - when I login to 1Password on my laptop, the master password autofills. Surely this is insecure, because if someone stole my laptop then they don't need to know my password to access every single password I have!!!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Autofill of 1Password login - not secure?
Comments
-
Hi Ben
I'm using Chrome on my PC. I successfully login to 1Password.com, and then log out. Even when logged out, if I go to, say, my bank's website then the browser extension still auto-fills the login details and I can successfully login to my bank even though I'm not currently logged in to 1Password. I hope I'm explaining myself clearly - apologies if not.
Cheers
Geoff0 -
This content has been removed.
-
Hi Naxterra
It is 1Password that's filling it. I don't use Chrome's password manager.
Cheers
Geoff0 -
In case it helps, if anyone thinks that their browser's own built-in password manager is still enabled, you can find our guide for turning it off in all our supported browsers here: https://support.1password.com/disable-browser-password-manager/
0 -
Hi folks,
1Password doesn't automatically fill. It always requires some sort of user action (clicking the extension icon, using the keyboard shortcut, or activating Go & Fill). If the field is being filled automatically, without any action on your part, it is something other than 1Password that is filling it. The likely culprit would be the browser's built-in password manager. As John alluded it would be worth double checking that is indeed turned off.
Ben
0 -
Thanks all
Ben, when I say "automatically fill", I do still need to click on the 1Password button, it's just that I thought if I was logged out of 1Password then the browser extension wouldn't still work. Do I just need to lock the browser extension? I'm probably just not understanding how the software is supposed to operate.
Cheers
Geoff0 -
You need to lock the extension if you want 1Password not to do anything. Logging in to 1Password.com (the website) has no connection to what the browser extension does: if you log out from the website but the extension is still unlocked, 1Password will continue to do its job.
Depending on what browser extension you are using, this could be happening automatically when you close the 1Password app. Can you please let us know what version of the browser extension you are currently using?
0 -
Hi - jumping in here as I think I have the same question. When using Chrome, I go to 1password.com and it automatically gives me my account to click to login. The 1password emblem comes up in the password box, and when I click it, it auto fills my master password. Is that because the 1Password extension (V 1.16.1) is running and "unlocked" in Chrome? If so, is there a way to ask for my master password to never be auto-filled? Just seems dangerous. I have my 1Password X setting to auto lock after 1 minute of "the system being idle." What does system being idle mean exactly; not mousing around in Chrome, not typing, etc.? Thank you!
0 -
Hey @jvictorv33...
Yes... if 1Password is filling in your browser it means that 1Password is unlocked and you are on a site for which you have a vault item.
You most likely have a vault item for 1password.com that contains your Master Password (as well as your Secret Key). This item was most likely generated when your account was originally created. If you'd like, you can simply delete this item... or remove the password part of it... or remove the website that it's associated with... to guarantee that your Master Password is never filled again.
One of the reasons why this item is generated is to provide access to your Master Password should you forget it before it gets fully committed to memory. This can easily happen when something like Touch ID or Face ID is setup immediately after an account is created. This vault item allows someone to "remember" their Master Password with only their face or fingerprint in those scenarios. But once you've got your Master Password committed to memory, this item is not really needed anymore. The Secret Key portion of the item can be easily recovered from any device where the account has previously been added to the 1Password app or the Emergency Kit downloaded at the time of account creation.
As for the auto-lock setting in 1Password X, that is based on computer activity... not just Chrome activity. The Chrome API defines it as "the user has not generated any input for a specified number of seconds".
Hope that helps!
0 -
Thank you, @brettbollman
Got it... moved the vault item to the trash and logged out. Logged back in and there was no option to auto-fill the master password after the Ctrl-Shift-X unlock of the extension. That did the trick - I've emptied the trash now too. Thank you as well on the "idle" definition.
All good - thanks again!
0 -
You bet! Thanks for the update.
0