Website and autofill

[Deleted User]
[Deleted User]
Community Member

Hi,

Tried to login by autofilling my credentials through 1password on my ipad.
I spent some time abroad and the webmail page where I normally login was not shown in the browser/not available.
I tried to find an alternative site and finally managed to log in there by altering the username and copy and pasting the password from the vault.
Autofilling did not work I wanted it to work ( cannot recall exactly)
While doing this a question popped up: imagine it was a malicious website…could this login website do any harm to the existing passwords/data in my vault? When initially trying to autofill my credentials to this website, I unlocked the vault with my fingerprint several times.
Finally I logged in manually as written before.
Just curious how 1password works ( in this case) and how it protects me from the internet.🤔
I hope you can explain or introduce me to some basic lessons.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    @F_9083x:

    Autofilling did not work I wanted it to work ( cannot recall exactly)
    Just curious how 1password works ( in this case) and how it protects me from the internet.

    In these cases, 1Password protects you by not offering you to fill your credentials on the website. If the website changes and it's not the one that you have stored inside 1Password in your login item, 1Password will not prompt you for your existing login, and it won't allow you to fill your username and password automatically (which sounds exactly like what happened in this case).

    While doing this a question popped up: imagine it was a malicious website…could this login website do any harm to the existing passwords/data in my vault? When initially trying to autofill my credentials to this website, I unlocked the vault with my fingerprint several times.

    Simply ulocking your vault won't be a problem. What matters is that you don't manually enter your credentials on that website if it's malicious (for example, by copy-pasting them from the 1Password app manually). If you do ever end up pasting your credentials into a malicious website, you should change that password on the real website for good measure.

  • [Deleted User]
    [Deleted User]
    Community Member

    Thank you @ag_ana,
    I understand the risk from that point of view.
    When the safe is unlocked ..could a malicious website get hold on the passwords stored in the vault. So not through the password I copied and pasted to that malicious website but (the other way around) =) access to the entire safe from that malicious website to my unlocked safe?

  • [Deleted User]
    [Deleted User]
    Community Member

    By the way I upgraded 1 password to 7.9.3 and I found out that IOS was not updated to 15.1. It now is. Can you tell me if that might be risk for the security of the 1PW vault? Thank you for answering!

  • ag_ana
    ag_ana
    1Password Alumni

    @F_9083x:

    When the safe is unlocked ..could a malicious website get hold on the passwords stored in the vault. So not through the password I copied and pasted to that malicious website but (the other way around) =) access to the entire safe from that malicious website to my unlocked safe?

    This would be very difficult, because the extension runs in a separate environment in your browser for security reasons:

    About the security of 1Password in your browser

    By the way I upgraded 1 password to 7.9.3 and I found out that IOS was not updated to 15.1. It now is. Can you tell me if that might be risk for the security of the 1PW vault? Thank you for answering!

    No risk at all :+1:

  • [Deleted User]
    [Deleted User]
    Community Member

    Hi Ag_ana,
    Do we mean the same? You call it an extension and I mean the autofill. Since 15.0, I stopped using the extension becaus3 of several issues. Or is this autofill also an extension in seperate environment.

    Last question, sometime I get stuck on autofilling the password to the comunity site of 1 password. Credentials are filled but I get stuck on the website and cannot enter nor confirm.
    What is the best method? Clear the page including the prefilled credentials and history/ cookies and try again?

  • ag_ana
    ag_ana
    1Password Alumni

    @F_9083x:

    Do we mean the same? You call it an extension and I mean the autofill.

    Thank you for the clarification. We were indeed talking about two different things: the extension runs in the browser and it's a different method from autofill. Since you are referring to Autofill, the relevant security documentation is this one:

    About AutoFill security in 1Password for iOS

    Credentials are filled but I get stuck on the website and cannot enter nor confirm.

    What happens when you get to this point? Is the Sign In button not clickable at that point?

  • [Deleted User]
    [Deleted User]
    Community Member

    Hi ag_ana,

    Thank you for the clarification too🙏

    Concerning autofill the following quotes from the article might guarantee that a malacious website can not enter the items stored in the vault:

    Please correct me if I am wrong or misunderstand:

    “As always, 1Password will only fill your credentials after you choose to fill them”

    “Only that metadata is saved to an encrypted Password AutoFill keychain, and other apps can’t access it.”

    #

    Concerning stuck on after autofill on the community of 1 password.
    It’s indeed after autofilling my credentials and at the point I want to sign in ( blocked)
    After deleting cache and cookies I can enter easily ( like now )

  • ag_ana
    ag_ana
    1Password Alumni

    That is correct @F_9083x :+1:

    With regards to the forum sign in, I have tested it but I could not reproduce this so far. If this happens again, can you please try just tapping on either the username or password field, and press enter on the keyboard? I wonder if this could be enough for the website to recognize that you have filled information in the form.

  • [Deleted User]
    [Deleted User]
    Community Member

    I cannot reproduce the exact issue. I experienced when I was connected abroad using vpn.
    I think the cause was a very instable connection and that there was no escape …only to clear the history.and cookies.
    I remember getting stuck in different situation where it was sufficient to refresh the webpage.
    When it occurs again I will try your solution first.

  • ag_ana
    ag_ana
    1Password Alumni

    Sounds good :+1:

This discussion has been closed.