Ctrl+Backspace while typing 1Password passphrase
This is a minor issue in a rare use case, but it is an issue nonetheless. 😊 While typing my password to sign into the 1Password for Android app on my Chromebook, something I don't often do, I noticed an issue that can leak information about the 1Password account password to anyone who can see the screen.
Pressing Ctrl + Backspace can have subtly different effects in different contexts. In a plain text environment, it most often deletes from the cursor to the start of the current word, or in some editors the start of the current line. In a masked password field, it most often deletes from the cursor to the start of the input field, regardless of the content of the input field.
My 1Password account password is a passphrase with several words. Having made a typo, I pressed Ctrl + Backspace, expecting the password field to be cleared ready for me to type again. Instead, I was surprised to see that it deleted to the start of the current word. With a little testing, this occured with both hyphens and spaces as separators, along with a handful of other punctuation symbols.
An observer could unexpectedly determine the presence and location of word boundaries in a password this way. In this and any other masked password fields, Ctrl + Backspace should always delete from the cursor to the start, to prevent this information leakage.
1Password Version: 8.10.12
Extension Version: 2.15.0
OS Version: Chrome OS 116.0.5845.120 (Official Build) (64-bit)
Browser: Chrome
Comments
-
Hi @jwfxpr, thanks for writing in and reporting this behavior.
I did some testing with my colleague and we were able to reproduce what you've described. An issue has been filed with the team so we can look into getting this resolved.
In the mean time,
Ctrl + Afollowed byBackspacecould be used as alternative to clear the entire password field.Let us know if you have any questions!
0
