autofill risks?
I have a friend who is using Bitwarden, and I noticed it didn't autofill on websites by default. As I was researching why, I found this page: https://bitwarden.com/help/auto-fill-browser/#on-page-load which says this about "on page load autofill": "This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials." I tried to find additional information on this, especially because 1Password does autofill by default, and I make use of this feature heavily. I certainly don't want credentials stolen, but it's unclear to me how this could take place. I was curious to know if anyone could explain this to me and what the 1Password view on this topic is. Thank you.
Comments
-
Hello @pquimo, thanks for writing in. I do understand where you're coming from, as internet security is an important thing to be mindful of these days.
However, 1Password does not autofill in browsers by default and user input is required by either clicking on the inline menu suggestion, using a keyboard shortcut or by using 'Open and Fill'.
May I ask if you have the browser's built-in password manager enabled or any other extensions installed in your browser?
0 -
Thank you so much for the reply! I use the Open and Fill from the macOS app a lot, so I was thinking of that as "on page load autofill", but I can see why that user action on my part may exclude it from the risks Bitwarden is talking about. I am not using the built-in password manager, and I don't have any other relevant extensions - I just wasn't thinking quite right about what on page load autofill is.
It sounds like the view 1Password has on this is it's dangerous enough that they don't even have a checkbox that lets you do it like Bitwarden does, which is fine for me. The way 1Password works is so smooth and efficient that I'm not worried about missing that. When I am logging in from within the browser, rather than initiating from the app, I use the hotkey and that works great for me.
My question remains though, and as a software developer, I'd be happy with a deeply technical answer, as I expect this might need to be. Why is the on page load autofill a risk -- 1Password doesn't support it, and Bitwarden warns against it, so I'm convinced, but I'm still curious to understand.
Thank you.
0 -
Thanks for the reply. Automatic filling of credentials, without any input from the user, could lead to a malicious page carrying out an attack where it collects usernames and passwords. 1Password does not offer automatic filling (without user action) in order to protect against this threat.
One of my colleagues wrote a more technical explanation all the way back in 2014: https://1password.community/discussion/comment/153916/#Comment_153916
Let me know if you have any questions. 🙂
-Dave
1 -
Ah perfect, that is exactly what I was looking for. So very much appreciated! And of course, props to 1Password for getting it right so early. Good stuff.
0