Clipboard, browser extension, or universal autofill for macOS web pages - which is safest

burnwa
Community Member
edited July 3 in 1Password in the Browser

There's a bit of a discussion about this over at MacRumors (a 5 gazillion page thread about 1Password). The current side topic asks what is the safest way to enter credentials into a web page. I promised to ask here and report back.

There seem to be three easy ways to do it:

  • The clipboard, where the credentials are exposed for 90 seconds.
  • The browser extension, which has some 1Password code running in a hostile environment
  • Universal Autofill

I have to say, I've been careless over the years; I've done all three without thinking about it. But, the discussion in the thread has left me second guessing my behavior.

I'm happy to read any resources you might have which document recommendations. I did a search for "clipboard" in the white paper and didn't get a hit.


1Password Version: 8.10.34
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hello @burnwa, thank you for writing in. Here are a few articles regarding this information:

    I hope this helps.

    -Evon

  • burnwa
    Community Member

    @EvonG1P , thanks for those links. The browser one added some useful information.

    I want to know about the relative risks between the three approaches. Is there a link that discusses that?

    I suppose that a very detailed security analysis of the three approaches would allow a professional to arrive at an opinion of the relative risks. But, even if I were to study the three approaches, I am not knowledgeable enough to form that opinion myself. It seems well beyond anyone but a security researcher to do that.

    As an example of my naivety, I suspect that using the clipboard is the worst choice. Leaving even a portion of my credentials on the clipboard for 90 seconds exposes it to all potentially untrusted applications on my computer. But, I don't really understand that risk. For example, can a background process receive an event of something arriving on the clipboard and read it (something that is not triggered by user activity)?

    So, you can see, I'm not equipped to evaluate things. Knowing that the clipboard is cleared in 90 seconds adds almost nothing to my understanding.

  • @burnwa,

    Typically, when you copy to the clipboard, you run an increased chance that data might get intercepted, because the clipboard is accessible to any app on your device and because that data might get pasted into the wrong place.

    That's one reason why 1Password offers different filling options on various platforms (including the 1Password browser extension, and Universal Autofill on the Mac) to help you fill in rather than having to copy and paste the credentials. This is why autofill is 1Password's default option.

    If you are concerned about disreputable processes on your computer and how those can impact 1Password, I recommend checking out this blog from our Security team: How 1Password Protects Information on your Devices.

    -Evon

  • burnwa
    Community Member

    Thanks for the link Evon. Let me be concrete.

    I'm staring at a web page. I'm running macOS. I have three choices to enter my credentials: use the clipboard, install and use the browser extension, or use Universal Autofill. One of your security researchers is sitting next to me. Assume they know nothing about my computer hygiene practices or the safety of the websites I visit. What choice would they make for me? They have 5 seconds to answer before I explode in frustration.

    And, suppose their first choice fails. For example, suppose the browser extension (if that was their first choice) doesn't correctly fill in the fields. Let's assume I haven't exploded yet, but it's very, very close to happening. What would they tell me to try next?

    Feels like an action movie.

  • Dave_1P
    edited July 16

    @burnwa

    Thanks for the reply. Making recommendations on how best to protect yourself against a threat is difficult without understanding your threat model and the specific threat that you're trying to protect against. The articles that my colleague shared earlier outline the technologies and architectures that 1Password has implemented to protect you and your data from a wide variety of threats.

    To answer your specific question: copying a password to the clipboard would arguably be the least secure option since, as my colleague stated earlier, it makes your password available to other apps on your Mac through the macOS system clipboard. If you're careful to only install apps that you trust then this might not be a concern to you. When you copy a password (or other concealed field) from the desktop app, 1Password will mark that password using the org.nspasteboard.ConcealedType flag (a macOS API) to indicate to legitimate apps that respect that flag (such as Alfred's clipboard manager) that they shouldn't store that password since it is sensitive information.

    I would recommend using either 1Password in the browser (the browser extension) or Universal Autofill since they both have safeguards in place to protect against exfiltration of data and filling of login information into the wrong website/app. This helps protect you against phishing attacks where a malicious actor might masquerade as the website/app that you're trying to access. Universal AutoFill, since it operates outside of the browser, will also make sure that your browser is legitimate and intact by checking the browser's code signature before filling and asking you to double-check that you'd like to fill your login credential if it can't make that determination itself.

    And, suppose their first choice fails. For example, suppose the browser extension (if that was their first choice) doesn't correctly fill in the fields.

    If filling with 1Password in the browser and Universal Autofill both fail then you can drag and drop your login credentials from the 1Password pop-up window (or the desktop app) to the login form as long as you're sure that the website or app is legitimate: Use drag and drop to fill in apps

    Is there a specific threat that you're trying to protect against that I can provide more clarity on? Security is the team's primary priority at 1Password. In addition to the amazing work that our developers and security team have done to make sure that 1Password protects your data in various environments and scenarios, 1Password also undertakes multiple independent security audits from external vendors, which you can read about here: https://support.1password.com/security-assessments/

    -Dave
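The two points above are easy to see for yourself: burnwa asked earlier whether a background process can notice and read something arriving on the clipboard without any user activity, and Dave's reply describes the org.nspasteboard.ConcealedType marker that 1Password sets on copied passwords. The following Swift program is an added example for this thread, not 1Password's code and not part of the original posts. It polls the general pasteboard the way both clipboard-history apps and clipboard-stealing malware do (NSPasteboard offers no change notification, only a changeCount), and shows how a well-behaved clipboard manager honours the concealed marker. It assumes you compile it with `swiftc clipwatch.swift -o clipwatch` and run it from a terminal; the org.nspasteboard.TransientType marker it also checks is a related convention from nspasteboard.org that the forum post itself does not mention.

```swift
// clipwatch.swift: added example, not 1Password's code.
// Shows (a) a background process reading the macOS pasteboard with no user action,
// and (b) a clipboard manager honouring the advisory org.nspasteboard.ConcealedType flag.
import AppKit
import Foundation

// Marker 1Password sets on copied concealed fields (from the forum post above).
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")
// Older "transient" marker from the same nspasteboard.org convention (assumption:
// not mentioned in the post, but honoured by several clipboard managers).
let transientType = NSPasteboard.PasteboardType("org.nspasteboard.TransientType")

/// Decide what a clipboard-history app should do with the current pasteboard item.
/// Returns the text to store, or nil when the item is marked concealed/transient
/// or carries no plain text.
func itemToStore(from pb: NSPasteboard) -> String? {
    let types = pb.types ?? []
    if types.contains(concealedType) || types.contains(transientType) {
        // The flag is advisory only. A legitimate app skips the item;
        // a malicious process can read pb.string(forType: .string) regardless.
        return nil
    }
    return pb.string(forType: .string)
}

let pb = NSPasteboard.general
// No notification API exists for pasteboard changes, so observers poll changeCount.
// This is cheap and needs no user interaction or special permission.
var lastChange = pb.changeCount
print("watching pasteboard (changeCount \(lastChange)); press Ctrl-C to stop")

while true {
    if pb.changeCount != lastChange {
        lastChange = pb.changeCount
        let typeNames = (pb.types ?? []).map { $0.rawValue }
        print("change \(lastChange): types = \(typeNames)")
        if let text = itemToStore(from: pb) {
            // A real manager would persist this. The demo reports only the length
            // so it never echoes a secret that was copied without the flag.
            print("  would store \(text.count) characters")
        } else {
            print("  concealed, transient or non-text item: not stored")
        }
    }
    Thread.sleep(forTimeInterval: 0.25)
}
```

Run it, then copy a password from the 1Password desktop app: the printed type list should include org.nspasteboard.ConcealedType and the item is skipped, while copying the same text from a text editor is reported as storable. The lesson matches Dave's caveat: the marker only protects you against apps that choose to respect it, and the 90-second clear does not prevent a polling process from reading the value within a fraction of a second of it being copied.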

  • burnwa
    Community Member

    @Dave_1P

    Thanks so much for your detailed answer. It's very helpful. I hadn't even realized that drag and drop was a possibility.

    My question was a general one, motivated by a discussion over at MacRumors. I was trying to get an answer that I could relay as a general recommendation to all readers of the thread. Many people comment that they fear browser extensions in general, so much so that they use copy and paste as a workaround. You've confirmed my intuition; that approach is the exactly wrong one. A 90 second delay in clearing the clipboard cannot protect against apps or websites listening for clipboard events and capturing the data as soon as it's placed there. I've seen that happen with GPG Keychain (even when running in the background) and I'm pretty sure any website I'm visiting could do the same. (I just have to work up the motivation to code a test case.)

    One common refrain on that thread is the user's trust in the intentions of the browser extension. I think that's a concern for extensions in general, but doesn't apply to yours. Some extensions are from companies that deserve our trust, in the same way we trust our browsers.

    At this point I'm left choosing between Universal Autofill and the browser extension. My concern about the browser extension is driven by Tavis Ormandy's criticism of extrinsic browser password managers. I read quotes of that here - https://grc.com/sn/sn-822.htm. Even though it's an old conversation from 2021, I still tend to lean more towards autofill because of it.

    Would you say that it's a fair comment that autofill is running in a less hostile environment than the browser extension and that would give a slight edge to the safety of autofill? I am careful about which applications are installed on my computer. I'm less careful about which websites I visit; there are just too many for me to vet each one. I did appreciate @EvonG1P's link to "About the security of 1Password in your browser". The comment "1Password runs in a sandboxed background page provided by the WebExtensions API, not in the untrusted web environment" (and others) does help balance the scales a bit, but not completely.

  • Dave_1P
    edited July 18

    @burnwa

    Thanks for the reply. I think that it's great that you're digging deep to make sure that 1Password protects you against the threats that you're concerned about.

    One common refrain on that thread is the user's trust in the intentions of the browser extension. I think that's a concern for extensions in general, but doesn't apply to yours. Some extensions are from companies that deserve our trust, in the same way we trust our browsers.

    That's a fair point. With 1Password, it's important to always remember that your data is end-to-end encrypted before ever leaving your device. That's true whether you're using the desktop app or the browser extension. 1Password is also very careful to make sure that your data never leaves your device unencrypted and that extends to turning features off by default that might pose even small privacy concerns like checking for vulnerable passwords: About Watchtower privacy in 1Password

    At this point I'm left choosing between Universal Autofill and the browser extension. My concern about the browser extension is driven by Tavis Ormandy's criticism of extrinsic browser password managers. I read quotes of that here - https://grc.com/sn/sn-822.htm. Even though it's an old conversation from 2021, I still tend to lean more towards autofill because of it.

    If you haven't seen it already then there are a few great posts from our security team on the subject when it was discussed back in 2021:

    I particularly like the following line: "If we were aware of something which a malicious website could to 1Password we would have already designed around that."

    We not only have a development team constantly improving how 1Password in the browser works, but we also have a separate and dedicated security team making sure that 1Password keeps your data safe and staying on top of vulnerabilities discovered in the wild. If 1Password in the browser wasn't safe to use then 1Password wouldn't make it available to users.

    Would you say that it's a fair comment that autofill is running in a less hostile environment than the browser extension and that would give a slight edge to the safety of autofill? I am careful about which applications are installed on my computer. I'm less careful about which websites I visit; there are just too many for me to vet each one.

    It's important that you use a safe and secure web browser and that you only install extensions from legitimate web stores that are trustworthy. I'm not aware of any known vulnerabilities that could affect 1Password in the browser just by navigating to a certain webpage.

    You can feel confident about using 1Password, whether you choose to use 1Password in the browser or Universal Autofill. I wouldn't say that one is "more secure" over the other unless we're talking about a specific threat and so I won't be able to rank one as being better than the other in a general sense. And if you're aware of a specific threat that can successfully target and compromise 1Password in the browser then I encourage you to report that threat through our bug bounty program and claim a reward: Strengthening our investment in customer security with a $1 million bug bounty

    -Dave

  • burnwa
    Community Member

    @Dave_1P, Thanks for that answer and all the time you spent on it. I know I'm going to enjoy reading those Tavis-related links (after work, which I'd better get back to now).

  • Let me know if you have any other questions after taking a look. 🙂

    -Dave