Submitting a feature enhancement
How does one submit a feature enhancement request?
I find an annoying problem with 1Password that by default it auto-fills and auto-submits logins. This is fine for the majority of sites that I store, but several of them it causes real problems, like I might have more than one account, or there is a "remember me" checkbox that I can't click because the auto-fill and submit flies right by it.
Yes you can change this behavior in the extension settings, but clearing browser cache, which I do regularly, resets this back to the default behavior.
I'd like to see auto-submit OFF by default, I also think this is the more secure option, as well as being less annoying.
Thanks!
PS: I love this product and would like to see it get better.
1Password Version: 8.10
Extension Version: Not Provided
OS Version: all
Browser: all
Comments
-
Hello @clarkrw! 👋
I'm sorry that autosubmit is getting in the way on certain webpages. A few updates ago we introduced a way to turn off autosubmit for specific websites:
- Open your browser.
- Click on the 1Password icon in your browser's toolbar.
- Click on a login where you'd like to turn off autosubmit.
- Click on the three dots in the upper right corner and then click Don't sign in automatically.
This selection will sync to your account and will still be applied even if you clear your browser's history/cache.
Let me know if that helps.
-Dave
0 -
Thanks - this is helpful. I do think however there should be a global default that syncs to turn on/off auto-submit. I think that auto-submit off is also the most secure option and should be the global default option. Man-In-The-Browser and other desktop vulnerabilities could take advantage of the auto-fill and submit to access protected sites. Thanks!
0 -
1Password will only ever fill and submit your login if you tell 1Password to do so with a direct action like clicking on that login in the suggestion menu. Logins are never filled and submitted without explicit consent and action from the user in order to avoid the vulnerabilities that you're referring to.
Can you clarify if you're referring to a different security concern with autosubmit specifically?
I do think however there should be a global default that syncs to turn on/off auto-submit.
Thank you for the feedback! While I can't make any promises, I've filed a feature request on your behalf with the product team.
You mentioned that you regularly clear browser cache, are you using Safari? While Safari will clear extension data when you clear history, other browsers like Chrome do not. I just wanted to mention that in case it helps. 🙂
-Dave
ref: PB-41813101
0 -
Correct, I primarily use Safari when on my Apple devices. However, being a retired IT security guy, and geek, I have a number of both Apple and Windows devices and I play around with a number of browsers, including Brave, Vivaldi, and Chrome with privacy extensions and the unwanted behavior happens on a few of these, though as you mention Chrome is immune as it is more liberal on what is actually cleared with cache.
Though 1P doesn't automatically fill and submit without any user intervention, one could theoretically script using injected keyboard controls, such as down-arrow to a 1P login, tabbing to edit boxes, and injecting other keystrokes such as Enter.
I spoke with one of the Google Engineers that was part of the Chrome project back in 2005(ish) and I was complaining about the problem with browser based password managers. His response was a little eyebrow-rising, "If your browser is compromised all bets are off". Microsoft security engineering for Edge in 2020 was disappointed that I didn't direct my company towards Edge password manager and instead went to a dedicated password manager as having better security and functionality. But I digress.
Good password managers are pretty bullet proof. It is the browser extensions for them that you have to worry about.
Thanks for listening.
0 -
As far as I'm aware, only Safari clears the extension data store when clearing history. Brave, Vivaldi, and Chrome are all based on Chromium and should work in a similar way in that regard (although I haven't tested Vivaldi myself). If I clear the history/cache in Brave, 1Password in the browser's settings remain as I've set them.
Though 1P doesn't automatically fill and submit without any user intervention, one could theoretically script using injected keyboard controls, surch as down-arrow to a 1P login, tabbing to edit boxes, and injecting other keystrokes such as Enter.
That could happen even without autosubmit since someone could just input keystrokes to open and fill using 1Password and then more keystrokes to submit the login. Once someone has enough control over your device that they're able to input keystrokes, it's difficult to defend again that sort of attack. We have a relevant blog article here:
Let me know if you have any questions. 🙂
-Dave
0 -
Hi Dave - thank you for the time in thinking and responding to my comments and questions. Best Regards - Clark
0 -
Thanks again for the feedback so that the team can make 1Password even better. Let us know if you have any other questions or issues in the future!
-Dave
0
