Could keystroke-logging websites grab my 1P master password?
Recently I began wondering about the ability of JavaScript code to log your keystrokes as you use a website. Then I stumbled upon these articles:
https://nakedsecurity.sophos.com/2013/12/17/are-the-websites-youre-using-tracking-what-you-type/
http://stackoverflow.com/questions/8071415/how-to-efficiently-record-user-typing-using-javascript
These seem to confirm that a website can, given the will and resources, record everything you type while you're on a page.
That being so, I wondered about the security of the 1Password web browser extension. Would it be possible for a website to record my 1Password master password as I type it in when I invoke 1Password via command-\ in a web browser on my Mac? Or is there some sort of in-built block in the extension that prevents this?
Comments
-
Hi @nev,
Great questions! The short answer is that when 1Password asks for your master password, it uses a Secure Input field. That should prevent any keylogging software (or websites) from seeing what you type.
For more information about that, please take a look at this article on our security knowledgebase: Watch what you type: 1Password’s defenses against keystroke loggers
If you have more questions, please let us know. :)
0 -
Secure input - brilliant. Thanks for putting my mind at rest over that!
0 -
Thank you for letting us know @Drew_AG could ease your worries :smile:
0