
Password fields in 1Password app & 1Password mini do not enable Secure Event Input

greg_scown
Community Member

To reproduce:

  1. Download and install TextExpander 5:
    http://smilesoftware.com/TextExpander/download.html

(If you already have TextExpander installed, please ensure that in the Suggestions preferences, "Suggest snippets based on my typing habits" is checked and on TextExpander 5.1 that "Notify me about snippet suggestions" is also checked.)

  2. Bring up the 1Password mini
  3. Show an entry and click Edit
  4. Type a new password, and press Return
  5. Erase the password, and repeat the previous step 3 times

Expected:
Expected not to receive any notification from TextExpander about what was typed in the password field.

Actual:
Received notification that: "You've used 'XXXXXXXX' several times", where XXXXXXXX is whatever you typed repeatedly in steps 4 and 5 above.

Video:
https://v.usetapes.com/2E6IQk9VQ1

Regression:
The same is true for the 1Password application as for 1Password mini.

Notes:
I would expect that 1Password would call EnableSecureEventInput() upon entry to the password field and DisableSecureEventInput() upon exit from the password field to prevent authorized key loggers, such as TextExpander, from being able to observe user input into the password field.

The same is true of any application with user-granted Accessibility permission, not just TextExpander. The only way to prevent such apps from observing user input to the password fields is to use Secure Event Input as Apple intended.


1Password Version: 5.3
Extension Version: 4.4.0.b8
OS Version: 10.10.4
Sync Type: Dropbox

Comments

  • littlebobbytables
    1Password Alumni

    Hi @greg_scown,

    You're quite right and we had a similar issue in iOS where we were concerned that iOS might 'learn' the password. What I suspect is still the case is that if we enable SecureEventInput it does make the field less friendly in terms of editing. That isn't to say I disagree with you at all, it's just a pity that I don't know if there is a workaround so that it's more secure but still relatively amenable to editing. For an example of this look at the window for connecting to a Wi-Fi access point that requires a password. TextExpander is disabled while the password is obscured but not when the password is revealed.

    I'll report this and leave the devs to mull over the implications and best way forward.

    ref: OPM-3210
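
Added example, not from the thread and not 1Password's code: a Swift `NSTextField` subclass that applies the `EnableSecureEventInput()` / `DisableSecureEventInput()` pairing from the report's notes to the plain-text (revealed) field the reply is concerned about. The class name `RevealedPasswordField` and the choice to drop the hold while the app is inactive are assumptions of this example.

```swift
import Cocoa
import Carbon  // EnableSecureEventInput / DisableSecureEventInput

/// Hypothetical plain-text password field (not 1Password's code): the text
/// stays visible and editable, but Secure Event Input is held while it has focus.
final class RevealedPasswordField: NSTextField {
    private var editing = false             // field editor is active for this field
    private var holdingSecureInput = false  // we owe exactly one Disable call
    private var observing = false           // app-activation observers registered

    override func viewDidMoveToWindow() {
        super.viewDidMoveToWindow()
        guard window != nil, !observing else { return }
        observing = true
        let nc = NotificationCenter.default
        nc.addObserver(self, selector: #selector(appDidResignActive), name: NSApplication.didResignActiveNotification, object: nil)
        nc.addObserver(self, selector: #selector(appDidBecomeActive), name: NSApplication.didBecomeActiveNotification, object: nil)
    }

    // Focus arrives here; focus leaving is seen in textDidEndEditing, because
    // the window's field editor, not this view, is the first responder while typing.
    override func becomeFirstResponder() -> Bool {
        let accepted = super.becomeFirstResponder()
        if accepted { editing = true; acquire() }
        return accepted
    }

    override func textDidEndEditing(_ notification: Notification) {
        editing = false
        release()
        super.textDidEndEditing(notification)
    }

    // Assumption of this example: do not keep the hold while the app is inactive.
    @objc private func appDidResignActive() { release() }
    @objc private func appDidBecomeActive() { if editing { acquire() } }

    private func acquire() {
        guard !holdingSecureInput else { return }
        holdingSecureInput = (EnableSecureEventInput() == noErr)
    }
    private func release() {
        guard holdingSecureInput else { return }
        _ = DisableSecureEventInput()   // calls are counted: one Disable per Enable
        holdingSecureInput = false
    }
    deinit {
        NotificationCenter.default.removeObserver(self)
        if holdingSecureInput { _ = DisableSecureEventInput() }
    }
}
```

`IsSecureEventInputEnabled()` can be called while the field has focus to confirm the hold is in effect.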

This discussion has been closed.