Best practices for WEBSITE - with protocol or without?
I'm simply curious what the community thinks the best practices are for the website field. Which is best with 1Password and why? I used to manually ensure I had the SSL version, but I got annoyed that occasionally browsing to a plain HTTP version of a site means 1P won't autofill (at least that's my observation). So I'm thinking of switching to option 3. Thoughts?
- http://foo.com/bar
- https://foo.com/bar
- foo.com/bar
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @bruinbits,
I'm guessing you normally create your Login items from within the main 1Password window, would that be accurate? If you create them from within the browser e.g. using our How to manually save a Login guide, you would find 1Password fills in the website field with the URL from the actual page.
Personally I would be incredibly suspicious of any site that allows you to either log in via a plain HTTP connection or where the submit button uses HTTPS but the actual login page is loaded via HTTP. For more on why that's not good I would refer you to Troy Hunt and his article, Your login form posts to HTTPS, but you blew it when you loaded it over HTTP.
I've actually disabled my account on at least one site after realising they weren't using HTTPS. We need sites to start taking this seriously. Of course this is just my opinion.
0 -
I understand and appreciate your security conscious viewpoint. My theoretical question still stands: I'm trying to prefect the UX inside 1Password. Yes, I enter my data manually almost every single time (the programmatic way 1P enters it automatically is terrible when I go to search/reference and it records all kinds of stuff "wrong" for the way I want it organized, so I always just do it by hand). I'd like 1Password to recognize known sites regardless of the main URL in my Address Bar, regardless of the exact URL I used to register and/or if this is HTTP or SSL (I use a combination of plugins and careful scrutiny to ensure I don't submit sensitive info over insecure lines).
0 -
Hi @bruinbits,
In 1Password 5 for Mac at least, the only scenario that will interrupt the normal flow is if the URL stipulates HTTPS but you're trying to fill on an insecure page. If you attempt to fill a Login item that specifies HTTP on a secure page it won't comment. So with that in mind option 1. and 3. are the same and I would expect the browser to react to both in the same manner.
I'm curious as to why how 1Password creates a Login item is terrible. Just as a quick heads up though, it might be worth knowing that any site that steps outside of the traditional username and password e.g. three or more fields, will require using the extension to create the Login item - it's currently the only way to work with those sites.
0