Option key shouldn't reveal password when used as part of a combined keyboard shortcut
While editing the name of an item, I frequently use Option+Shift
and Option+Shift+Left/Right Arrow
for highlighting text to change/remove, etc.
I've found that while using the text selection keyboard combination, the Reveal Password function of the Option key is invoked. Additionally, the text selection is slightly delayed while the password reveal occurs, as you can see in this gif (note that I'm pressing Shift and Option at the same time):
(Looks like the attached GIF doesn't autoplay in the post - try opening it in a new tab.)
It's also a bit distracting to see a field that I'm not interacting with change state.
I recommend suppressing the password reveal when Option is pressed as part of a keyboard combination. Alternatively, perhaps the password reveal can be disabled while editing a different field.
Steps to reproduce:
1. Edit an item
2. In the Title field, use Option+Shift+Left/Right Arrow to select text (Press Shift first to make sure a key combination is invoked)
3. Observe password is revealed
Thanks
1Password Version: Version 6.5.5 (655000)
Extension Version: Not Provided
OS Version: 10.12.3
Sync Type: Not Provided
Comments
-
Hi @jackbrewster,
Thank you so much for taking the time to contact us about this, and thanks for your detailed description and gif! That was very helpful. :)
We occasionally hear similar comments from other customers, and although I can't say for sure if/when it will be addressed, I'll gladly add your feedback to our internal tracker to let our developers know.
Thanks again, we really appreciate it! Please let us know if you need anything else. Cheers! :)
ref: OPM-1506
0 -
It's much worse than that: ⌥← and ⌥→ are fundamental keyboard shortcuts for navigating around text as they let you jump to the previous/next word, equivalent to Ctrl ← and Ctrl → in Windows.
Consequently, whenever I edit text in 1Password, all my passwords, PINs, secret keys are constantly flashing on and off. That's crazy, especially if you're using a laptop in a public place.
Adding in the ⇧ (Shift) key in order to select words as @jackbrewster says is less common - but still very annoying.
0 -
Thank you for your feedback! I'm also a heavy user of those keyboard shortcuts, although it sounds like you spend a lot more time editing items in 1Password than I do. I can understand how that would be troublesome for you! I'll forward your comments to our developers to let them know. :)
ref: OPM-1506
0 -
Well, that's probably because I use Notes fields to log all kinds of events such as:
6 Jan 2013 - Enabled 2-step verification.
As a result, most of my items have long Notes fields with a full history of all my communications, updates, events etc associated with an item.
Anyway, thanks for passing on.
0 -
You're very welcome! :)
0 -
Any update on this?
It's good to have a keyboard shortcut to show passwords, but please don't make it ⌥ (or anything else used as a routine part of text editing).
0 -
@semblance: I'm not sure what you mean by "update". Given that it's a long-standing shortcut that many, many people are used to it isn't something we're going to do lightly. There simply haven't been a lot of people asking for this, but it's something we'll continue to consider for future versions.
0 -
Thanks for your reply @brenty .
I meant "update" as in, have you discussed or considered it and come to any conclusions, rather than one person responding individually.
If it's a long-standing shortcut that many people are used to, the behaviour could be made optional (if you'll excuse the pun!). A different keybaord shortcut (one that's not used in routine text editing) could be one if the options.
Bear in mind, it must already be the case that when anyone uses standard Mac shortcuts to edit text in an item, all the passwords, PINs and secret keys in that item will be constantly flashing on and off - including when they are using a laptop in a public place - whether they complained to AgileBits about it or not.
In this age of ubiquitous high resolution cameras called "phones", I don't think this is acceptable; 1Password's primary function is to protect passwords, and this should come first.
0 -
@semblance: I'm not sure I understand. If I'm in a public place, potentially with people looking over my shoulder, I don't think viewing sensitive data in 1Password is a good idea at all. Revealing a password is the least of my concerns in that case. Anyone using "ubiquitous high resolution cameras" could just as easily record me entering my Master Password, or anything else on my screen completely separate from 1Password, so, frankly, I'm not going to use 1Password at all in that environment. Am I misunderstanding? We can certainly consider your request, but I think you're fixating on a particular threat and ignoring others.
0 -
Hi @brenty
First, much of the data usually stored in 1Password is "peripheral" data such as custom fields, notes and attachments - which is typically much less sensitive than passwords and other secrets. Presumably this is why the "conceal passwords" option exists - so that users can choose to use 1Password in a public or otherwise compromised place, without displaying their passwords.
I frequently use 1Password in a public place to view, copy or edit my less-sensitive "peripheral" data, or even to copy-paste passwords to log in - e.g. I might log in to a website, and then add an entry to the Notes field describing my most recent interaction with an organization.
None of this activity requires passwords or other secrets to be displayed on the screen, hence "conceal passwords". And yet that feature is effectively being undermined by the use of an override keyboard shortcut which clashes with many pre-existing Mac shortcuts used to edit text.
In the end, what you're saying would imply that the "conceal passwords" feature is unnecessary, because if anyone is looking over your shoulder, then you shouldn't be using 1Password "at all in that environment". But real life isn't as simple or black-and-white as that - the "conceal passwords" feature is there, and it's there for a reason.
0 -
Regarding entering the Master Password - I use TouchID to unlock 1Password, even on my laptop now. Biometric authentication has its issues, but one of its strengths is that it's pretty much immune to shoulder-surfing. But even if I have to enter my Master Password in a public place, this is not really an issue because:
1. Entering your Master Password a one-off event and you know when it's going to happen, so you can take precautions and be discreet
2. The Master Password is not displayed on the screen when you enter it
3. Your hands physically obscure what you're typingThese factors would make it quite difficult to use a phone camera to capture someone's Master Password - and anyway, the problem doesn't arise if you're using biometric authentication, as is increasingly the case.
0 -
@semblance - I don't want to speak for @brenty, but I know that he's off right now and I don't want to leave you hanging in terms of a response.
I think brenty was just trying to get a better idea of what you were looking for, specifically, and what your reasoning for it was. If you've been around this community for a while, you'll already be aware that many of the features you see in 1Password today came at least in part from the user community. That's why we tend to probe a bit more into requests -- to make sure we understand them. Obviously, we don't pursue every avenue nor grant every feature request we get, because that would be impossible (some requests are diametrically opposed!) and would cause 1Password to suffer from feature bloat. But we do take the time to learn what people are looking for, why, and how many users are interested in any given request/change.
Thank you for taking the time to make us aware of not only what you want, but why you think it's important; we are truly grateful for every suggestion we receive, even knowing we won't pursue every one of them. A feature like this would be available in beta channels first, so if you're not averse to running beta software, that would be the quickest way to get your hands on it. Thanks again for caring enough about the direction of 1Password to make your wishes known -- and have a great week. :)
0 -
Thanks for that @Lars,
For the record, I don't think @jackbrewster 's original suggestion that the "Option key shouldn't reveal passwords when used as part of a combined keyboard shortcut" would work, for the simple reason that when a user presses Option, you don't know (without having a crystal ball) whether they're going to make a combined keyboard shortcut with it.
A simpler solution would perhaps be a Preferences setting to either keep the existing keyboard shortcut to reveal passwords (Option key), or use a different one which doesn't clash with other activities including text editing.
0 -
Reminder that the scope of my suggestion is only while actively editing a field. I think it's at least moderately safe to assume that Option isn't being used to toggle password reveal state in this particular case.
0 -
Oh I didn't realize that @jackbrewster
However I would still rather have a different shortcut that works all the time, or the option to have that, because modal behaviour is generally confusing.
0 -
Thanks for the additional information, semblance and jackbrewster.
Rick
0 -
+1 to having an option (no pun intended) to turn the option-key-to-reveal off in at least the web app, although I'd like the feature to take effect whether I'm editing or not.
The issue for me is that when I'm using 1Password in my browser on a computer where I don't have the desktop app installed, I'll copy a password to my clipboard and then press ⌘⌥→ which is the default shortcut for switching tabs in Chrome (to switch to the tab where I'm going to paste). My passwords are briefly revealed as I switch tabs.
This may not actually be a big security issue because of the reasons @brenty mentioned, but in general I don't feel like I'm in control of when my passwords are visible because switching tabs with this keyboard shortcut is a very common thing for me to do. I'd love to feel like I have explicit control over when my passwords are visible and the option to turn this feature off.
0 -
Btw, when i replied to @brenty my post vanished, so the next day i rewrote it from memory, in a calmer frame of mind.
Then my updated post vanished again! But I had a copy in my clipboard, so I edited and re-posted again - this time in two separate parts.
Now it seems that my posts that vanished have mysteriously re-appeared - so it looks like I'm repeating myself with differently-worded versions of the same post, which is rather embarassing... sorry about that :-/
Perhaps an admin could delete my Oct 1 post and my first Oct 2 post, as they duplicate the later two Oct 2 posts?
0 -
@semblance: No worries. Done and done. Probably just got stuck in the spam filter initially. Sorry for the confusion that caused. :)
0 -
@josherick: I hear you. Thank you for your feedback on this as well. It definitely helps to know the sorts of scenarios folks are encountering where it might be a benefit. :)
0 -
I just want to add that while renaming a Smart Folder I used
⌥←
and was quite thrown to see the password revealed for whichever item was selected in a different pane.0