Please reconsider your design decision on "secure input mode" – I really like Keyboard Maestro too!
It seems that you have made a design decision to treat virtually all fields in your app as password fields (1). Given the side effects of this choice, I think that it should be changed. I have a suggestion.
Don't get me wrong...you have made a defensible choice from a security perspective (pun?). Keeping keyloggers and other rogue processes away from the keyboard is a good thing. But usability is also a good thing. I have many keyboard macros and I use them often. I feel hamstrung when I can't have them! Heck, I tried to use a macro in a Secure Note today.
Judging by these forums, I'm not alone. This issue seems to come up fairly often.
Perhaps a good compromise would be to have a Preference to limit secure mode to username/password/CCnums only?
I'm sure you know how other software companies handle this issue, and I won't go into that here.
Thanks for your consideration.
(1) Easily testable by running ioreg -l -w 0 | grep SecureInput in Terminal.
1Password Version: 6.6.2
Extension Version: Not Provided
OS Version: 10.12.3
Sync Type: iCloud
Comments
-
Hi @tangentred,
Thank you for taking the time to let us know you'd like to be able to use Keyboard Maestro when editing items in 1Password!
It seems that you have made a design decision to treat virtually all fields in your app as password fields
Well, not exactly (although I see what you're saying). Just to be clear, starting in version 6, editing an item in 1Password for Mac will enable secure text input in order to prevent keyloggers from knowing what you type in 1Password. That doesn't mean all fields in an item are considered password fields, it just means secure input is enabled regardless of what type of field you want to edit. Traditionally, secure text input is something often associated with password fields, although not exclusively.
I understand your point though - this prevents you from using an app such as Keyboard Maestro when editing an item in 1Password, even if you don't personally mind apps like that being able to listen to your keystrokes for certain fields. Unfortunately, enabling secure input prevents all apps from monitoring what you type - not just "bad" apps, but also handy tools like Keyboard Maestro and TextExpander. I suppose it comes down to finding the right balance between security and convenience, and that can be a matter of personal preference. For example, I personally wouldn't want a keylogger to be able to read anything I type in 1Password, regardless of what field I'm editing. I'm fine with the tradeoff, but not everyone is.
Like you said, adding a setting for this in 1Password might be a good compromise. I don't believe this is something currently being worked on, and I can't promise if or when a setting for that might be added, but it's certainly an idea worth considering. So we truly appreciate your input on that!
Thanks again, and please let us know if you need anything else. Cheers! :)
0 -
Thanks for your thorough and well-considered reply, Drew.
0 -
You're very welcome! We're here for you if you need anything else. Enjoy the rest of your week! :)
0 -
Is the user in any way notified of this behavior? Not that I spent significant time researching why textexpander and keychain text snippets did not work in OS X version of 1Password, but yes, I did. I have noted that keychain text snippets work when editing logins in the iOS 1password app, so the behavior isn't consist, leading to more confusion.
Perhaps a one-time banner explaining the behavior that the user must acknowledge would be a compromise. At least they won't waste time trying to get text expansion to work. I think that would improve the customer experience.
0 -
Is the user in any way notified of this behavior? Not that I spent significant time researching why textexpander and keychain text snippets did not work in OS X version of 1Password, but yes, I did. I have noted that keychain text snippets work when editing logins in the iOS 1password app, so the behavior isn't consist, leading to more confusion.
@komrad: Indeed, since iCloud Keychain "snippets" are built into the OS, they don't have all of the restrictions that 3rd party apps do. I'm not sure that it's possible to block that from accessing it as well, and while I agree that would be more consistent, it's important to note that we have to trust the OS anyway.
Perhaps a one-time banner explaining the behavior that the user must acknowledge would be a compromise. At least they won't waste time trying to get text expansion to work. I think that would improve the customer experience.
Since this change was introduced over a year ago with 1Password 6, I don't think it makes sense to do that now. It would arguably help the few people noticing this, but even then it hasn't come up much since then and would only confuse the vast majority of users who simply expect 1Password to protect the data in their vaults from other apps accessing it.
0
