Open and Fill security questions
Hi, all. I'm a new and happy customer of 1Password. I have a security question about how "open and fill" works. In moving to 1Password from another password manager, I exported from the old program and imported into 1Password. I have been using password managers for years and many of my web entries are saved as http:// as they were created long before many sites moved to https://.
If I click "open and fill" on an http:// entry, does that not transmit my password in clear text? I've inadvertently done it several times now given the "open and fill" rather than "copy" being the default. I'm updating my links, but I have over 300 entries, so that's going to take some time. :)
Comments
-
Hi, @Signetur. Thanks for your post, and welcome to the forums! Good watching out on the scheme used to access your sites. This is indeed very important. The most important thing is the scheme of the page where you actually end up. So, if you visit http://example.com/login and they redirect you to https://example.com/login, then your connection is safe. If you're interested in a more nuanced discussion of how this stuff works, you might find this Troy Hunt article interesting.
In the desktop browser extension, we take some pains to ensure that you're not filling a Login that you originally saved with https:// on an http:// site and show an alert if we detect this scenario. But notifying a user each time they fill an HTTP Login when the URL saved is also HTTP would be overkill.
One way you could search for items that need updating is to do an expanded search for items with fields with http:// prefixes. Here's what that looks like in 1Password for Mac:
(The instinct would be as mine was to search for URL starts with http:// but the URL searching appears not to include the scheme…) This should give you a solid list of Logins to work through to update the URLs as necessary.
I hope that helps!
--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas
0 -
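The two checks discussed in the reply above (finding Logins still saved as http://, and comparing the saved scheme with the scheme of the page you actually land on) can be sketched as follows. This is an added example, not 1Password's code: the CSV column names `title` and `url`, the sample rows, and the decision labels are assumptions, and host matching is deliberately left out.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export. The "title" and "url" columns are assumed,
# not 1Password's actual export format.
SAMPLE_EXPORT = """title,url
Forum,https://discussions.agilebits.com/entry/signin?Target=
Old bank,http://bank.example/login
No scheme,shop.example/account
"""

def classify(url):
    """Return 'http', 'https' or 'other' for a URL string."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"

def audit(export_text):
    """Return (title, saved_url, https_candidate) for entries saved as http://.

    The candidate is only a suggestion; confirm the site serves it before
    updating the saved Login.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        saved = row["url"].strip()
        if classify(saved) == "http":
            candidate = urlsplit(saved)._replace(scheme="https").geturl()
            findings.append((row["title"], saved, candidate))
    return findings

def fill_decision(saved_url, page_url):
    """Decide on the scheme of the page the browser ended up on (labels are hypothetical)."""
    saved, page = classify(saved_url), classify(page_url)
    if page == "https":
        return "fill"            # final page is encrypted, even if the saved URL was http://
    if page == "http" and saved == "https":
        return "alert"           # downgrade: saved for https://, offered on http://
    if page == "http":
        return "fill-cleartext"  # saved as http:// and still http://: no alert, page has no TLS
    return "skip"                # not a web page scheme

if __name__ == "__main__":
    for title, saved, candidate in audit(SAMPLE_EXPORT):
        print(f"{title}: {saved} -> try {candidate}")
    print(fill_decision("http://example.com/login", "https://example.com/login"))
```
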
Thanks Jamie, that was helpful. I've tried the "open and fill" feature on a few websites, and can't get it to work, e.g. on at least one of my banking/financial sites, the login ID is on one page and only after you enter the ID does another page load with a password prompt. Other sites I have want a member ID, followed then by a username and password on a separate page. There seem to be so many variations of how sites want you to log in that I don't have a lot of faith in "open and fill" as a feature that'll work correctly and consistently. I use Apple Keychain to save some web site passwords, and I trust it (sort of), potentially making "open and fill" even less useful for me. It'd be nice to add a setting to make "open and fill" not be the default choice.
Having said that, I am new to 1Password (and the Mac for that matter), so maybe after spending some more time with "open and fill" I'll find it more helpful.
I haven't tried the 1Password browser plugin yet, as I'm instinctively skeptical of browser plugins of any kind from a security perspective, even with one that 1Password has developed (and I'm impressed with everything you guys do). I might give it a spin at some point.
Thanks again!
0 -
Thanks for writing back, @Signetur. I think I'm a bit confused about this then. Open and fill is only useful if you're using our browser extensions. I'm curious what your expectation was for using open and fill without the browser extension? (I lead our browser extensions and form filling team, so I'd love if you gave it a try and let us know if you have any feedback or concerns.)
I will say that open and fill works best for URLs that point to sign in pages rather than generically to a site's homepage or something like that. For instance, if you were storing a URL for these forums, open and fill will work much better for you if you set the URL to
https://discussions.agilebits.com/entry/signin?Target=
rather than just
https://discussions.agilebits.com/
where there is no sign in form to be found on page load. Does that make sense?
--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas
0 -
Ah, there you have it. I didn't realize the plugin was needed, but I guess that makes sense that it would be!
0 -
Glad to clear that up! Let us know how you get on. Really, the browser extension itself is more of a hook for 1Password to do things inside web pages. It doesn't have any of your 1Password data itself and any process or script that can see your details being placed into the field in a page would be able to glean that data via other means anyway, so overall, we think the browser extension is a pretty low-risk bit of the 1Password equation that adds a ton of convenience. :)
0 -
Yeah, I will do some more reading up on it. One thing that convinced me to go with 1Password in the first place is that every obscure thread I found on the Internet discussing potential vulnerabilities with your software, someone from 1Password showed up in the thread to acknowledge and clarify, and then fix (quickly) if needed. I don't know how you guys find all of those threads - I guess the same way I do. :)
I see your point. If your browser becomes compromised, then your browser is compromised, and manually typing or cutting/pasting passwords into the browser is not necessarily any more safe.
0 -
Cheers! Glad our efforts to support 1Password users wherever they are get noticed. :)
0