Hitting the ALT key exposes my password!??
Hi all, this seems to be a feature that affects multiple OSs, so I'm posting here, please correct me if I'm wrong.
Here's a scenario that happened.
I was in a boardroom with people in the room that included both employees and vendors, with my display on a projector. I opened 1Password web (we're not allowed to use browser extensions due to security), did Alt-Tab to grab the url I needed the password for, and to my shock realized that my vault password was exposed for everyone to see.
You see, 1Password Account (Family) is first in the list in my vault, beginning with number 1 and all. I didn't create this entry btw, it came with 1Password.
This being a password that I actually have to remember and regularly type, it consists of multiple dictionary words that could be read and remembered easily, but since I never expected it to be exposed anywhere I didn't think this was an issue.
I have tested this both on Win10 and Linux and it happens in both OSs, and on different browsers(Chrome, Vivaldi, Firefox).
Alt, as I see it, is used way too often to be assigned to such an impactful function. Is there a way to disable this feature? Why not assign it to a key combination like Alt+Something?
Further, I don't remember this happening in the past. Is it a new addition?
Thanks
1Password Version: Web
Extension Version: none
OS Version: Win10, Ubuntu 17.10
Sync Type: Not Provided
Comments
-
@Vlad_TO: Thanks for reaching out. I’m sorry to hear that! This is definitely not a new addition. 1Password has, for as long as I can remember, perhaps all the way back to version one over a decade ago, allowed you to show/hide password fields using the Alt/Option key.
Fortunately, there are a few things you can do that will help:
- Use 1Password to generate your passwords. That way, even if someone sees them at a glance, they'll be too long/complex for them to read and memorize quickly.
- Don't unlock your 1Password vault to display in front of people whom you don't want to see your stuff — they may see something other than a password which you don't want them to, like which websites you have logins for. Also, you can always either use 1Password to fill directly, or copy and paste, so that you don't have to display anything to make use of your data.
- And if you believe that a password has been compromised — either for your 1Password.com account or another login — you can always change it.
That said, you're right that this can be problematic on some machines, depending on how you use it...which is why the versions of 1Password which are designed for and supported on Windows and Linux don't use that same shortcut. Is there a particular reason you're using the website instead of one of those?
0 -
Hi Brent, Thanks for your response.
1. As I mentioned, first password in the list was 1Password vault entry (which was created automatically I believe) so this password I need to remember and type on a regular basis to unlock my vault. I guess I can create a dummy entry to go before it. Besides, 1Password has an option to generate dictionary word passwords which results in a password similar to mine.
2. I don't really care if they see that I have an amazon account. I just care that they don't see the passwords. When I need a vendor to sit with me through some configs so they can help us troubleshoot a problem - sometimes I need to type complex passwords. I guess I can disconnect a projector every time I need to grab a password, but then I might as well use a text file. Convenience of 1Password was that I can grab a password without it ever showing up on the screen, or so I thought"Also, you can always either use 1Password to fill directly, or copy and paste"
I don't think I explained myself clearly. I wasn't trying to display the password. I was planning to copy/paste the password without displaying anything. But when Alt-Tabbing between windows the password was displayed for a significant amount of time (the window was still visible because the other window didn't overlay it completely, and I needed to switch back and hit ALT again to hide the password). Alt-Tab is a very common shortcut.
As for the versions. My work has very strict security policies. Without getting into details, let's just say that web version is the only one I have access to.Either way, I guess I will need to re-think how I use 1password when I have eyes on my screen.
I realize that like 100-yr old people pre-Y2K scare, I'm a bit of an edge case.Thanks
0 -
Hi Brent, Thanks for your response.
@Vlad_TO: Sure thing. I'm really glad you brought this up!
- As I mentioned, first password in the list was 1Password vault entry (which was created automatically I believe) so this password I need to remember and type on a regular basis to unlock my vault. I guess I can create a dummy entry to go before it. Besides, 1Password has an option to generate dictionary word passwords which results in a password similar to mine.
I noticed you said that, but just now it really "clicked": the "1" in "1Password" puts it at the top of the list, of course. :sweat:
- I don't really care if they see that I have an amazon account. I just care that they don't see the passwords. When I need a vendor to sit with me through some configs so they can help us troubleshoot a problem - sometimes I need to type complex passwords. I guess I can disconnect a projector every time I need to grab a password, but then I might as well use a text file. Convenience of 1Password was that I can grab a password without it ever showing up on the screen, or so I thought
Yeah, that's definitely a tough one. I appreciate you explaining the scenario.
"Also, you can always either use 1Password to fill directly, or copy and paste"
I don't think I explained myself clearly. I wasn't trying to display the password. I was planning to copy/paste the password without displaying anything.It's not you, it's me. I misunderstood what you were trying to do. Sorry about that! :blush:
But when Alt-Tabbing between windows the password was displayed for a significant amount of time (the window was still visible because the other window didn't overlay it completely, and I needed to switch back and hit ALT again to hide the password). Alt-Tab is a very common shortcut.
You're totally right, and that's why our Windows apps have slightly different keyboard shortcuts.
As for the versions. My work has very strict security policies. Without getting into details, let's just say that web version is the only one I have access to.
While it sounds like that isn't of much help to you, that's really helpful to know. I think we need to consider that others might be in a similar situation. Can I ask though, are you also unable to install the 1Password X extension in Chrome? A big part of the reason we've developed this is for restrictive corporate environments, and we've heard from a lot of folks who this has helped. I'm interested to hear more about your situation if you're willing/able to share, either here or at support@1password.com (just post the Support ID you receive here so I can find it in that case).
Either way, I guess I will need to re-think how I use 1password when I have eyes on my screen. I realize that like 100-yr old people pre-Y2K scare, I'm a bit of an edge case.
Definitely a niche, but we should evaluate if there are reasonable things we can do to help in that environment:
- Have 1Password not display item details immediately when unlocked.
- Change keyboard shortcuts and/or allow customization — perhaps even disabling.
- Probably other much better ideas that just aren't coming to me at the moment.
The hard part is balancing different people's needs. For example, at the same time there are people asking us for more keyboard shortcuts and more consistency between apps/platforms. I don't think we'll be able to please everyone, but we'd like to try, and go as far as we can, so real-world stories like yours are a big help as we try to triangulate and hone in on what else we need to do. Thank you! :)
0 -
Can you just give us a button for disabling this feature? I think this option would help many people, and I for sure don't think that this will be hard to implement.
For my case, I am having troubles with this feature because I'm on Linux, and as it happens, you switch workspaces here with Ctrl+Alt+Up/ Down Key. So every time I quickly change workspaces to get a password, I'm basically exposing it when changing back. This is just very bothersome for me.0 -
@jakister - it's something we can consider. But we place a very high bar for adding yet another button/toggle/preference to 1Password because part of what makes 1Password useful is keeping the additional UI elements to only what's most useful by the largest number of people. I definitely sympathize with your position and people like you who have little or no choice in using that key-combo, and this is something we need to think about more, in order to figure out the best approach to it. I don't know that we'll be just adding a button anytime soon, however, if at all. But I'll add your thoughts to those wanting a solution for this, and thanks for taking the time to share them. :)
0