Excluded Vaults not-so-excluded by iOS12 Autofill

udontknowme
udontknowme
Community Member

I have a family account, and I'm the admin. I have a separate vault personal things. In the desktop app (7.2.1 on OSX 10.14), I have that vault flagged as 'Exclude from All Vaults'. And that pretty much behaves as I'd expect: searching the app doesn't find something in that vault unless I first choose that vault.

Upgraded my phone to iOS12, and did Passwords, Autofill, 1Password. No problem. But, here's where things go weird.

1) Opened Safari on the iPhone. new tab, private mode, went to a site that is only defined by the excluded vault. I am instantly offered an autofill password from that excluded vault. Now, this was unexpected since the desktop app doesn't work that way: I have to drill down and choose the hidden vault to get it to fill. That feels like a bug, but I could see it being an arguable design point.

2) I then said, well, the password is there, I'll just use it. That turned out to be a mistake, because the iOS app now has that hidden vault's password promoted up to a front page favorite(!) which is expressly not what I would ever want. That very much feels like a bug.

I hope you'll consider this story for future revisions.
Thanks for reading.
A. Nony. Mouse.


1Password Version: 7.2
Extension Version: Not Provided
OS Version: ios12
Sync Type: Not Provided

Comments

  • Hi @udontknowme

    We’re aware of issue #1 and are considering taking the All Vaults excluded vaults selection into account here. ref: apple-2166

    I’m not able to reproduce issue #2. Are you able to make this happen again? I.e. if you fill a different item that is in your excluded vault does it get marked as a favorite in 1Password?

    Ben

  • udontknowme
    udontknowme
    Community Member

    Yes, I was able to reproduce bug 2. It's not a checked/starred favorite, but it's one of the auto-populated ones (Settings > General > Recently Used Items raised to 5).

  • Ah, gotcha. Yes, since it was filled it will show up there. You can set Recently Used Items to 0, if desired. I’ll talk to development and see if we might consider excluding items in vaults that are excluded from All Vaults from showing as recently used items but I’d say at this point that is working as intended.

    Ben

  • udontknowme
    udontknowme
    Community Member

    I could see that position. Respectfully, I disagree with it: an intentionally excluded vault (at least in my situation) is me indicating that I want that vault's passwords to be difficult to access. I grant that is my personal use case and may not be the intended plan.

    Given that the definition is 'Recently Used' and I can detune it back to 0, I don't have a huge argument if you stick to your guns here. It just means it's a setting I can never utilize, which is unfortunate.

    Thanks for the responses.

  • Do other people have access to your 1Password installation? The ability to remove vaults from All Vaults was not designed as a privacy feature. It isn’t intended to totally prevent items in vaults hidden from showing up anywhere in the UI... only from the All Vaults listing.

    I suppose one other thing you could do that we haven’t yet discussed is access X number of login items where X is what you have the recently used option set to, so that the item no longer shows.

    Ben

  • udontknowme
    udontknowme
    Community Member

    While perhaps not intended, vault-exclude effectively -is- preventing items from appearing in the UI without a two-step process (pick vault, search-or-pick login) or a deliberately bad setup (my default vault is an excluded one). The iOS app changes this to zero steps (it's on the front page).

    Consider it 'casual look prevention': the vault in question is not shared with others on the family plan. However, while my family wouldn't have access to my userid/1Password master password on a laptop, they DO have thumbprints on my phone. Obviously, if they snag my phone and go spelunking, they can then find whatever they want, and that's on me. And if I had that kind of issue, then there's no defense except "pull their access." But that's not my goal.

    My point is, by auto-populating the first screen in iOS, logins that were 2-steps-away on desktop are now not just findable, they're put on display. There's a large difference between your family saying, "I raided your phone and I can't believe what I found!" and "You were using your own phone and I looked over for a half-second glance and the front page tattled on you."

  • @udontknowme

    Understood. Thanks for sharing your perspective on this. :+1: Considering that, I think I’d recommend setting the recently used items to 0, at least for now.

    Ben

  • camner
    camner
    Community Member

    I just ran into this situation (difference in behavior when a vault is excluded from "All Vaults" in the Mac vs iOS version), and I have to say I'm puzzled as to why the two platforms would be designed to handle this situation differently.

    The iOS behavior makes the idea of an "archive" vault less valuable. Perhaps more to the point, if (as is the case with me) there are "his/hers" vaults, it is much more useful to be able to exclude the other vault from presenting credentials unless one has consciously chosen to include that other vault.

    What am I missing here in terms of why credentials from all the vaults in an account are presented?

  • We have some ideas about how to make Password AutoFill more respectful of the All Vaults setting. Unfortunately I don't have more than that to share at the moment but we do hope to have some improvement in this regard in the future.

    Ben

  • snarkle
    snarkle
    Community Member

    Hi @Ben. Did the fix for only showing autofill suggestions from the the All Vaults selection make it into the production release of the iOS app? I believe it was . "ref: apple-2166". i have a number of archive vaults for work/personal and it would be good to not see these irrelevant suggestions.

    Cheers.

  • Hi @snarkle,

    It hasn't made it out yet, but it's on the list. We have several usability issues we need to resolve before we begin limiting the results to All Vaults. That said, we hope to address this issue soon.

  • snarkle
    snarkle
    Community Member

    Thanks for your reply @ag_andrew. Looking forward to the fix.

  • :+1: :)

    Ben

This discussion has been closed.