Feature Request: Conceal Passwords in Chrome extension

was: How to mask passwords on Login Details page?
I noticed passwords are not masked on the Password Details page...
I'm a bit shocked, because this makes it actually even easier to discover all my individual passwords. Does this go in-line with the whole concept behind 1password?

How can I mask these passwords?

Comments

  • khadkhad Social Choreographer

    Team Member
    edited February 2011
    Welcome to the forums, Ron!

    If 1Password is unlocked, your data is available. To prevent this, please make sure to lock 1Password when you are not using your computer. Even if the passwords were masked someone who had access to your machine could easily copy and paste them into a plain text file. :S

    Consider the following settings found on the Security pane of 1Password's preferences to lock 1Password when you are not using it.

    If "Disable automatic unlock for 1Password" is checked you will always be prompted to enter your master password when opening 1Password. This includes quitting the app and relaunching it.

    Likewise, if "Disable automatic unlock for all applications" is checked you will always be prompted to enter your master password when using one of the browser extensions after a fresh launch of your browser(s).

    So any easy way to keep prying eyes at bay is to leave both of the above settings enabled and quit 1Password and your browsers when you are done using them. Your data will be locked.

    Otherwise, you are relying on the auto-lock settings to secure your data which will either lock your data after X minutes of inactivity, when your Mac begins to sleep, or when the screen saver is activated whichever of the selected options comes first.

    The auto-lock timeout is measured by computer activity and not 1Password activity. In order for 1Password to automatically lock after X minutes, there must be no mouse or keyboard activity for the entire duration.

    To speed up the auto-lock process you might consider the following.

    1. Set an Active Screen Corner for you screen saver and activate the screen saver when stepping away from your Mac (System Preferences > Exposé and Spaces > Exposé > Active Screen Corners).

    2. Close the lid of your Mac laptop to put your Mac to sleep.

    3. Activate the login window when stepping away from your Mac (System Preferences > Accounts > Login Options > "Show fast user switching menu as…")

    The above three options will also secure your entire OS X login if you have enabled "Require password … after sleep or screen saver begins" (System Preferences > Security > General).

    Of course, you can always lock 1Password manually from the Chrome extension or with a handy Automator workflow.

    I hope that helps. Please let me know.

    Thanks!
  • I'm terribly sorry, but that is not really an answer, Khad.
    Ron has a specific security issue, which I happen to share. I would love to get me a license key for 1password while I'm trying out this great app, but I do find it rather insecure that my password is fully visible when I'm using the chrome extension and want to login somewhere. We have to be aware of prying eyes, more than anything. Cold hacking / physical security is how most breaches occur. Isn't it possible to either mask the password or enable users to login without showing the login details in the 1Password menu in Chrome?
  • khadkhad Social Choreographer

    Team Member
    Welcome to the forums, StereoDax!

    Thanks for continuing this discussion. We are certainly looking to add the ability to mask passwords in the login details view in a future update to our Chrome extension, but I just wanted to be clear about what sort of protection that will and will not provide.

    Your password is never visible under normal use. Simply press ⌘\ on your keyboard and then select the login to fill and press Return. To view the password, you must either (1) press the right arrow key on your keyboard or (2) click the right-pointing arrow for the login item in the list. Again, it is not possible to view the passwords unless 1Password is unlocked in Chrome, but we are still looking into adding the ability to conceal them as we do in the main 1Password application.

    Please let me know if you have any additional questions or concerns!
  • Hi

    Does the 1Password on Chrome have any setting to mask the password. thanks

    Regards,
    Walter
  • khadkhad Social Choreographer

    Team Member
    Welcome to the forums, Walter!

    I have moved your post to the appropriate thread. Please see above and let me know if you have any additional questions! :-)
  • I had gifted 1password to a friend of mine and was showing him the right way to use the s/w. This bug made quite an embarrassing situation when I accidentally saw the password. My intent was to merely show him how to use it (on his own laptop). I never use Chrome. I use Firefox. Had I known this chrome bug, I would have stayed out of clicking on the right arrow next to the entry. If you really cannot mask, at least reduce the font size.
  • khadkhad Social Choreographer

    Team Member
    Hi Harry,

    While we never advise allowing others to use your computer while 1Password is unlocked — for reasons you and I both outline above — as I also mentioned above, we are looking to add this functionality in a future update. Thanks for letting us know you would appreciate it as well!
  • Hi all,

    I must add my voice to the others here. I'm a bit surprised that the passwords are not masked by default in the Chrome plugin (which works beautifully otherwise - great job!)
    Within the 1Password application window, all passwords are masked by default, and only shown if you explicitly click on them. I am surprised that this was not the default policy for
    the chrome extension also. I really think it should be.

    I think we all understand the hazards of allowing another person to use our accounts, particularly if 1Password is unlocked. The concern here is from casual
    glances at the screen from people around us. I use 1Password on my laptop at work and in random places (coffee shops, airports, etc.) There are many
    opportunities for someone to see a password by glancing at my screen if they are not masked.

    I never, never want my passwords to be displayed on screen unless I explicitly choose to do so myself. Clicking the arrows to
    view login details does not, in my mind, constitute such an act. There are many reasons I might want to browse the account details,
    but this does not mean I want to have the password displayed. I also feel like the random password generation screen should also
    be masked by default. I don't need to see what my random password is - I just need to know that 1Password is creating one and storing
    it for me.

    Otherwise, so far the chrome extension is great, I'm really enjoying using it.
  • khadkhad Social Choreographer

    Team Member
    Thanks for the vote, anemo42! I have also replied to your post about the Strong Password Generator in its own thread.
  • grib78grib78 Junior Member
    Hello,

    I don't know (did not find) if this behavior has already been discussed, but in the Chrome extension of 1password (mac version), it is possible to see username and passwords in clear in the login details window (see picture with fake username ???? and pasword !!!! ).
    Of course, the vault mut be unlocked as it is when you use the extension but the following situation hapened to me :
    - in meeting last week
    - I had to connect a site where the identification is in a pop-up that was not recognized
    - as right-click on 1 password/Chrome does not work, I went to the extension to copy/paste my password: I choose the site I wanted to login and clicked on the arrow at the right to access the login details window => username and password in clear !!
    - everybody has seen my password (of course it is now different :-) )
    - it should be nice to see stars or other symbols instead of the username and passwords.

    Is it a work in progress ? Is it possible in Chrome ?

    Thanks.
  • khadkhad Social Choreographer

    Team Member
    Welcome to the forums, grib78. I'm sorry that you had that problem.

    This is actually resolved in the code and will be available in a future update. I don't have a time frame, but it is on the way! :-)

    I hope that helps. Cheers!
  • grib78grib78 Junior Member
    khad wrote:

    Welcome to the forums, grib78. I'm sorry that you had that problem.

    This is actually resolved in the code and will be available in a future update. I don't have a time frame, but it is on the way! :-)

    I hope that helps. Cheers!



    Than you Khad for the answer. I am happy to see that a solution is on the way :-)
  • khadkhad Social Choreographer

    Team Member
    I am happy to see that a solution is on the way

    Me too! :-D

    Cheers,
  • Masking the password and only displaying it if clicked isn't the thing which I think should be implemented.

    If I use Safari and vist a website and let 1password fill out the login name + password my Password is never displayed this is the workflow I like. (And I don't know any way in Safari to show the password within Safari)
    So even if i unintentionally leave my computer with the plugin unlocked (and the main app locked) no one can see my passwords just log in with my credentials. So he can fool around for the moment but he couldn't get my passwords what is much more important, i think.

    Just my 2 cents.
  • khadkhad Social Choreographer

    Team Member
    edited April 2011
    Welcome to the forums, hashier! Thanks for continuing this discussion.

    Please be aware that even if 1Password is only unlocked within Safari, your passwords can be viewed by holding down the Shift key and clicking a login in the 1P toolbar button menu to edit it. The only way to truly secure your data is to lock 1Password. Hence my initial post in this thread with helpful tips to manage the locking of 1Password.

    I hope that helps clarify the situation and keep you more secure. If you have further questions or concerns, please let me know.

    Thanks!
  • MikeTMikeT Agile Samurai

    Team Member
    Hi Guys,

    Good news, we now released the update that includes the concealment by default and you can press "Reveal/Conceal" buttons at any point. For more information, please read our blog post about this: http://blog.agile.ws/1password-mac-new-chrome-extension-beta/

    Have fun!
  • dtearedteare Agile Founder

    Team Member
    edited April 2011
    The newly released Chrome extension (3.6.0, build #30930) conceals passwords in the Logins details and allows you to reveal them when hovering over the "masked bullets". Please update (here's how to force the update to happen immediately) and let us know what you think. I hope you like it as much as we do :)

    Edit: I see Mike was as excited as I was and posted this too. Oh well, better two than none :)
  • edited June 2011
    dteare wrote:

    The newly released Chrome extension (3.6.0, build #30930) conceals passwords in the Logins details and allows you to reveal them when hovering over the "masked bullets". Please update (here's how to force the update to happen immediately) and let us know what you think. I hope you like it as much as we do :)

    Edit: I see Mike was as excited as I was and posted this too. Oh well, better two than none :)


    Hi there!

    I just installed 1password for the first time today, and really dig it! However, I'm having some problems with the Chrome extension. First, even though you're saying the most recent version of the extension should conceal passwords, all of mine are visible, and this is in Version: 3.6.3.30953. While I agree that it isn't a huge security concern since you still need the master password, it is embarrassing if you have other people by your computer and they really should be hidden from view.

    Is there any way to fix this?

    EDIT: Since the "save new login" button hasn't been working for me, I've been forced to input a lot of sites manually. The exposed password bug only seems to be affecting these sites, not the one 1password automatically wants to save. So for instance, when I logged into Amazon.com 1password asked if it wanted to save my password. That one is hidden within the extension. However, I received no such popup from the extension for this forum site, so my password for this forum is exposed. Hope that helps!

    --jeremy

    thanks!

    FYI, im running chrome ver 12.0.742.100 on osx 10.6.7

    --jeremy
  • khadkhad Social Choreographer

    Team Member
    edited June 2011
    Hey Jeremy,

    Please make sure that your password is marked as such in 1Password.

    20110619-pc21j54cmfm17rw45rkiww5f68.jpg

    Ideally you should be saving Logins in the browser, though (where you say the problem doesn't exist), so rather than fuss too much with that let's try to make sure that "Save new Login" is working for you in the browser.

    First, please install the latest 1Password Chrome extension beta. Next, be sure that there is not already a login in 1Password for the site where you are saving it which uses the same password. The login will not be saved if you already have a login for that domain with the same password.

    Please let me know how it turns out.

    Thanks!
  • khad wrote:

    Hey Jeremy,

    Please make sure that your password is marked as such in 1Password.

    20110619-pc21j54cmfm17rw45rkiww5f68.jpg

    Ideally you should be saving Logins in the browser, though (where you say the problem doesn't exist), so rather than fuss too much with that let's try to make sure that "Save new Login" is working for you in the browser.

    First, please install the latest 1Password Chrome extension beta. Next, be sure that there is not already a login in 1Password for the site where you are saving it which uses the same password. The login will not be saved if you already have a login for that domain with the same password.

    Please let me know how it turns out.

    Thanks!


    Thanks for the reply! So I installed the beta extension, restarted, and the problems still seem to be here. The problem with the exposed passwords is really in the "all fields" display of the extension. The passwords appear as bullets under the username/password , but then underneath that section there's an "all fields" section which displays the password, or at least the first handful of characters of it. However, this only happens for the sites where I created a login manually in the 1password app. The sites which 1password automatically saved have the password hidden in both sections. Does that make sense?

    Thanks again for the help!
    --jeremy
  • khadkhad Social Choreographer

    Team Member
    Jeremy. I see exactly what you mean now. Thanks for your persistence and clear explanation. This is a login I created in 1Password.app:

    20110620-jc7nhht4ubtk2dx369a5thd8dx.jpg

    And this is a login created in the browser:

    20110620-g15dnuqm9ibd4147qekjdp5uu3.jpg

    I have passed this along to the developers for resolution in a future update. :-)
  • edited June 2011
    Thanks for taking care of this! Glad I could help.
  • khadkhad Social Choreographer

    Team Member
    Thank you! If we can be of further assistance, please let us know.

    We are always here to help!
  • When using the 1Password Extension for Chrome some of my passwords are displayed in clear text in the extension, with no option to "reveal" and "conceal."

    The password is displayed in clear text when I do the following:

    1 Click on the 1Password Extension icon in Chrome
    2 Select "Logins for this site" or "All logins"
    3 Select an account to to see the "Login Details"
    4 Under the "All Fields" section I see the username and password, but the password is displayed in clear text.


    I am using the following:

    Chrome 12.0.742.112
    1Password Extension for Chrome 3.6.3.30953
    MAC OS X 10.6.8

    Anyone else seeing this?
  • khadkhad Social Choreographer

    Team Member
    edited July 2011
    Welcome to the forums, twister! I merged your post with the appropriate thread and removed the duplicate.

    At the moment this appears to only apply to Logins created in the 1Password application (as opposed to within the browser). We are working to resolve this, but we do also recommend always saving logins from within the browser for best results.

    Please see the posts directly above and let me know if you have any additional questions or concerns. We are working to resolve this in a future update. Thanks!
  • I second this (or third, or whatever). This makes the chrome browser extension completely unusable. I cannot risk having passwords in plain text for someone to see. Unfortunately, I created all of my passwords in the application, not the browser plugin. I unfortunately don't have time to recreate all of the logins.

    Since this was last touched in July... bump. I'd really like to see this resolved. Thanks!
This discussion has been closed.