Treating localhost as safe url destination

this idea is regarding feature Unsecured Websites. Currently, all passwords that are stored for http sites are marked as insecure. I presume this is for cases that somebody will listen on a network and steal those passwords.
This, however should not be a case when passwords are only sent to local computer, as no (real) network is involved. Wouldn't it make sense to treat it also as a secure destination? This is what all major browsers do.

The only vector I can think of is that the traffic could be listened to if computer is already compromised (malware is present). I do not know if 1P considers such computers as still secure/to be protected or as already compromised/out of scope.

The usecase here is that as a developer, I use 1P to store all my development accounts here when I create software on localhost. This unfortunately means i have something like 15 acounts marked as unsecure without a real option to do something about it.

What are you thoughts about this?

Best regards, B.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • I have something like 15 acounts marked as unsecure without a real option to do something about it.

    I think you can add the tag http to prevent them from showing up in Watchtower again.

  • brentybrenty 1Password Alumni

    @buri: It's an interesting point. Unfortunately if the "site" is not using TLS (e.g. https://) it is not secure, even on "localhost", as anything on your system would be able to intercept the communications and do whatever with it. So I'm not sure we want 1Password to stop caring about this. But as XIII mentioned, you can explicitly exclude it if you want to. We just don't want people to do what they do with Windows UAC prompts and thoughtlessly dismiss them -- which is not something you can really blame people for doing.

    Anyway, why not use TLS? Browsers have been steering us this way for a while already, and I wouldn't be surprised if they just drop support for unsecured connections ultimately.

  • Mostly beacuse some languages have terrible support for self-signed certificates and it's real hassle to work with them while developing. I didn't know about the tag. That's good enough for me. Thanks!

  • BenBen AWS Team

    Team Member

    Thanks for the update @buri. Glad to hear the tag will work for now. :)


This discussion has been closed.