prompting of master password for specific sites vs "form filling"

Andre123456
Andre123456
Community Member
edited April 2021 in 1Password in the Browser

Hi folks.

I believe the argument is framed all wrong and hope to help.

I am one of the billion people coming over from a competitor's site and evaluating 1Password. I've seen discussions on a requirement of reentry of the master password for specific sites. That is not precisely the pain point, and I would like to illustrate where the software fails to meet users' expectations.

There are three things customers are looking for in Pass/Form filling software:
Create and store complicated and unique (more secure) passwords
Fill forms with redundant information (first name, last name, email, address, etc.) at appropriate security levels.
Have this functionality available across devices and platforms
I believe the disconnect is the argument on what is a login/password vs. what is form. For example, let's take the 1Password Support Community site. I need to ask the community a question, but I have to fill out a form to do so. I don't need a login and pass; I need to ask a question. To ask the question, I fill out the form. However, by design, the form looks a lot like a login/pass. I don't need to protect anything. To ask a question, the forum administrator makes me fill their form every time I input information into the community, whether it is a new login/pass or an existing one. I'm not protecting anything.

Users have dozens of these instances. I want my Password/Form application to manage that form for me across devices and prefer not to retype my extremely complicated master password to respond to the team answer (clarifying the developers do not need to look at this for future consideration; the CFO and investors do).

The bank account login/pass is there to protect my information. The 1Password community forum has a form (that requires login and pass fields) to enter information. The application I need has to handle each differently. The arguments in the 1Password community treat all these events as "protecting passwords." That is not the case. Some are passwords. Others are functionality requirements imposed on the user in the shape of log/pass.

I would pay double for this functionality, but until then, I'm afraid, free or paid, the application does not meet my requirements. My wallet is open. Take the money.

To prove my point, here's my "login and pass," so when I get an email that someone responded to me, I don't have to type in my master password to say thanks for responding!

information cencored by admin


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:prompting of master password for specific sites vs "form filling"

Comments

  • ag_yaron
    ag_yaron
    1Password Alumni
    edited April 2021

    Hey @Andre123456 ,
    Thanks for taking the time to write this feedback.

    Firstly, I censored out your username and password from this post. It doesn't matter if you don't feel like this is an important website or just another place you need temporarily - never share your credentials with anyone, because you do not know what other information someone can extract from it.

    If I understand correctly, the main issue that you have is that you want to decide what is an important/valuable information that needs to be protected with your Master Password and what is not important information (which will allow you to autofill it even if 1Password is locked). If that is not the point, then please correct me.

    If that is indeed the point, then that is exactly why password managers were invented (especially 1Password) - so that you will never have to go through the trouble of having to remember or handle keeping up with all the different usernames and passwords across all these random websites, whether you only used them once or if you use them daily. You only ever need to remember a single password - your Master Password. That is why we are called 1Password :)

    When a website requires you to log in with a username and password, it means you need to create an account in order to participate in whatever the website is offering. In our case, this community forum requires members to sign up so that you can have your own private profile and that no one will be able to impressonate you or reply on your behalf with an identical name. Granted, it may seem overly unnecessary for you as a user and that things can be done without signing up, but you're talking to other people here who store their whole lives in a security oriented app and if someone impresonates another user they can definitely cause some serious damage.

    As for the credentials you posted here, like I said - never post your credentials. You think this is harmless because you don't have anything important here, but attackers can utilize it to find other information about you, such as your email address, and from there it is a shorter road to being compromised.

    Staying safe and secure online is no easy task, and you should take advantage of any and all security measures that you are offered, even if it is just a one-off website that you will never use again. Store it in your 1Password, and once every few years you can clean up your 1Password list and delete logins you haven't used at all.

    From a technical standpoint, allowing 1Password to autofill anything while it is locked is a big no-no. It means that we keep some of the information you store in it in plain text (non-encrypted), which means this information is available for anyone and everyone who get their hands on your 1Password database, whether remotely or by physically accessing your device. You may feel like this information is useless but as I mentioned, attackers are quite savvy and can take advantage of every little piece of information they can get to target someone.

    I hope that clarifies the situation a bit better. Let me know if you're having difficulties with specific workflows or things you'd like to do better/faster and I'll provide you with relevant tips and tricks if I can :)

  • Andre123456
    Andre123456
    Community Member

    Ok - I apologize for the stunt. You guys are there to take passwords seriously, and I appreciate that. Thanks!

    As a user, there are many times a day I am asked to put in my master password. Each time I do (and the password is long and complicated), I ask myself, "on a scale of 1-10, is that a feature I would pay for?". Financial information access should be as strict as possible. Other sites, not so much. But as a 1Password user, I'm forced to treat them as equals. And because of that, sometimes I find myself wrestling with the idea of increasing the time-out period beyond 10 minutes or creating a more accessible password to type. That, to me, sets off an internal alarm that I am weighing a convenience for an all-or-none solution. I want to turn the dial to 11 on some sites, financial, for example, and maybe turn down the dial, just a tad, for others. I also feel uncomfortable entering my master password 1-2 dozen times a day. I worry that I may have a security mishap or be phished somehow because after the 8th time I type it in, I'm on autopilot. When I make financial transactions, I want to be sharp and focused and would welcome more additional scrutiny/pain from the application.

    I like your product and I would pay for certain passwords to have "zero-minute timeouts" and others to have "X-minute timeouts".

    Thanks for your time and have a good one - a

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you again for the feedback @Andre123456, we appreciate you taking the time to share your thoughts with us, you never know what can happen in the future :+1:

    ref: dev/projects/customer-feature-requests#230

This discussion has been closed.