1P 8's uncontrollable auto-fill just gave away my private data

Of course, I meant uncontrollable auto-submit, not auto-fill.

regarding our previous thoughts on auto-fill, I wrote about that a bit here. The auto-fill feature today is implemented differently than the one we previously had, and the old one was removed for reasons of usability, not security.

I appreciate that you guys are leaning toward adding the option back in, but I'm still puzzled at how you apparently can't see that things fundamentally haven't changed from when you removed the feature in 7.2, or how you don't seem to want to acknowledge that this feature presents security risks.

From the post you linked to, there were three primary reasons for the removal in 7.2:

1. One of them was related to a new macOS security limitation.
   This one may or may not be relevant still, but either way, it's not directly a usability concern. That said, this point arguably supports the feature being security-related since Apple yanked functionality used by 1P precisely because of security concerns.

2. One of them was pointing out a UX detail (leaving focus on the password field after autofilling).
   This point was included in the original article as support for pulling the autosubmit feature - leaving the focus on the form means the form can usually be submitted manually by just pressing return. This point is as true now as it was then, and is still just as much an argument for not using autosubmit.

3. The last point was about the negative UX consequences when the feature doesn't work properly.
   Presumably, this is the one of most concern, since UX is what you are now calling out as the biggest concern of the old feature and this is the only direct UX problem that was given at the time. Let's look at the full text:

Sometimes a website doesn’t behave as 1Password might expect, resulting in passwords being filled sub-optimally, or fields being left blank. If 1Password were to automatically submit forms in these cases, users are left with an experience that we don’t feel reflects how we want 1Password to work and can lead to confusion.

I think we can say that this part clearly hasn't changed. Not only have people posted lots of examples in these forums of cases where the feature behaves in an unpredictable or undesirable fashion, but many releases you guys put out fix bugs with how 1P interacts with various sites. From the extension's recent 2.3.5 release notes:

• Logins are now correctly suggested, saved, and filled on walmart.com, web.telegram.org, churchgiving.com, fialda.com, inovarmais.com, and register.it.
• Logins are now suggested on boxcryptor.com, and one-time passwords now fill in Italian.
• One-time passwords now fill on Twitter in Norwegian.
• Suggested passwords now fill in both password fields on the vanguard.com recovery page.
• Logins now save and fill correctly on c1c.hu and the change-password page on tickets.theegg.org.
• Logins now save and fill on myntra.com.
• Logins are now properly suggested on auth.services.adobe.com, id.condenast.com, and cockroachlabs.cloud.
• Logins are now suggested on accounts.firefox.com, radio.southcraven.org, ing.com.au, and bank.co-operativebank.co.uk.
• Credit cards are now properly suggested on capitalmedicalclinic.myezyaccess.com.
• Usernames now fill correctly on the French version of app.journalapetitspas.ca.
• Identity items now fill properly on x-kom.pl.
• Credit card numbers are no longer filled into the CVV field on amazon.in.

Some of these are not cases where autosubmit applies, but many of them are, including on some notable sites. And all of them relate to 1P's parsing, understanding, and interacting with a web page, which is precisely the part that happens right before autosubmit and thus sets up autosubmit to fail or succeed (the old GIGO principle). Taken altogether, it means autosubmit is frequently going to commit the user to sending bad data or incorrect data. Further, given how web pages are constructed, I don't see this changing anytime soon. 1P will always be chasing web site anomalies, just as it has been doing for years now.

All of which takes us back to the core point from the blog entry about 1P 7.2: "Sometimes a website doesn’t behave as 1Password might expect, [which can] can lead to confusion."

The underlying technical implementation may be totally different, but that core UX challenge is exactly the same. So, it seems the only thing of relevance that's changed are quality standards, particularly in terms of how much potential confusion is allowed in an experience.

As to security, while autosubmit itself isn't a known security problem, the fact that it's basic usage includes very common machine and human errors that frequently lead to security- and privacy-centric problems — leaking personal data, enabling sites to better track users by linking accounts, errantly adding people to mailing lists, etc., etc. — means that autosubmit is a security problem by proximity. Again, it's a lot like 1P's anti-phishing feature. Filling credentials onto any random site when the user has requested it is not itself a security fault, but it's clearly security-related because you know users will do dumb things like click a phishing link and then tell 1P to fill in a cred on the rogue site. The user is entirely responsible, but do you really want 1P facilitating that by turning a blind eye and just doing it, or do you want it protecting users from themselves? We all know where you stand on this one.

Also, as someone else pointed out, you guys placed the autosubmit removal defense under the security heading of the blog post. This strongly suggests that it was regarded as a security-centric concern internally, or at least security-adjacent. The fact that you're now basically trying to retcon it into a mere UX concern, that you won't warn users about it or even acknowledge possible security ramifications, gives me pause about other security-related decisions the team is making. 1P is all about security, so if your security posture is starting to weaken in favor of saving face or is becoming less transparent, that speaks to a far bigger problem than this one misguided feature. Bugs happen, bad decisions happen, etc. I get these things. But the basic posture is what I focus on. And I gotta say, this is the first time I've been concerned about 1P. Mind you, I've been a user of 1P since its "1Passwd" days, I'm directly responsible for multiple family and business accounts, and I can't even count how many individuals I've referred your way. It's been a long, occasionally bumpy road, but I've stuck by you guys because I believed in your competency around the core mission of security with some great features layered on top. Now, I'm not so sure.