Feature Request? Auto fill automatically?
Hello everyone,
I'm a new user coming from Dashlane after 6 years of using it, and I can say 1Password is amazing and always gets updated and gets all the new features, The only thing I miss is the auto-fill without doing anything I open the website and magic happen automatically.
this feature is secure because 1PW can check the domain before doing anything like Dashlane and Roboform. also, we can turn these features on or off depending on the users.
Password Manager is made for that feature specifically for old age people and others who want to work faster, I hope to get it sooner.
About Signing in automatically after autofill finally came to the beta version I tried it and it's working well but needs more polish.
Thanks
1Password Version: 8.10.27
Extension Version: 2.22.0
OS Version: macOS 14.4
Browser: Edge
Comments
-
It was explained that autofill without interaction is indeed NOT secure, because you can be victim of injected malware javascript on a hacked website. The domain doesn't matter in this case.
The problem is not that passwords get submitted to a malware domain by submitting the login form. The problem is that injected code has the ability to read input fields while you type or while something is autofilling a field. Submitting isn't required. Autofill a field without submitting is enough. Once the code has read the data, it can submit it to anywhere in an invisible background request.
You see regular use of this field peeking feature with controlled input where a certain format is enforced or certain characters filtered while you type.To require a manual action from the user avoids the problem that some malicious website redirects to an infected regular website and your credentials being automatically autofilled and abducted. This could work without any manual interaction without a chance to intercept by the user, if autofill is completely automatic.
The new auto submit after manually confirming autofill is probably all we can get from a security point of view.
0 -
Hello @Welaxxx, thank you for writing in! Welcome to 1Password, I really appreciate the kind words!
@Tertius3, thank you so much for providing an answer before I could jump in.
A lot of folks have been asking for this feature request and the team has discussed this internally in great detail to see if it can be implemented in a safe way. Due to security concerns, the team has decided against adding a feature that would automatically fill login credentials into a webpage without a user’s direct interaction and consent.
Automatically filling a web form with no user interaction other than visiting the page can lead to an attack where your usernames and passwords are submitted to a malicious website in a way that is silent and not clearly visible to a user. Attacks against password managers that automatically fill logins without user interaction have been documented by security researchers and 1Password has a responsibility to protect all users from these attacks.
I hope that explanation helps! Let me know if you have any further questions.
-Evon
0
