I just installed 1Password X on a Chromebook. On the login form, I clicked on the secret-key field and was presented with the option to auto-fill that field with my secret key. Now, I am trying to understand how the web browser was able to offer to auto-fill my secret key. The web browser must have stored my secret key somewhere. This seems to be a serious security flaw. The secret key field should be treated like a password field so that web browser auto-fill capabilities do not remember that information.
Now my secret key is available if someone manages to hack into my account on this Chromebook. They will be able to discover my secret key stored in the web browser's (unencrypted) auto-fill storage - providing them with a large portion of the secret information required to access my 1Password vault.
Can someone explain to me what is going on here? I have been using 1Password for years. I just recently installed 1Password X on this Chromebook and this auto-fill behavior surprised me. It doesn't seem like a security best practice to enable auto-fill for the secret key form field. It seems like it should instead be coded to be a password field.