Feature Request: Bypass disabled pasting in a password field

Some incredibly moronic and incompetent sites disallow pasting a password into a password field, thinking that's a security feature. When this happens, 1Password is not able to paste (auto-fill) a password and it instead needs to be manually typed in, which is a HUGE issue when your password is a 32-character randomly-generated password.

It would be REALLY helpful if the 1Password Chrome extension (well, all extensions, actually) could bypass that stupidity by ignoring the disabled pasting. I don't deal with a lot of frontend so I don't know if this is even really feasible, but it would be nice.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_yaron
    1Password Alumni

    Hey @Mark Badolato,
    I too dislike such websites very much, and often find workarounds by right clicking the password field, selecting "inspect" to view its source code and alter it there to enable pasting. However, it doesn't always work and depends on how far the designers went in order to prevent it.

    We cannot automate this process since it might have a lot of unwanted side effects, in which 1Password will fill in very unrelated places on random pages or cause unwanted behavior. What we usually recommend is to send our open letter to the banks template to such websites and let them know their login page is ridiculous.

    If you'd like, feel free to share the URLs of such websites here and I'll gladly take a look at them, in hopes I will be able to find a workaround.

  • Mark Badolato
    Community Member

    Yeah I do the Inspect trick too but it's annoying. Wasn't figuring there was an easy way around, but figured it couldn't hurt to raise the flag :)

  • ag_yaron
    1Password Alumni

    @Mark Badolato, there are more advanced tricks, like using 3rd party extensions such as "Tampermonkey" which would allow you to automate the process (after some tinkering), but that is not in the scope of our support or even something we officially recommend :)

  • jgoguen
    Community Member

    @Yaron if 1Password can already detect the field to fill, why couldn't it simply send key events? Something along the lines of:

    for (var idx = 0; idx < pw.length; idx++) {
        var keyEvt = new KeyboardEvent("keydown", {"keyCode": pw.codePointAt(idx), "which": pw.codePointAt(idx), "key": pw.charAt(idx)});
        pwField.dispatchEvent(keyEvt);
    }
    

    That way, AIUI, the field gets key press events and the site can disable pasting all they want.

  • ag_yaron
    1Password Alumni

    @jgoguen That's a nice suggestion, but it will compromise your security since keyloggers would be able to capture your password that way.
    One of 1Password's strong points is when it autofills - no one can capture your password in the process. It does not copy and paste the password and it does not inject keyboard presses.

    Thanks for the effort though :)

  • jgoguen
    Community Member

    I'm a little confused then about how pages can block 1Password. If it's not pasting then the JS events for keyboard events shouldn't trigger? What is it they're doing? All the ones I've run into so far have blocked paste but as long as a keypress event is triggered other methods of setting the field value have worked. Maybe I've just been relatively lucky?

  • ag_yaron
    1Password Alumni

    @jgoguen It really depends on how the login form was designed. Some forms have their fields disabled until a keypress is made, at which point autofilling will suddenly work with 1Password, and some websites only allow for keyboard input, in which autofilling with 1Password will not work at all.

This discussion has been closed.
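
The form behaviours discussed in this thread (a blocked paste, a field that only accepts a value after a keypress, and a field that accepts keyboard input only) can be modelled as below. This is an added example, not code from 1Password or from any poster; the `FakeField` stand-in, the two site scripts and the use of `isTrusted` to tell real key presses from script-dispatched ones are assumptions made for illustration.

```javascript
// Stand-in for a password <input> (constructed); Node's EventTarget follows DOM dispatch rules.
class FakeField extends EventTarget {
  constructor() { super(); this.value = ""; }
}

// Site pattern A (constructed): cancel every paste event on the field.
function blockPaste(field) {
  field.addEventListener("paste", (e) => e.preventDefault());
}

// Site pattern B (constructed): keep a value only if a keydown preceded the input event.
// With requireTrusted, script-dispatched keydowns (isTrusted === false) do not count.
function keyGated(field, requireTrusted) {
  let accepted = "";
  let sawKey = false;
  field.addEventListener("keydown", (e) => {
    if (!requireTrusted || e.isTrusted) sawKey = true;
  });
  field.addEventListener("input", () => {
    if (sawKey) accepted = field.value;
    else field.value = accepted; // revert anything that was not "typed"
    sawKey = false;
  });
}

// Models a user paste: cancelable paste event first, text inserted only if not cancelled.
function userPaste(field, text) {
  const allowed = field.dispatchEvent(new Event("paste", { cancelable: true }));
  if (allowed) {
    field.value = text;
    field.dispatchEvent(new Event("input"));
  }
  return field.value === text;
}

// Models a fill that assigns the value directly; no paste event is involved.
function directFill(field, text, withKeydown = false) {
  if (withKeydown) field.dispatchEvent(new Event("keydown"));
  field.value = text;
  field.dispatchEvent(new Event("input"));
  return field.value === text;
}

// Build a fresh field, install the site script, run one fill method, report success.
function attempt(siteScript, fill) {
  const field = new FakeField();
  siteScript(field);
  return fill(field, "constructed-sample-value");
}
```

In this model a paste handler stops only the paste path, a lenient key-gated form accepts a direct fill once any keydown has fired, and a form that insists on trusted key events rejects every scripted fill.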