1Password Paste master password

I just updated my 1password app, and while the old app allowed me to long-press on the master password field and paste a password, the new (to me) app vibrates on a long-press, but the option to 'paste' never comes up.

Please assist. My master password is too long to type in full on my phone. I am trying to use NFC to pass part of the password (via the clipboard.)

Thanks

«1

Comments

  • saadsaad

    Team Member
    edited January 2015

    Hey @yurd. The option to paste in your master password does not exists in 1Password 4 for Android. We don't recommend using the Android clipboard for storing your master password. For additional information about the Android clipboard (and an upcoming feature), please have a look through this blog post. Let me know if you have any questions.

  • I understand that using the clipboard isn't recommended. However, the 'paste' function isn't actually the security risk, the way I understand it. At that point data is already in the clipboard.

    Do you have any solutions to using 1password on android w/ a yubikey & yubiclip?

  • @yurd you've missed the point. You shouldn't allow your master password to enter the clipboard at all.

  • Respectfully, I disagree.

    I'm not allowing my whole master password to enter the clipboard, just the part of it that I don't know. Again, though, allowing the COPY function FROM 1password is the security risk issue -- as opposed to allowing the PASTE function TO 1password.

  • periperi

    Team Member

    Thanks, @yurd‌. We appreciate your feedback. I've forwarded your suggestion to allow pasting in the Master Password field to our developers. This is an option in other platforms, so we'll take a look into it to see if we can achieve some cross-platform uniformity in this regard. Cheers!

  • I'm not allowing my whole master password to enter the clipboard, just the part of it that I don't know.

    ok, so you're putting 50% of your master password at risk making a cracking attempt much more feasible.

    Again, though, allowing the COPY function FROM 1password is the security risk issue -- as opposed to allowing the PASTE function TO 1password.

    I don't disagree that copying out from 1Password is a risk. That is why I don't use 1Password on Android for high value logins, and I won't until I get Lollipop and can use the direct fill capabilities.
    None of that has any bearing on the security of pasting in your master password. They are both insecure.

  • periperi

    Team Member

    This is something we're going to have to consider on our end, because it is possible to paste into the Master Password fields on other platforms. As I understand it, if portions of the password are pasted into the field out of order, it can lessen the chance of being intercepted by a keylogger. However, the danger with Android is that the clipboard is no man's land.

    Generally, we avoid the clipboard at all costs, and steer clear of encouraging 1Password users to store anything in the clipboard. This is the main reason behind why we're only allowing in-app filling on Lollipop, which doesn't require use of the clipboard.

    That said, I've discussed the subject with our developers, and they're going to look into it. Whether we'll allow the pasting function isn't clear, but it's under consideration.

  • With Lollipop I'd imagine that the same yubiclip app could be re-written to utilize the in-app filling as well.

  • periperi

    Team Member

    Hey @yurd. Our developers are currently considering implementing TOTP in a future update, though we would most likely avoid automating any use of the clipboard.

    That said, I'll add your vote for TOTP support. :)

  • Isn't that more of an authentication mechanism than decryption, though?

  • Isn't that more of an authentication mechanism than decryption, though?

    Yes. It's support for generating TOTP for authenticating to third-party websites.
    Personally I've never seen the point. The whole point of 2FA is that the two factors are not stored together.

  • I would say that the whole point of multi factor auth is that the factors are from different bands/mechanisms/whatever-the-word-is. Something you know, something you have, something you are. (the last one being very scary). I don't see how storage is related.

  • because if someone cracks you vault (using a key logger to grab your master password for example) then they instantly have access to both factors for all of your logins.

  • periperi

    Team Member

    I think I may have misunderstood the original question. I'm not very familiar with Yubikey or Yubiclip, but my understanding of the two apps is that Yubikey allows you to store 2FA credentials, while Yubiclip automates copying those credentials to the clipboard.

    While we are hoping to add 2FA at some point, I'm not sure how relevant Yubiclip would be since we don't automate use of the clipboard. Any pasting we allow in the Master Password field (if we decide to allow pasting there) would not be automated, and would require the user manually copying to the clipboard.

    Likewise, if we do implement TOTP, we will not automatically add those to the clipboard either. We prefer to leave any use of the clipboard up to the user.

    If I've misunderstood the question, please let me know. Thanks!

  • Ahh, sorry for the confusion.

    Yubikeys allow for static passwords to be stored and retrieved (as well as a handful of 2fa style options). My master password is a combination of an extremely long string of characters from the yubikey coupled with a passphrase that only I know.

    The yubiclip app just takes the input from the yubikey via NFC and sticks it in the clipboard.

  • periperi

    Team Member

    With Lollipop I'd imagine that the same yubiclip app could be re-written to utilize the in-app filling as well.

    So, if I understand correctly, you're wondering if Yubiclip could be altered to use the same type of filling that we use, instead of clipboard automation?

    If that's the case, then I suppose it's possible. I recommend contacting their customer support to let them know that there's a more secure alternative to copying to the clipboard. :)

  • I don't have Lollipop (yet?) so currently I'd still really appreciate being able to paste the clipboard into the master password field.

    However, yes, in the future, I was saying that I expect that the app could be altered to just use the app filling ('intent'?). I know that neither Agilebits, nor Yubico, would likely create this specific of an app, however Yubico's stuff is usually open source for developers, so I can always hope that someone will see a need and take the reigns.

    Accessing my 1P database on my phone isn't the most important thing in the world, but it would be very nice at times.

  • periperi

    Team Member

    I see. Thanks for the feedback! Currently there's no way to paste into the master password field, even with Lollipop. I apologize for the inconvenience there.

    In the meantime, I recommend setting up a PIN code to make logging in painless.

    Furthermore, we've added in-app filling in our latest beta version, which I believe will make it far easier for you to use 1Password on your Android. :)

  • I saw a TOTP announcement today that may give me what I need. I haven't looked into it yet.

    I was unaware of the PIN capability, but it still doesn't get me into the database the first time.

    Thanks for all the attention you've given this thread.

  • periperi

    Team Member

    No problem, @yurd! I'm happy to help. :)

    Enabling a PIN code won't prevent you from ever entering your Master Password, but it will at least make it easier.

    Please let us know if you have further questions. Thanks!

  • I have a physical password management device that works over NFC, and it stores my 1Password Master Password. I can use this device on 1Password Mac and Windows without problem, but the Android app appears to block me from pasting a master password.

    Since apps that prevent pasting a password are a frustration for 1Password users as well, I'm surprised that you seem to have decided that pasting into your master password field couldn't possibly be valuable to anyone.

    As it sits, the $10 I spent on the Android app is pointless because of this "feature". Is there any way to disable this?

  • periperi

    Team Member
    edited February 2015

    Hi @darrenpmeyer. Thanks for contacting us with your feedback! I went ahead and merged your thread with this one of the same topic.

    Currently, 1Password 4 for Android does not allow pasting into the master password field. This decision was previously made due to our security concerns regarding the clipboard on Android. We strongly recommend against copying your master password to the clipboard, or storing it in a third-party app.

    That said, I've forwarded this request to our developers for their consideration. They're currently looking the possibility of pasting into the master password field, to be consistent with 1Password on other platforms.

    Please let us know if you have any other feedback.:)

  • I've got a long password which is carried by a yubikey and a short one which is memorized. Together they form my master password. This is working fine on my mac and windows computer. On Android, the password from the yubikey is transferred via nfc to the phones clipboard. My problem is, that i can't paste the password from the clipboard into 1password. It's working fine, when i'm using another passowrd manager like OneSafe.

    Inside the app it's possible to paste from clipboard. But it's not possible to paste the master password from the clipboard. Is it a bug or a missing feature?

  • periperi

    Team Member

    Hey @Jakob241352. Thanks for getting in touch with us! I've merged your thread with this thread on the same subject. :)

    There is currently no option to paste into the master password field in 1Password 4 for Android. This is due, in part, to the security risk that the clipboard poses, and our desire to prevent master passwords from ever being stored on the clipboard.

    However, we do understand that some users would like the option to paste in their master passwords piecemeal, and I have forwarded this request to our developers for their consideration. There are security implications to allowing pasting into the master password field on Android that will need to be assessed.

    Thanks for the feedback, and let us know if you have any other questions!

  • @peri here's an idea. You allow pasting but put in a custom validater that will only accept the password if at least some of it was typed. When a paste occurs, store the pasted text and on submit, if the MP is equal to the stored paste text then disallow.

  • periperi

    Team Member

    That's a great idea, Richard! I've just forwarded this to our dev team. :) Thanks!

  • IMO, the validator suggestion above isn't a great idea. It just adds to the issue at hand.

    1Password and agilebits cannot stop me from putting whatever text I want into my clipboard -- it can only stop the 1Password app from utilizing the clipboard. I understand the security concerns of disallowing copying from the 1Password app. I do not understand any valid reason for disallowing the paste function though.

  • but why would you put your master password in the clipboard if you can't use it?

  • periperi

    Team Member

    Indeed, 1Password can't stop customers from using the clipboard. However, to prevent people from copying their master passwords to the clipboard, the decision was made to disallow pasting into that field.

    If pasting into the master password field were possible, then there would be the risk of sniffers obtaining peoples' master passwords from the clipboard, which we definitely wouldn't want, and why this is still something we'll need to assess thoroughly.

  • I think I'm missing something. What currently stops a 'sniffer' from pulling master passwords from the clipboard?

This discussion has been closed.