1Password Paste master password

2»

Comments

  • RichardPayne
    RichardPayne
    Community Member

    Nothing, other than you have no reason to place your master password on the clipboard.

  • We can't stop malicious apps from sniffing the clipboard, which is why we don't automate its use. However, since pasting into the master password field isn't currently possible, that creates a deterrent to people storing their master passwords on the clipboard in the first place.

    Our goal has long been to minimize clipboard use whenever possible. Ideally, people wouldn't store any sensitive information on the clipboard. Thanks to the new filling implementation, clipboard usage is less of a necessary evil than it has been.

    I understand wanting to store bits of a master password on the clipboard to be pasted into the master password field, and have forwarded the suggestion to the team. However, I would strongly advise against anyone ever storing their entire master password on the clipboard.

  • yurd
    yurd
    Community Member

    I'd strongly advise against it as well. However, the rest of the 'policy' of sorts, seems to be relying on users' behavior and nothing more. Deterrents don't actually do anything that counts, or at least they certainly don't make anything safer.

    Anyway, I've made my vote known. I have lots of NFC yubis that aren't being used as intended after the app's update.

  • I definitely agree that there's nothing we can do to control user behavior, and that as long as people store items on the clipboard, their data is not fully secure. This is something we have to contend with at the moment.

    That said, I appreciate your feedback and interest in this feature. :) I'll let you know if we decide to allow pasting into the master password field. I also enjoy the opportunity to discuss rather than troubleshoot once in a while. Thanks!

  • duaneb
    duaneb
    Community Member

    In my opinion, the password stops being secure once I know it. And unless you can enable yubikey integration (copy off of NFC), the lack of a paste means 1password is unsecured. It's not your place to restrict my activity, it's your job to ensure I can use the security workflow I need. So, until then, I will have to know 2 master passwords: one insecure one I can remember and type, and another I couldn't reveal with the best wrench attack.

    This is a major factor in potentially switching to lastpass.

  • yurd
    yurd
    Community Member

    ^^ What he said.

    I won't switch to Lastpass over this, but my 150 or so users won't be switching away from it either.

    As an alternative if the NFC U2F in the new yubis (I believe they just announced those) could be used in some way, I'd be fine with that. I know the agilebits developers' take on multi-factor auth -- being that it doesn't apply to 1Password -- and I totally agree, but I'd be surprised if it couldn't be implemented in some way to grant access to the android app. As it is right now I find it really frustrating that I can't use 1pass on my phone on the rare occasion that I need it.

  • We appreciate the feedback. Yubikey integration is a request we see in our forums. While we don’t have any immediate plans for Yubikey integration, I can certainly add your vote in our internal issue tracker for the team to review.

    I hope from this discussion, you understand why we have pasting restrictions in the master password field and why we are trying our best to avoid Android's system clipboard. I will be passing on your feedback explaining your workflow that combines multiple values for the master password on Android. This will help when the team revisits this feature request in the future. Thanks!

  • flipnizzle
    flipnizzle
    Community Member

    I have the same situation as the other posters where my yubikey contains a partial master pass that would be inconvenient to key in by hand. However, it appears that the 1password unlock screen simply disables the android long touch dialogue but still allows input from 3rd party apps/keyboards.

    Therefore, I setup a Keepass2Android Offline database containing my yubikey partial and use K2A's keyboard to paste it into 1password's unlock screen. This works for now, but be sure to count my vote for adding yubikey support to 1password's android app.

  • Thanks for the :+1: @flipnizzle. I'll be sure to mention your use case to the team.

This discussion has been closed.