Basic Authentication / HTAccess / HTTP Auth [will work using Open and Fill in 1Password X]


Comments

  • chadh
    Community Member

    Like so many others, I registered just to pile on to the +1s here.

    However, I wanted to clear a bit of the FUD I'm seeing around the security of http basic auth. The reason major websites don't use it--and I bet most do, just not to customer-facing pages--isn't because it's insecure. It's because it provides a horrible UX to people...a super glaring and ugly popup that you can't style. But secure? It's as secure as the connection to the server -- if you're using TLS with a semi-modern computer and browser your connection is plenty secure.

  • AGAlumB
    1Password Alumni

    Excellent points, though I will say that while HTTP Auth isn't inherently insecure, every site I've personally seen that uses it is doing so using an outdated SSL protocol — or HTTP. You're totally right about usability, and it really seems like most sites are happy to take advantage of more modern authentication methods when they're using other current web technologies. Support for HTTP Auth isn't something we're working on now, but it definitely helps to get feedback like this and a sense of who's using it. Cheers! :)

  • chadh
    Community Member

    They're not inherently more modern, submitting a login form and returning cookies is pretty old-school too :P

    OAuth & friends are nice because you don't have to carry passwords around, but again it comes down to connection security. If you're not providing a secure connection then your tokens can be stolen just as easily. Anyway, this is getting off-topic. Just glad to know it's (somewhere) on the todo list :)

  • AGAlumB
    1Password Alumni

    Haha indeed. You can bring a horse to transport security but you can't make them drink. Or something. :lol:

  • Qetesh
    Community Member

    I was seriously surprised to notice that 1Password does not support basic auth. Coming from LastPass I took it as a given that it just works and at first thought I stumbled over a bug until I found this thread. I am trying 1Password right now to decide if I should switch to it but as I have to use basic auth a lot in my work environments I am pondering staying with LastPass even though I dislike some other things about it. So please take my +1 on this and consider implementing it. Right now this might be a dealbreaker for me.

  • Thanks for the feedback, @Qetesh. This isn't on the agenda right now, so if it is essential for you then unfortunately 1Password may not be the best solution for you at this time. We will continue to evaluate the use of basic auth and how we might assist there.

    Ben

  • andrewshawcare
    Community Member

    We use a suite of monitoring tools behind our VPN using basic auth. When a production issue hits, the last thing you want to be doing is performing copy/paste operations on various monitoring sites with your password manager. :)

    The product is great, but this does feel like a useful feature and not sure what technical problems might exist in implementing this cross browser... I imagine it might not be trivial.

    In any event, +1.

  • symbiota
    Community Member

    Hi,

    I'm considering moving from LastPass to 1Password. I installed the Firefox plugin and had a quick test with some of my common sites. It looks like you still don't support filling passwords to HTTP authentication-style popup dialogs. And as the dialog is modal I can't pop up the 1P GUI with Ctrl-Alt-\

    Is this still the case (I've seen forum posts from 2015/2016 asking about the same issue, but I assume you haven't fixed this yet)? If so then this is a complete non-starter for me, as a large number of the sites I use daily use popup password dialogs. It strikes me as very odd that a tool designed to manage passwords can't manage passwords in my browser. Without this I won't be moving to 1Password....

    Thanks,

    Neil


    1Password Version: 6.7.457
    Extension Version: 4.6.11.91
    OS Version: Windows 7
    Sync Type: Not Provided

  • jxpx777
    1Password Alumni
    edited October 2017

    Hi, @symbiota. Thanks for your post. I've merged it with the long-running thread about HTTP authentication. I'm sorry to be the bearer of bad news but this is still not supported and not planned for the near future. As important as I understand this feature is to you, our resources are focused on other areas right now. We have to be judicious about how we spend our development time. Right now (and for the last while), that is going to other concerns such as shoring up the connection from the extension to 1Password and improving our form filling logic.

    I'm sorry I don't have better news for you. We do hope to look into this in the future, but I can't say when that might happen.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • AGAlumB
    1Password Alumni

    @syntax53: It comes up occasionally, but as mentioned above our focus is on login filling that benefits all 1Password users. If HTTP Auth is a critical feature for you, then 1Password may not be a good fit, but it's something we'll continue to consider for the future.

  • gsaslis
    Community Member
    edited October 2017

    +1

    (please don't feel obliged to reply. I already know this is not on the upcoming features list, but I'm adding my +1 anyway as a vote of protest :| )

  • AGAlumB
    1Password Alumni

    @gsaslis: I reply not out of obligation, but because I legitimately care. It actually means a lot to us to hear from you in the first place, and you sharing your request is the only way we're going to know that you care about this feature. Not much has changed on this front, as supporting this is different in each browser — and impossible in some cases. We also continue to focus our efforts on filling HTML forms since that's where most people are logging in...but HTAccess is definitely something that's on our minds still. Hopefully we'll have something to share in the future. :)

  • chadwilken
    Community Member

    I use 1Password personally and we have a business account and I am also very surprised that it isn’t supported. I wouldn’t mind it so much but if I allow chrome to manage passwords as well it breaks your chrome extension. Can you either fix that bug or implement this? A lot of our server tools use basic auth and it’s a pain in the ass to have to manually copy and paste the credentials.

  • AGAlumB
    1Password Alumni

    > I use 1Password personally and we have a business account and I am also very surprised that it isn’t supported. I wouldn’t mind it so much but if I allow chrome to manage passwords as well it breaks your chrome extension.

    @chadwilken: Say what? Certainly it can be confusing having passwords saved in multiple places, and potentially trying to fill using both at the same time. But while we recommend against using browser autofill for a number of reasons, many people do anyway without trouble.

    > Can you either fix that bug or implement this?

    Can you tell me what bug you're talking about?

    > A lot of our server tools use basic auth and it’s a pain in the ass to have to manually copy and paste the credentials.

    You may want to check out the beta of the new ChromeOS- and Linux-compatible extension we're developing. We're experimenting with some interesting things there. ;)

  • chadwilken
    Community Member

    @brenty here was my other issue I filed https://discussions.agilebits.com/discussion/comment/397584#Comment_397584. I’ll try the chrome beta plugin.

  • AGAlumB
    1Password Alumni

    Yeah, we definitely can effect change in Chrome. Definitely give the beta a try and let us know what you think. :)

  • AGAlumB
    1Password Alumni

    If HTTPauth is the sole deciding factor for you, that makes sense as it isn't something that is possible in the stable 1Password browser extensions that work with our native apps currently. Take care.

  • walle
    Community Member

    Now that Dashlane has implemented HTTP Authentication, is it not time for you to also implement this?

    ps. I created this account just for this post. ds.

  • AGAlumB
    1Password Alumni

    Certainly there is no perfect solution. HTTP Auth isn't something we can bring to 1Password desktop apps currently, but we're working on other ways of improving things that will help more people in the long run. You may want to check out the private beta for our new Chrome extension though, as we're trying some new things there. Cheers! ;)

  • walle
    Community Member

    I'm looking forward to a solution that also works with synced local vaults.

  • AGAlumB
    1Password Alumni

    @syntax53: That's a bit of a quibble, but it's a fair question. It isn't something we can do with our existing codebase, which predates any browsers allowing for this (and it is also not possible in all browsers anyway).

  • AGAlumB
    1Password Alumni

    @walle: We don't currently have plans to make that new extension work with local vaults, as it needs to get the data from somewhere. So what it's doing is getting data directly from 1Password.com, which obviously won't work with local vaults. We also do not have native apps (and cannot, in some cases) on the platforms we're targeting with that.

  • walle
    Community Member

    I'm already aware that the new Chrome extension is cloud only. All I ask for is a solution that works with synced local vaults. If you want to do it by updating the current extensions for the client app or develop new extensions or whatever is up to you. Adding support for at least some browsers (eg. Firefox & chrome) is better than nothing. If your competitors can do it, so can you. I believe in you guys! ;)

  • AGAlumB
    1Password Alumni

    Right, but what I'm saying is that there's a reason it only works with 1Password.com: there's nowhere for the extension to get the data from otherwise. The competition is also using this approach, so I'm not sure what point you're trying to make.

  • ingulsrud
    Community Member

    +1 and proxy for +6 votes for HTTPS Basic Authentication support in the native apps and browser extensions.

    Just got a roomful of devs to pay for 1Password Teams and they are not happy learning that 1Password has no plans to free them from manually copy-pasting into so many of their test realms.

    1Password 7
    Version 7.2.4 (70204001)
    Google Chrome extension Version 4.7.3.90

  • AGAlumB
    1Password Alumni

    @ingulsrud: Given the last post on this topic was in 2017 -- well over a year ago -- I don't think I could really make a case for us going back to try to implement this across a bunch of different browsers, many of which don't even have APIs to facilitate the feature. Sorry. :blush:

    However, it may interest you to know that there is basic (pun intended) support for this in 1Password X: if you do Open and Fill from the 1Password X browser toolbar button, it will submit the login credentials via HTTPauth when loading the page. Cheers! :)
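
Added example, not part of the thread and not 1Password's code: it illustrates the point made earlier that Basic auth is only as secure as the connection, and the kind of check a filler can apply before answering an HTTP auth challenge. The `details` shape is assumed to mirror the WebExtensions `webRequest.onAuthRequired` event; `decideFill`, `SAMPLE_VAULT` and the host names are hypothetical, and the code runs under Node.js.

```javascript
// Added example (Node.js). Vault contents and hosts are constructed.
const SAMPLE_VAULT = [
  { url: 'https://grafana.example.internal/', username: 'ops', password: 'constructed-secret' },
];

// RFC 7617: the credential is base64("user:pass"). That is an encoding,
// not encryption, so confidentiality comes only from TLS underneath.
function basicAuthHeader(username, password) {
  if (username.includes(':')) throw new Error('username must not contain ":"');
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// What the server, or anyone reading a cleartext connection, recovers.
function decodeBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':'); // split at the first ':'; passwords may contain more
  return i < 0 ? null : { username: text.slice(0, i), password: text.slice(i + 1) };
}

// Attempts per request, so a rejected credential is not resent in a loop.
const attempts = new Map();

// Decide whether a saved login may answer an HTTP auth challenge.
function decideFill(details, items) {
  const url = new URL(details.url);
  if (details.isProxy) return { fill: false, reason: 'proxy challenge' };
  if (String(details.scheme).toLowerCase() !== 'basic') {
    return { fill: false, reason: 'unsupported scheme' };
  }
  if (url.protocol !== 'https:') return { fill: false, reason: 'no TLS' };
  const n = (attempts.get(details.requestId) || 0) + 1;
  attempts.set(details.requestId, n);
  if (n > 1) return { fill: false, reason: 'credential already rejected' };
  // Exact origin match (scheme + host + port), never a substring or suffix match.
  const item = items.find((it) => new URL(it.url).origin === url.origin);
  if (!item) return { fill: false, reason: 'no item for origin' };
  return { fill: true, authCredentials: { username: item.username, password: item.password } };
}

console.log(decideFill(
  { requestId: 'demo-1', scheme: 'basic', isProxy: false, url: 'http://grafana.example.internal/' },
  SAMPLE_VAULT
)); // cleartext URL: refused
```
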

This discussion has been closed.