Copy & Paste vs. Browser Extension

Which is the safer of the two and why?

Right now I copy from the Mac app and paste the password into the webpage. I do this because I feel it's safer than browser integration. From my research, some say that copy to clipboard is more vulnerable.

I'd love to get a quick education on this.




  • bundtkate

    Team Member

    Hey, @ohreally! I must give credit where it's due as much of this was adapted from a wonderful comment from our very own Jamie Phelps on a recent blog he authored about the 1Password extension.

    There's a lot going on behind the scenes with the 1Password extension to ensure it's safe to use. Let's say you're filling your forum login. The extension will read the webpage and see that you're on the sign-in page for the forum and that it needs a username and password to fill. It doesn't store any of your 1Password data and doesn't know what to fill yet, so it will send a message to the 1Password app letting the main app know what page you're on and what fields need to be filled. 1Password will check with our form filling brain to find the proper credentials (you can learn more about Brain here, if you're interested). The app will then send the proper credentials along to the extension, which then fills them in the right spot.

    The extension also encrypts this data while it's in transit between the app and the extension to combat snooping and spying. The first time 1Password connects to the extension, you'll see an authorization window pop up with a code in it, as well as a code in your browser. You will then confirm that both codes match before 1Password will talk to the extension at all. This tells 1Password that it is actually communicating with the extension and not a third-party process intercepting their communications. At this time, 1Password and the extension also exchange a secret. On subsequent connections, they both verify that the other has that same original secret and use it to construct an encryption key. That key is then used to encrypt each message between the extension and 1Password. This makes it really hard to spy on your data, whereas a malicious process on your computer can easily read the plain text on your clipboard.

    The extension also has some additional security features baked in, which is what I think really makes it win out over copy and paste. It checks the code signature of your browser to make sure it matches the code signature reported by the browser's developer. This confirms that the browser is what it claims to be instead of relying on us humans to detect potentially malicious imposters. Similarly, the extension checks to make sure the URL of the webpage you're asking it to fill on matches the URL associated with your login item. This is to combat phishing websites. Phishing websites can look exactly like the websites you log in to every day and some will even display a proper URL in your browser, but the extension can see through their façade and will refuse to fill, hopefully giving you pause and leading you to reconsider entering your login credentials. Even the most careful among us can still be fooled, so I like having the 1Password extension to watch my back.

    Of course, you've probably noticed that many extensions are able to read the webpages you access, which would allow them to read both what the 1Password extension fills and what you pasted into your browser. Of course, Chrome and other browsers will tell you what permissions an extension needs before you install it, allowing you to choose whether you trust any given extension with the information it will be able to access. This is one instance in which we must still rely wholly on our own judgment, so whether you give the extension a try or stick with copy and paste, make sure that you stay safe and only install software you trust.

    I hope this effort at (somewhat) quick education was helpful and informative, but if you have additional questions about the extension and security, let us know. If I don't have an answer, I'm sure others would be happy to discuss further. :chuffed:
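The reconnect step described in the answer above, sketched as an added example that is not part of the original post and is not 1Password's code: both sides prove they hold the pairing secret, derive a per-connection key from it, and encrypt the fill message. The use of HMAC-SHA256, HKDF and AES-256-GCM, the wire layout and every function name are assumptions made for illustration.

```javascript
// Added illustration only; not 1Password's protocol. HMAC-SHA256, HKDF and
// AES-256-GCM are assumed choices. All values below are constructed.
const crypto = require('node:crypto');

// Proof of holding the pairing secret, bound to a role label and both nonces
// so one side's proof cannot be replayed or reflected as the other's.
function proof(secret, role, nonceApp, nonceExt) {
  return crypto.createHmac('sha256', secret)
    .update(role).update(nonceApp).update(nonceExt).digest();
}

function verifyPeer(secret, role, nonceApp, nonceExt, claimed) {
  const expected = proof(secret, role, nonceApp, nonceExt);
  return claimed.length === expected.length &&
    crypto.timingSafeEqual(claimed, expected);
}

// Fresh key per connection: the long-term secret never encrypts traffic directly.
function sessionKey(secret, nonceApp, nonceExt) {
  const salt = Buffer.concat([nonceApp, nonceExt]);
  return Buffer.from(crypto.hkdfSync('sha256', secret, salt, 'fill-channel', 32));
}

// Wire format (assumed): 12-byte IV | 16-byte GCM tag | ciphertext.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function unseal(key, wire) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, wire.subarray(0, 12));
  d.setAuthTag(wire.subarray(12, 28));
  return Buffer.concat([d.update(wire.subarray(28)), d.final()]).toString('utf8');
}

// One reconnect after pairing: each side sends a nonce, proves the secret, then fills.
function reconnect(appSecret, extSecret) {
  const nonceApp = crypto.randomBytes(16), nonceExt = crypto.randomBytes(16);
  const extProof = proof(extSecret, 'extension', nonceApp, nonceExt);
  if (!verifyPeer(appSecret, 'extension', nonceApp, nonceExt, extProof)) return null;
  const appProof = proof(appSecret, 'app', nonceApp, nonceExt);
  if (!verifyPeer(extSecret, 'app', nonceApp, nonceExt, appProof)) return null;
  const wire = seal(sessionKey(appSecret, nonceApp, nonceExt), '{"password":"constructed"}');
  return { wire, filled: unseal(sessionKey(extSecret, nonceApp, nonceExt), wire) };
}
```

A process that never took part in pairing holds a different secret, so `reconnect` returns `null` for it, and any modification of a sealed message makes `unseal` throw instead of returning altered credentials.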

  • @bundtkate I think I love you. Thank you for this in-depth answer. Above and beyond - thank you so much. This definitely eases my concerns.

    Have a good day!


  • Greetings @ohreally,

    We're happy to hear @bundtkate was helpful :smile: If you have any other questions please don't hesitate to ask.

  • Hi BundtKate-

    Thank you for this explanation. It's very reassuring. You wrote:

    "...the extension checks to make sure the URL of the webpage you're asking it to fill on matches the URL associated with your login item. This is to combat phishing websites."


    Would there be any benefit to also checking the certificate for the website? To ensure it's legit, matches, isn't revoked?

    I ask because I just clicked on a link within an email. Which we're not supposed to do. (Enter it manually, right?) Then I used 1Password to fill in the login form details.

    So... I was wondering if there's any way for a phishing site to fool me, even if it's using HTTPS (TLS). Like MITM or DNS poisoning or any of the other security warnings that I don't really understand.

    Thank you, Jason
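The URL check quoted above, sketched as an added example that is not part of the thread and is not 1Password's matching logic: the page's URL is parsed and compared component by component with the one saved in the login item, so lookalike addresses are refused. The rule used (same scheme, exact hostname), the function names and every URL are assumptions constructed for illustration.

```javascript
// Added illustration; not 1Password's matching logic. The rule used here
// (same scheme, exact hostname) is an assumption. All URLs are constructed.
function fillDecision(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: 'unparseable URL' };
  }
  // Compare parsed components, never substrings: "contains the saved host"
  // is exactly what lookalike URLs are built to satisfy.
  if (page.protocol !== saved.protocol) {
    return { fill: false, reason: `scheme ${page.protocol} differs from saved item` };
  }
  if (page.hostname !== saved.hostname) {
    return { fill: false, reason: `host ${page.hostname} is not ${saved.hostname}` };
  }
  return { fill: true, reason: 'scheme and host match saved item' };
}

const SAVED = 'https://forum.example.com/login';
const PAGES = [
  'https://forum.example.com/login?next=%2F',      // the real sign-in page
  'https://FORUM.EXAMPLE.COM:443/login',           // same host after normalisation
  'https://forum.example.com.signin.test/login',   // saved host used as a subdomain label
  'https://forum.example.com@signin.test/login',   // saved host placed in the userinfo part
  'https://forum.ex\u0430mple.com/login',          // Cyrillic "a" homoglyph
  'http://forum.example.com/login',                // right host, downgraded scheme
];

function audit(saved, pages) {
  return pages.map((p) => ({ page: p, ...fillDecision(saved, p) }));
}

for (const r of audit(SAVED, PAGES)) {
  console.log(r.fill ? 'FILL  ' : 'REFUSE', r.page, '-', r.reason);
}
```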

  • jxpx777 Code Wrangler 1Password Alumni

    @jasonosgood Generally, the browser should be responsible for enforcing and certifying the validity of the HTTPS connection. Doing this in the browser extension would be extremely slow and extremely easy to get very wrong.

    If you're concerned about MITM or other such considerations, I would recommend using a VPN or other extra safety measure on the networks you don't trust. If you are dealing with a compromised CA such as what happened with Diginotar or the Superfish adware debacle, then no amount of validation is going to help because your system has been instructed to trust the guy that you shouldn't be trusting, so by all appearances everything is A-OK.

    It's not exactly relevant to the browser extensions, but this is one of the design features of the service, i.e. we designed the service to only rely on the integrity of the HTTPS connection the first time you talk to the server. On subsequent uses, 1Password uses secure remote password to mutually validate the identity of the remote server and encrypt each request in a way that does not rely on the integrity of SSL/HTTPS/TLS.

    All of this talk about the browser extension and how it improves over copy and paste is making me think it would make for a great blog post standing on its own. Thanks for the nudge! :chuffed:

    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • thank you for this @jxpx777 :)

  • jxpx777 Code Wrangler 1Password Alumni

    My pleasure! :chuffed:

This discussion has been closed.