Prevent saving passwords in browser
Hello,
We're currently using 1Password Business.
We want some users to only "use" the provided information, so they should not be able to see the passwords in that Vault.
After changing the permission to only "Show Vault" the users cannot see the password in the Vault.
But after installing the Chrome browser extension the users still get a prompt to save the passwords in Chrome.
We know that we can force this through a GPO because we're using a Microsoft Windows network.
But, are there any plans to remove/disable the browser option to save passwords while 1Password is installed?
There are also other ways to recover the password, but it'll become a lot harder if this option can be turned off through 1Password itself.
Thanks in advance.
Greetings,
Serhat
1Password Version: 6.8.534
Extension Version: 4.7.1.90
OS Version: Windows 10 1709
Sync Type: Not Provided
Comments
-
Hi, Serhat. Thanks for your post. Chrome does have an API for disabling the password saving features of the browser, but right now 1Password does not utilize it. I looked at it just now and for starters, it would require us to request a new category of permissions in the Chrome extension, and this results in disruption and confusion for users because when new privileges are requested, the extension is disabled for the user so they have a chance to review.
We haven't seen a great many requests for this yet, so for now, we're reluctant to add new permissions and go through this pain again unless this becomes a widely requested feature. My guess is that the organizations that need this feature will also have other group policy in effect and can configure things from that angle, but I'm willing to be wrong about that. :)
Even if we do go the route of asking for the new permissions, there would be user experience concerns to address and balance against what the account owner might desire. So, for instance, if I am a user in your Business account that requires the Chrome password manager be disabled but I am storing my personal passwords there, then that could become a problem. If 1Password disables the password manager in Chrome, should the user be able to reenable it or should 1Password continually disable it? (It's true that we recommend disabling the browser's password manager, but we don't require it at this time.) What happens for a user that has multiple 1Password accounts? If the user is using 1Password X, then we can at least understand the situation, but the desktop app's extension does not have this information. Would 1Password or Chrome even be able to inform the user of why the password manager was disabled or give a good experience when the user visits the password saving preferences in Chrome? What happens if the user has another extension that looks to re-enable the password manager in case it gets disabled? Who gets to resolve that conflict? (I don't know of one, but I can see the possibility that one could exist.) These are just a few thoughts off the top of my head about how we would need to balance such an experience to give the right mix between what account owners might want and what users expect in their browser.
That's a long-winded answer, but I wanted to show that we have really given this some thought and outline a few of the questions that would need to be answered before we went down the road of disabling the password manager in Chrome programmatically. For now, we prefer to defer to users on this question. For users, this means deciding whether to allowing the browser to save some of their passwords. At the account owner level, this means either educating your users on the desired practice or enforcing it through group policy.
I hope this helps. Please let us know if we can help further.
--
Jamie Phelps
Code Wrangler @ 1Password
Fort Worth, Texas0
