Feature Request - Disable URL extension ?onepasswdfill=...&onepasswdvault=...
As a developer with a 40+ year career and extensive computer security background, I want to retain control of when and where login IDs and passwords are filled in. I do not want 1Password automatically filling these fields in, I'll copy and paste them myself. DNS hijacking and cache poisoning are rare but a real threat, and if my DNS were compromised it could result in 1Password giving away my login and password.
Therefore I want an option to disable 1Password's behavior of extending URLs with the parameters to the browser plugin. I don't have the plugins installed. Many websites just ignore the parameters, but there are some that attempt to interpret them and return error messages, hence a need for the option to disable this behavior.
1Password Version: 7.2.581
Extension Version: n/a
OS Version: Windows 10
Sync Type: n/a
Comments
-
Hi @jimgarrison,
Thanks for writing in.
We're working on getting rid of that soon, we have it internally working but there are a few things we need to fix for people who do use the 1Password extension.
If my DNS were compromised it could result in 1Password giving away my login and password.
That's not technically possible since none of that data is included in the URL parameters and as long as you don't have 1Password extension installed, it won't be filling anything in.
The IDs you see are item IDs, they do not carry any information encoded. It is only unique to your vault and 1Password extension uses the ID to communicate to the 1Password program to find that item and fill it in.
0 -
That's not technically possible
I realize that without the extension installed nothing will happen.
I brought that up as an explanation of why I consider automatic filling dangerous, and don't WANT to use the extension, ever.
My desire for an option to turn the URL editing off is because it interferes with some websites.
For a real-world example today see this story about a misconfigured Microsoft subdomain.
0 -
I understand but I have to clarify in case other folks read it and thinks the URL is including their data.
For a real-world example today see this story about a misconfigured Microsoft subdomain.
How would you know before you paste the data in manually? That has nothing to do with automatic filling, copying/pasting is the same risk.
1Password extension has many defenses against phishing built in; it does not fill on insecure site, it does not fill on different TLDs if the user has entered the wrong spelling, and more.
0 -
Also, 1Password doesn't do automatic filling with the extension. If you use 1Password extension instead of the desktop program, you have to invoke the extension to fill. Opening a website's login page doesn't get anything filled, you must click 1Password or use shortcut to fill anything. (Go and Fill from the main desktop program does do this but only with the saved URL).
We've been advocating against automatic filling from day one and we were one of the few password manager extensions that were not exposed to the automatic fill security exploits researched a few years ago because our extension does not fill without the user intervention.
In addition, 1Password does not automatically fill if the site itself was compromised and switched to hosting iframes that is serving from other domains, that's part of our anti-phishing defenses.
0
