1Password Paste master password

yurd
yurd
Community Member

I just updated my 1password app, and while the old app allowed me to long-press on the master password field and paste a password, the new (to me) app vibrates on a long-press, but the option to 'paste' never comes up.

Please assist. My master password is too long to type in full on my phone. I am trying to use NFC to pass part of the password (via the clipboard.)

Thanks

«1

Comments

  • saad
    edited January 2015

    Hey @yurd. The option to paste in your master password does not exists in 1Password 4 for Android. We don't recommend using the Android clipboard for storing your master password. For additional information about the Android clipboard (and an upcoming feature), please have a look through this blog post. Let me know if you have any questions.

  • yurd
    yurd
    Community Member

    I understand that using the clipboard isn't recommended. However, the 'paste' function isn't actually the security risk, the way I understand it. At that point data is already in the clipboard.

    Do you have any solutions to using 1password on android w/ a yubikey & yubiclip?

  • RichardPayne
    RichardPayne
    Community Member

    @yurd you've missed the point. You shouldn't allow your master password to enter the clipboard at all.

  • yurd
    yurd
    Community Member

    Respectfully, I disagree.

    I'm not allowing my whole master password to enter the clipboard, just the part of it that I don't know. Again, though, allowing the COPY function FROM 1password is the security risk issue -- as opposed to allowing the PASTE function TO 1password.

  • Thanks, @yurd‌. We appreciate your feedback. I've forwarded your suggestion to allow pasting in the Master Password field to our developers. This is an option in other platforms, so we'll take a look into it to see if we can achieve some cross-platform uniformity in this regard. Cheers!

  • RichardPayne
    RichardPayne
    Community Member

    I'm not allowing my whole master password to enter the clipboard, just the part of it that I don't know.

    ok, so you're putting 50% of your master password at risk making a cracking attempt much more feasible.

    Again, though, allowing the COPY function FROM 1password is the security risk issue -- as opposed to allowing the PASTE function TO 1password.

    I don't disagree that copying out from 1Password is a risk. That is why I don't use 1Password on Android for high value logins, and I won't until I get Lollipop and can use the direct fill capabilities.
    None of that has any bearing on the security of pasting in your master password. They are both insecure.

  • This is something we're going to have to consider on our end, because it is possible to paste into the Master Password fields on other platforms. As I understand it, if portions of the password are pasted into the field out of order, it can lessen the chance of being intercepted by a keylogger. However, the danger with Android is that the clipboard is no man's land.

    Generally, we avoid the clipboard at all costs, and steer clear of encouraging 1Password users to store anything in the clipboard. This is the main reason behind why we're only allowing in-app filling on Lollipop, which doesn't require use of the clipboard.

    That said, I've discussed the subject with our developers, and they're going to look into it. Whether we'll allow the pasting function isn't clear, but it's under consideration.

  • yurd
    yurd
    Community Member

    With Lollipop I'd imagine that the same yubiclip app could be re-written to utilize the in-app filling as well.

  • Hey @yurd. Our developers are currently considering implementing TOTP in a future update, though we would most likely avoid automating any use of the clipboard.

    That said, I'll add your vote for TOTP support. :)

  • yurd
    yurd
    Community Member

    Isn't that more of an authentication mechanism than decryption, though?

  • RichardPayne
    RichardPayne
    Community Member

    Isn't that more of an authentication mechanism than decryption, though?

    Yes. It's support for generating TOTP for authenticating to third-party websites.
    Personally I've never seen the point. The whole point of 2FA is that the two factors are not stored together.

  • yurd
    yurd
    Community Member

    I would say that the whole point of multi factor auth is that the factors are from different bands/mechanisms/whatever-the-word-is. Something you know, something you have, something you are. (the last one being very scary). I don't see how storage is related.

  • RichardPayne
    RichardPayne
    Community Member

    because if someone cracks you vault (using a key logger to grab your master password for example) then they instantly have access to both factors for all of your logins.

  • I think I may have misunderstood the original question. I'm not very familiar with Yubikey or Yubiclip, but my understanding of the two apps is that Yubikey allows you to store 2FA credentials, while Yubiclip automates copying those credentials to the clipboard.

    While we are hoping to add 2FA at some point, I'm not sure how relevant Yubiclip would be since we don't automate use of the clipboard. Any pasting we allow in the Master Password field (if we decide to allow pasting there) would not be automated, and would require the user manually copying to the clipboard.

    Likewise, if we do implement TOTP, we will not automatically add those to the clipboard either. We prefer to leave any use of the clipboard up to the user.

    If I've misunderstood the question, please let me know. Thanks!

  • yurd
    yurd
    Community Member

    Ahh, sorry for the confusion.

    Yubikeys allow for static passwords to be stored and retrieved (as well as a handful of 2fa style options). My master password is a combination of an extremely long string of characters from the yubikey coupled with a passphrase that only I know.

    The yubiclip app just takes the input from the yubikey via NFC and sticks it in the clipboard.

  • With Lollipop I'd imagine that the same yubiclip app could be re-written to utilize the in-app filling as well.

    So, if I understand correctly, you're wondering if Yubiclip could be altered to use the same type of filling that we use, instead of clipboard automation?

    If that's the case, then I suppose it's possible. I recommend contacting their customer support to let them know that there's a more secure alternative to copying to the clipboard. :)

  • yurd
    yurd
    Community Member

    I don't have Lollipop (yet?) so currently I'd still really appreciate being able to paste the clipboard into the master password field.

    However, yes, in the future, I was saying that I expect that the app could be altered to just use the app filling ('intent'?). I know that neither Agilebits, nor Yubico, would likely create this specific of an app, however Yubico's stuff is usually open source for developers, so I can always hope that someone will see a need and take the reigns.

    Accessing my 1P database on my phone isn't the most important thing in the world, but it would be very nice at times.

  • I see. Thanks for the feedback! Currently there's no way to paste into the master password field, even with Lollipop. I apologize for the inconvenience there.

    In the meantime, I recommend setting up a PIN code to make logging in painless.

    Furthermore, we've added in-app filling in our latest beta version, which I believe will make it far easier for you to use 1Password on your Android. :)

  • yurd
    yurd
    Community Member

    I saw a TOTP announcement today that may give me what I need. I haven't looked into it yet.

    I was unaware of the PIN capability, but it still doesn't get me into the database the first time.

    Thanks for all the attention you've given this thread.

  • No problem, @yurd! I'm happy to help. :)

    Enabling a PIN code won't prevent you from ever entering your Master Password, but it will at least make it easier.

    Please let us know if you have further questions. Thanks!

  • darrenpmeyer
    darrenpmeyer
    Community Member

    I have a physical password management device that works over NFC, and it stores my 1Password Master Password. I can use this device on 1Password Mac and Windows without problem, but the Android app appears to block me from pasting a master password.

    Since apps that prevent pasting a password are a frustration for 1Password users as well, I'm surprised that you seem to have decided that pasting into your master password field couldn't possibly be valuable to anyone.

    As it sits, the $10 I spent on the Android app is pointless because of this "feature". Is there any way to disable this?

  • peri
    edited February 2015

    Hi @darrenpmeyer. Thanks for contacting us with your feedback! I went ahead and merged your thread with this one of the same topic.

    Currently, 1Password 4 for Android does not allow pasting into the master password field. This decision was previously made due to our security concerns regarding the clipboard on Android. We strongly recommend against copying your master password to the clipboard, or storing it in a third-party app.

    That said, I've forwarded this request to our developers for their consideration. They're currently looking the possibility of pasting into the master password field, to be consistent with 1Password on other platforms.

    Please let us know if you have any other feedback.:)

  • Jakob241352
    Jakob241352
    Community Member

    I've got a long password which is carried by a yubikey and a short one which is memorized. Together they form my master password. This is working fine on my mac and windows computer. On Android, the password from the yubikey is transferred via nfc to the phones clipboard. My problem is, that i can't paste the password from the clipboard into 1password. It's working fine, when i'm using another passowrd manager like OneSafe.

    Inside the app it's possible to paste from clipboard. But it's not possible to paste the master password from the clipboard. Is it a bug or a missing feature?

  • Hey @Jakob241352. Thanks for getting in touch with us! I've merged your thread with this thread on the same subject. :)

    There is currently no option to paste into the master password field in 1Password 4 for Android. This is due, in part, to the security risk that the clipboard poses, and our desire to prevent master passwords from ever being stored on the clipboard.

    However, we do understand that some users would like the option to paste in their master passwords piecemeal, and I have forwarded this request to our developers for their consideration. There are security implications to allowing pasting into the master password field on Android that will need to be assessed.

    Thanks for the feedback, and let us know if you have any other questions!

  • RichardPayne
    RichardPayne
    Community Member

    @peri here's an idea. You allow pasting but put in a custom validater that will only accept the password if at least some of it was typed. When a paste occurs, store the pasted text and on submit, if the MP is equal to the stored paste text then disallow.

  • That's a great idea, Richard! I've just forwarded this to our dev team. :) Thanks!

  • yurd
    yurd
    Community Member

    IMO, the validator suggestion above isn't a great idea. It just adds to the issue at hand.

    1Password and agilebits cannot stop me from putting whatever text I want into my clipboard -- it can only stop the 1Password app from utilizing the clipboard. I understand the security concerns of disallowing copying from the 1Password app. I do not understand any valid reason for disallowing the paste function though.

  • RichardPayne
    RichardPayne
    Community Member

    but why would you put your master password in the clipboard if you can't use it?

  • Indeed, 1Password can't stop customers from using the clipboard. However, to prevent people from copying their master passwords to the clipboard, the decision was made to disallow pasting into that field.

    If pasting into the master password field were possible, then there would be the risk of sniffers obtaining peoples' master passwords from the clipboard, which we definitely wouldn't want, and why this is still something we'll need to assess thoroughly.

  • yurd
    yurd
    Community Member

    I think I'm missing something. What currently stops a 'sniffer' from pulling master passwords from the clipboard?

This discussion has been closed.