How to auto-login in Safari??

The_Prodigy
Community Member

I downloaded 1Password 5 through the website and installed the browser extension.
I also have iCloud keychain activated...

On my iMac when I go to a website where I need to login, first I need to click on the 1Password icon (in Safari task bar) and then I need to click on the 'login'.
Is it possible to immediately login to a website when I visit, without having to click the 1Password icon??
(other password managers DO have this option)


1Password Version: 5.4.2
Extension Version: 4.5.1
OS Version: 10.11.2
Sync Type: Dropbox

Comments

  • Drew_AG
    1Password Alumni

    Hi @The_Prodigy,

    Thanks for contacting us about this!

    1Password doesn't have an auto-fill feature - it will only fill your data when you explicitly tell it to do so (for example, by opening a Login item from the main 1Password app, by selecting the Login item from the 1Password browser extension, or by using the ⌘\ keyboard shortcut in the browser). Because sensitive data is involved, we never assume the user just wants us to do something automatically, so we leave the control in the user's hands. We have more information about that here: Why doesn’t 1Password automatically fill forms when the page loads?

    You can find more details about the different ways to have 1Password fill your login credentials in this page of the user guide.

    I hope that helps, but if you have more questions, please let us know! :)

  • The_Prodigy
    Community Member

    It's a good choice to let the app NOT auto-login... safety wise.
    But, I also think that the user still needs to have the option to turn that on. ;)
    Other password managers have auto-login anyway, so you might as well add that too.
    Besides, if it really was such a safety concern to the users, they wouldn't download competitors' apps that have this option.
    (just warn them about the possible risks of auto-login, and you got yourself covered)

  • Drew_AG
    1Password Alumni

    Thank you for your feedback about that, @The_Prodigy! :) I can't promise if we'll ever add an option for that, but I'd be glad to let our developers know you'd like to have an optional auto-fill feature.

    For now, my best suggestion would be to open Login items from the 1Password app (double-click them in the item list or click on the URL in the item details), as that should open the website and fill your username & password (this should usually work as long as the sign-in form is on the web page that opens, instead of in some sort of pop-up window). Alternately, if you open a website first, simply use the ⌘\ keyboard shortcut to have the 1Password extension fill the sign-in form.

    If you have more questions or need anything else, be sure to let us know - we're always happy to help. :)

  • The_Prodigy
    Community Member

    "I'd be glad to let our developers know you'd like to have an optional auto-fill feature."

    I wasn't only speaking for myself here, I'm pretty sure many many people would like to have the option of auto-fill.
    In my opinion a program developer should always leave it to the consumer whether or not they want to take certain safety-risks.
    However, at the same time a developer should clearly warn the consumer that using the optional feature is at the consumer's OWN risk.
    That way YOU as developers are safe, and the consumers have the freedom to either take the risk, or play it safe by leaving the auto-fill feature (turned off) as it was by default.

  • Drew_AG
    1Password Alumni

    "I wasn't only speaking for myself here, I'm pretty sure many many people would like to have the option of auto-fill."

    You're probably right, and if those people contact us, we'll be happy to forward their requests too! :) In fact, we do occasionally hear similar requests from other customers. We're always happy to forward feedback & feature requests to our developers - that doesn't guarantee the feature will be added, though. We do receive many, many different feature requests from our customers and unfortunately we just can't add them all. When a new feature or setting is added, the decision to do so is based partly on which ones are requested the most, although there are certainly other factors as well.

    We truly do appreciate that you took the time to share your thoughts with us about that! It's how we know what features our customers are interested in, so if you have more feedback, just let us know. Thanks!

  • khad
    1Password Alumni
    edited January 2016

    I've added your vote, @Samplex.

    Automatic autofill is great…for attackers

    Note, however, that as the security document Drew pointed to earlier mentions:

    Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism, lead to an attack where lots of your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.

    David Silver and co-authors in Password Managers: Attacks and Defenses at the USENIX security conference used 1Password as an example of “how to do things right”. We don't normally discuss competitors, but you can see for yourself that no other password manager was mentioned in that positive light.

    The whole problem with these kinds of sweep attacks is that they are invisible to the user. If we provided an option to circumvent this protection, there would almost be no point to providing the protection at all. Folks who circumvent the protection and leave it constantly disabled will be vulnerable at exactly the precise moment when they happen to need the protection. It isn't something you can plan ahead for and just enable it when you think you will need it. It's like wearing a seatbelt: if you don't always do it, then you won't have it when it is critical to have.

    Again from our security document:

    These [attacks] are not just theoretical. Silver and his team demonstrated exactly this against a number of password managers. We should point out that he notified the vendors well in advance and only published his paper after they had a chance to fix the bugs in the anti-phishing mechanisms that were exploited.

    But 1Password was completely immune to these kinds of sweep attacks, even if there had been problems with the anti-phishing mechanism. It was, and is, immune because we never silently fill a form without user intervention.

    I'm not saying we will never add such an option. We have discussed it internally in the past, but there was a huge sense of relief when Silver and his team released their security research. We never added the option, so everyone was and remains protected from these attacks when using 1Password — always.

    For a product like 1Password, it is important that the secure thing to do be the easy thing to do. We are disinclined to provide rope for folks to hang themselves with. But none of this is written in stone. The threat landscape, patterns of usage, and device capabilities change. So while there are no immediate plans to add this, we haven't ruled it out forever.
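
The two gates described in the post above (an anti-phishing check plus explicit user intervention), as an added example that is not part of the original thread and not 1Password's code. It assumes the anti-phishing mechanism is an exact-origin comparison; all function names and URLs are hypothetical.

```javascript
// Added illustration, not 1Password's code. Function names are hypothetical,
// URLs are constructed samples, and the anti-phishing check is assumed to be
// an exact-origin comparison.

// Scheme, host and port must all match the saved login's URL.
function originMatches(savedUrl, pageUrl) {
  try {
    return new URL(savedUrl).origin === new URL(pageUrl).origin;
  } catch {
    return false; // unparsable URL: never fill
  }
}

// Two independent gates. The user-request gate comes first, so a bug in
// `matcher` cannot by itself release a credential on page load.
function decideFill({ savedUrl, pageUrl, userRequested }, matcher = originMatches) {
  if (!userRequested) return 'skip: no user request';
  if (!matcher(savedUrl, pageUrl)) return 'skip: origin mismatch';
  return 'fill';
}

// Counts how many saved logins would be released for a batch of events.
function countFills(events, matcher) {
  return events.filter((e) => decideFill(e, matcher) === 'fill').length;
}

const saved = 'https://accounts.example.com/login';
const pageLoads = [ // constructed: pages opened with no user request
  { savedUrl: saved, pageUrl: 'https://accounts.example.com/login', userRequested: false },
  { savedUrl: saved, pageUrl: 'http://accounts.example.com/login', userRequested: false },
  { savedUrl: saved, pageUrl: 'https://accounts.example.com.lookalike.test/', userRequested: false },
];
const brokenMatcher = () => true; // models a bypassed anti-phishing check
```

With `brokenMatcher` in place, `countFills(pageLoads, brokenMatcher)` is still 0, because nothing is released without a user request.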

  • khad
    1Password Alumni

    Can't add authentication factor to zero authentication

    As for two-factor authentication (2FA), 1Password works through encryption, not through authentication. It can be a subtle distinction outside of cryptography, but it is critical to understanding why 2FA is not something that applies to 1Password. 1Password does not even do one-factor authentication. It does no authentication at all.

    Not all security is created equal

    There are many different ways to secure data, and we have chosen a very specific design for 1Password. This was incredibly intentional and means 1Password is very different from websites and services.

    • 1Password is not a service that you connect to or log in to. Instead it works by keeping your data encrypted and stored on your devices. We have none of your data. This has two big benefits:

      1. Because we have none of your data we can't lose, use, or abuse it, even if we were (compelled to be) evil.
      2. This security architecture means that we don't have an authentication system to defend. Your data is protected through an encryption-only system, without any of the threats that authentication-based systems face.
    • 1Password protects your data using a publicly documented format. It's completely buzzword compliant—authenticated encryption: AES-256-CBC and HMAC-SHA256; key derivation: PBKDF2-HMAC-SHA512—but, more importantly, the format used by 1Password is available for scrutiny by you and the security community at large. You have secrets; we don't. That's why our data format is public. Of course, I can't think of many better ways to show how well 1Password protects your data than by pitting it against the pre-eminent password cracking tool hashcat: Crackers report great news for 1Password 4.

    • 1Password provides end-to-end encryption. Your 1Password data is encrypted on your device and remains encrypted when syncing, so you are not relying on the security of any other service to keep your data safe. 1Password provides its own protection.
    • 1Password provides an option to use your own, private Wi-Fi network to sync. You can sync without using a cloud service like Dropbox or iCloud. No data leaves your own local network. You're in control of your own data.

    But before this turns into nothing more than a sales pitch, let me share some tips for evaluating the security design of an app. This has ramifications for hosted services as well, but it should highlight some of the differences between them.

    You can verify the security of an app by studying the data that it is (1) reading/writing and (2) sending/receiving. First, let's take a look at the latter.

    One cannot accidentally share what one doesn't have

    The data that any application sends and receives is pretty easy to monitor. Some applications even provide a guide outlining all of the network activity you can expect from the application. For an app which doesn't require you to sign in to an online service, network activity can be completely optional.

    In that case, an app that doesn't require a network connection can work entirely by keeping your data encrypted and stored on your devices. If the company making the app has none of your data in any form, you get the two big benefits I mentioned above:

    1. If they have none of your data they can't lose, use, or abuse it, even if they were (compelled to be) evil.
    2. Such a security architecture can mean that they don't have an authentication system to defend. Your data can be protected through an encryption-only system, without any of the threats that authentication-based systems face.

    Does the product, service, or app you are evaluating have a copy of your sensitive data? Do you need to authenticate to a service in order to access your data? These are some good questions to ask.

    Now you don't have to actually be concerned about anyone “turning evil” for such a distinction to matter. If someone has the capacity to do damage, they can do it by accident. If someone does not have the capacity to do damage, then they couldn't do it even by accident.

    No secrets but your own

    “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” — Kerckhoffs’ principle

    The data an application reads and writes is critical to its function. Is its data format publicly documented? Has it been published to benefit from public expert scrutiny? While an individual may not have the necessary knowledge to parse such a tome, it is important that it is available to the security experts who do.

    If you have access to the design of the data format, you can verify that the app uses well-trusted, standard library implementations of cryptographic functions. Cryptographic experts agree: there is no need to roll our own crypto.

    What measures does the app take to slow down cracking attempts? Does the developer have a good relationship with the security community? For that matter, how does the cracking community view the app?

    These are just a few of the sorts of questions you can begin by asking about any security design.

    Authentication vs. Encryption

    I linked to our Authentication vs. Encryption security document earlier in my reply, but I think it bears quoting here, as it is the crux of the difference between 1Password and many other security architectures.

    Encryption-based means that we do not face the kinds of threats that an authentication-based system faces. Most of the following are a consequence of the fact that nothing can decrypt your encrypted data without your Master Password or keys derived from it.

    1. We, AgileBits, are not involved in your use of your data. This makes it far easier for 1Password to ensure Privacy by Design. We not only don’t have access to your data in any form, but we (largely) lack the capability to collect it or your Master Password and encryption keys.
    2. Because 1Password’s security doesn’t depend on gatekeepers, it faces no threat based on subverting those (non-existent) gatekeepers.
    3. Because 1Password’s security doesn’t depend on gates or walls protecting unencrypted data, there is no threat based on removing those (non-existent) walls.
    4. Because 1Password’s security doesn’t depend on authentication, there is no need to strengthen those non-existent authentication processes. In particular, there is neither the need nor possibility for two factor authentication.
    5. If AgileBits were to get abducted by aliens tomorrow, you would still have access to your data since we never store it on our servers.

    Our choice does mean that we have to work harder to enable you to use your data on all of your computers and devices. It also means that there is no password reset mechanism, and that we have to work even harder to bring you more flexible data sharing. We think these tradeoffs are worth it for the security and peace of mind that they provide.

    I hope that helps you make an educated decision about whatever password manager you end up using. It is great that you are thinking about these things. Please do let us know if you have any other questions or concerns. We love discussing this stuff. :)
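
An encryption-only design in the sense described in the post above, sketched with the primitives it names (PBKDF2-HMAC-SHA512, AES-256-CBC, HMAC-SHA256). This is an added example, not 1Password's code or data format; the salt size, iteration count and function names are assumptions.

```javascript
// Added illustration only: NOT the 1Password data format. Salt size and
// iteration count are assumed values; sealItem/openItem are hypothetical names.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor that slows password guessing

// Derive independent encryption and MAC keys from the master password.
function deriveKeys(masterPassword, salt) {
  const okm = crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 64, 'sha512');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32, 64) };
}

// Encrypt-then-MAC: AES-256-CBC, then HMAC-SHA256 over iv || ciphertext.
function sealItem(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16);
  const { encKey, macKey } = deriveKeys(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  return { salt, iv, ct, tag };
}

// There is no login step to bypass: a wrong password derives wrong keys,
// the tag check fails, and nothing is decrypted.
function openItem(masterPassword, { salt, iv, ct, tag }) {
  const { encKey, macKey } = deriveKeys(masterPassword, salt);
  const expected = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) {
    return null; // wrong password or tampered data
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample data: correct password, wrong password, tampered blob.
function demo() {
  const sealed = sealItem('correct horse battery staple', 'hunter2');
  const tampered = { ...sealed, ct: Buffer.from(sealed.ct) };
  tampered.ct[0] ^= 0x01;
  return {
    right: openItem('correct horse battery staple', sealed),
    wrong: openItem('not the password', sealed),
    tampered: openItem('correct horse battery staple', tampered),
  };
}
```

The MAC is verified before any decryption, so a wrong password and a modified file are rejected the same way and no padding error is ever exposed.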

This discussion has been closed.