Feature Request: Mask Any Field

I just noticed (in dealing with a webapp that appears not to handle accidental SQL-injection attacks in passwords gracefully) that 1Password reveals my old password in clear text. See below:

[Image: 5762700407_6c01384e8a_z.jpg]

I see that when a field matches the current password, it is masked with bullets. However, if a field matches a previous password, as is the case with user_pass_confirm, it does not. Seems like including prior passwords in the list of values to mask would be a good idea. Clearly (as I'm posting it here), I don't consider my old password a big liability. But it's the principle of the matter.

Comments

  • khad
    1Password Alumni
    edited May 2011
    Hey battis,

    Thanks for asking about this. I can certainly understand why this would appear like a security problem or bug, but please keep in mind that no one has access to your 1Password data without your master password. Sometimes we can forget that no one else has the master password to our data since it "flows" so quickly from our fingertips. :-)

    I renamed the thread to reflect what I believe to be the actual issue. The data itself is securely encrypted, but not all fields are masked in 1Password's interface once it is unlocked. You can toggle the display of the fields which are specially marked as "passwords" (View > Conceal Passwords), and 1Password makes every attempt to mark the correct fields as such. However, sometimes you will need to mark the field manually. You can do this by editing the item and placing a checkmark in the password column for the proper field.

    [Image: 20110527-q1j7di2f3b88257iaqgkjy2cp5.png]

    At this time, 1Password only allows a single field per Login to be designated as the password field, so I would encourage you to save the actual login form rather than a sign up form (which will often include a second "password" field to confirm the entry of the first).

    I hope that helps explain the situation, and the suggestion to allow the masking of arbitrary fields (in addition to the encryption already in place for them) is one we are looking into for a future update. Please let me know if you have any additional questions or concerns.

    Cheers,
  • battis
    Community Member
    khad wrote:

    At this time, 1Password only allows a single field per Login to be designated as the password field, so I would encourage you to save the actual login form rather than a sign up form (which will often include a second "password" field to confirm the entry of the first).

    Khad, thanks for the tip -- I agree that your renaming of the thread better matches the problem. But I would go a step further: automatically mask any field that contains an item in that Login's password history. Since 1Password automatically saves signup forms -- and since it's smart enough to apply that data to login forms accurately -- I'm not terribly inclined to go back through all my logins and update them one at a time.
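
The masking rule proposed in the comment above, sketched as an added example; it is not part of the thread and not 1Password's code. `LoginItem`, every field name except `user_pass_confirm`, and all values are constructed, and "contains an item in the password history" is assumed to mean an exact match.

```python
from dataclasses import dataclass, field

MASK = "\u2022" * 8  # fixed width, so the mask does not reveal the value's length


@dataclass
class LoginItem:
    """Hypothetical model of a saved Login (not 1Password's data format)."""
    fields: dict                 # form field name -> saved value
    password_field: str          # the one field designated as the password
    password_history: list = field(default_factory=list)  # earlier passwords


def values_to_mask(item, use_history=True):
    """Current password plus, optionally, every previous password."""
    values = {item.fields.get(item.password_field, "")}
    if use_history:
        values.update(item.password_history)
    values.discard("")  # an empty entry must not mask every blank field
    return values


def display_fields(item, conceal=True, use_history=True):
    """Return the field values as the unlocked UI would show them."""
    if not conceal:
        return dict(item.fields)
    secrets = values_to_mask(item, use_history)
    return {name: MASK if value in secrets else value
            for name, value in item.fields.items()}


# Constructed sample: a saved sign-up form whose password was changed later,
# so the confirmation field still holds the previous password.
SAMPLE = LoginItem(
    fields={
        "user_login": "example_user",
        "user_pass": "n3w-correct-horse",
        "user_pass_confirm": "old'pass--word",
        "user_email": "",
    },
    password_field="user_pass",
    password_history=["old'pass--word", ""],
)

if __name__ == "__main__":
    for label, hist in (("current password only", False), ("with history", True)):
        print(label, display_fields(SAMPLE, use_history=hist))
```

With `use_history=False` the sample reproduces the behaviour reported in the first post: the field matching the current password is masked, `user_pass_confirm` is not.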
  • khad
    1Password Alumni
    I'll pass this along to the developers to see what we can do in the future! Thanks for the additional feedback. :-)
This discussion has been closed.