Basic Authentication / HTAccess / HTTP Auth [will work using Open and Fill in 1Password X]


Comments

  • fnl
    Community Member
    edited February 2017

    There seem to be quite a few threads on the web about this missing 1PW feature (HTTP basic authentication fill-in support, in my case for Firefox on OSX).

    Luckily, the other password managers around are much unsafer (looking at you, Firefox' own password manager, wrt. public WiFi safety...). So a pure convenience feature certainly isn't a deal-breaker, and the anchor function makes copy-pasting the username and then the password a bit less of a PITA.

    But I'd want to add to the voices that this is the #1 missing "convenience feature" in 1Password for me, while I certainly like 1Password for being a browser-independent solution.

  • fnl
    Community Member
    edited February 2017

    @jpgoldberg How safe is the solution you suggest (using the browser's built-in PW manager)? Is it 100% safe to store HTTP basic auth username and password pairs in my browser's PW manager with respect to the dreaded sweep attack (as browser PW managers are not safe against that attack, as your tech team itself advertises [1])? Or could the usual login window be "emulated" as a web-form with Javascript? Because if so, using that solution would actually defeat the first reason for me to pay you guys for a better/safer PW manager...

    [1] https://www.quora.com/Does-1Password-automatically-insert-passwords-like-a-browser-does-or-do-I-have-to-click-on-the-extension-every-time

  • AGAlumB
    1Password Alumni

    @fnl: I wanted to jump in here to say a couple things. First, thanks for letting us know where you're coming from with regard to your interest in 1Password adding basic auth support. I can't make any promises about that, but it does help us to gauge interest and also to get a sense for different use cases.

    Also, I wanted to share my interpretation of jpgoldberg 's comments above. I'll let him jump in and correct me if I misunderstood, but I took it to mean that he's storing primarily passwords for his home network gear in the browser. As he suggested, it's really a matter of personal discretion.

    I think some of your comments get us a bit off topic, so I encourage you to join an existing discussion on filling risks or start a new one on another topic. But suffice to say that one of the reasons that we don't have basic auth support is that these "forms" belong to the browser itself and, in many cases, it isn't even possible for 1Password (or other extensions, web pages, and other scripts) to access them. So the very thing that makes it difficult for 1Password to integrate in the way you're asking also protects you from some classes of filling exploits. I find that fascinating. :)

  • posttoast
    Community Member

    I made an account on this forum just to say that I would very much appreciate this function as well. I understand that this is not on AB's priority list. But I hope that if enough people keep asking for it, it will be.

  • jpgoldberg
    1Password Alumni

    @fnl, I'm sorry for the confusion I seem to have sparked with my "confession". And sorry @brenty for leaving you to clean up after the mess I made.

    The circumstances under which I will use my browser's built-in password manager are exceedingly limited. In addition to it just being for HTTP Basic auth sites, all of these apply:

    1. The "sites" are on a private network and so are not exposed to the Internet at large. You would have to break into my network before you could even try to use one of these passwords.
    2. I do not synchronize such data other than with 1Password. I have very high standards for the security of the synching of password data.
    3. These are relatively low security entities to begin with. (The one exception has since been replaced with something that doesn't require HTTP basic auth).

    So, no, I am not recommending that as general practice.

  • AGAlumB
    1Password Alumni

    @jpgoldberg: Haha no worries. Just don't expect me to clean up after your dogs. :tongue:

  • fnl
    Community Member

    Thanks, both of you - I expected as much, but thought it's worth asking! Well, I fully understand that security goes before comfort, so if HTTP basic auth "one-click-logins" cannot be done securely, so be it. Let's blame the browser manufacturers :-).

  • codeclown
    Community Member
    edited February 2017

    I am with posttoast here, made an account just to post this comment. As cybersmog said, for developers this is a big issue, even if not on your popular sites list. Basic Auth is not used on major websites for obvious reasons (it's not secure). But it is often used in many developer environments. Huge workflow breaker.

    Your lack of interest in this issue is seriously baffling, seeing how many people have posted about it. The amount of people posting is just a marginal amount of people who are affected by it. Not everyone creates an account for this reason (even though with 1Password it's low barrier ;).

    I am sorry for being harsh but your attitude really surprised me, seeing how 1Password in other aspects has been the best password manager I ever tried. Been a happy customer for years. I really hope you reconsider your stance.

  • matthew_ag
    1Password Alumni

    Thanks for understanding @fnl, hopefully in the future we will become less and less reliant on this old system of authentication.

    Best regards,
    Matthew

  • joelgibby
    Community Member

    +1 only created my agilebits discussions account for this very feature .. http auth / basic .. can't tell you how much time I'd save ... 30 mins a day adds up

  • [Deleted User]
    Community Member

    +1. Another one just creating an account to vote for this. ^^

  • khendricks
    Community Member

    Just signed up for the family plan. Was a little bummed out when I realized there was no support for HTTP Basic Auth.

    I do find it very hard to believe implementing this feature wouldn't have a reasonable sized impact on your user base.

    Between the number of your users that are developers and that use legacy web applications...I think this would be a smart move.

  • gdubicki
    Community Member

    +1

  • danemacmillan
    Community Member

    +1

    @jxpx777 That's a fairly bogus claim, considering that nearly all wireless routers use HTTP authentication. I'm talking 2017 here. I have only experienced a single wireless router that does not, and it was by TP-Link. Every other that I connect to uses HTTP authentication.

  • fealXX
    Community Member

    Wow, 3 Years of +1 - wow.

    ...

    +1 ;)

  • arghhhhhhhh
    Community Member

    +1 ... seriously, how many votes will it take? It was already "one of your most requested features" in 2014!!

  • linus9000
    Community Member

    Also +1, as a developer that uses tools relying on Basic Auth (while, admittedly, not that often) I can feel the pain..

  • resnick
    Community Member
    edited March 2017

    @jxpx777 - I am not asking for this as a developer. My company (a large 30,000 employee corporation) uses HTTP AUTH to get into all of our internal corporate websites. As an earlier example showed, ADP also uses HTTP AUTH to access their payroll website. Please stop imagining that this is just for developers. Corporate IT in many companies use this all of the time. It is not seen on commercial externally facing sites like Amazon or Google because they want to control the user experience, but I can assure you that this is widespread.

    I am also not asking for this for Chrome. I use Safari.

    Please add this soon. It is phenomenally frustrating (and a security hole) to have to copy and paste.

  • rr4242
    Community Member

    I have a page which uses basic authentication which has a standard popup for username and password. I can't seem to get 1P to fill in or save passwords for this. If the username/password is not provided in the URL the page shows a standard popup.

    basic authentication = accepts "username:password@hostname" as a URL, but I don't want to use that for obvious reasons.

    How can I make 1P work on this page? Sorry, can't provide the URL - but it is as described above (which is a standard, but old login, used on internet)


    1Password Version: beta latest
    Extension Version: chrome beta latest
    OS Version: Windows 10
    Sync Type: 1P family

  • jxpx777
    1Password Alumni

    Hi, @rr4242. I've merged your thread into another long-running thread about HTTP authentication. I'm sorry to be the bearer of bad news, but this is not something we support at this time. My previous reply is still the most accurate detail of the status of this feature request. Right now, we are focused on a few different things that are more pressing for our small team of Extensions developers. Perhaps some day we will be able to take a look at this, but for now, it's not something we're looking at.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • Amarand
    Community Member

    I realize that this has been discussed before, but the posts that I saw are all very old, so I'd like to get a "fresh" answer from the development team, if I could.

    I use PC (Windows 10 latest build) and Mac (10.12.4 latest), and use Firefox on PC primarily, and Safari on the Mac. Everything's updated, including 1Password app and the 1Password helper. It works fairly well, except for a few quirks.

    One of the quirks I'm posting about today, is 1Password's inability to auto-fill standard HTTP Basic Authentication prompts. Is there a reason why this hasn't been implemented to this point? I realize that there's a chance that the authentication window is stealing focus, and that 1Password can't work around that. (Is that the case?)

    I've seen a few workarounds, and I may end up trying those. Sounds like you can add the username and password into the URL? The connections I use that have this old-school method are all local, so I don't mind sending them in the clear.

    Thanks!


    1Password Version: 6.5.401d
    Extension Version: 4.6.4.b4
    OS Version: Windows 10 v 1607
    Sync Type: Family Account/AgileBits Server

  • AGAlumB
    1Password Alumni

    @Amarand: I hope you don't mind, but I've merged your post with the existing discussion on this feature request. I don't have anything to add over what Jamie has already said on this topic.

    I will say though that adding the username and password to the URL is incredibly insecure, as that will be transmitted in the clear. So generally it's better to simply open 1Password mini (Ctrl Alt \, ⌘ ⌥ \) and copy it from there. That way at least it can be sent encrypted over SSL/TLS when you login. But you're right if you're doing this on your local network that poses less of a risk. Cheers!
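
Added example, not part of the original thread and not 1Password code: what a `user:password@host` URL becomes under HTTP Basic auth (RFC 7617), why the resulting header is only encoded rather than encrypted, and how to strip the credentials from a URL before it is logged or shared. The address, credentials and function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote

SAMPLE_URL = "http://admin:s3cret@192.168.1.1:8080/status?x=1"  # constructed sample

def basic_header_from_url(url):
    """Authorization value a client derives from URL userinfo (None if absent)."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    creds = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")

def decode_basic_header(value):
    """Recover (user, password); base64 is an encoding, so no key is needed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def strip_userinfo(url):
    """Drop user:password@ so the URL can be logged, bookmarked or pasted."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def findings(url):
    """Flag the two exposures relevant to Basic auth for a given URL."""
    parts = urlsplit(url)
    issues = []
    if parts.username is not None:
        issues.append("credentials-in-url")  # URL may be saved or shared with the secret
    if parts.scheme == "http":
        issues.append("no-tls")  # Authorization header is readable on the network
    return issues

if __name__ == "__main__":
    header = basic_header_from_url(SAMPLE_URL)
    print(header, decode_basic_header(header), strip_userinfo(SAMPLE_URL), findings(SAMPLE_URL))
```

The header value is identical whether the credentials came from the URL or were typed into the browser's dialog; only TLS keeps it confidential in transit.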

  • Amarand
    Community Member

    I think I'll just need to figure out a way to have them use actual authentication rather than the "basic authentication" that's tripping 1Password up. The former is actually a form with a submit button, whereas the latter is configured with .htaccess/.htpassword and ends up being placed directly into the URL/GET?

  • shinaio
    Community Member

    +1

    Being a web developer as well I still have to work with basic auth on a daily basis in a lot of projects. I'd be really delighted to see that feature added for Mac/Chrome since this is the main reason why I can't fully convince my co-workers to use 1Password instead of storing all their pwds in their browsers. (Not using basic auth anymore is currently not up for discussion for various reasons.)

  • AGAlumB
    1Password Alumni

    I think I'll just need to figure out a way to have them use actual authentication rather than the "basic authentication" that's tripping 1Password up. The former is actually a form with a submit button, whereas the latter is configured with .htaccess/.htpassword and ends up being placed directly into the URL/GET?

    @Amarand: I may be forgetting one, but I believe that all of the browsers still have a relatively obtrusive modal dialog for basic auth logins. Safari seems to have changed the visual style of this in the latest macOS update, but it still behaves the same. But the basic auth itself is built into the website itself, so it really isn't something that can be worked around apart from copying and pasting from 1Password mini. For example, while websites with problem standard HTML login forms sometimes have others that can be used which just work better with 1Password, I've never actually encountered a website using basic auth that had a separate HTML login form as well.

  • AGAlumB
    1Password Alumni

    +1
    Being a web developer as well I still have to work with basic auth on a daily basis in a lot of projects. I'd be really delighted to see that feature added for Mac/Chrome since this is the main reason why I can't fully convince my co-workers to use 1Password instead of storing all their pwds in their browsers. (Not using basic auth anymore is currently not up for discussion for various reasons.)

    @shinaio: I don't think it has to be all-or-nothing. Storing some passwords in the browser is certainly better than all. But yeah I hear ya. I've got some of these too (though probably less than you), and it's a hassle. It just isn't something we can justify working on right now when there are improvements we can still make that will help everyone else out there who's never even heard of basic auth. But it's good to know specifically that you're using Chrome, as if and when we do tackle this, we'll need to start somewhere. Cheers! :)

  • lstrojny
    Community Member

    @brenty @jxpx777 as a relatively new user of 1Password I immediately found the lack of support for HTTP auth confusing insofar as I was first convinced I would deal with a misconfiguration or a bug. Then I found this thread and the official responses puzzled me. HTTP auth is not going away, quite the opposite, it's likely growing given the wide proliferation as an API authentication method.
    For 1Password's positioning the lack of such a basal feature contrasts the overall maturity quite sincerely. Especially since it is functionality that is likely mostly requested by quite technical users who arguably need the protection of a password manager the most.

  • AGAlumB
    1Password Alumni

    @lstrojny: I disagree that technical users need security any more than anyone else does in this day and age, but I suspect you just meant that they are perhaps more likely to care about security in the first place. I agree that support for legacy HTTP authentication would be useful, but as mentioned previously our priority really has to be things that improve saving and filling for the majority of users. It's something we'll continue to consider, but it absolutely isn't something we can work on right now given the need to keep 1Password working with browsers in general. If we don't put that first, basic auth won't work either.

  • 0x89
    Community Member

    Version 6.8 release notes state that

    The browser extension in Chrome is now using native messaging. Will this increase the possibility to get 1password support for basic auth?

  • AGAlumB
    1Password Alumni

    @0x89: Ah, that's a good question, but no. Native Messaging is just a new means for the browser extension to communicate with 1Password. WebSockets is what we've been using there for years (and still are for other browsers for the time being), and this doesn't impact any of 1Password's capabilities in the browser. Apart from future-proofing the 1Password extension, the only difference users should notice today is less (potentially zero) interference from 3rd party software (such as antivirus/proxy/firewall).

This discussion has been closed.