[Feature Request] Ability to fill website login using login info of different website

netname
netname
Community Member
edited March 2018 in 1Password in the Browser

Problem: Currently, the only time that we have the ability to fill is if domain matches the domain meant for that particular login info.

Like this (example):

However, when I search for another login (used for another site) to use for this domain, we are only prompted with the "Go" button. "Fill" button is missing!

Like this (example):

Request: Allow us to "fill" the login information for the current website that we are on, with login information of another website that we manually search for.

Why?:

  • LastPass has this ability
  • I do realize that we have the ability to add multiple domains/websites into one login, but sometimes we need to use a cross-login one-off
  • Easy to use for unified login systems (Okta, OAuth, Google Login, Facebook Login, etc)
  • Organizations with hundreds of internal/intra web addresses with different domains
  • Logging into websites that do not have a domain, but users access using direct IP
  • Copy and Pasting is not convenient

1Password Version: Latest
Extension Version: X
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • Welcome back @netname, and thank you for your suggestion.

    I know you won't be surprised to hear our reason why 1Password doesn't fill across domains: it's a security risk. It's our responsibility to help you detect and avoid phishing sites, and not let you fill them accidentally. And even if you don't need our help, we also don't want to write code paths which a rogue site could activate to force-fill your passwords. These problems aren't hypothetical; both have affected other password managers before, and we've prevented them by being too careful by default.

    At the same time, I get the pain points, and you've articulated them well: sometimes you know better than 1Password and you just need to fill a password. And some unified login systems are impossible to use without cross-domain filling. We do our best to support the most common ones, and if you find a site where you aren't able to fill your SSO credentials, please let me know so we can look into a fix.

    For my part, I don't believe this feature is impossible to implement safely, and I'd like to have it for the same reasons as you. But it will take more thought and work than just adding a "fill" button to each item.

    As always you make a thorough and hard-hitting argument for why 1Password should have this feature. I really appreciate the effort and detail you put into your feedback, and I hope we can ship some releases which will really impress you. :)

    Mitch

  • netname
    netname
    Community Member

    The reasoning makes sense. It's good to hear that security is always a priority (even as a trade off for convenient features).

    Thanks

  • matty666
    matty666
    Community Member

    I too would love this feature, it's one that I miss having migrated from other password managers. I fully understand about the security implications and support your wishes to prevent people falling for phishing attacks. However, as has been mentioned, sometimes there are legitimate reasons. Wouldn't an 'are you sure you want to do this, the password isn't for this site?' type of message to confirm the action be valid here to support this? You could always make the cross-domain password filling an opt-in feature so most users wouldn't even see anything different, but those of us that want it could enable it?

  • AGAlumB
    AGAlumB
    1Password Alumni

    The reasoning makes sense. It's good to hear that security is always a priority (even as a trade off for convenient features).

    @netname: Thanks for understanding. And also keep in mind that you can manually add multiple URLs to login items if you're sure you want to have 1Password fill there. Cheers! :)

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2018

    I too would love this feature, it's one that I miss having migrated from other password managers. I fully understand about the security implications and support your wishes to prevent people falling for phishing attacks. However, as has been mentioned, sometimes there are legitimate reasons. Wouldn't an 'are you sure you want to do this, the password isn't for this site?' type of message to confirm the action be valid here to support this?

    @matty666: I appreciate you asking, and that's a reasonable question. And, in a perfect world, would be a reasonable solution. But the answer is that's a terrible idea because of human nature. This is like how we all click through EULAs and privacy agreements (also Windows UAC...) without reading them: when you're trying to do something and you're presented with a "cancel" or "okay", this is just getting in your way and you're likely to just click okay to get rid of it. Even if you click "cancel" the first time, we'd essentially be training you to just click "okay" every time after that, since nothing will happen otherwise, and "okay" gets you the result you were aiming for in the first place. So it's riskier than it seems.

    You could always make the cross-domain password filling an opt-in feature so most users wouldn't even see anything different, but those of us that want it could enable it?

    Yep! And that's already supported. If you take the time to explicitly add multiple URLs to a login item (which is quick and a good investment anyway if you're often going to be using those login credentials there), 1Password will allow you to fill on those as well. I hope this helps. Be sure to let me know if you have any other questions! :)

  • matty666
    matty666
    Community Member

    @brenty: yeah I agree that you do get trained to hit ok and carry on without reading the messages, its unfortunate. What I meant by the opt-in part was an advanced settings switch to enable cross domain password filling for advanced users, which would then enable the fill button and are you sure prompt.

    But as you point out, I should probably be less lazy and add the urls to the login... :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty: yeah I agree that you do get trained to hit ok and carry on without reading the messages, its unfortunate. What I meant by the opt-in part was an advanced settings switch to enable cross domain password filling for advanced users, which would then enable the fill button and are you sure prompt.

    @matty666: Yeah, I really don't think we're ever going to do something like that. Thanks for understanding.

    But as you point out, I should probably be less lazy and add the urls to the login... :)

    Hey, I can be lazy with the best of them! The way I look at it though, the pinnacle of laziness is for me to add the URL once so I can just hit the button for the rest of eternity. Much less work for me. :lol:

This discussion has been closed.