1Password 7.2 Beta Feedback

Dean Lubaki
Dean Lubaki
Community Member

Hello!

I just wanted to submit my feedback for 1Password 7.2 and the AutoFill integration. It's truly amazing because it integrates everywhere with a password field!

One thing I would like to see, is the ability to search credentials. See, the 1Password overlay from the keyboard "Passwords" button will only see credentials that have a URL matching whatever the app developer decided to have, but sometimes there's a mismatch and being able to search credentials within the 1Password pop-up would be amazing and would make this feature perfect! Also, the search field already shows up when the app has no identifying URL, so why not put it everywhere?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hey there Dean, thanks for the feedback. Glad you're enjoying Password AutoFill! The reason we only show items with associated URLs when we're provided a URL is that we want to err on the side of caution and not let you fill an item that might not be related.

    The reason we show all items when we have no information is because, well, the alternative is for 1Password to be completely useless. 🙂

    I hope this explains a little about the choices we made here. Thanks again!

  • Dean Lubaki
    Dean Lubaki
    Community Member

    Hello @MrRooni
    What if it was an option in the advanced setting menu?

  • It's possible we could do that, but it's unlikely. It's really in our DNA to only show results that match the incoming URL.

  • mhavekes
    mhavekes
    Community Member

    This is the feedback I have as well, ability to search when the app url is not an exact match with the 1Password entry.

    Everything else works absolutely great.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited August 2018

    @mhavekes: As Rooni mentioned, that's pretty unlikely.

    @Dean Lubaki: I'll elaborate a bit more here.

    While you can always search for anything in the main 1Password app, we've always made it so that, when invoking 1Password at a website, it only offers you logins matching that URL, as a protection against phishing. Otherwise you open 1Password at paypa1.com (with a number one), don't see your PayPal login, search for it, and then fill your real paypal.com login credentials at an impostor site.

    That's exactly how it works on iOS, but you might have noticed that in the 1Password desktop apps you can search for whatever you want. The difference is that the 1Password desktop app can open the URL for a login to take you to the correct site; the 1Password mobile apps cannot. So, if the above scenario played out on your computer, even if you were fooled into trying to use your PayPal login at a phishing site, 1Password would not fill it there because the URL didn't match; it would open your PayPal login's saved URL first before filling.

    I hope this helps clarify a bit. Be sure to let me know if you have any questions! :)

  • Dean Lubaki
    Dean Lubaki
    Community Member
    edited August 2018

    @brenty How about showing a red banned notifying that it might be a phishing attempt and to be careful?
    I know you want to take your users by the hand and ensure they do not fall into traps, but you have powerusers too. Please don't become like Apple who's now almost only catering to the average user.
    Just hide the option in the advanced menu AND show the banner, that way you will have taken all the precautions as a company.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited August 2018

    @Dean Lubaki: The thing is, we're not going to let 1Password fill credentials for one site on another. Period. That's bad security, and, security being our business, we can't play fast and loose with it. A banner is not a bad idea, except that it would be meaningless to give the user the option to search but not do anything with the results. As such, the banner would have to include an explanation as to why 1Password is letting you find what you want but not act on it, and that would seem almost spiteful (if such a thing could be said about software) to me. We can't absolve ourselves of responsibility for people shooting themselves in the foot if we're giving people a gun, so we don't offer the gun in the first place.

  • Dean Lubaki
    Dean Lubaki
    Community Member

    I understand.
    @brenty is there a way to send you a DM or something? I have some more questions that do not fit in this thread

  • mhavekes
    mhavekes
    Community Member

    Haven’t thought of that.

    I’ve been using the Mac app as well, when. I match it doesn’t auto fill but I could still copy the password and see the username.

    I understand why this feature won’t be added (but still miss it)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Dean Lubaki: Feel free to start a new discussion in the appropriate category (best guess is fine; we can always move it). And you're welcome to @-mention me. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Haven’t thought of that. I’ve been using the Mac app as well, when. I match it doesn’t auto fill but I could still copy the password and see the username.

    @mhavekes: The same is possible with 1Password for iOS: you can copy and paste passwords anywhere you want. We can't stop you. But we do want to ensure that 1Password isn't squirting our sensitive information where it doesn't belong. Better safe than sorry.

    I understand why this feature won’t be added (but still miss it)

    Can you elaborate? 1Password has never had the ability to show non-matching logins in the extension. But you can find anything in the app, since there's no URL involved, and tapping a URL in a login can take you to that page.

  • mhavekes
    mhavekes
    Community Member

    example:

    • discordapp.com has no entry in my 1password
    • using safari on macOs 10.14 beta and 1password 7.1 Beta 4 for Mac
    • i press command-\ (1password fill-in shortcut)
    • the extension opens with no match but with the searchbar focussed
    • i can search for every login, observe username and copy the password with arrow keys
    • i can easily login even though the website url did not exactly match.

    This is not the same as on iOS of course but i'm used to it and that's why i was missing it.

    is the API for in-app passwords the same as for safari on iOS?
    It might be doable to change this behaviour for apps only. These are heavily checked by apple and scam apps aren't a thing afaik.

    also, the app url might be a subdomain of the actual website url, I'm not sure if 1password matches those in iOS right now.

  • is the API for in-app passwords the same as for safari on iOS?

    It is indeed. We've been discussing this internally and there are some good cases for changing this behavior, but as of right now we're taking a conservative approach.

    also, the app url might be a subdomain of the actual website url, I'm not sure if 1password matches those in iOS right now.

    I believe we do match these correctly.

This discussion has been closed.