Autotype/Shortcuts for Name/password

Newsuer22
edited December 2018 in Windows

Greetings,

I want to switch from Keepass to 1Password and registered today for a trial.
First of all I would recommend you to give a clearer/better instruction/comparison what a new user should or can use especially if he/she should use 1Password app and extension or only the 1Password X extension but maybe I missed something.

Now to the questions:

Does the 1Password app have an autotype feature like Keepass for incompatible apps like battle.net and steam?
In Keepass I can open for example steam then highlight the saved login in Keepass and press the shortcut ctrl+v and it autotypes it in steam.

The alternative in Keepass is Ctrl + b to copy the name and Ctrl +c for the password.

From the looks of it in the 1Password app I need to select if I want to copy the password or the name which is one added step in comparison to Keepass.

"Type in Window" doesn't recognize steam nor battle.net app.

But I love the Design of the app it looks great and is not old looking like Keepass.

Unfortunately I don't see me switching if the options are missing that I mentioned especially for the "high" monthly fee vs free.

But maybe I just missed something ?

If not I hope something like this is planned and added while I have the trial active.

Thanks for reading.

Merry Christmas and a wonderful new year to all of you.



Comments

  • brenty

    Team Member

    @Newsuer22: Merry Christmas to you too! :)

    First of all I would recommend you to give a clearer/better instruction/comparison what a new user should or can use especially if he/she should use 1Password app and extension or only the 1Password X extension but maybe I missed something.

    I'm not sure what you're looking for exactly, so it's hard to give you what you're looking for. You can learn more about 1Password here:

    Get to know 1Password X

    And if you have questions about it just let us know. :)

    Does the 1Password app have an autotype feature like Keepass for incompatible apps like battle.net and steam? [...] "Type in Window" doesn't recognize steam nor battle.net app.

    The new 1Password app does not have Auto-Type yet. Instead, it currently has a more basic "Type in window" option, which does not have a keyboard shortcut associated with it, that we'll be building on over time. It works for a lot of standard Windows apps, but tends to have issues with cross-platform toolkits and UWP. It's something we'll be working to address in future updates though. Definitely try right-clicking to select the field to "Type in window", as that will work in many cases, but in others it will be necessary to copy and paste.

    But I love the Design of the app it looks great and is not old looking like Keepass.

    I'm glad you like it. :)

    Unfortunately I don't see me switching if the options are missing that I mentioned especially for the "high" monthly fee vs free.

    While I'd disagree that 3$US is "high", I guess I can't really argue that it costs more than nothing. :)

    But maybe I just missed something ? If not I hope something like this is planned and added while I have the trial active.

    Auto-Type is definitely not something that can be completed within 30 days -- especially during a holiday season. :lol: It is something we want too though, so if it's too much trouble to press Control C/V, perhaps once we're able to add this and other features 1Password will be a better fit for you.

    Thanks for reading. Merry Christmas and a wonderful new year to all of you.

    Likewise, thanks for taking the time to get in touch, and to try 1Password in the first place. I hope you have a wonderful Christmas and New Year! :chuffed:

  • @brenty First of all thank you for your extremely fast response and that on a holiday

    I'm not sure what you're looking for exactly, so it's hard to give you what you're looking for.

    I was looking for a "comparison" for the 1Password App + Extension and standalone extension 1Password X.
    Which isn't mentioned in the "Welcome to 1Password!" secure note.
    That's what I meant with improving the instruction for first time user.
    Your post at https://discussions.agilebits.com/discussion/87652/chrome-store-extension-vs-direct-extention is the information I was looking for.

    While I'd disagree that 3$US is "high", I guess I can't really argue that it costs more than nothing. :)

    I agree that it isn't much that's why I used quotation marks. But I need to figure out for myself if the added value is worth the 3$US.

    Auto-Type is definitely not something that can be completed within 30 days -- especially during a holiday season.

    Definitely agreed. But I have a 6 months trial :) I think it should be feasible in the time, but of course I don't know your priorities etc.

    I have a few general security questions, should I post them here or should I open another thread?

  • MikeT Agile Samurai

    Team Member
    edited December 2018

    Hi @Newsuer22,

    I'm glad you've found what you were looking for and I do agree, we should find a way to make it more visible on our site as a comparison chart. The reason we're not there yet is that 1Password X is still growing up and not yet meant to take over the default 1Password experience with the regular 1Password browser extensions but for many users, it's already there.

    Definitely agreed. But I have a 6 months trial :) I think it should be feasible in the time, but of course I don't know your priorities etc.

    We can't promise anything, we can only recommend that you should only renew based on what 1Password gives you now, not what it could give you in future.

    What you can also do for the moment is keep an eye on our Beta changelog to see our progress here. Scroll down to the first 7.3.602 release to see new changes we're making to 1Password 7.3.

    I have a few general security questions, should I post them here or should I open another thread?

    It is up to you, we can easily split the specific posts into a new thread if we think it should be in a new thread.

  • MikeT Agile Samurai

    Team Member

    Also, you can give the beta a try if you want; https://support.1password.com/betas/

  • Thank you for your response, I will ask here and feel free to split them if necessary.

    Before I ask the first question I want to make it clear that I don't accuse 1Password of anything and don't want to offend anyone, I'm just a little (or a little more ;) ) paranoid and curious.

    1. Is there any possible way to make sure that everything works as described? For all I know you can just lie about the encryption, keys, that you have no access etc.

    2. If I got it right, you store the database with all the user names/password/notes/license keys etc AES 256 encrypted in the cloud on one or multiple AWS servers.
      What if a hacker got access to the encrypted databases and held them until a flaw is found in the encryption or until quantum computers are available, even if you give out information about the hack, so we can all change the passwords, there are still all license keys, SSN, secure notes etc, if the user decided to add them and will then be compromised.

    3. Why don't you guys have an option to only sync them manually and then securely delete the database from your servers?
      What I mean with that is why isn't there a button in the windows/mac/iOS app to push the locally secured database in the cloud for let's say 20 minutes to sync up with all the other devices the user can open and then it gets automatically securely deleted.
      Just as an option of course for the more paranoid user. :chuffed:

    Again please don't take any offense on these questions.

    If any question is stupid, then please tell me, I don't have that much experience with cryptography and/or servers.

    Thanks for reading.

  • brenty

    Team Member

    @Newsuer22: We're a bit paranoid and curious too, so you've come to the right place! :lol:

    1) Is there any possible way to make sure that everything works as described? For all I know you can just lie about the encryption, keys, that you have no access etc.

    Sure! 1Password's behaviour and security model are well-documented, and you or anyone else can use network and process monitoring tools to verify that it works the way we say it does. But for those who don't have the time, expertise, or inclination to do that, there are external audits and independent security researchers that are incentivized to do so.

    2) If I got it right, you store the database with all the user names/password/notes/license keys etc AES 256 encrypted in the cloud on one or multiple AWS servers.

    Correct. But if you want more detail, definitely check out the security white paper: https://1pw.ca/whitepaper

    What if a hacker got access to the encrypted databases and held them until a flaw is found in the encryption or until quantum computers are available, even if you give out information about the hack, so we can all change the passwords, there are still all license keys, SSN, secure notes etc, if the user decided to add them and will then be compromised.

    It's certainly possible that some time in the future a way to efficiently break into the encrypted data could be found -- whether that be clever math or just advances in computing power. And, if someone malicious had a copy of your encrypted data from today, that could allow them to access it at that time. That's a lot of "if", so let's keep that in perspective. But there are two reasons I am not particularly worried about that happening:

    1. This isn't a 1Password problem. It would affect everyone using AES. That sounds like even worse news, but on the plus side everyone will have the same problem. At that point, I am much less concerned about someone targeting me when there are plenty of others of higher value. Obviously I can't speak for you though, so your mileage may vary if your importance on the world's stage is significantly higher than mine.
    2. The world will have moved on. By that I mean that the value of the data I have today will be less in the future: for anything important, account numbers will change, passwords will be outdated, etc., and any for which that is not the case, 1Password makes it easy for me to identify those that are most important to me to change them if needed.

    3) Why don't you guys have an option to only sync them manually and then securely delete the database from your servers?

    Syncing manually is not a good user experience, and we built this service because our customers made it clear to us that they have better things to do. But you can delete your account and all of its data at any time from the bottom of your Profile page: https://start.1password.com/profile

    What I mean with that is why isn't there a button in the windows/mac/iOS app to push the locally secured database in the cloud for let's say 20 minutes to sync up with all the other devices the user can open and then it gets automatically securely deleted. Just as an option of course for the more paranoid user. :chuffed:

    There wouldn't be a benefit to offering that, except as security theater. If someone is going to target your data, they're going to need to get the "keys" to it from you since we never have them. So it doesn't matter if the server doesn't have the encrypted data; they'll just get it from you instead. :naughty:

  • jan789
    edited January 2019

    Does the 1Password app have an autotype feature like Keepass for incompatible apps like battle.net and steam? [...] "Type in Window" doesn't recognize steam nor battle.net app.

    The new 1Password app does not have Auto-Type yet. Instead, it currently has a more basic "Type in window" option, which does not have a keyboard shortcut associated with it, that we'll be building on over time. It works for a lot of standard Windows apps, but tends to have issues with cross-platform toolkits and UWP. It's something we'll be working to address in future updates though. Definitely try right-clicking to select the field to "Type in window", as that will work in many cases, but in others it will be necessary to copy and paste.

    Hi, I want to know something like this, too. There's not a 1Password icon in the Steam login field, in order to ask 1Password to fill your login credentials. It also doesn't work with the Epic Games launcher, nor the LOTRO launcher.

    It works with Coursera, though, which is also a cross-platform app.

    Though "type in window" seems to be referring to a different function that I haven't yet learned.

  • brenty

    Team Member

    @jan789: "Type in window" is the option you get when right clicking an item in 1Password mini, in the menu for a specific field:

    1Password does not inject itself into other apps, as that's a security and stability risk -- not to mention just bad manners. We're able to integrate with web browsers because they offer extension APIs we can use for that purpose. Other software, not so much. So instead we try to have 1Password type characters into the field that has focus in the selected app. The methods we're using for that currently have some limitations, so we're exploring other options in order to make it even more useful in the future. :)

  • Thanks again for answering these questions.

    But for those who don't have the time, expertise, or inclination to do that, there are external audits and independent security researchers that are incentivized to do so.

    After skimming through the audit and whitepaper I trust you, that everything is deployed like stated. But do any plans exist for an updated audit, the last one is from Nov. 2015.

    Also the whitepaper misses the "How are servers deployed and managed" section.
    Would be interesting to know, at least for me.

    This isn't a 1Password problem. It would affect everyone using AES. That sounds like even worse news, but on the plus side everyone will have the same problem. At that point, I am much less concerned about someone targeting me when there are plenty of others of higher value. Obviously I can't speak for you though, so your mileage may vary if your importance on the world's stage is significantly higher than mine.

    I know that this problem wouldn't be exclusive to 1Password but it would affect it too.
    The problem I see is, when I have an offline vault it doesn't affect me (unless they hacked in my computer too) in such way it would if the server gets hacked and my data would be among all of the other peoples data.

    And if AES indeed would have been broken, I guess all the companies, would've changed to the "new" encryption method.
    That would leave the hacker with "mostly" low value target from previous hacks, which is better than nothing for them. :D

    The world will have moved on. By that I mean that the value of the data I have today will be less in the future: for anything important, account numbers will change, passwords will be outdated, etc., and any for which that is not the case, 1Password makes it easy for me to identify those that are most important to me to change them if needed.

    Good point. But for all we know AES could be hacked in 2 weeks even if it's not likely.
    And yes, we could change most of these things if we are fast enough, but either way it's a lot of work.

    But like you said that's a lot of "if". But I do appreciate that you did answer the question regardless.

    Syncing manually is not a good user experience, and we built this service because our customers made it clear to us that they have better things to do.

    I definitely agree, but I thought it would be good as an option for those who will trade the inconvenience for more security or at least a better feeling. :chuffed:

    There wouldn't be a benefit to offering that, except as security theater.

    The benefit I see in that is that the database from my account and those who would have used it wouldn't be in the (potential) hack.

    Another idea that I have is, if it would be feasible to implement an option to exclude certain entries from syncing with the cloud or 1Password Server.
    I have a couple of accounts that are too valuable to be even in a possible hack, like banking and company email accounts and server credentials with administrator rights.

    But either way for now, I'll use 1Password for less important things like forum and game accounts and stick to KeePass for the important ones, maybe some day you will implement 1 of those 2 things so that I can switch fully, would be great.

  • bundtkate

    Team Member

    @Newsuer22:

    But do any plans exist for an updated audit, the last one is from Nov. 2015.

    We actually do have one coming out soon. It looks like we're in the process of posting it, but I don't know that I have a link I'm able to share publicly yet. If you keep an eye on the security assessments page on the support site, though, you'll ultimately find it there when we've got everything set up. Fairly soon, I hope! :chuffed:

    Also the whitepaper misses the "How are servers deployed and managed" section.

    It's missing a few planned sections. The white paper is one of those things our security team is constantly updating when they have the opportunity. Getting that info together and writing it up properly is a fairly significant undertaking, though, that demands a fairly lengthy period of uninterrupted time so I can't speculate on when they might take another pass at it. If the section is there, though, it is planned and will show up given time. :+1:

    I thought it would be good as an option for those who will trade the inconvenience for more security or at least a better feeling.

    It's this sort of thing that's tough. You're not wrong by any means, but it's not just trading convenience for a certain peace of mind, it can be viewed as a security risk as well. "Wait, what?" I know, hear me out here. An often overlooked aspect of security is accessibility of data. There's a point at which data becomes so secure that it's difficult for the person who owns that data to access it. Certainly your proposal doesn't go that far, but it does introduce a risk that your data will be unavailable at a critical moment. Imagine you forgot to press that button so your phone doesn't have a new password. You then go on a trip and only take your phone so you can't access that account. What if something happens to your primary device before you push that button and data is permanently lost? Automatic sync and a remote backup of important data is not only a convenience feature – it's a security feature. We think of security as a means of keeping the bad guys out, but I think most of us would define "secure data" as data that is only in our possession. "Our possession" implies not only that it's not in the possession of the bad guys, but that we actually have that data. With your data synced to multiple devices, this risk may be small, but it's a risk all the same and one we can (and should, in my opinion) protect against. Many more folks are concerned about being able to access their data reliably than are concerned about AES being broken.

    Now, that choice should be yours (and it is in the sense that you can choose to use something other than 1Password for data where your threat model isn't satisfied by what we offer), but we have to consider the total population of our customers. Our customers are not just those who understand the risks involved with what you propose, but also those who would see documentation of that feature, be taken in by the perception that it's more secure (even if their own threat model doesn't require it), and would use it anyway without understanding the risk to availability. Sure, we could take the time to explain, but as a rule, people aren't interested in reading long tirades like this about a topic that most would likely deem boring or confusing (or both). We tend to avoid such features not because we don't understand why y'all might want them, but because we see them as a risk to others and feel that risk to them outweighs the benefits to folks like you. It's never fun saying no, of course, but ultimately there are some things we're just not comfortable with and I'd wager this is likely to be one of them, at least for the foreseeable future.

  • 1Password does not inject itself into other apps, as that's a security and stability risk -- not to mention just bad manners. We're able to integrate with web browsers because they offer extension APIs we can use for that purpose. Other software, not so much. So instead we try to have 1Password type characters into the field that has focus in the selected app. The methods we're using for that currently have some limitations, so we're exploring other options in order to make it even more useful in the future. :)

    I missed some of what came before that, under the picture. But this makes sense. Thanks for explaining.

    If it did inject code, then you'd have to reassure all the antimalware software that the app was ok all the time. Seems sensible just to not, if you can work out another way. Maybe other software will learn from you.

  • Thank you for answering. :)

    We actually do have one coming out soon.

    Good to know, thanks.

    Getting that info together and writing it up properly is a fairly significant undertaking, though, that demands a fairly lengthy period of uninterrupted time so I can't speculate on when they might take another pass at it.

    Understandable.
    I'll keep an eye on it, as I think it's really important and crucial information especially for the 1Password Cloud service.

    Our customers are not just those who understand the risks involved with what you propose, but also those who would see documentation of that feature, be taken in by the perception that it's more secure (even if their own threat model doesn't require it), and would use it anyway without understanding the risk to availability.

    Good point and you're right. Services that are aimed at the "mainstream" should just work and should be simple. One of the things why Apple is successful, but even in my own companies I use that approach.

    Maybe something like this would work, without putting the majority of users at risk:
    A hidden context menu that you open with shift + right click or even something like shift + control + middle click that gives the option to exclude the selected entry from syncing with a tooltip like "This will prevent syncing with all your other devices and will be unavailable on them."

    Just as a thought, if you don't add anything like that, then I need to live with it. 🤷

    -----If needed split this section and make a new thread.-----

    Had a look at the 1Password X extension and was wondering why it needs so many permissions:
    Don't know much of the API from Google Chrome so please bear with me if something is obvious.

    -Read your browsing history < Why?
    -Display notifications < Should be self-explanatory and no concern for security/privacy but didn't see a notification yet.
    -Read and change your bookmarks < Why? especially the changing.
    -Modify data you copy and paste < Why? Possible security risk?
    -Manage your apps, extensions, and themes < The thing that I saw is, it disabled the 1Password (DesktopApp) extension.
    -Communicate with cooperating native applications < I guess that is needed for the database within the extension?

    Did try to Google for the answers but didn't find anything except 2 permissions which are explained in the Changelog from 1Password X.
    The extension with the Desktop App only needs 2 permissions:

    Read your browsing history < Don't know why. :D
    Communicate with cooperating native applications < Obvious.

    -----Again if needed split this section and make a new thread.-----

    The 1Password Desktop Extension for Google Chrome doesn't fill anything for me :( neither with ctrl + \ command, clicking on it or using the open site and fill option. Only the "Type in Window" option works.
    Using Win 10 Pro 64 bit with Desktop App 7.3.642 and Chrome extension 4.7.3.90.
    Google Chrome Version 71.0.3578.98 with Developer Mode on Extensions on.

    Restarted Computer/Chrome etc. just doesn't work. The 1Password X extension works fine.

    -----Again if needed split this section and make a new thread.-----

    Possible Bug Report?!
    If the Desktop App is denied the Internet access (Guess if no Internet available it will be the same) in my case via ESET and Watchtower active.
    The "Weak Password" Banner will flash every couple of seconds for half a second also it generates a log file with about 1 MB per minute.
    If needed I can provide a log or diagnostics but it just spams "Network request #1,093 failed in 8ms, status ConnectFailure (Unable to connect to the remote server" when requesting Watchtower update.
    Using Win 10 Pro 64 bit with Desktop App 7.3.642.

    Thank you for reading this long a** text.

  • brenty

    Team Member
    edited January 2019

    I missed some of what came before that, under the picture. But this makes sense. Thanks for explaining.

    @jan789: You're welcome! Glad that Kate and I were able to help. :chuffed:

    If it did inject code, then you'd have to reassure all the antimalware software that the app was ok all the time. Seems sensible just to not, if you can work out another way. Maybe other software will learn from you.

    No kidding. We have enough trouble with antimalware as it is, being software that uses encryption (I suspect many flag this due to ransomware becoming popular...), so we want to continue to be a good citizen on people's computers, and hopefully the AV vendors will be kind to us. Cheers! :)

  • brenty

    Team Member

    @Newsuer22: It isn't possible for me to "snip" that out of your post and put it somewhere else. Please feel free to start a new topic and @-mention me if you want to discuss something other than Auto-Type functionality. You may want to check out the previous discussion on the subject of extension permissions, but I'll be happy to discuss it further. I suspect that some changes Google has made to the wording of these (recently?) is what's throwing you off. Personally, I think it was clearer the way they had it before. The other things you mentioned really require a lot more detail to troubleshoot. Happy to help in any way I can, but let's not get too far off-topic here. :)

  • Newsuer22
    edited January 2019

    First of all thank you very much @brenty @MikeT @bundtkate for having the patience with me and being super helpful and friendly.
    I'm converted to 1Password for 99% of my passwords :)
    Looking forward to all the years to come.

    Sorry for going too off-topic on this topic, I'll open new threads in the specific subforums.
    The Autofill problem is fixed though, reinstalling 1Password to the stable version fixed it. Thought it will roll back automatically, from beta to stable, but it didn't.

    I want to add to the Autotype functionality, that I would love to not "just" have normal Autotype function, but the more secure option:
    One part of the Password typed and the other typed via clipboard paste. So that it's immune to normal Keylogger and clipboard logging. When only affected from one.
    I don't want to advertise, so delete the link if needed, just want to give you the example what I meant with the Autotype.
    https://keepass.info/help/v2/autotype_obfuscation.html
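
A simplified model of the two-channel idea described in the post above (part of the secret pasted via the clipboard, the rest sent as keystrokes), added here as an illustration. It is not KeePass or 1Password code; the event names, function names and the sample secret are constructed for the example.

```python
import random
import secrets

# Hypothetical event tokens for this model; single characters are typed keys.
PASTE, LEFT, RIGHT = "<PASTE>", "<LEFT>", "<RIGHT>"


def split_two_channel(secret, rng=None):
    """Split `secret` into a clipboard part and a keystroke event list.

    A random, non-empty, proper subset of positions travels via the
    clipboard; every other character is typed. Arrow keys move the caret
    so the typed characters land between the pasted ones.
    """
    if len(secret) < 2:
        raise ValueError("need at least two characters to use two channels")
    rng = rng or secrets.SystemRandom()
    n = len(secret)
    k = rng.randint(1, n - 1)                  # both channels stay non-empty
    clip_pos = set(rng.sample(range(n), k))
    clipboard = "".join(secret[i] for i in sorted(clip_pos))

    # Paste first, walk the caret back to the start, then go left to right:
    # step over a pasted character, or type a missing one at the caret.
    events = [PASTE] + [LEFT] * len(clipboard)
    for i, ch in enumerate(secret):
        events.append(RIGHT if i in clip_pos else ch)
    return clipboard, events


def replay(clipboard, events):
    """Return what the focused text field holds after the events are applied."""
    buf, caret = [], 0
    for ev in events:
        if ev == PASTE:
            buf[caret:caret] = list(clipboard)
            caret += len(clipboard)
        elif ev == LEFT:
            caret = max(0, caret - 1)
        elif ev == RIGHT:
            caret = min(len(buf), caret + 1)
        else:                                   # an ordinary typed character
            buf.insert(caret, ev)
            caret += 1
    return "".join(buf)


def keylogger_view(events):
    """Characters a keystroke-only logger would record (no clipboard data)."""
    return "".join(ev for ev in events if len(ev) == 1)


if __name__ == "__main__":
    sample = "c0nstructed-Example!"             # constructed sample secret
    clip, evs = split_two_channel(sample, random.Random(7))
    print("clipboard logger sees :", clip)
    print("keystroke logger sees :", keylogger_view(evs))
    print("target field receives :", replay(clip, evs))
```

Each logger on its own recovers only a fragment, but anything that observes both the clipboard and the keystroke stream has the same inputs as `replay` and gets the whole secret.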

  • bundtkate

    Team Member

    It's not trouble at all, @Newsuer22! Honest, we wish more folks would question their software so heavily. Not only because we're dorks and enjoy talking about it, but also because it's just good practice. It's great to be able to have trust in the software you use, but in our perfect world, you wouldn't have to – you'd be able to see for yourself that it's behaving as it claims. We love to see our customers working to make that reality and holding us to account and we're always happy to talk about this stuff with y'all. :chuffed:

    As for auto-type, I'm going to avoid going into too much detail there because "type in window" is a fairly new implementation of what we once called auto-type back in 1Password 4. We're still very much working on making it more powerful and I expect it will change and expand a fair bit down the road, but that's far enough in the future I don't have reliable specifics just yet and I don't want to make any promises I can't keep. We definitely do still appreciate the feedback, though, and will keep it in mind as type in window matures. :chuffed:

  • brenty

    Team Member

    In case anyone wants to follow the 1Password X discussion:

    1Password X permissions.

    Cheers! :)

  • PS, I eventually figured out I didn't have to download a different app to use 1Password mini; it's the name for a sort of a menu context type function.

    And I now know how to do this. It works in Steam.

  • Greg

    Team Member

    Hi @jan789,

    I am glad to hear that the existing functionality suits your needs. :) Please let us know if there is anything else we can help you with, we are always here to lend a hand.

    Cheers,
    Greg

This discussion has been closed.