Search form on autofill screen

Hi @ishiki. Thanks for your feedback. I'll be sure to pass this onto our team. However, we use URL matching on every platform to make sure that 1Password only fills in the right websites. As we're first and foremost interested in security, our goal is to keep our users as secure as possible. This isn't always the most convenient solution, but the most convenient solution isn't always secure.

You can add a warning message if you want, thus users will double check the URL but making it not convenient by forcing users to quit browser, open 1Password, unlock it, search login, copy, reopen browser, paste login is not a good solution, it's just badly design.

In cases where you're trying to fill into a website that doesn't match the Login you're using, I'd recommend verifying the authenticity of the site, then copying and pasting the URL from the site into the Login in order to avoid having to copy and paste from 1Password in the future. This way, we can be sure that 1Password is filling on 1Password.com and 1Password.ca, for instance, but 1Password will refuse to fill on 1Password.fake.

I understand but since you are not listening to your community, we have to post about this issue as much as possible.

@ishiki: No. First, being disruptive and disrespectful to others by making them wait while we reply to you in multiple places is unacceptable. If it continues, you're still free to contact us via email at support@1password.com if you need help with something, but you won't be able to participate here in the forum any longer. Please keep that in mind before commenting further.

Second, "Listening" doesn't mean someone does whatever you want when you want them to. Otherwise none of my family "listens" to me either, and we're in the same boat. :tongue:

Third, if you read the rest of the thread, you will see that there's a discussion here. There has also been in other threads, and internally, which Henry referenced above.

And I will have to repeat it once again, your current design is NOT preventing phishing. When no login have been found, users open 1Password and copy/paste login/password. Thus, phishing is not prevented and users are annoyed by the current design.

That's absurd, and repeating it doesn't make it any less so. We cannot stop people from copying and pasting their passwords, and should not because that would prevent people from moving their data somewhere else if they want to. Just because we cannot stop 100% of cases of people putting a password where they should not does not mean we should have 1Password facilitate phishing attacks by having 1Password fill in the wrong place. That's what this is about, regardless of how you want to try to frame it. You can copy and paste passwords anywhere else on your device. Again, 1Password's phishing protection is so that 1Password is not putting passwords where they don't belong. We can't stop you from actively circumventing that to get yourself phished though.

A warning message that warn the user about phishing and ask him to double check the URL + a search option to find the corresponding login + auto-add of the new URL in the login URL auth list.

We've already stated that it's something we can consider. But by the same token you need to consider that while that may be just fine for you, there are others affected by decisions we make. if you've ever used Windows, you'll know how much of a problem there's been with people dismissing the UAC prompt to let an app run. It's purpose is nearly identical to what you're saying: to offer a warning that what they are about to do is risky, but give the user the option to proceed anyway. However, most people just click blindly, and the result is the proliferation of malware in spite of the warning and protections in place in the OS, since most people just continue anyway because it was just in the way of something they were trying to do.

Please listen to the community and don't answer with some generic response explaining what phishing is but rather explain to us why the proposed solution is not yet implemented.

If you think the responses have been "generic", I'm wondering if you're even reading them. I get that we're not saying "Yes! Right away!" like you want us to, so there's perhaps less incentive for you to read, but if you do you'll see there's nuance. Ultimately we need to to consider all 1Password users, not just you, when making decisions about things like this. If you were the only user of 1Password, we'd probably do what you're suggesting, as it wouldn't affect anyone else anyway. But there are millions of others out there whom we need to help stay safe online.

We've explained our reasoning multiple times. You don't agree with our reasoning, and that's fine. Everyone has an opinion. As mentioned already, it's something we'll continue to evaluate as we develop future versions of 1Password, based on feedback from everyone. I'm sorry we're not able to give the answers you're hoping for at this time, but we are listening to you and everyone else. Otherwise we wouldn't be here. :tongue:

You made an excellent point here:

I think that's the main issue with the current system. Users do not understand that's intentional, on the contrary, they think that 1Password is not working properly since it does not find the corresponding login. Therefore, users are annoyed by the fact that they have to copy/paste the logins manually and they do not even think about an eventual phishin attack and they do not check the URL.

This is the only reason we'd even consider changing the behaviour. Making the change would certainly make us look better, to you because it's what you clearly want and to those who think 1Password is "broken" otherwise, but it would be negligent and short-sighted of us to do so. Security needs to come first, and then if we can find a way to make it more convenient without sacrificing that everybody wins. That's the idea. :)

We've added the ability for the user to confirm that they want to fill a Login at a URL other than the one they've assigned to it in 7.4, yes:

Search within Password AutoFill to find and fill the perfect login. {#3333}

What is the URL you're visiting, and what is the URL you have saved in the Login you're trying to fill?

:+1:

Ben