The Master Password itself is stored along with all my other passwords! It autofills!

I am using Chrome on Windows 10. I have downloaded and installed the Windows 10 x App as well.
I have disabled "autofill passwords" on Chrome and 1Password is selected as the default password manager.

I note that my "master password" itself (not the Key, but my personal password) is stored in the vault. When 1password times out after 10 minutes, I get a dialogue box asking me to sign back in. AND IT AUTOFILLS MY DANG master password! Anyone passing by my desk at work could get right into my 1password account!

Help!

(I should add, sometimes it doesn't autofill, inexplicably)

I don't know the versions, but they were just installed yesterday so presumably the most up to date.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:The Master Password itself is stored along with all my other passwords! It autofills!

Comments

  • 1Password doesn't automatically fill at all, @kburgeson – it requires that you tell it to do so either by selecting a Login item from 1Password X, using Go & Fill from the desktop app, or . Chances are, this is Chrome filling that Master Password for you. I know – you turned it off! But, actually, Chrome doesn't allow you to disable filling any longer – it only has a setting to disable saving future passwords. Anything you've already saved will continue to be filled unless and until you remove them from Chrome. Because this means those passwords will be gone forever **make extra super sure you've imported them into 1Password first***. If you haven't, here's how:

    https://support.1password.com/import-chrome/

    After you've imported your passwords, you can get rid of them all at once following these steps:

    1. Open Chrome and type Ctrl + Shift + Delete to open chrome://settings/clearBrowserData
    2. Click Advanced
    3. Check the box next to Passwords
    4. Make sure nothing else is checked in both the Basic tab and the Advanced tab
    5. Click Clear Data

    After this is done, Chrome will officially stop filling passwords for you and you should find that your Master Password no longer fills either. Of course, if you're still having trouble, let me know. :+1:

  • kburgeson
    kburgeson
    Community Member
    edited October 2019

    Bundtkate (love that name!), it wasn't Chrome. I had specifically said "no" when Chrome asked me if it wanted to save 1password, and that selection was noted in the Chrome password manager (along with other sites where I had declined, eg paypal, banks).

    The 1password entry in the Vault includes both my master password and the secret key. Perhaps I inadvertently asked 1password to save the master password (I assume it saves the secret key there automatically) - but I am shocked 1password would ever offer to save that password. I thought that was the one thing that had to be memorized. (Much less offer to fill it in when logging back in ...)

    I think I've solved my immediate dilemma by deleting the master password in the 1password entry in the Vault. It does seem likely that I asked 1password to save and fill that password - but I'm quite surprised that would even be an option.

    Anyways, does that sound right to you? I "authorized" 1password to retain and fill the master password? (That it would do so seems to me to be a big vulnerability, lots of newbies would have their master passwords subject to autofill without really realizing it.)

    Also thanks for taking the time to respond :) And I have also cleared password data in chrome...

  • Thanks so much for your kind words, @kburgeson! I've had this same online handle for as long as I can remember. Baking is my absolute favorite hobby so, although I have less time to do it these days than when I was still in school and living with my parents, the moniker seemed appropriate.

    It actually does make more sense that it was filling inconsistently if it was 1Password. I'd bet what was happening was that you were accidentally clicking or pressing enter with your 1Password Login item selected in the inline menu. It'll pop up any time the field is focused so an errant keystroke isn't the hardest thing to do in that scenario.

    As for that Master Password being saved, that's actually not on you. Not only is it an option to save it, @kburgeson, we actually do it by default when you create your account. I know it seems a bit non-intuitive, but when you think about it, it makes sense. In order to fill that Master Password, 1Password must be unlocked. It it's locked, 1Password won't offer to fill. And what do you need to unlock 1Password? Yep, your Master Password. If 1Password is unlocked when you leave your desk, it's absolutely true that you've got yourself a pickle. Anyone who sits down at your computer can see all of your passwords whether your Master Password is saved there or not. It's unlocked so they need only open 1Password and look around. In short, it doesn't add any appreciable risk to have it saved in your vault – you should make sure it locks when you leave your device whether your Master Password is saved or not.

    Of course, the solution to this is to make sure 1Password is locked when you're away, whether or not you save your Master Password in 1Password. The best way to do this will depend on your personal habits, though. I generally lock my PC when I step away. It's a habit I learned when working in a large office with tons of people, so even though I work at home now and really don't need to be as worried, there's nothing specifically motivating me to change that. So, in 1Password, I actually have it set to stay unlocked all the time unless my PC goes to sleep or my PC is locked. This all but guarantees it will lock when I'm away. If you leave your PC unlocked when you leave at times, a better solution for you might be a shorter autolock timer so that 1Password locks quickly when you walk away. And, of course, you can always lock it manually if you need to. You can learn more about locking 1Password X and adjusting its autolock settings here:

    https://support.1password.com/getting-started-1password-x/#lock-1password

    Now, it's up to you whether you want to save your Master Password or not, but it's actually something I usually recommend. What saving your Master Password does do is add substantial data loss protection. Chances are, one thing that motivated you to start using 1Password is that we humans are absolute rubbish at remembering passwords. Remembering just one is easier, but that doesn't change the facts, we can do and do forget stuff. If you do forget your Master Password, though, you might have access to 1Password still on a device like an iPhone or Mac or Android device where you can unlock with your fingerprint or face. If that's the case, you can look to this Login item to recover your Master Password and boom – you're back in business.

    I hope this both helps explain what happened and helps you decide whether to save your Master Password or not. Of course, if you have additional questions, ask away. I'm here to help. :chuffed:

  • kburgeson
    kburgeson
    Community Member

    Thank you for the most comprehensive help I have ever received online! I suspect this will help many.

    Personally, I really think I can remember my master password and will post hints in my email acts that will ensure.

    Again, many thanks. Awesome!

  • It's no trouble at all, @kburgeson! I do some must signing in and out with testing various and sundry things, I keep mine saved purely for convenience, but that's the lovely thing about saving it to a Login item. If you don't want it saved, you can just get rid of it and you're set. Another tip? Jot down that Master Password on your Emergency Kit and keep a printed copy somewhere safe. Think of it as disaster planning. Hopefully you'll never need it, but should something happen where you lose access to all of your devices at once, that Emergency Kit will have you covered. :+1:

    Thanks again for your kind words and should you ever have additional questions, you know where to find me. :chuffed:

This discussion has been closed.