
Jay-Jacob

macrumors 6502a
Sep 10, 2015
551
323
England
This is the reason I have never used password extensions. I know it's an extra step, but I much prefer just going into the app and copying the password. Or also store the password in Keychain so I don't need any extension.
I am the same. I open the app and copy/paste passwords too, and make sure the clipboard setting wipes the copy/paste after 30 secs. Keychain usually fills them out for me most of the time. Once in a while I need to open the password manager app for copy/paste.
 
Reactions: DCIFRTHS

DCIFRTHS

macrumors 65816
Jan 25, 2008
1,218
594
This is the reason I have never used password extensions. I know it's an extra step, but I much prefer just going into the app and copying the password. Or also store the password in Keychain so I don't need any extension.
I also do the extra step of manually copy/pasting.

Do you use Quick Access (if you're using 1Password) or open the full program?

Do you allow the use of the OS Accessibility settings or AEServer? I'm not exactly sure what this does besides authenticating a user (the same user) for remote access from another Mac. Maybe I'm off base on this...?

How does Apple seamlessly integrate the filling of passwords from the keychain throughout the OS without the use of extensions or apps? Is there an undocumented API? Yes. I'm a bit confused :oops:
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
Not to mention using web browser extensions creates a security risk.

I'm trying to evaluate my own practices in light of your comment. I do use the browser extensions. Could you say more about what are the security risks?

I could imagine there's a concern that 1Password has access to the information on web pages; that's a risk with every browser extension. And there's also the risk that a web page cracks the 1Password extension's security; I suspect that security is at the same level as that of its main application. Do you have particular concrete concerns?
 

Apple_Robert

Contributor
Sep 21, 2012
34,970
50,979
In the middle of several books.
I'm trying to evaluate my own practices in light of your comment. I do use the browser extensions. Could you say more about what are the security risks?

I could imagine there's a concern that 1Password has access to the information on web pages; that's a risk with every browser extension. And there's also the risk that a web page cracks the 1Password extension's security; I suspect that security is at the same level as that of its main application. Do you have particular concrete concerns?
An extension, as useful as it may be to use, creates a possible vector usage due to leaks and information being sent (intentional or not) to the developer of the extension and other possible parties. There have been numerous examples of bad results in this light with third party extensions. And while I have not directly researched any problems related to extensions in such a manner, I made a decision years ago not to introduce a third party swinging door into my usage.
 
Reactions: johannnn

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
Yeah, but once you set it up it works flawlessly. For example, in one field it had ID "credit_card_no". Bitwarden might not have detected it, but I can set it up manually and then it always works. You can do it from the contextual menu.


I never heard other password managers have this option but maybe in the recent updates as I have not used 1password in a long time.

That's pretty nice. One website I use has two logins on one page: one for administrators and one for normal users. I would have liked two separate password entries, each one targeted to its own fields. I don't see any way to do this in 1Password.

Last night, I took a bit of time studying, trying to figure out how 1Password detects username and password fields. It's not obvious. They must have a bunch of rules that they apply, inspecting the ids and names of fields on the page, looking for the ones they want to fill.

If there's ever a problem with 1Password finding the field, I click on the field and use the 1Password global shortcut to fill it. That's the same shortcut I use to fill fields in any application that needs it. But, the ability to tweak which field should be used would be nice.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
An extension, as useful as it may be to use, creates a possible vector usage due to leaks and information being sent (intentional or not) to the developer of the extension and other possible parties. There have been numerous examples of bad results in this light with third party extensions. And while I have not directly researched any problems related to extensions in such a manner, I made a decision years ago not to introduce a third party swinging door into my usage.

Thanks. So the concern is trust in the extension, not trust in the website. That makes sense since the 1Password extension is seriously hardened against a malicious website.

I do use a few highly regarded extensions, but there's always a risk of bad code making its way into one of them.

I guess if a normal app gets compromised, the OS has more controls that prevent it from accessing various things on the running system. A browser extension has extensive access to the web page. In fact, I've reviewed some of the pages that the 1Password extension operates on and saw how it actually modifies the contents of the page to get its work done. Oh boy, there's a lot of trust required when using an extension.

At this point, if I were to decide that the 1Password extension is not to be trusted, I would have to conclude that no extension can be trusted, since I trust 1Password the most. I'll give it some thought.
 

gregmac19

macrumors regular
Jul 28, 2016
206
147
I wonder how many password managers, besides Keychain, allow you to autofill without the use of a web browser extension. Codebook, which is what I use, has a Mac extension that works with Apple’s Password AutoFill to autofill in Safari. (Edit: To be clear, Codebook uses an extension to work with Apple’s Password AutoFill, but it isn’t a browser extension.) However, if you prefer not to use any extension at all, you can use Codebook’s helper application (Secret Agent) to autofill in any browser.

I try never to put a password on the clipboard because of the security risk. With Secret Agent, I can copy data in Codebook into any browser or any other location (e.g., the password field when mounting an encrypted drive).
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,434
3,781
1Password users: Do you use the browser extension? If so, what browser are you using?
Also, given that the extension has a lot of privileges, do you have any security concerns?

1-Yes

2-Brave+Firefox

3-I am unaware of any concerns when it comes to security with extensions. I keep hearing it's dangerous but so far haven't heard news about anyone getting hacked from the extension as long as you stick with the reputable guys.

speaking of which, this talk made me revise my extensions and found "auto tab discard" has not been updated in two years. deleted immediately.

There is an open-source QtPass
Works even on macOS PowerPC (somewhat older version, but MacPorts will handle it).

Perhaps a better one would be https://github.com/FalkAlexander/PasswordSafe but it needs to be added.

thanks for sharing. Never heard of them before.
 

Apple_Robert

Contributor
Sep 21, 2012
34,970
50,979
In the middle of several books.
1-Yes

2-Brave+Firefox

3-I am unaware of any concerns when it comes to security with extensions. I keep hearing it's dangerous but so far haven't heard news about anyone getting hacked from the extension as long as you stick with the reputable guys.

speaking of which, this talk made me revise my extensions and found "auto tab discard" has not been updated in two years. deleted immediately.



thanks for sharing. Never heard of them before.
Do a web search. There are plenty of examples of unsafe browser extensions found after the fact.

A big example of a security threat is with ad-blocker extensions. Many people blindly install and give full permission to such apps and extensions, even though doing so allows the extension to see every website visited as well as credentials used etc. The same threat exists with password managers and extensions. Just because a person trusts 1Password or some other known entity doesn't mean the extension can't be exploited due to bad code, not to mention if such were to happen after one has already given full permission, the likelihood of a type user catching such a leak or nefarious use would be very slim, in my opinion. And yet, people put themselves at security, privacy, and Malware risk every day by loading extensions into their browser because it will save them a few clicks of the keyboard.
 

k.alexander

macrumors 6502a
Jul 14, 2010
520
277
Question about the new Apple Passwords app. On iOS/iPadOS and maybe MacOS, it is secured by FaceID, ok. But when FaceID fails, does it fall back on the device's 4 or 6 digit password? Is that then all you need to unlock the Passwords app and expose all information in it?
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
I wonder how many password managers, besides Keychain, allow you to autofill without the use of a web browser extension. Codebook, which is what I use, has a Mac extension that works with Apple’s Password AutoFill to autofill in Safari. (Edit: To be clear, Codebook uses an extension to work with Apple’s Password AutoFill, but it isn’t a browser extension.) However, if you prefer not to use any extension at all, you can use Codebook’s helper application (Secret Agent) to autofill in any browser.

I try never to put a password on the clipboard because of the security risk. With Secret Agent, I can copy data in Codebook into any browser or any other location (e.g., the password field when mounting an encrypted drive). 1Password and likely other password managers also have this capability.

I checked out secret agent, trying to think about how its security compares to that of a browser extension. I see from this page..


that Security & Privacy has to be set to allow automation, which shows "Allow the apps below to control other apps. This will provide access to documents and data in those apps, and to perform actions within them."

and to allow Accessibility, which reads "Allow the apps below to control your computer."

I haven't studied what that implies. It could be just as risky as browser extensions. Naively, I might think that access to every running application is far riskier than access to just the browser.

I have a nagging feeling that the clipboard is the riskiest since it's somewhat accessible to every running application. That's why password managers always clear the clipboard after a short time (but maybe not short enough).

I guess if I don't trust browser extensions, system control extensions, or the clipboard, I'd better start typing my credentials to log in.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,434
3,781
yet, people put themselves at security, privacy, and Malware risk every day by loading extensions into their browser because it will save them a few clicks of the keyboard.

because simpletons like me do not know that the extensions can read the clipboard and input credential in websites. I thought they were locally on the website but can't send information back nor read my actions on the site.

I have a nagging feeling that the clipboard is the riskiest since it's somewhat accessible to every running application. That's why password managers always clear the clipboard after a short time (but maybe not short enough).

I guess if I don't trust browser extensions, system control extensions, or the clipboard, I'd better start typing my credentials to log in.

one would think that no app should read the clipboard until we "paste" the information in.
 

barracuda156

macrumors 68000
Sep 3, 2021
1,869
1,354
Question about the new Apple Passwords app. On iOS/iPadOS and maybe MacOS, it is secured by FaceID, ok. But when FaceID fails, does it fall back on the device's 4 or 6 digit password? Is that then all you need to unlock the Passwords app and expose all information in it?

FaceID is not “secure”, it just requires physical presence of a subject.
 

HDFan

Contributor
Jun 30, 2007
6,941
3,070
Do you use the browser extension? If so, what browser are you using?

Yes. Safari, Firefox, Chrome.

Not to mention using web browser extensions creates a security risk.

True. There is also a security risk in cutting/pasting. When you bring up 1Password to fill in a form on a webpage it verifies the URL before it does the paste. When you do a manual paste you normally wouldn't be checking for some hidden character in the URL which means you are pasting into a malicious rather than the intended website.
 

bsmr

macrumors 65816
Oct 4, 2005
1,106
287
Germany
True. There is also a security risk in cutting/pasting.
As far as I know it is 'much' more risky to do a cut/paste instead of using 1Password extension (in many ways).
It's not only the verification, also the time something stays within buffer/cache and also that no other 3rd party extensions can access the clipboard of the copied password (only working via 1Password and not via traditional copy/paste).
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
True. There is also a security risk in cutting/pasting. When you bring up 1Password to fill in a form on a webpage it verifies the URL before it does the paste. When you do a manual paste you normally wouldn't be checking for some hidden character in the URL which means you are pasting into a malicious rather than the intended website.

I'm really struggling with figuring out what the safest way to work is. I see three choices since I'm not willing to type in my passwords: browser extension, system-wide extension (1Password calls it "Universal Autofill"), or the clipboard. I plan on posting a question in the 1Password forums to get their thoughts.

The clipboard seems the riskiest. 30 seconds till the clipboard is cleared is an eternity in software time. Using the clipboard requires you to trust all running software on your computer with your passwords since it all has access to the clipboard. 1Password sets the timeout to 90 seconds and it's not easy to adjust it. I wonder what protections the OS affords to protect the clipboard, specifically against background processes.

The browser extension seems the next riskiest. I read some stuff by a security researcher yesterday. I'm more clear on the risks. It has nothing to do with trusting 1Password's extension and the worry that I've given it access to my web pages. Rather, the 1Password code is running in a hostile environment. It injects stuff into potentially dangerous web pages and that code communicates to the 1Password application running in the background on my system. The risk is that the web page can somehow gain access to that communication channel. I would think that 1Password is seriously hardened against that risk, but who knows if it's good enough.

The safety offered by the browser extension, in that it checks the URL before filling in passwords, is significant. But, it's only significant if a user doesn't just quickly paste in the password themselves, making the assumption that the password extension is somehow failing. I do a quick check of the URL when that happens, but I wonder how many people do. I don't even do it all the time.

I have a feeling that Universal Autofill is the safest. I am forced to trust the 1Password program since I am giving it broader access to my system. But, I certainly do trust it; I wouldn't have put all my passwords into a program that I didn't trust.
 

bsmr

macrumors 65816
Oct 4, 2005
1,106
287
Germany
I have a feeling that Universal Autofill is the safest.
This could be the case. Really interested in the answer (if we get one) from 1PW Forums.

Another point why actually Apple's own Passwords app will be the safest of all (because of direct integration into macOS).
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
one would think that no app should read the clipboard until we "paste" the information in.

Take a look at Apple's Clipboard Viewer program. It shows the contents of the clipboard. No pasting is required.





You can download it here


It's part of the "Additional tools" package. You'll need a developer login to get it, but that's available free of charge.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,434
3,781
The safety offered by the browser extension, in that it checks the URL before filling in passwords, is significant. But, it's only significant if a user doesn't just quickly paste in the password themselves, making the assumption that the password extension is somehow failing. I do a quick check of the URL when that happens, but I wonder how many people do. I don't even do it all the time.

Isn't this why there is a lock icon next to the URL, to check it's authentic? Or is this just to ensure the connection is encrypted?

I think maybe some sort of a new icon should verify if the website is legit or not, backed by an international organization like ICANN or something.

Take a look at Apple's Clipboard Viewer program. It shows the contents of the clipboard. No pasting is required.





You can download it here


It's part of the "Additional tools" package. You'll need a developer login to get it, but that's available free of charge.

This is flawed design IMO. No software should access anything else in the system until I give it access to it, and for the clipboard that's when I hit ctrl+v.
 

DCIFRTHS

macrumors 65816
Jan 25, 2008
1,218
594
I'm really struggling with figuring out what the safest way to work is. I see three choices since I'm not willing to type in my passwords: browser extension, system-wide extension (1Password calls it "Universal Autofill"), or the clipboard. I plan on posting a question in the 1Password forums to get their thoughts…
I’m happy that my post has spurred conversation regarding this subject 😀

If you would be kind enough to link to your post on the Agile Bits forums, or DM me, I would appreciate it.
 

Adora

macrumors newbie
Jun 30, 2024
29
15
Hi,

just found this thread, so sorry if this is already known here. I haven't read very much yet. And am not even sure what it is mainly about. 🙈

Just wanted to let you know what is still possible.

I am still using 1Password 6 with iCloud Sync on macOS 15 Developer Beta and 1Password 7 (which was a free upgrade) on iOS/iPadOS 18 Beta without any problems except the Safari integration.

In Firefox (even in the latest nightly build) I can use a legacy extension which is still working, but not in any other browser.

Strangely it also doesn't work in any other Firefox based browser. Luckily Firefox is my main browser anyway.

But even without any browser integration 1Password can easily be accessed in the menu bar.

I have two licenses that came with a Parallels Bundle. I think one of them even started on an earlier version like 4 or 5 and got a free upgrade to 6 back then.

I'll just stay with this as long as it is working.


Edit: I forgot to mention that I am even running this on an M2 Pro and M3 Mac in emulation because it's only available for Intel CPUs.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
If you would be kind enough to link to your post on the Agile Bits forums, or DM me, I would appreciate it.

I will. I don't think I'll get to the post for a couple of days. Now that I'm committed to reporting back here, I'll definitely follow through.

Isn't this why there is a lock icon next to the URL, to check it's authentic? Or is this just to ensure the connection is encrypted?

No and almost. The lock icon says the connection is encrypted and authenticated. It's authenticated in that the domain name shown in the URL bar is the site that delivered the content that is being displayed. (There are a lot more details to that.) The problem is that the domain name could be that of a malicious website. A person could purchase a certificate for the domain www.bankofameriica.com, install it on their server, and present a webpage for that domain. That webpage would show with the lock icon. You might not notice the double "i"; the password extension would.

this is flawed design IMO.

The flaw is the use of the clipboard for inappropriate content. The clipboard is designed for easy communication between applications; it's been that way for decades.

It could be that a thread that accesses the clipboard has to satisfy certain conditions. Perhaps the thread has to be initiated by some user action. But, certainly it's not a physical action on the computer itself since a remote desktop session can use the clipboard. I really don't know anything about what protections there are around access to the clipboard. Perhaps someone on this thread knows.

The Clipboard Viewer application requires me to click somewhere before it displays the clipboard's contents. Based on that, we do know that any foreground application can probably access the clipboard without the user triggering an action that is explicitly represented as a clipboard copy.
 
Reactions: DCIFRTHS
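
The check described in the post above, where the lock icon still shows for www.bankofameriica.com but a password extension notices the double "i", sketched as an added example that is not part of the thread and not 1Password's code. Exact HTTPS origin matching, the vault item shape and the function names are assumptions made for illustration; real password managers apply their own matching rules.

```javascript
// Constructed vault entry; the item shape is hypothetical.
const savedItem = {
  title: "Bank",
  username: "alice",
  origin: "https://www.bankofamerica.com",
};

// Reduce a URL string to scheme + host + port using the WHATWG URL parser.
// The parser lowercases the host and converts non-ASCII labels to punycode
// ("xn--..."), so a look-alike Unicode letter never compares equal to ASCII.
function normalizedOrigin(urlString) {
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== "https:") return null; // no fill over plain http
  return parsed.origin;
}

// Decide whether credentials for `item` may be filled into `pageUrl`.
// The lock icon only says "this host has a valid certificate"; this check
// asks the separate question "is this the host the password was saved for?"
function fillDecision(item, pageUrl) {
  const page = normalizedOrigin(pageUrl);
  const saved = normalizedOrigin(item.origin);
  if (!page || !saved) {
    return { fill: false, reason: "not-https-or-invalid" };
  }
  if (page === saved) {
    return { fill: true, reason: "origin-match" };
  }
  // Flag hosts containing punycode labels separately: to a person they can
  // render identically to the saved name, which is the "hidden character"
  // case a manual paste would miss.
  const labels = new URL(pageUrl).hostname.split(".");
  if (labels.some((label) => label.startsWith("xn--"))) {
    return { fill: false, reason: "mismatch-non-ascii-host" };
  }
  return { fill: false, reason: "origin-mismatch" };
}

// Constructed sample pages: the real site, the double-"i" domain from the
// post, a host with a Cyrillic "a" (U+0430), and a plain-http page.
const samplePages = [
  "https://WWW.BankOfAmerica.com/login",
  "https://www.bankofameriica.com/login",
  "https://www.b\u0430nkofamerica.com/login",
  "http://www.bankofamerica.com/login",
];

function checkSamples() {
  return samplePages.map((url) => ({ url, ...fillDecision(savedItem, url) }));
}

for (const row of checkSamples()) {
  console.log(row.fill ? "FILL " : "BLOCK", row.reason, row.url);
}
```
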

toasted ICT

macrumors regular
Sep 28, 2010
132
139
Sydney
Re the new Strongbox Sync .... it sounds good. I had some questions and thought I would share what Strongbox folk confirmed with me:

I have multiple devices using iCloud to sync. iPhone, iPad, mac, Windows 11 PC (via keepassXC and windows iCloud app)

1 Strongbox sync will not work with the KeepassXC supported W11 P

2 I just have to select Strongbox Sync on ONE of the Apple devices and thus all the Apple devices will Sync via Strongbox Sync using Cloudkit. There is no need to repeat the process to change over to strongbox sync for each Apple device in turn.

3 iCloud sync, while not recommended, will continue to function as it was.

I use iCloud to sync my iPhone, iPad, Mac and Windows 11 PC (via keepassXC and using the iCloud for Windows app). I did not know iCloud was so unreliable (I have had ZERO problems so maybe I am just lucky). I asked what do you recommend is the best means to support these devices? They said "If you're not having issues with iCloud at the moment, perhaps leave it as is. If you do have problems, we usually recommend Dropbox, OneDrive or Google Drive"

My own use case, I am thinking I will just dump keepassXC on Windows and switch to Strongbox Sync. I only use W11 for gaming so don't really need a PMgr on it. It's very rare that I use it on the PC.
 