1Password's use of Secure Input

Super Contributor

4 years ago

Other than not using Secure Input (which is a non-starter) I'm not sure there is anything we can do on our end to improve the experience here.

That dismisses an obvious option: Use Secure Input for masked password fields only.

Or provide an option: Use Secure Input for: All fields vs. Masked password fields

I don't understand the current reasoning. Secure Input breaks accessibility tools and input devices. Secure Input also changes basic macOS window-stacking and focus behavior. But it doesn't provide a meaningful increase in security against malicious actors. It isn't intended to be a protective bunker.

Or am I missing something?

Secure Input does protect against well-behaved user processes that have been granted specific Accessibility permissions. If that's considered a serious threat, 1Password could alert the user when a new event tap is detected.

But the clipboard is always available to other user processes, without any additional privileges.

And screenshots don't require privileges. (Malware often takes screenshots when Secure Input is toggled!)

Secure Input doesn't protect against processes that have been granted Screen Recording. Or processes that use Accessibility to control the system.

And Secure Input can't protect against more insidious or privilege-escalating malware, anyway.

So I guess I don't get it.

Forum Discussion

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

To permanently delete 1password account & all data

Issue with 1Password Browser Extension Not Searching Note Fields

Password entry gets converted to a Login entry

Allow copying as pasting a passkey

Can't set "purchase date" field expiry in future