Clipboard, browser extension, or universal autofill for macOS web pages - which is safest

Baz

Thanks for the reply. Making recommendations on how best to protect yourself against a threat is difficult without understanding your threat model and the specific threat that you're trying to protect against. The articles that my colleague shared earlier outline the technologies and architectures that 1Password has implemented to protect you and your data from a wide variety of threats.

To answer your specific question: copying a password to the clipboard would arguably be the least secure option since, as my colleague stated earlier, it makes your password available to other apps on your Mac through the macOS system clipboard. If you're careful to only install apps that you trust then this might not be a concern to you. When you copy a password (or other concealed field) from the desktop app, 1Password will mark that password using the org.nspasteboard.ConcealedType flag (a macOS API) to indicate to legitimate apps that respect that flag (such as Alfred's clipboard manager) that they shouldn't store that password since it is sensitive information.

I would recommend using either 1Password in the browser (the browser extension) or Universal Autofill since they both have safeguards in place to protect against exfiltration of data and filling of login information into the wrong website/app. This helps protect you against phishing attacks where a malicious actor might masquerade as the website/app that you're trying to access. Universal AutoFill, since it operates outside of the browser, will also make sure that your browser is legitimate and intact by checking the browser's code signature before filling and asking you to double-check that you'd like to fill your login credential if it can't make that determination itself.

And, suppose their first choice fails. For example, suppose the browser extension (if that was their first choice) doesn't correctly fill in the fields.

If filling with 1Password in the browser and Universal Autofill both fail then you can drag and drop your login credentials from the 1Password pop-up window (or the desktop app) to the login form as long as you're sure that the website or app is legitimate: Use drag and drop to fill in apps

Is there a specific threat that you're trying to protect against that I can provide more clarity on? Security is the team's primary priority at 1Password. In addition to the amazing work that our developers and security team have done to make sure that 1Password protects your data in various environments and scenerios, 1Password also undertakes multiple independent security audits from external venders, which you can read about here: https://support.1password.com/security-assessments/

-Dave