Baz
2 years ago
Dedicated Contributor
Clipboard, browser extension, or universal autofill for macOS web pages - which is safest
There's a bit of a discussion about this over at MacRumors (a 5 gazillion page thread about 1Password). The current side topic asks what is the safest way to enter credentials into a web page. I prom...
Baz
2 years ago
Dedicated Contributor
Thanks so much for your detailed answer. It's very helpful. I hadn't even realized that drag and drop was a possibility.
My question was a general one, motivated by a discussion over at MacRumors. I was trying to get an answer that I could relay as a general recommendation to all readers of the thread. Many people comment that they fear browser extensions in general, so much so that they use copy and paste as a workaround. You've confirmed my intuition; that approach is exactly the wrong one. A 90-second delay in clearing the clipboard cannot protect against apps or websites listening for clipboard events and capturing the data as soon as it's placed there. I've seen that happen with GPG Keychain (even when running in the background) and I'm pretty sure any website I'm visiting could do the same. (I just have to work up the motivation to code a test case.)
One common refrain on that thread is the user's trust in the intentions of the browser extension. I think that's a concern for extensions in general, but doesn't apply to yours. Some extensions are from companies that deserve our trust, in the same way we trust our browsers.
At this point I'm left choosing between Universal Autofill and the browser extension. My concern about the browser extension is driven by Tavis Ormandy's criticism of extrinsic browser password managers. I read quotes of that here - https://grc.com/sn/sn-822.htm. Even though it's an old conversation from 2021, I still tend to lean more towards autofill because of it.
Would you say that it's a fair comment that autofill is running in a less hostile environment than the browser extension and that would give a slight edge to the safety of autofill? I am careful about which applications are installed on my computer. I'm less careful about which websites I visit; there are just too many for me to vet each one. I did appreciate 1P_Evon's link to "About the security of 1Password in your browser". The comment "1Password runs in a sandboxed background page provided by the WebExtensions API, not in the untrusted web environment" (and others) does help balance the scales a bit, but not completely.