Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Clipboard, browser extension, or universal autofill for macOS web pages - which is safest
There's a bit of a discussion about this over at MacRumors (a 5 gazillion page thread about 1Password). The current side topic asks what is the safest way to enter credentials into a web page. I prom...
1P_Dave
Moderator
ModeratorThanks for the reply. I think that it's great that you're digging deep to make sure that 1Password protects you against the threats that you're concerned about.
One common refrain on that thread is the user's trust in the intentions of the browser extension. I think that's a concern for extensions in general, but doesn't apply to yours. Some extensions are from companies that deserve our trust, in the same way we trust our browsers.
That's a fair point. With 1Password, it's important to always remember that your data is end-to-end encrypted before ever leaving your device. That's true whether you're using the desktop app or the browser extension. 1Password is also very careful to make sure that your data never leaves your device unencrypted and that extends to turning features off by default that might pose even small privacy concerns like checking for vulnerable passwords: About Watchtower privacy in 1Password
At this point I'm left choosing between Universal Autofill and the browser extension. My concern about the browser extension is driven by Tavis Ormandy's criticism of extrinsic browser password managers. I read quotes of that here - https://grc.com/sn/sn-822.htm. Even though it's an old conversation from 2021, I still tend to lean more towards autofill because of it.
If you haven't seen it already then there are a few great posts from our security team on the subject when it was discussed back in 2021:
- https://www.reddit.com/r/1Password/comments/ntbf2m/comment/h0sqhku/
- https://1password.community/discussion/comment/602337/#Comment_602337
I particularly like the following line: "If we were aware of something which a malicious website could to 1Password we would have already designed around that."
We not only have a development team constantly improving how 1Password in the browser works, but we also have a separate and dedicated security team making sure that 1Password keeps your data safe and staying on top of vulnerabilities discovered in the wild. If 1Password in the browser wasn't safe to use then 1Password wouldn't make it available to users.
Would you say that it's a fair comment that autofill is running in a less hostile environment than the browser extension and that would give a slight edge to the safety of autofill? I am careful about which applications are installed on my computer. I'm less careful about which websites I visit; there are just too many for me to vet each one.
It's important that you use a safe and secure web browser and that you only install extensions from legitimate web stores that are trustworthy. I'm not aware of any known vulnerabilities that could affect 1Password in the browser just by navigating to a certain webpage.
You can feel confident about using 1Password, whether your choose to use 1Password in the browser or Universal Autofill. I wouldn't say that one is "more secure" over the other unless we're talking about a specific threat and so I won't be able to rank one as being better than the other in a general sense. And if you're aware of a specific threat that can successfully target and compromise 1Password in the browser then I encourage you to report that threat through our bug bounty program and claim a reward: Strengthening our investment in customer security with a $1 million bug bounty
-Dave
