Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Feature Request? Auto fill automatically?
Hello everyone,
I'm a new user coming from Dashlane after 6 years of using it, and I can say 1Password is amazing and always gets updated and gets all the new features, The only thing I miss is the...
It was explained that autofill without interaction is indeed NOT secure, because you can be victim of injected malware javascript on a hacked website. The domain doesn't matter in this case.
The problem is not that passwords get submitted to a malware domain by submitting the login form. The problem is that injected code has the ability to read input fields while you type or while something is autofilling a field. Submitting isn't required. Autofill a field without submitting is enough. Once the code has read the data, it can submit it to anywhere in an invisible background request.
You see regular use of this field peeking feature with controlled input where a certain format is enforced or certain characters filtered while you type.
To require a manual action from the user avoids the problem that some malicious website redirects to an infected regular website and your credentials being automatically autofilled and abducted. This could work without any manual interaction without a chance to intercept by the user, if autofill is completely automatic.
The new auto submit after manually confirming autofill is probably all we can get from a security point of view.
