Former Member
4 years ago
How do I disable form autosubmit?
In 1Password 8 when I fill a login in Safari, it automatically submits the login. I would like 1Password to fill out the fields but not hit the submit button.
In earlier versions of 1Password, I w...
1P_PeterG
Community Manager
4 years ago
Hi Former Member, thanks for raising this concern.
So, auto-submit was disabled partly as a security feature in 7.2 and now it is forcibly enabled?
Auto-submit wasn't removed for any security-related reasons. At the time it was based on considerations around usability and the reliability of the experience.
However, I can understand where this might have come from. We have discussed auto-fill options and potential security risks around those in the past, but those potential behaviors diverge from how Quick Access acts.
This is from a blog that our security specialist Goldberg wrote a while back:
Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism [of 1Password], lead to an attack where lots of your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.
There are some important considerations here. The original discussion pertained to auto-fill that would be triggered by nothing other than visiting a web page. In the case of Quick Access, you have to tell it to fill. This is the difference between "manual auto-fill" (what Quick Access does) and "automatic auto-fill" (which we are not doing).
Secondly, 1Password's anti-phishing protection offers an additional important measure of security that's worth noting. 1Password won't fill your credentials from domain A into domain B, even if you manually invoke autofill functionality on that site. It has to match the domain you've assigned to the item (although, like in all aspects of security, nothing is bulletproof and our engineers have designed other aspects of 1Password to provide protection in case a malicious website is somehow able to get around this particular defense measure).
We're happy to receive feedback on Quick Access, and whether our current approach is the right one, but I did want to specify that we aren't reversing any previous security design principles or going back on prior reasoning with this feature. 👍
For additional context, I'd highly suggest checking out Goldberg's 2017 blog post in full here, which is, characteristically, an edifying read.
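
The two conditions described in the reply above (fill only when the user asks, and only when the page matches the domain saved on the item) can be sketched as a single decision function. This is an added illustration, not 1Password's code: the function names, the subdomain rule and the sample URLs are assumptions.

```javascript
// Added illustration, not 1Password's code. All names are hypothetical.

// Lowercased host without a trailing root dot ("example.com." -> "example.com").
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// Assumed rule: the page host equals the saved host, or is a subdomain of it
// on a label boundary. A production matcher would also consult the Public
// Suffix List so that a saved host such as "co.uk" can never match.
function hostMatches(savedHost, pageHost) {
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

// Returns { fill, reason }. Filling requires BOTH an explicit user action
// and a match between the page and the URL stored on the item.
function fillDecision(item, pageUrl, userInvoked) {
  if (!userInvoked) return { fill: false, reason: "no-user-action" };
  let saved, page;
  try {
    saved = new URL(item.url);
    page = new URL(pageUrl);
  } catch (err) {
    return { fill: false, reason: "unparseable-url" };
  }
  const ok = hostMatches(normalizeHost(saved.hostname), normalizeHost(page.hostname));
  return ok ? { fill: true, reason: "match" } : { fill: false, reason: "domain-mismatch" };
}

// Constructed sample item and pages (reserved example/test domains).
const item = { title: "Example login", url: "https://example.com/login" };
const cases = [
  ["https://example.com/signin", true],       // same host, user asked
  ["https://login.example.com/", true],       // subdomain of the saved host
  ["https://example.com.evil.test/", true],   // saved name used only as a prefix
  ["https://notexample.com/", true],          // no label boundary before the name
  ["https://example.com@evil.test/", true],   // saved name appears in userinfo only
  ["https://example.com/signin", false],      // page load, nobody asked to fill
];
for (const [url, invoked] of cases) {
  const d = fillDecision(item, url, invoked);
  console.log(url, "invoked=" + invoked, "->", d.fill, d.reason);
}
```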