How do I disable form autosubmit?

I am very happy with auto-submit
But it would certainly re-assure some people if you make it optional

But please do not remove it

1Password 8 will happily auto fill the wrong credentials on subdomains. Which “may” not be a security issue but it sure is annoying. On Wordpress sites auto submit occurs with empty 2FA fields. 1P_PeterG , can you guarantee that 1Password will NEVER accidentally put login information into the wrong fields?

Mostly annoying though is that you are dictating how 1Password works for individual users. You had settings that allowed each user to choose what to do, and you have chosen to remove that choice for users. Pretty I am not alone on this. Sadly 1Password team seems to be sitting on their laurels now that they have market share. This is disappointing, as gone are the days when you listen to your users. 😕

Looking at your own blog, let’s focus on the auto submit portion:

Sometimes a website doesn’t behave as 1Password might expect, resulting in passwords being filled sub-optimally, or fields being left blank. If 1Password were to automatically submit forms in these cases, users are left with an experience that we don’t feel reflects how we want 1Password to work and can lead to confusion.

This hasn’t changed, it is still the case, why has your team deemed your own sales pitch, and this valid issue, now invalid?

1P_PeterG since you are appearing to deflect by comparing auto fill with auto submit, let me quote the article:

If you are using a password manager that doesn’t allow you to turn that feature off, switch password managers.

This to me, and I suspect to all your users, could apply to auto submit as well.

Any developer worth his salt, knows when to say “we screwed up.” Maybe time for your team to consider this? Forcing auto submit is only one small issue with 1Password 8.

Don’t get me wrong, which is probably easy to do with my rant style here, I do think 1Password could one day be great again. But you need to take a step back and consider that just maybe, some of your decisions are wrong. You are not too big to fail.

Good luck!

Hi 1P_PeterG, I wonder if the mention that Former Member is noting is from this link:
https://blog.1password.com/1password-7.2-for-mac-welcome-to-the-dark-side/#mojave-mo-secure

I don't exactly read that as stating that the removal was for security, but it does seem a reasonable interference from the title of the section (Mojave, mo’ secure) and previous material.

That is the same section that notes:

You’ll also notice that 1Password 7.2 no longer automatically submits passwords once they have been filled. This was a difficult decision to make, but we made it for a few reasons that we wanted to share:

...

We feel strongly that removing the ability to automatically submit passwords is the right call. I’ll be fully transparent, it’s taken some getting used to, but now that it’s part of my workflow… autosubmit? I don’t miss it.

Personally I agree with that, please at least restore this as a user configurable option! The current behavior is pretty broken for many sites I use.

Hi Former Member, thanks for raising this concern.

So, auto-submit was disabled partly as a security feature in 7.2 and now it is forcibly enabled?

Auto-submit wasn't removed for any security-related reasons. At the time it was based on considerations around usability and the reliability of the experience.

However, I can understand where this might have come from. We have discussed auto-fill options and potential security risks around those in the past, but those potential behaviors diverge from how Quick Access acts.

This is from a blog that our security specialist Goldberg wrote a while back:

Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism [of 1Password], lead to an attack where lots your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.

There are some important considerations here. The original discussion pertained to auto-fill that would be triggered by nothing other than visiting a web page. In the case of Quick Access, you have to tell it to fill. This is the difference between "manual auto-fill" (what Quick Access does) and "automatic auto-fill" (which we are not doing).

Secondly, 1Password's anti-phishing protection offers an additional important measure of security that's worth noting. 1Password won't fill your credentials from domain A into domain B, even if you manually invoke autofill functionality on that site. It has to match the domain you've assigned to the item (although, like in all aspects of security, nothing is bulletproof and our engineers have designed other aspects of 1Password to provide protection in case a malicious website is somehow able to get around this particular defense measure).

We're happy to receive feedback on Quick Access, and whether our current approach is the right one, but I did want to specify that we aren't reversing any previous security design principles or going back on prior reasoning with this feature. 👍

For additional context, I'd highly suggest checking out Goldberg's 2017 blog post in full here, which is, characteristically, an edifying read.

Ah, I was just coming here to post about this and saw this from earlier this morning. Yes!, Pease, please, please allow us to turn auto-submit off. It's driving me mad. There are just too many cases where I want to do something after auto-filling:

• I tend to fire auto-fill pretty quickly after loading a page, often before I notice there's a "stay logged in" checkbox that I want to turned on. With auto-submit, I miss the opportunity to toggle it, which means I have to log in again next time I go to the site/app, at which point I repeat the cycle. It's vicious -- takes me a dozen-plus tries to break it sometimes. (Yes, I'm very dense. Or really, just very routine-driven.)

• I have multiple logins for many things, many logins for a few. As a result, I sometimes choose the wrong one. Up through v7, this wasn't a big deal - I would simply look to see which account got filled and redo it if necessary. Now, I'm slammed into the account whether it's the right one or not, which means I have to wait for the site/app to load, find the logout function and click it, then try it all again. And in some cases (especially when SSO is being used), switching accounts doesn't always work reliably, which means it might take a few tries or even force clearing cookies or switching browsers. And with direct support for contexts outside the browser, there are all new unintended consequences that can happen, like downloading content to the machine with Dropbox or similar, accidentally purchasing an app with the wrong account in the App Store (thus locking it to the wrong account), or accidentally saving a file to the wrong account (MS Office). And some of those unintended consequences can have further consequences with one's employer, compliance, etc.

• Some sites have secondary controls that appear as you're going through the login process; this is the OP's point. Sometimes, these are on the first page and visible right off the bat, which means I can deal with them if I'm not moving too quickly (see first item above). However, at other times, they only become visible once you fill in the username portion, or worse, they're only visible on the second or third page of a multi-step login process. In these cases, the only thing I can do is go back to my mid-'90s pre-password manager days and copy/paste the credential.

So, auto-submit was disabled partly as a security feature in 7.2 and now it is forcibly enabled? This means in the right circumstances, 1Password 8 is now insecure (for example, 1Password fills in the wrong fields with your data, which is then sent to the server and stored in a log file). Had I known 1Password 8 was still in Alpha, I would not have tried it out. Now up to 4 pretty significant bugs which have all been forwarded to 1Password. 5 bugs if. you include the fact that this is an electron app and not a native app. The only thing holding me to 1Password right now is its ubiquity.

Just updated to V8. I can see now that credentials filled via the safari extension are being auto submitted again. I understood that auto submit was removed years ago so I am surprised to see it is back.

I have a site that I need to manually enter parts of a second password, which I would normally do after auto filling then manually submit. How can I set autosubmit to never on this item?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

+1

I'd like the ability to turn autosubmit off or on by website, like before but absent that ability to turn it off for all. I generally like it submitting but I have a few I use, e.g., Etrade, with dual factor turned on, and that requires me to add the one-time password manually after 1password autofills the password line, i.e., it's the password+one-time code, right in the password field. This version simply won't work with websites like that. It almost locked me out. What I have to do now is manually open site, manyally copy over user name, manually copy over password, then I enter the one-time password and click submit.

+1 to restoring this ability to globally disable auto-submit.

Just echoing above, but I depend on 1Password not auto-submitting for a number of sites, for example a site that requires an OTP to be appended to the password that is entered, or one that takes the OTP at the same time as the password but 1Password fails to autofill it, or ... These now become very manual copy paste interactions between me and the site.