This. I am using LastPass, for example, because it is probably the only password manager where you can completely disable auto-fill (you need to click on an input field and then pick a profile, so it is "on demand" fill), which makes automatic harvesting attacks much harder. I have switched from 1Password for exactly that reason: 1Password is very aggressive in filling input fields for you.
The most 1Password has ever done (in my experience) is submit after I select the login to use, even on sites with only one login. I disabled that aspect, and I always have to toggle the helper via ctrl/cmd-\. It has never pre-filled a login field without me asking it to, and that's across v4, v5, v6, and v7.
Not-so-happy LastPass user here: I evaluated alternatives, but LastPass is the only one which somehow works on Linux/Firefox. I have even tried to put pressure on 1password about that, without much success: https://discussions.agilebits.com/discussion/comment/410603/...
I stopped using browser based password managers and switched to KeePass. It's a bit more work to pull passwords and back them up, but for me it beats trusting cloud services with security critical data.
This! I love my setup. I use KeePassXC and sync my password db with NextCloud. I love having an open source password manager that is useful across all of my devices, be it Android, Linux, Mac or Windows.
+1 for enpass, using it to manage and sync passwords between android/iphone/ipad/mac/linux (via dropbox). The single wart is it doesn't autofill firefox on android; you have to switch to a custom secure keyboard where you can manually fill on a field-by-field basis once you've authenticated with master pass or fingerprint.
Another thing I appreciate is that there is an npm module to decrypt your own wallet; this gives me confidence that I can access my secrets if there is some problem with the app or company.
1Password does in fact work on Linux and Firefox -- although it's not prominently advertised for some reason; I usually have to search for the page.
We have a team of developers using macOS and Linux, and we use the team functionality to manage both personal and company passwords. We made the switch to 1Password specifically because of Linux support [1].
I couldn't make it work 6 months ago; they answered on the issue I referenced above that it wasn't officially supported, and they never sent any updates about that on that issue, so I supposed that the situation stayed the same. I wonder why they don't update their issues anyway.
I haven't used it myself, but it was created by Wladimir Palant (creator of AdBlock Plus extension), I believe after they examined the LastPass extension and were rather unimpressed with its security practices.
They don't have a 'horrible track record'. LastPass has always had some of the fastest response times to security issues. They've had certain breaches in the past, but nothing that has exposed any users' passwords.
I like not having my passwords tied to a device, a private key I could lose, etc. With an algorithm, I can still avoid credential stuffing, since all my accounts use totally different secure passwords, but I can derive them without having to look them up.
I realize someone could figure out my algorithm, but they'd probably need several of my passwords and at that point you're talking about a targeted attack.
Most normal websites don't make you rotate passwords. When a site has a breach and forces me to change it, I do have an addition to my algorithm for that. I use Keepass to store passwords that violate my algorithm (sites that don't allow my special chars, or that say my password is too long, etc.)
I'm on my third iteration of password algorithms. I use my password manager to store which algorithm I'm using for which site and try to update old ones to new ones as I encounter/use them.
There aren't that many exceptions to my rules, so I can usually remember those exceptions if I use them frequently enough.
Machine accounts that require rotation get their own special secure password that I don't use anywhere else.
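The comment above describes a mental scheme rather than a concrete algorithm. The following is an added example, not the commenter's scheme and not code from any product in this thread, that shows what a deterministic per-site derivation looks like when written down: a master secret, a normalised site label, a per-site rotation counter (the "addition for a breach"), and a small exception table for sites whose rules the default output violates. The master string, the `EXCEPTIONS` table and the site names are constructed for the example.

```python
"""Deterministic per-site password derivation (illustrative example)."""
import hashlib
import string
from urllib.parse import urlsplit

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_=+"

# Constructed exception table: sites whose policy rejects the default output.
# This plays the role of the "store the exceptions in KeePass" list.
EXCEPTIONS = {
    "legacybank.example": {"allow_symbols": False, "length": 12},
}


def normalize_site(site: str) -> str:
    """Reduce a URL or hostname to one canonical label so that
    'https://www.Example.com/login' and 'example.com' derive the same password."""
    if "://" not in site:
        site = "https://" + site
    host = (urlsplit(site).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _key_stream(master: str, site: str, counter: int, attempt: int) -> bytes:
    """Slow, keyed, one-way derivation: PBKDF2-HMAC-SHA256 over the master
    secret, salted with the site label, the rotation counter and a retry index.
    Knowing several outputs does not give an attacker the master secret."""
    salt = f"site={site};counter={counter};attempt={attempt}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=128)


def derive_password(master: str, site: str, counter: int = 0,
                    length: int = 20, allow_symbols: bool = True) -> str:
    """Map the key stream onto the allowed alphabet with rejection sampling
    (no modulo bias) and require at least one character from every class."""
    site = normalize_site(site)
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if allow_symbols else [])
    alphabet = "".join(classes)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    limit = 256 - (256 % len(alphabet))  # bytes >= limit are discarded
    for attempt in range(64):
        chars = []
        for b in _key_stream(master, site, counter, attempt):
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
            if len(chars) == length:
                break
        if len(chars) == length and all(any(c in cls for c in chars) for cls in classes):
            return "".join(chars)
    raise RuntimeError("could not derive a policy-conformant password")


def password_for(master: str, site: str, counter: int = 0) -> str:
    """Apply the per-site exception table before deriving."""
    opts = EXCEPTIONS.get(normalize_site(site), {})
    return derive_password(master, site, counter, **opts)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed; memorise something long
    print(password_for(master, "https://www.example.com/login"))
    print(password_for(master, "example.com", counter=1))   # after a breach
    print(password_for(master, "legacybank.example"))       # no symbols, 12 chars
```

Two properties matter here. Because the derivation is keyed and one-way, a leak of several site passwords (the targeted-attack worry above) exposes those sites but not the master secret; a mental scheme that is simply a visible transformation of the site name does not have that property. The trade-off is that the master secret itself cannot be rotated without regenerating every password, which is why the per-site counter, not the master, is what changes after a breach.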
Is this new behaviour? In the version of 1Password I have (6.8.8, Mac) it detects the website, but I have to click on the specific login using 1Password Mini to fill the fields. It's never done it automatically as far as I can tell.
It tends to be browsers which are gung-ho about automatically filling in login details.
Nope, I have used 1Password most of last year, maybe they changed it after the data harvesting attack from a few months ago, but for me, the tool was very aggressive in submitting data without me interacting with the website. At the time LastPass was the only major player with "click to launch" feature.
The only way I can think this would happen is if you clicked a URL from within 1Password, which would visit the site and then auto fill. Otherwise you have to press a hot key. That is literally how it has been for years with the only option to change being whether or not it tries to submit the login automatically after filling.
Think I missed that, what happened? I don't enable 1Password autofill or any of its browser extensions; I just see it as additional attack vectors waiting to be compromised.
> 1Password isn’t affected by this problem because it doesn’t include an automatic autofill feature.
Are you sure we’re talking about the same app? I’ve used 1Password for years, and it’s never autofilled for me. Maybe it was actually your browser’s built-in keyring?
I think they're confusing the 1Password browser extension.
1Password has a native app, which I use on both windows and osx, and I just don't install their browser extension for autofill features.
Though, given that I avoid autofill like the plague, I could easily be misunderstanding the issue too. I'm speaking of a subject I don't use, I don't think anyone should haha.
Sorry, I completely screwed up here. I think I am way overworked.
It's Dashlane that I was using, not 1Password.
After Dashlane I was using 1Password for a week but it was not for me, moved to Padlock and now with LastPass.
I have migrated to 1Pass and then from it to LastPass, thus the confusion.
I checked the history of my backups and somehow forgot about my migration from Dashlane, which was the initial tool that would do autofills. Sorry for the confusion; I should have checked that more thoroughly. A good sign for me that it is time for a walk.
The KeePassXC browser integration also does it the way you describe, where you choose a profile instead of having the form already filled in when the page loads.
I use an installed 1Password app, and avoid browser autofill extensions like the plague. Browser extensions don't have a good track record I believe, regardless of company. I don't blame the companies, I blame browser extensions.
I see little benefit in autofill integration, I just click the button in my task bar, click copy, and paste. LastPass has been pretty sketchy in the past too, I don't trust them. I've been quite happy with 1Password, fwiw.
I've been using 1password for many years, and that's not how 1password works for me. There might be a setting to enable that behaviour somewhere, but by default, it doesn't autofill without prompting. That's true for every version, OS, browser plugin, desktop app, mobile, etc.
Edit: I just saw your comment that it was actually Dashlane that autofilled! Nevermind then. :)