Require Open Source for Password Managers

Not everyone is using a computer. Any task which requires manual action lowers the security due to the human factor.

4 Likes

… and yet people don’t, and then realize they should have. These are all failure points.

There will always be passwords at some point because of how basic they are, and I doubt banking is going to want to be reliant on other companies for authentication as an example.

I hope so. The problem isn’t passwords themselves but everyone failing to create strong passwords or use password managers. Instead of enforcing passkeys they should have kept promoting 2FA and encouraging users to use that (but not mandate it).

Of course all of this requires a reliable and modern computer or smartphone, which makes passkeys inaccessible to the poor, underprivileged, or anyone who does not own or operate a capable device.

This also applies to cash vs digital.

I would rather have a piece of paper with all my passwords written down, stored in a drawer at home, than have Google, Apple, or Microsoft handle anything regarding security for me!

Passwords are one of the few things I would not write down on paper. Something as sensitive as that shouldn’t be stored unencrypted, because as soon as someone gets a hold of that paper I’m done for.

I don’t think there’s much worry about that, I mean as long as they can afford a phone, and even the poorest of the poorest countries have people who can afford a phone.

If Apple and Google support such features in their base APIs then it will be supported by all flavored OSes based on these.

Agreed, and also the simple fact that it now has zero physical protection. It’s worse than biometrics because at least someone has to go to the effort of chopping off your finger, or forcing you to comply - you at least get the opportunity to know about it.

That article just turned 4 years old :birthday_cake:

Here’s a new one.

TL;DR: All of the major cloud-based password managers suffered a serious vulnerability. Proton Pass has already fixed it and Bitwarden soon will. 1Password and LastPass don’t care. KeePass is unaffected :smiley: .

3 Likes

Do you think that stealing a payment card or personal data with a single click is a high severity issue?
Bitwarden sees this vulnerability slightly differently. Maybe it could be the reason why it was not fixed even after more than 4 months.

Where was this in your TL;DR? It’s like you choose to only highlight the bad parts of programs you don’t like, it is as if you have an agenda…

2 Likes

If you’re using Bitwarden, an update (2025.8.0) is coming later this week.

The thing is that this vulnerability, relying on clickjacking (but not only), has been fixed by many other password managers like Proton, NordPass, Dashlane, etc.

This means that this specific issue is fixable. And both 1Password and LastPass have concluded that it was not critical enough to fix. I’ll let you be the judge on this, but as a long time 1Password customer, I feel betrayed and outraged at how they are dealing with this.

Avoidance again. The point is 1Password isn’t the only manager playing fast and loose here, but you don’t want that smoke when it’s a precious FOSS program.

Anyway this is off topic, and should really be discussed in the thread you link.

1 Like

At least Bitwarden is going to make a fix soon while 1Password isn’t. Turns out 1Password isn’t as competent as everyone here thought.

We’re discussing the removal of 1Password and the requirement of open source for password managers aren’t we?

2 Likes

Yeah but both this issue and the removal of 1Password are separate topics with their own threads.

1 Like

Bitwarden just released their fix. 1Password still hasn’t.

Not sure this adds much to this already very long thread but I am in favour of this proposal.

I think recommending proprietary tools makes sense in categories where there are not many trusted open source options but in the password manager section we do now have multiple options and I can’t see any reason not to raise the minimum bar.

Open source is not a silver bullet, but it’s hard to argue it is not preferable over proprietary options. I think requiring this now and slightly changing our recommendations is a good thing, as it shows things are improving generally in this category.

(I also think the page should encourage keepass and local password managers over cloud ones if the user is more technically inclined but that’s a different topic)

3 Likes

Cloud password managers are a life saver for anyone working in a complex business with hundreds, if not thousands, of passwords. Alas, a local KeePass is almost always better in the case of a public vulnerability like the one I shared in the other thread.

That being said, I won’t lie that I don’t feel comfortable using 1Password anymore. Unless they take care of the matter in a radically different way, this is a breach of trust. Not really compatible with a password manager or any other kind of security oriented app.

Meanwhile, you do have open sourced alternatives like Bitwarden and Proton Pass that are taking care of things in a transparent way. Proton definitely won this time tho, as Bitwarden took 4 freaking months to fix the vulnerability… So, yeah. I have the feeling that Proton is on the right path to become the new go-to.

3 Likes

Official reply from 1P

Hi all,

Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.

A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.

Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.

Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.

We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.

On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.

Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.

We’re preparing a security advisory that will share more details soon.

3 Likes
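As an added illustration (my own example, not 1Password’s or any vendor’s extension code), a single autofill policy gate in the style the reply above describes: items only match on the exact saved origin, payment items always prompt, and confirmation for other item types is a user-selectable setting. Item shapes, setting names and the sample origins are assumptions for the example.

```javascript
// Added example: every autofill path in a content script must pass through
// autofillDecision(), so a synthetic or clickjacked trigger cannot skip the
// prompt. Assumption: each saved item records the exact origin it was saved for.

const CONFIRM_SETTINGS = {
  payment: "always",    // payment cards always prompt before filling
  identity: "optional", // user can opt in to prompts for identity items
  login: "optional",    // user can opt in to prompts for logins
};

// Exact-origin match (scheme, host and port); no subdomain or scheme
// loosening, which is what keeps autofill from working on look-alike sites.
function originMatches(itemOrigin, pageOrigin) {
  try {
    const saved = new URL(itemOrigin);
    const page = new URL(pageOrigin);
    return saved.protocol === "https:" && saved.origin === page.origin;
  } catch {
    return false; // unparsable origin: fail closed
  }
}

// Decide the outcome of one autofill request for one item.
// opts.confirmEnabled: per-type user setting for "optional" item types.
// Returns "deny", "confirm" (show a dialog first) or "fill".
function autofillDecision(item, pageOrigin, opts = {}) {
  if (!originMatches(item.origin, pageOrigin)) return "deny";
  const mode = CONFIRM_SETTINGS[item.type];
  if (mode === undefined) return "deny"; // unknown item type: fail closed
  if (mode === "always") return "confirm";
  return opts.confirmEnabled && opts.confirmEnabled[item.type] ? "confirm" : "fill";
}

// Text for the confirmation dialog; naming the destination origin lets the
// user notice a page they did not intend to fill.
function confirmationText(item, pageOrigin) {
  return `Fill "${item.label}" (${item.type}) into ${new URL(pageOrigin).origin}?`;
}

// Constructed sample vault for a stand-alone run.
const SAMPLE_ITEMS = [
  { type: "payment", label: "Visa ending 1234", origin: "https://shop.example" },
  { type: "login", label: "shop account", origin: "https://shop.example" },
];
for (const item of SAMPLE_ITEMS) {
  console.log(item.label, "->", autofillDecision(item, "https://shop.example/checkout"));
}
```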

“It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.”
https://socket.dev/blog/password-manager-clickjacking#:~:text=It’s%20the%20opinion%20of%20the%20Socket%20Security%20Team%20that%2C%20if%20this%20is%20the%20case%2C%20the%20mitigations%20currently%20implemented%20by%20other%20password%20managers%20may%20also%20be%20bypassable.

Discussion with 1Password

After filing the request for CVE numbers with US-CERT the Socket Security Team reached out to the impacted password manager vendors to alert them about the pending CVE assignment. At time of publication, only 1Password responded.

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

1Password stated they considered this dialogue popup solution, and implemented it for credit card fields, but opted not to implement this for PII due to user feedback, according to the H1 triage logs with Tóth:

Security and usability are a balance, one that we are always making tradeoffs back and forth to find the right solution. Sometimes there is no perfect solution, only the solution that works best for the most users. As I mentioned previously, it is only with user feedback that we chose to remove the prompt for the PII items that would prevent clickjacking from occurring. A change that we’ve documented in the support article under the “Identity alerts” section.

As of the time of publication, 1Password has chosen not to provide an official statement to the Socket Security Research team about Tóth’s research.

While it is easy to assume vendors are simply ignoring these vulnerabilities, the reality is more complicated. Mitigating DOM-based clickjacking in a way that is both robust and frictionless for end users is a technically difficult challenge. The most straightforward solution, adding confirmation dialogs before autofilling, does introduce usability friction that some users may push back on. Password managers walk a tightrope between security and usability, and choices about which safeguards to enforce ultimately reflect product decisions about that balance. That said, the research highlights that what’s convenient for users in the short term can leave them exposed to systemic risks that attackers may exploit.