1Password warns before saved passwords are entered on scam sites

1Password is rolling out a built-in anti-phishing feature that blocks autofill and shows a warning when saved logins are used on sites with mismatched URLs; it is enabled by default for personal users and can be configured for business and enterprise accounts.

1Password is introducing a new anti-phishing measure in its browser extensions and apps. The update aims to stop saved credentials from being automatically provided to sites whose addresses do not match the URLs where those logins were stored. Instead of silently refusing to autofill, the app now shows a proactive warning when a user attempts to paste a saved login on a mismatched site. The change responds to increasingly convincing phishing pages, including those assisted by AI. Key details: - The feature blocks autofill and displays a warning pop-up when a saved login is pasted into a site with a different URL than the stored entry. - It is built into 1Password's browser extensions and apps rather than as a separate add-on. - Individual and family users receive the feature enabled by default as it rolls out. - Business and enterprise customers can enable the protection through the 1Password admin console under Authentication Policies. - The protection builds on existing URL-matching and restricted-autofill safeguards and is described as an additional layer, not a complete solution. Summary: The update adds an extra prompt intended to reduce accidental credential disclosure by blocking automatic entry on sites with mismatched addresses. The change is rolling out now and is enabled by default for personal accounts, while business and enterprise administrators can configure it through the admin console. The measure is presented as a step to lower risk as phishing pages become more sophisticated, and its broader effectiveness will unfold over time.