How does the Passwords app really work?

Tried the new Passwords app today for the first time.

When I open a website for which I have saved a password in the Passwords app, and put the cursor in the “username” field, there appears a popup with suggested usernames, and after I select the username, the “password” field is filled up automatically. This is convenient of course, but doesn’t seem to be really safe. Isn’t it that if the Passwords app is not open currently, it should ask me a user password first?

I believe it’s safe. Writing new accounts to the database is different than retrieving existing accounts. You can’t access or use existing passwords without entering your password.

@McWimmish I won’t call this “safe”. Here is a real-life case. I left my Mac not locked for 5 minutes. Then someone (e.g. my colleague at work, but it doesn’t matter) takes it, clicks Safari, opens some sensitive website (e.g. “adult content”, but again, this doesn’t matter) where I have an account but am not logged in currently, and then nothing will prevent this person from logging in there.

Maybe I simply don’t understand how to set up or use the Passwords app properly? I don’t mean this topic to be a rant. What I need is simply some technical help.

There is always a trade-off between security and convenience/usability.
If you want to avoid such situations (and are willing to bear the inconvenience), you can enable the use of Touch ID for auto-filling passwords (my default), or completely disable the auto-filling for passwords.

The Touch ID option is under:
Settings → Touch-ID & Password → Use Touch ID for auto-filling passwords.

Disabling auto-filling for passwords completely is under:
Settings → Autofill & Passwords → Autofill Passwords and Passkeys


It should be linked to the URL you are at.

This means that if you get redirected to a malicious URL which pretends to be a legit site, your password manager shouldn’t offer to autofill your username or password.

So you need to lock your computer. Problem solved.

It should be linked to the URL you are at. This means that if you get redirected to a malicious URL which pretends to be a legit site, your password manager shouldn’t offer to autofill your username or password.

Yes, I already linked the records in the Passwords app with their respective URLs. And yes, if I am redirected to a malicious URL that pretends to be a legit one (think of something like http://goooogle.com), Passwords won’t offer to autofill my username or password.

But this doesn’t have anything to do with the problem I tried to solve.

Could you help once more?

If I open Passwords and create a password there manually, and specify the respective website(s), I can remove this website later.

But if the password was added in Passwords by selecting the “Save Password” button when signing in:

then it is not possible to remove that URL in Passwords later. On the following screenshot the “minus” button is grayed out. Why?


It always asks me for Touch ID or a password. For each and every website. Perhaps your settings are different. Besides that, never leave your laptop unlocked. You can develop the most secure software, but that’s useless when people ignore the basics of security.


I wanted to try it just for 2FA, but am I right that it only will allow you to save 2FA along with a login/password entry?