Feedback on Mac browser autofill and other password-saving measures


#1

Hello - just curious, as the idea of disabling auto-fill in my Mac browser came up in a different thread about some funkiness with Secret Agent in certain password entry forms.

I got to thinking about how browsers are saving this information, because it’s tempting to use their native functionality to save certain form info. I guess Mac Safari might be using the Keychain.

I wanted to “ask the experts” what you think about the security of saving information in these native browser systems. I read somewhere else that it’s generally weakly encrypted.

Could you please comment, offer any insight, perhaps on the difference between those and Codebook?


#2

Hi @rickcogley,

We are somewhat reluctant to comment critically about the security of browser auto-fill and password saving features in current, popular web browsers. They are useful features that come with risks, so what may work for one person might not be a good fit for someone with another scenario or different concerns.

Codebook doesn’t interact directly with web browsers through a plugin. The encryption used is described here. How data is encrypted in the Keychain on OS X and iOS depends on quite a few different factors and circumstances, so I can’t offer a direct comparison to Codebook’s encryption.

Safari uses the Keychain. Apple publishes quite a bit of information on the Keychain in OS X and iOS. The iOS Security Guide might be particularly helpful as it discusses the latter in detail under the section titled “Encryption and Data Protection.”

The EFF also regularly writes about browser security; you can search their website for articles they’ve published on the topic, like this one. They also have articles on various means to protect your privacy, identity, and access to your data on their Self-Defense Project website.

Hope that helps!


#3

Thanks @wgray, I appreciate the extra effort to give me those links. I’ll give those a read, for sure!