Security of using Secret Agent vs. the clipboard

Hello,

There is a discussion on MacRumors Forums (1Password migrants thread | MacRumors Forums) about password managers, and the issue of moving data from a password manager to other applications and browsers came up. People are understandably reluctant to use the clipboard because of security concerns. I use Secret Agent for convenience, and because I assumed it is more secure than using the clipboard. However, I don’t see anything on zetetic’s site confirming that using Secret Agent is more secure, and thus was hoping someone from zetectic would comment on this issue.

Thanks!

Hey Greg,
Thanks for posting this question regarding Secret Agent to us on our discuss board. Neither Secret Agent for Windows or Mac use the clipboard during the Secret Agent action. For Windows, we use a Win32 API for sending keystrokes to a window/ text field and Mac uses an AppleScript for text insertion. Please let us know if you have any additional questions.

Cheers,
Don

Hi Don,

Thanks for your quick response to my post. However, I continue to wonder about the relative security of Secret Agent. Using an AppleScript sounds safer than using the clipboard, but is using Password AutoFill for MacOS, which I think uses Apple’s Password AutoFill subsystem, more secure than using Secret Agent?

Thanks,

Greg

Aug 14, 2024, 9:38 AM by notifications@zetetic.discoursemail.com:

Hi @Greg,

Password AutoFill in Codebook for macOS uses the Authentication Services Framework to interface with your Codebook data.

When first enabling Password AutoFill on your macOS computer, Codebook adds something called a ASPasswordCredentialIdentity which includes a serviceIdentifier (i.e. website url, or app associated domain) along with the username/email to the AutoFill store. This is what the macOS system uses to suggest credentials to AutoFill. When you edit data within Codebook from macOS (i.e. change a username/website in an Entry), this record gets updated with the appropriate data.

When you select a credential to fill (either from the macOS suggestion or from searching by hitting the key button), Codebook provides the applicable password/username associated with that credential which macOS then uses to fill into the target username/email + password field from which AutoFill was triggered.

Secret Agent and macOS Password AutoFill are both secure, we wouldn’t consider one more/less secure than the other.