Safari 5 password manager
Mac Enthusiast
Join Date: Feb 2005
Someone should make a Safari 5 extension that is a very basic password manager.
Just basic manual store/fill of logins with storage in the keychain.
Safari can't remember/autofill logins for some sites that use non-standard forms and we need something to fill the gap!
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by tightsocks
Someone should make a Safari 5 extension that is a very basic password manager.
Just basic manual store/fill of logins with storage in the keychain.
Safari can't remember/autofill logins for some sites that use non-standard forms and we need something to fill the gap!
Those fields probably have autocomplete disabled on them as a security measure at the HTML level. This should not be overridden. Check the source code for:
<input type="text" name="cc" autocomplete="off" />
Moderator Emeritus
Join Date: Mar 2004
Location: Copenhagen
This should not be overridden.
Why not?
Storing your passwords is inherently unsafe, but it should be up to the user, not the site, whether to take the chance. Most sites I can think of where storing your password would be a really bad idea (like netbanking sites) use Java applets or something similar anyway, and thus provide security against password storage at a higher (or deeper?) level than just HTML.
Measures against password storage at the HTML level are fairly useless, in my eyes.
Mac Enthusiast
Join Date: Feb 2005
Already overriding the "autocomplete=off" tag with this extension.
We still need something that we can use to manually store/add/copy/paste items to the keychain easily from within Safari.
Forms like the drop-down login form at Twitter.com or the login form at Howardforums.com don't use "autocomplete=off"
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Oisín
Why not?
Storing your passwords is inherently unsafe, but it should be up to the user, not the site, whether to take the chance. Most sites I can think of where storing your password would be a really bad idea (like netbanking sites) use Java applets or something similar anyway, and thus provide security against password storage at a higher (or deeper?) level than just HTML.
Measures against password storage at the HTML level is fairly useless, in my eyes.
I suppose an extension that puts the onus on the user is fine with me, but I'm still a little wary of that. I can't count how many times I've used a public machine where a user forgot to log out of their email, there was some browser history which showed some pretty weird browser activity, there was a login form I could easily negotiate with autocomplete, whatever. At one of my last jobs we were fairly certain that there was a keystroke logger installed somewhere that was helping compromise accounts. It's bad enough when these sorts of things exist, but couple this with ignorant users or users cavalier about their own security, and I'm generally inclined to err on the side of security.
Put it this way, as a developer I like the autocomplete setting - I don't want to have to deal with compromised accounts, nor do I want to be associated with them in any way, no matter how remote the possibility.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by tightsocks
Already overriding the "autocomplete=off" tag with this extension.
We still need something that we can use to manually store/add/copy/paste items to the keychain easily from within Safari.
Forms like the drop-down login form at Twitter.com or the login form at Howardforums.com don't use "autocomplete=off"
I think autocomplete looks for the form names and/or CSS IDs of fields and completes them accordingly. It is probably best in terms of effectiveness not to tether autocomplete to particular pages since these pages may change, but if you were to design something like this, this is probably how it might best work.
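As an added example, not code from the thread, from Safari, or from any of the products mentioned: a script that does what the two posts above describe by hand. It scans a page's HTML source for login forms, reports which fields a filler would target and whether the page set autocomplete="off" on the form or the password field (besson3c's check), and then chooses a stored login by origin rather than by full URL with the saved field names as a tie-breaker (besson3c's note that matching on field names beats tethering to a page). The username heuristic (last text or e-mail field before the password field), the origin-keyed store, and the sample page are assumptions.

```python
"""Audit login forms in page source and pick the stored login a filler would use.
Added example; the HTML and the store below are constructed, not taken from any site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LoginFormScanner(HTMLParser):
    """Collects each <form> with its <input> fields, keeping the attributes a filler cares about."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"id": a.get("id"), "action": a.get("action"),
                          "autocomplete": a.get("autocomplete", "").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append({
                "type": a.get("type", "text").lower(),
                "name": a.get("name"), "id": a.get("id"),
                "autocomplete": a.get("autocomplete", "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def login_fields(form):
    """(username_field, password_field) for a form, or None when it has no password input.
    Assumed heuristic: the username is the last text/e-mail input before the password."""
    fields = form["fields"]
    for i, f in enumerate(fields):
        if f["type"] == "password":
            before = [g for g in fields[:i] if g["type"] in ("text", "email")]
            return (before[-1] if before else None), f
    return None


def audit(html):
    """One row per login form: target fields and whether the page asked browsers not to
    remember them (autocomplete="off" on the form or on the password field)."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    rows = []
    for form in scanner.forms:
        pair = login_fields(form)
        if pair is None:
            continue  # e.g. a card-number form: no password field, nothing to store
        user, pw = pair
        rows.append({
            "form": form["id"] or form["action"],
            "username_field": user and (user["name"] or user["id"]),
            "password_field": pw["name"] or pw["id"],
            "autocomplete_off": form["autocomplete"] == "off" or pw["autocomplete"] == "off",
        })
    return rows


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def pick_credential(page_url, row, store):
    """Match on origin (scheme + host), not the full URL, since login pages move; among
    same-origin entries prefer the one saved against the same password field name."""
    same_origin = [c for c in store if c["origin"] == origin(page_url)]
    if not same_origin:
        return None
    exact = [c for c in same_origin if c["password_field"] == row["password_field"]]
    return (exact or same_origin)[0]


# Constructed sample page: a Twitter-style drop-down login, a payment form whose card
# field carries autocomplete="off" (the line besson3c quotes), and a form that turns
# autocomplete off wholesale.
SAMPLE_HTML = """
<form id="signin" action="/sessions">
  <input type="text" name="session[username_or_email]">
  <input type="password" name="session[password]">
</form>
<form id="pay" action="/charge">
  <input type="text" name="cc" autocomplete="off" />
</form>
<form id="netbank" action="/login" autocomplete="off">
  <input type="email" name="customer">
  <input type="password" name="pin">
</form>
"""

# Constructed store entries; a real extension would read these from the keychain.
SAMPLE_STORE = [
    {"origin": "https://twitter.com", "username": "tightsocks",
     "password": "example-secret", "password_field": "session[password]"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML):
        print(row, pick_credential("https://twitter.com/login", row, SAMPLE_STORE))
```

Note that the scheme is part of the key: an entry saved for https://twitter.com is not offered to http://twitter.com or to a look-alike host, which is the check a filler keyed on field names alone would not make.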
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by tightsocks
Safari can't remember/autofill logins for some sites that use non-standard forms and we need something to fill the gap!
There *is* something to fill the gap. It's called 1Password.
-t
Mac Enthusiast
Join Date: Feb 2005
There *is* something to fill the gap. It's called 1Password.
1Password is overkill for my needs.
Need something lighter than 1PW but which is secure (i.e. keychain) and always available (i.e. Safari extension/toolbar)...
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
LOL, overkill in what respect?
It does what you need it to do, and there is nothing else that compares.
-t
Mac Enthusiast
Join Date: Feb 2005
Originally Posted by turtle777
LOL, overkill in what respect?
It does what you need it to do, and there is nothing else that compares.
-t
It has many features that I don't want for my limited use and it also has some shortcomings that also make me unwilling to adopt it as my main password manager...
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by tightsocks
It has many features that I don't want for my limited use and it also has some shortcomings that also make me unwilling to adopt it as my main password manager...
Well, don't use the features you don't use.
What things are you missing ?
-t
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Originally Posted by besson3c
Put it this way, as a developer I like the autocomplete setting - I don't want to have to deal with compromised accounts, nor do I want to be associated with them in any way, no matter how remote the possibility.
As a user, I dislike the autocomplete setting for three reasons. One is that it implies that your site is more important than my email, which strikes me as presumptuous, and the second is that such a password will just end up on a postit stuck to the screen anyway. The third is that it is part of the general trend of being too safe rather than convenient. This is like those bans on cell phones at gas stations in some countries, for fear that they might ignite fumes - I remove a big chunk of your convenience in the name of safety, because it protects me from potential harm and doesn't hurt me at all.
(sidenote: The cell phone ban is among the most absurd rules I've ever seen. Everyone and their grandmother has had a cell phone for 15 years at least, most countries do not ban them at gas stations, and there have been exactly zero accidents as a result. Hey, mr regulator: Would you like me to draw you a picture?)
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by P
As a user, I dislike the autocomplete setting for three reasons. One is that it implies that your site is more important than my email, which strikes me as presumptuous, and the second is that such a password will just end up on a postit stuck to the screen anyway. The third is that it is part of the general trend of being too safe rather convenient. This is like those bans on cell phones at gas stations in some countries, for fear that they might ignite fumes - I remove a big chunk of your convenience in the name of safety, because it protects me from potential harm and doesn't hurt me at all.
I don't understand the first argument. When a server is compromised it doesn't just affect the admins, it affects you too. When a webmail server is compromised by spammers it is used to send out ridiculous amounts of spam, which creates backlogs of queues, a less responsive interface, and most importantly, it puts the server on black/blocklists which affects all other users. If I've misunderstood your point, I apologize.
Do you put your passwords on post-it notes and attach these to public computers? Compromised accounts often occur at public machines, not always in homes that have some degree of physical security. I think this argument has more to do with enforcing long and complicated passwords or passphrases, and I actually agree with you on that - forcing longer and more complicated passwords trades off fewer support requests and user convenience for some amount of security, and even this is debatable when you are dealing with keystroke loggers, for instance.
As far as your third argument, I agree that there is a balance, but again, as a developer I would still prefer to keep a safe distance away from anything that may potentially compromise my systems. There are a number of places where people use public machines or machines that do not belong to them:
- waiting rooms (e.g. when getting your car repaired)
- internet cafés
- libraries
- computer labs
- a friend's or girlfriend/boyfriend/ex-girlfriend/ex-boyfriend's house
it is so easy to forget to log out, or you forget to switch your browser to private browsing mode, or whatever. Rule of software engineering: if you give your users a gun they will find a way to shoot themselves with it.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by besson3c
Rule of software engineering: if you give your users a gun they will find a way to shoot themselves with it.
That's why I'm for password protected guns.
Oh, wait, nevermind
-t
Clinically Insane
Join Date: Mar 2001
Location: yes
sudo shoot --bullet
sudo shoot --rocket
Moderator Emeritus
Join Date: Apr 2001
Location: Wasilla, Alaska
(I know, it's been done to death, but it still makes me laugh.)
Mac Enthusiast
Join Date: Feb 2005
Originally Posted by turtle777
There *is* something to fill the gap. It's called 1Password.
-t
Just found lastpass.com
It is basically a free 1Password 'lite'. The form-filling routines are almost exactly like 1Password's.
Still a bit overly complex for my needs, but it seems to do exactly what I'm looking for, i.e. autocomplete for sites with login forms that aren't handled by Safari.
And it's free...
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Well, they say it's safe and that your data is encrypted and unreadable, but still, I'd be uncomfortable giving a website all of my passwords.
-t
Mac Enthusiast
Join Date: Feb 2005
Originally Posted by turtle777
Well, they say it's safe and that your data is encrypted and unreadable, but still, I'd be uncomfortable giving a website all of my passwords.
-t
In my case I'm only giving them a handful of less important logins.
It would seem however, that the entire security system rests on the security of the email account associated with the service.
If you can access that email then it would seem that you can reset the master password for the service.
They even offer two factor login support, but it can be turned off by anyone that can get access to the associated email account and click the confirmation link in the email!
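As an added example, not LastPass's actual flow (the thread does not document it) and not any vendor's code: a toy account model that contrasts the recovery design tightsocks describes, where the e-mailed link alone resets the master password and switches the second factor off, with one where the link only proves mailbox access and the second factor is still required for both operations. TOTP follows RFC 6238 (verified against the RFC 4226 test key); the token lifetime, the KDF parameters, the drift window and the sample accounts are assumptions.

```python
"""Account recovery: e-mail-only versus e-mail plus second factor. Added example."""
import hashlib
import hmac
import os
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    return hotp(key, at // step)


class Account:
    RESET_TTL = 15 * 60  # assumed: seconds an e-mailed reset link stays valid

    def __init__(self, email: str, master_password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.master_hash = self._kdf(master_password)
        self.totp_key = None      # None: no second factor enrolled
        self.reset_tokens = {}    # token -> expiry; every token is single use

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def verify_master(self, password: str) -> bool:
        return hmac.compare_digest(self._kdf(password), self.master_hash)

    def enable_2fa(self, key=None) -> bytes:
        self.totp_key = key or secrets.token_bytes(20)
        return self.totp_key  # shown to the user once, e.g. as a QR code

    def second_factor_ok(self, code: str, now: int) -> bool:
        if self.totp_key is None:
            return True  # nothing enrolled, so the e-mail link is all there is
        # accept the current step and one either side of it for clock drift
        return any(hmac.compare_digest(totp(self.totp_key, now + d), code) for d in (-30, 0, 30))

    def request_reset(self, now: int) -> str:
        """Mint the token that goes out in the reset e-mail."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = now + self.RESET_TTL
        return token

    def _consume_token(self, token: str, now: int) -> bool:
        expiry = self.reset_tokens.pop(token, None)  # burned on first use, success or not
        return expiry is not None and now <= expiry

    # --- the design the post describes: whoever reads the mailbox owns the account ---
    def reset_master_email_only(self, token: str, new_password: str, now: int) -> bool:
        if not self._consume_token(token, now):
            return False
        self.master_hash = self._kdf(new_password)
        return True

    def disable_2fa_email_only(self, token: str, now: int) -> bool:
        if not self._consume_token(token, now):
            return False
        self.totp_key = None
        return True

    # --- hardened: the link proves mailbox access, the code proves the enrolled device ---
    def reset_master(self, token: str, new_password: str, code: str, now: int) -> bool:
        if not self._consume_token(token, now) or not self.second_factor_ok(code, now):
            return False
        self.master_hash = self._kdf(new_password)
        return True

    def disable_2fa(self, master_password: str, code: str, now: int) -> bool:
        """Turning the second factor off needs both factors; no e-mail link is involved."""
        if not self.verify_master(master_password) or not self.second_factor_ok(code, now):
            return False
        self.totp_key = None
        return True
```

The hardened variant still depends on the mailbox for accounts that never enrolled a second factor, which is the point tightsocks makes; what it removes is the path by which mailbox access alone strips an enrolled factor. Burning the token on a failed attempt also keeps an attacker from spending one link on a million TOTP guesses.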
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by tightsocks
In my case I'm only giving them a handful of less important logins.
It would seem however, that the entire security system rests on the security of the email account associated with the service.
If you can access that email then it would seem that you can reset the master password for the service.
They even offer two factor login support, but it can be turned off by anyone that can get access to the associated email account and click the confirmation link in the email!
Unencrypted plain text emails cached to your local hard drive or stored on your hard drive, in the case of POP email accounts, that can be skimmed through by a simple grep command without requiring authentication, or in the hands of a third party whose data you do not own (in the case of GMail or the like)? I think I'm with Turtle...
Sensitive information in email = bad
Mac Enthusiast
Join Date: Feb 2005
I'm not absolutely positive about the password recovery procedure via email...
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by tightsocks
I'm not absolutely positive about the password recovery procedure via email...
It's good that you are looking into it!
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Originally Posted by turtle777
Well, they say it's safe and that your data is encrypted and unreadable, but still, I'd be uncomfortable giving a website all of my passwords.
LastPass supposedly stores its files encrypted locally.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Originally Posted by besson3c
I don't understand the first argument. When a server is compromised it doesn't just affect the admins, it affects you too. When a webmail server is compromised by spammers it is used to send out ridiculous amounts of spam, which creates backlogs of queues, a less responsive interface, and most importantly, it puts the server on black/blocklists which affects all other users. If I've misunderstood your point, I apologize.
I know that there are problems if passwords are compromised, my point was over the relative harm from a break-in. None of the major webmail services use that flag, as far as I know, so why should you for what is likely a less important site?
Originally Posted by besson3c
Do you put your passwords on post-it notes and attach these to public computers? Compromised accounts often occur at public machines, not always in homes that have some degree of physical security.
But disabling password managers on a per-site basis does nothing to solve the "public machine in a lab" problem. It's possible to disable password managers on a per-computer basis in say a lab, and that's different, but that tag only means "I don't like password managers, so no one should use them".
Originally Posted by besson3c
I think this argument has more to do with enforcing long and complicated passwords or passphrases, and I actually agree with you on that - forcing longer and more complicated passwords trades off fewer support requests and user convenience for some amount of security, and even this is debatable when you are dealing with keystroke loggers, for instance.
My pet peeve is not those rules, but rules about changing passwords at a certain interval. Everyone I know just appends a digit at the end and increments by one, not only defeating the purpose but actually decreasing net password security.
As for longer and more complicated passwords, I find that education works much better than rules. Some people combine this with dictionary attacks run by admins to weed out the worst passwords.
Originally Posted by besson3c
As far as your third argument, I agree that there is a balance, but again, as a developer I would still prefer to keep a safe distance away from anything that may potentially compromise my systems. There are a number of places where people use public machines or machines that do not belong to them:
- waiting rooms (e.g. when getting your car repaired)
- internet cafés
- libraries
- computer labs
- a friend's or girlfriend/boyfriend/ex-girlfriend/ex-boyfriend's house
it is so easy to forget to log out, or you forget to switch your browser to private browsing mode, or whatever. Rule of software engineering: if you give your users a gun they will find a way to shoot themselves with it.
And all of this is fine, but the tag in question cannot possibly distinguish those situations. All it can do is disable password managers completely, which will only lead to the password being written down somewhere, which is much less secure.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
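As an added example, not code from the thread: the two approaches P mentions, side by side. The first is a proactive check at password-change time that tells the user why the password was refused (the education he prefers over silent rules), including the "append a digit and increment" pattern he describes. The second is the admin-side dictionary run over stored hashes, trying the same word list with the usual suffixes. The word list, suffix list, minimum length and PBKDF2 parameters are assumptions, and the iteration count is deliberately low so the run finishes in seconds.

```python
"""Weak-password checks: explain refusals to the user, and audit stored hashes. Added example."""
import hashlib
import re

WORDS = {"password", "summer", "winter", "letmein", "qwerty", "welcome"}  # constructed list
SUFFIXES = ["", "!", "1", "123"] + [str(y) for y in range(2005, 2013)]    # constructed list
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})


def stem(password: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation, undo common substitutions,
    so 'Summer2011', 'summer!' and 'Summ3r' all collapse to 'summer'."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def trailing_counter(password: str):
    """Split 'Summer2010' into ('Summer', 2010); counter is None when there is none."""
    m = re.search(r"(\d+)$", password)
    return (password[:m.start()], int(m.group(1))) if m else (password, None)


def is_increment(new: str, old: str) -> bool:
    nb, nn = trailing_counter(new)
    ob, on = trailing_counter(old)
    return nb == ob and nn is not None and on is not None and nn == on + 1


def check_new_password(new: str, previous: list[str], min_len: int = 12) -> list[str]:
    """Reasons a password should be refused, worded for the user. Empty list means accept."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if stem(new) in WORDS:
        reasons.append("a dictionary word with a predictable suffix")
    for old in previous:
        if is_increment(new, old):
            reasons.append("the previous password with its counter incremented")
            break
        if stem(new) == stem(old):
            reasons.append("the previous password with a different suffix")
            break
    return reasons


def hash_password(password: str, salt: bytes, iterations: int = 5_000) -> bytes:
    """PBKDF2 stand-in for the stored hash; production counts are far higher, which is
    exactly what makes the run below slow for an attacker as well as for the admin."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def candidates():
    """Guesses the dictionary run tries: each word, plain and capitalised, with each suffix."""
    for word in sorted(WORDS):
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def audit_hashes(stored: dict[str, tuple[bytes, bytes]]) -> dict[str, str]:
    """stored maps user -> (salt, hash). Returns user -> guessed password for those that fall."""
    found = {}
    for user, (salt, digest) in stored.items():
        for guess in candidates():
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print(check_new_password("Summer2011", ["Summer2010"]))
    salt = b"per-user-random-salt"  # constructed; use os.urandom per user in practice
    print(audit_hashes({"alice": (salt, hash_password("Summer2010", salt))}))
```

Both halves share one word list on purpose: the words the audit would crack are the words the proactive check refuses, so a user who is told "Summer2011 is Summer2010 with the counter incremented" learns the rule the attacker already knows.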