Encryption Security Apple

macOS Sonoma Brings Apple Password Manager To Third-Party Browsers (macrumors.com) 19

An anonymous reader quotes a report from MacRumors: The macOS Sonoma update that is in testing allows Mac owners who opt to use Google Chrome, Microsoft Edge, or another browser to use Apple's Password Manager for filling passwords. Developers and public beta testers running macOS Sonoma can use their iCloud Keychain passwords with non-Safari browsers at this time, autofilling passwords and one-time codes. Third-party browsers can also save new passwords.

Apple has made an iCloud Passwords Chrome extension available for macOS Sonoma users, and it can be downloaded and installed to access Apple passwords on the Chrome browser or any Chromium-based browser. Apple plans to release a similar extension for the Microsoft Edge browser in the near future. Google and other browser developers are also working on implementing support for Passkeys, the password alternative that Apple introduced last year.

  • by dgatwood ( 11270 ) on Wednesday July 12, 2023 @08:36PM (#63681421) Homepage Journal

    Without a lot more detail, the concept of this raises huge red flags for me.

    A critical part of the security model for cloud passwords is that they're only accessible by apps that have permission to access those keychain items, which for all intents and purposes, means Safari and a few specific bits of the operating system. Will this involve keychain dialogs to grant the app permission to see a password, or are they doing an end run around keychain security and granting broad keychain access to a swath of passwords willy nilly? What prevents someone from installing an app that pretends to be Chrome, and using it to exfiltrate passwords?

    It being a Chrome extension likely means that it's a signed blob by Apple that feeds passwords into Chrome's password manager upon request. That makes the fear of someone wrapping it with another app and calling it inappropriately even more likely. In my mind, I'm likening that to a modified "sudo" app that takes no password, runs as root, and can be puppeteered by arbitrary shell scripts running as any user on the system....

    So what steps did they take to protect the security of our passwords as part of implementing this feature? Where's the threat model analysis paper? They did write one, right?

    • Re:Security model? (Score:4, Informative)

      by north_by_midwest ( 7997468 ) on Wednesday July 12, 2023 @09:28PM (#63681501)

      I think you're overthinking this. Every other cloud password manager has a Chrome extension already; not having one would render the products largely useless. The extensions don't feed into the Chrome password manager, they directly operate on web pages, looking for username and password fields and populating them (if you have autofill turned on) based on whatever passwords are bound to that URL.

      I'm not saying implementing a browser extension for a password manager is trivial, but it's a problem that's been solved many times. Knowing a bit about the internal processes at Apple, this feature has certainly been through several rounds of design, security reviews, etc.

    • Without a lot more detail, the concept of this raises huge red flags for me.

      A critical part of the security model for cloud passwords is that they're only accessible by apps that have permission to access those keychain items, which for all intents and purposes, means Safari and a few specific bits of the operating system. Will this involve keychain dialogs to grant the app permission to see a password, or are they doing an end run around keychain security and granting broad keychain access to a swath of passwords willy nilly? What prevents someone from installing an app that pretends to be Chrome, and using it to exfiltrate passwords?

      It being a Chrome extension likely means that it's a signed blob by Apple that feeds passwords into Chrome's password manager upon request. That makes the fear of someone wrapping it with another app and calling it inappropriately even more likely. In my mind, I'm likening that to a modified "sudo" app that takes no password, runs as root, and can be puppeteered by arbitrary shell scripts running as any user on the system....

      So what steps did they take to protect the security of our passwords as part of implementing this feature? Where's the threat model analysis paper? They did write one, right?

      Actually, they've already been field-testing this sort of connection for about 2 years:

      https://appleinsider.com/artic... [appleinsider.com]

    • You can already interact with the keychain from the command line, so I assume anything can delegate that way:
      https://ss64.com/osx/security-... [ss64.com]

      That might require a password to run it, which could be cached unless elevation is required. So that's the bar to implementing things. Of course, it would be better if the Mac's Touch ID were invoked every time, which is what Safari does.

      I think that the evidence is that Apple protects things but provides a way to give individual apps access or enti

      • by dgatwood ( 11270 )

        I think that the evidence is that Apple protects things but provides a way to give individual apps access or entitlements.

        They do. Each keychain item has an ACL. The concern is how this interacts with them.

        Just look at things like Zoom or Slack that even need permissions configured to share the screen.

        That's a completely unrelated mechanism.

        As for why they don't enable this on older Macs - why would they?

        As far as policy questions go, the answer would be because Chrome runs much farther back, and it is generally considered abusive to release an extension that doesn't.

        But I really don't care about that. I'm not going to use it either way, so that's kind of moot. The reason I'm concerned about their version support is that releasing it for only the very latest software update of the

  • You can use Bitwarden and have easy access to your passwords (and secure notes, and credit cards, and ...) in Safari, Firefox, and Chrome on your Mac. AND if you find yourself on a different computer - even one running Windows or Linux - you can still easily access all of that secure information.

  • I love pass [howtogeek.com] and I will probably never be convinced to use anything else unless someone gives me a cool curses TUI for it. I trust shit I can pop the hood on (well, not gnupg, required by 'pass' but I trust that more than some shitty corporate app) and isn't owned by a corporation or government. I can't stand any commercial password managers. I don't like their design or interface choices, and I don't trust their "security by us saying so in an advertisement" street-cred. Apple made yet another questionable
    • These kinds of tools work okayish for single users willing to jump through hoops. For even marginally more complex use cases, the ease of use of cloud-managed password managers more than outweighs the slightly decreased security. Bitwarden for example is still very secure, as well as being open-source, audited, etc. There's even Vaultwarden, an independent reimplementation of their server, available as well as a CLI client if that's your thing. It has sophisticated organization support which lets me easily

    • Bitwarden is open source so it has a lot of security pros combing through its source looking for holes.

      Do NOT trust LastPass, they've dropped the ball and gotten pwned and that's a *very bad* situation.

  • This is pretty cool. As a Firefox user, I hope an extension is in the works. Passkeys everywhere would be amazing.
  • Last time I considered Apple's Password Manager for my parents (who use iPhones, iPads and a Windows laptop), I found that, without an Apple computer, it was impossible to bulk import credentials from ... well ... anywhere - not even a bog standard CSV file was supported. This seemed rather counterproductive, considering that Apple should be making it as easy as possible for people to migrate existing credentials to their service.

    Even more concerning, it was impossible (without buying an Apple computer) to

  • Apple's Password Manager is terrible. Editing entries, importing/exporting, adding notes, it's a nearly complete fail.
    Bitwarden is the way.

  • I've used KeePass and LastPass in the past, and now use Bitwarden. Until APM reaches feature parity with Bitwarden, including being cross platform (unlikely since this is Apple), it's a non-starter for me.
