110 points by thunderbong | 6 comments

reddalo No.41911976
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeePassXC, but if it's so easy to decrypt their databases...
replies(5): >>41912021, >>41912023, >>41912226, >>41912321, >>41913160
1. sureIy No.41912226
Safari's absolutely. It uses an OS-wide keychain secured via hardware.
replies(2): >>41913007, >>41917232
2. larschdk No.41913007
Does this prevent other software running on the same hardware from accessing the keychain?

E.g. on Windows, any program can access the entirety of the credential store for the current user.

replies(1): >>41914830
3. bdash No.41914830
Each keychain item on macOS has an access control list associated with it that lists the applications that are granted access to the keychain item. If an application not on the ACL attempts to access a keychain item, macOS prompts the user for authorization. The ACL entries identify applications based on properties of their code signature and so are not spoofable.
replies(1): >>41916168
4. sureIy No.41916168
Correct. The best part of this system (Keychain Access) is that it has been around for more than 20 years. Only this year it got a UX makeover.

One interesting thing I noticed is that Chrome and Firefox can also seamlessly see and use Passkeys I stored in Safari even if normally they don't read the passwords from there.

Using each passkey, however, still requires a fingerprint every time.

replies(1): >>42013212
5. NotPractical No.41917232
Chrome uses it too. However the CDP protocol allows any local app to control the browser so you can use that to open the browser in windowless mode, examine the list of passwords at chrome://passwords, then open a bunch of tabs to all of those sites and extract the passwords from the HTML forms they get auto-inserted into.
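A defender's angle on the point above, as an added example that is not from the thread: a local DevTools-protocol session is only possible when the browser was started with a remote-debugging switch, so a process-creation feed can flag such launches. The event format below is constructed; the Chromium switches named are real.

```python
import shlex
from typing import Optional

# Real Chromium switches: the first two expose the DevTools protocol to any
# local process, the third hides the window from the user.
REMOTE_DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")
HEADLESS_FLAG = "--headless"
BROWSER_NAMES = ("google chrome", "chromium", "msedge", "brave")

def flag_names(cmdline: str) -> set:
    """Extract switch names from a command line, dropping any '=value' part."""
    return {tok.split("=", 1)[0] for tok in shlex.split(cmdline) if tok.startswith("--")}

def assess_launch(event: dict) -> Optional[dict]:
    """Classify one process-creation event (constructed fields: image, cmdline,
    parent_image). Returns None for a benign launch, else severity and reasons."""
    if not any(n in event["image"].lower() for n in BROWSER_NAMES):
        return None
    flags = flag_names(event["cmdline"])
    if not any(f in flags for f in REMOTE_DEBUG_FLAGS):
        return None
    reasons, severity = ["DevTools remote debugging enabled"], "low"
    if HEADLESS_FLAG in flags:
        reasons.append("headless (no window for the user to notice)")
        severity = "medium"
    # Test automation normally points at a throwaway --user-data-dir; a debug
    # session on the default profile is the one that reaches saved passwords.
    if "--user-data-dir" not in flags:
        reasons.append("default user profile in scope")
        severity = "high"
    return {"severity": severity, "reasons": reasons, "parent": event["parent_image"]}

CHROME = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": CHROME, "cmdline": f'"{CHROME}" --profile-directory=Default',
     "parent_image": "/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock"},
    {"image": CHROME, "cmdline": f'"{CHROME}" --headless --remote-debugging-port=9222 --user-data-dir=/tmp/ci-profile',
     "parent_image": "/usr/local/bin/node"},
    {"image": CHROME, "cmdline": f'"{CHROME}" --headless --remote-debugging-port=9222',
     "parent_image": "/Users/alice/Downloads/helper"},
]

def scan(events: list) -> list:
    """Run the check over a batch of events and keep only the hits."""
    return [r for r in (assess_launch(e) for e in events) if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["parent"], "; ".join(hit["reasons"]))
```

The first event (normal launch from the Dock) produces no hit; the CI-style launch is medium, and the headless debug session on the default profile is high.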
6. bdash No.42013212
Passkeys are a different story than the keychain more generally. Other browsers that work with passkeys via the system APIs had to jump through hoops and get Apple's approval to do so: https://developer.apple.com/documentation/bundleresources/en...