is Passwords.app still leaking data to everyone having access to the system, as the old version does?

[bsmr]

Hi,

is the new passwords.app still leaking data through keychain access as all older versions of macOS does?

When opening macOS keychain.app you can see under local objects > passwords > web-formular-passwords 'ALL' websites, usernames, reg.-dates of data you have within your Apple-Passwords!

Everything directly accessible, unlocked and open for everyone (except the passwords itself).

Can someone check, if this is still the case within the new app?!

 

[Mike Boreham]

Keychain Access in Sonoma only shows password after user password is entered. It is not enough to already be logged in, it required specifically to reveal password.

 

[bsmr]

Keychain Access in Sonoma only shows password after user password is entered.

Yes - indeed. But without login you can see every entry, every saved website within Apple Passwords and every username.

With all other password-managers they're protected!

 

[adrianlondon]

Opening the Passwords app on Sequoia requires the user password (or TouchID) before it will open.

 

[bsmr]

Opening the Passwords app on Sequoia requires the user password (or TouchID) before it will open.

Can you try opening local keychain on the mac (does open without any credentials) and there you can find what I mean.

 

[Apple_Robert]

Can you try opening local keychain on the mac (does open without any credentials) and there you can find what I mean.

It opens like you said. Why do you have a problem with the current set up? You said it can be opened without credentials but, that isn't true. The reason you noted what can be done is because credentials were already used to log into the Mac. If I want to see the password for an entry, I have to enter another credential. If you are trying to suggest a lack of security, I don't agree.

It is up to you to secure your Mac when walking away and that can be done with a tap of a key.

You can't compare this Mac process to a stand alone app because they aren't the same.

 

[adrianlondon]

Can you try opening local keychain on the mac (does open without any credentials) and there you can find what I mean.

Keychain requires a password to open.

 

[bsmr]

Keychain requires a password to open.

This is great news, as with Sonoma this is not protected!

 

[Nermal]

This is great news, as with Sonoma this is not protected!

Hmm. I'm on 14.5 and I can open Keychain Access without a password, but can't see any website passwords in there: for those I need to open "Passwords" via System Settings and log in.

 

[bsmr]

I'm on 14.5 and I can open Keychain Access without a password,

Select 'local items' on the left pane > select 'passwords' on the right side and under 'kind' look for web form passwords.

 

[Nermal]

Sorry, you're right. They're actually under "iCloud" on my computer, but they are indeed there.

 

[flexwithmarius]

Select 'local items' on the left pane > select 'passwords' on the right side and under 'kind' look for web form passwords.

Apple needs to lock that up. Have you filed a Feedback request listing it as a security concern?

 

[bsmr]

Have you filed a Feedback request listing it as a security concern?

No - because this and other points are the reason why I do not use Apple Passwords or however they call it...

I like to have things separated - just in case.

 

[flexwithmarius]

No - because this and other points are the reason why I do not use Apple Passwords or however they call it...

I like to have things separated - just in case.

Knows about security issue.
Fails to submit report because it doesn’t affect them.
“���this is why I don’t use it…”

This is why it hasn’t been addressed.

 

[bsmr]

This is why it hasn’t been addressed.

Apple doesn't care! Just look here: https://lapcatsoftware.com/FeedbackAssistantBoycott/

I will not waste my time with this.

 

[flexwithmarius]

Apple doesn't care! Just look here: https://lapcatsoftware.com/FeedbackAssistantBoycott/

I will not waste my time with this.

I've gotten through to them, they do listen, but they get a sh*t ton of reports on the daily. And I'm betting many of those reports are useless whiny hot garbage. Is what it is though, I've filed a report. Took less than 2 minutes. FB14068308.

On the bright side, Sequoia locks up keychain access and passwords completely so some common sense prevailed lol

 

[Iwavvns]

Apple doesn't care! Just look here: https://lapcatsoftware.com/FeedbackAssistantBoycott/

I will not waste my time with this.

And how exactly do you know Apple doesn’t care? Because there hasn’t been a fix released yet? Do you know how difficult it is to patch a bug, especially one that involves a high level of security? You can’t just write code, throw it in and call of a day. You have to make sure the new code doesn’t negatively impact the millions of other lines of code in the system. This takes a lot of time and a lot of testing.. otherwise the new code for the bug you’re trying to patch could cause several new bugs.

Until Apple specifically tells you “we don’t care”, then you don’t have enough information to make that claim.

Edit: And, yes, I have been writing code for many years.