Ugh, the people I work with (I work for a security firm) consider this a "hack" as well. This is expected behavior! How do you expect your passwords to autofill across browsers? It is called the login keychain for a reason. If someone has access to your user account, and your user account has associated web passwords that can be summoned without re-entering your login password, then the logical conclusion is that your web passwords are not safe.
However, Keychain Access is perfectly secure as a dead-simple manual password manager. Just create a new keychain (I call mine "webpasses"), give it a password different than your login password, and manually save your web passwords in that. Yes you have to open Keychain Access every time you want to save (or copy the plaintext of) a password. Yes it's a bitch. But if you save your passwords in the correct format (description=website URL, username=website username) then Chrome and Safari will find it, ask for your "webpasses" keychain password, and autofill, no questions asked. Bonus points because you can save your new keychain in your Dropbox and use it across multiple (OS X) machines. I store all my credit card numbers in one keychain file, everything is AES encrypted IIRC so it's as good a solution as any as far as "one-password-auth" goes.
[/rant]
(note: I chose this solution because I am paranoid -- er, security conscious. The average user will NOT want to enter a password anytime he/she wants to autofill, and there's really no way to do this in a secure manner)
I don't think it's obvious that Keychain isn't automatically secure within a logged-in user account. Apple makes a big deal about their products being intuitive, "it just works." They really ought to implement the system that LastPass and other password managers use and allow the user to separately "unlock" Keychain before the passwords autofill.
*Edit: Actually it looks like you can set Keychain to lock automatically after X minutes of inactivity or when the computer sleeps.
Better yet, open "Keychain Access", go to the preferences general tab, and click "Show keychain status in menu bar". Voilà, now you can lock and unlock keychains without switching applications. (This has been around for a long time, too.)
Don't forget, unlike Windows, LOCKING a Mac is not easy. The only way I know is to use the lock command of Alfred. In Windows: Windows + L = lock, boom. Because of this, most people in the office leave their Macs unsecured.
I guess a bigger question is why don't we use challenge/response authentication for websites? This way, a program like keychain could answer challenges without ever exposing plain-text passwords.
Still, somehow keychain would have to know the passwords, and presumably they would have to be encrypted with the login password of the current user. So it would still be possible for the current user to extract their own passwords. I don't think it is possible to hide passwords on the client side.
The server sends a challenge to the client. The client computes response = f(challenge, password), and sends the response. Then the server compares the response with its own computation of f(challenge, password). Since f is some type of hash function, we can assume that the client knew the actual password, as it would have been too hard computationally to come up with the correct response without it.
In such a scheme, the keychain can do the computation and the password never leaves the keychain. We can even go as far as to have the keychain be separate hardware (eg USB dongle), so the password never even has to exist on the client's computer at all.
I was simply trying to clarify the challenge-response mechanism for the parent poster, not suggesting you use keychain dongles everywhere.
Regardless, the idea that the plaintext password doesn't have to leave the device (whether the device is a dongle, your phone, or the keychain application) is a valuable consequence of the challenge-response mechanism, and I wish support for it were more widespread.
The reason for why it isn't widespread is because you also have to spread it across all your devices. Which is neither secure nor usable enough for the mainstream today.
Unless that is solved it isn't a solution worth considering.
Not worth considering as a 'fits all' solution, yes, but it still is worth considering for specialized cases; in general, those cases where the added inconvenience is worth the added security. For example, some banks use effectively this for logging in to your online account. And that can be made to work with any device with a display and a keyboard:
- computer shows challenge#
- user types challenge# on bank supplied device
- bank supplied device shows response
- user types response on computer
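The exchange described in the two comments above (the generic response = f(challenge, password) scheme and the bank-token variant with a short typed response), as an added example that is not from any poster in this thread. The `Keychain` and `Server` classes, the choice of HMAC-SHA256 as f, and the HOTP-style digit truncation are assumptions for illustration; the transcript returned by `login` is everything an eavesdropper would see, and it contains no password.

```python
import hashlib
import hmac
import secrets


class Keychain:
    """Holds the secret on the client side; callers only ever get f(challenge, password)."""

    def __init__(self, password: bytes) -> None:
        self._password = password  # no method ever returns this value

    def respond(self, challenge: bytes) -> str:
        # f(challenge, password) = HMAC-SHA256(key=password, msg=challenge) (assumed choice of f)
        return hmac.new(self._password, challenge, hashlib.sha256).hexdigest()

    def respond_digits(self, challenge: str, digits: int = 6) -> str:
        """Bank-token style: a short numeric answer the user can type by hand."""
        mac = hmac.new(self._password, challenge.encode(), hashlib.sha256).digest()
        offset = mac[-1] & 0x0F  # dynamic truncation, the same idea HOTP uses
        code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return str(code % 10 ** digits).zfill(digits)


class Server:
    """Also knows the password and recomputes f; each challenge is usable exactly once."""

    def __init__(self, users: dict[str, bytes]) -> None:
        self._users = users
        self._pending: dict[str, bytes] = {}

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per login attempt
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, response: str) -> bool:
        challenge = self._pending.pop(username, None)  # consumed: a replayed response finds nothing
        if challenge is None or username not in self._users:
            return False
        expected = Keychain(self._users[username]).respond(challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def login(server: Server, keychain: Keychain, username: str) -> tuple[bytes, str, bool]:
    """One round trip; returns (challenge, response, accepted) so the transcript can be inspected."""
    challenge = server.issue_challenge(username)
    response = keychain.respond(challenge)
    return challenge, response, server.verify(username, response)
```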
On that note, it actually seems like a pretty good place for Apple to sweep in and take some thunder from 1Password et al, by sprucing up the Keychain app and making it something that everyone can sort of use without thinking about it. Just throw around talk of 'sandboxing' and 'secure access', turn it on by default, profit. Then if (by default) you needed an Apple device and iCloud account to login to all your shit... I think you see where this is going.
I don't think Apple will do that: I think that Keychain is like the Reader mode and Reading List in Safari. It has some features that are like those of a third-party service, but because Apple isn't invested in the service for its own sake, the effect is that it raises the bar for third-party services, not that it replaces third-party services.
Well I don't necessarily think it's a good thing... but it seems like just the sort of opportunity awaiting them (and their lawyers, when the antitrust suits eventually come).