In contrast, I have never heard of any issues with Apple’s Password AutoFill.
Apple's autofill only works in Safari. If you use Codebook with a different browser, you'll need another way to transfer your passwords into the browser.

But I agree that system-native software is exposed to different risks than web-engine software and that there is likely a greater chance of malicious software being encountered in the web environment. On the other hand, the average user is happy to install unvetted, brand-new software on their system as long as there's a pretty web page behind it. There is an active thread now on these forums displaying a clear example of that.

In the document that was updated two days ago (9/11/2025), Toth still lists 1Password as vulnerable.

Then Toth is missing it. All my browser plugins show as having the 1Password fix that they feel is the appropriate one. I've turned on that setting that requires a quick confirmation every time a clickjacking attack would attempt to capture data. And remember, 1Password's browser extension provides significant functionality without the need to even click on the web page at all, so a real worrier can just turn off click functionality completely.

which as the clickjacking incident shows, is a bad idea.

I read "bad idea" as "not the recommended approach because it is riskier than others". I would apply that description to the use of the clipboard. Codebook's secret agent might also be risky, but I don't know enough about the security measures they've taken with regard to the script that is running. I suspect no researchers are working hard at cracking secret agent, so vulnerabilities will be missed.

The 1Password team considers the browser extension safer than solutions where there is not active browser URL matching. They consider the risk of putting credentials into fields in the wrong website to be large. I tend to agree with this for me. My eyesight is not perfect and I log in to websites a lot; getting it wrong is likely. Using the clipboard or something like secret agent introduces a lot of risk.
 
All really good points. There is a risk to not using the browser extension as well.
 
...I read "bad idea" as "not the recommended approach because it is riskier than others". I would apply that description to the use of the clipboard. Codebook's secret agent might also be risky, but I don't know enough about the security measures they've taken with regard to the script that is running. I suspect no researchers are working hard at cracking secret agent, so vulnerabilities will be missed...
Your attempt to put using the clipboard on a par with using Codebook’s Secret Agent is absurd and comical. If you had a whole boatload of researchers working hard to crack Secret Agent, what would they be trying to do? Why would you develop software to intercept Secret Agent putting credentials into a browser, when you could just use a keyboard logger to get whatever information you want?
 
But I agree that system-native software is exposed to different risks than web-engine software and that there is likely a greater chance of malicious software being encountered in the web environment. On the other hand, the average user is happy to install unvetted, brand-new software on their system as long as there's a pretty web page behind it. There is an active thread now on these forums displaying a clear example of that.
Would you provide a link to this thread you mention, did you mean this one?
 
Your attempt to put using the clipboard on a par with using Codebook’s Secret Agent is absurd and comical.

Secret Agent and the clipboard approach have the same risk that the 1Password people are talking about. Secret Agent requires you to search for the particular website whose credentials you want to use. Is my understanding incorrect? If Secret Agent can detect the website URL in the browser window then please let us know.

Why would you develop software to intercept Secret Agent putting credentials into a browser, when you could just use a keyboard logger to get whatever information you want?

"You"? Do you mean me? I would attempt to infiltrate with the tools at my disposal. Installing a keystroke logger might be much harder than detecting insecure behavior in the Secret Agent scripting approach. Security researchers work hard to safeguard against compromises to their software from threats on the local machine. Why do they do it if the presence of a keystroke logger makes their efforts futile? It's because they believe malicious code tries other things that are simpler to put in place than keystroke loggers.

If you had a whole boatload of researchers working hard to crack Secret Agent, what would they be trying to do?

If there were a whole boatload of researchers working hard to crash Secret Agent, then we can assume there would be a substantial bug bounty. What would they be trying to do? They would be rushing to be first to claim the money. They'd probably get it pretty quickly.

Years ago I wrote my own password program. On disk I maintained an encrypted structured document. I had a basic command line syntax which allowed for updates and queries. I would prompt for a password, decrypt the document in memory, parse its contents, and respond to the command. I'm not naive enough to believe the only thing I had to worry about was keystroke loggers. Tons of doors were left open to all but the most casual bad guy. Now and again I'd edit the document manually if I had a lot of changes. It might have been done with an editor which left temporary files on disk or credentials sitting in RAM (at the time I mostly used vim). There were so many mistakes just waiting for an attacker.

Your post seemed aggressive and defensive. You are obviously loyal to Codebook. I know of nothing which suggests they aren't exceptional at their jobs or that their product has any particular vulnerability.
 
Would you provide a link to this thread you mention, did you mean this one?

Not this thread. People have to make their own decisions on what to trust. I don't want to point a finger at anyone suggesting they made the wrong choice.
 
Not this thread. People have to make their own decisions on what to trust. I don't want to point a finger at anyone suggesting they made the wrong choice.

I wasn't looking to point fingers or disparage anyone's choice. Just trying to absorb information. I respect your decision.
 
Only really give some trust to password managers who show a full audit anyone can check.
 
Enpass Firefox extension failure.
When attempting to open a page, a dialog box appears showing I am trying to open site "XXX" with a password from site "YYY". This began about one month ago. I have cleared cache and all cookies. So far, Enpass support has not solved it.

Mac OS 15.6.1
Enpass 6.11.14
Firefox Enpass Ext 6.11.7.2
Firefox 140.3

Anyone else having this issue?
 

Enpass autofill was bad compared to 1PW and Bitwarden. Bitwarden was best for me. I do not recommend it, but I use 2 password managers, Enpass for the mini assistant app on desktop and Bitwarden as an autofill.

Enpass support is very slow to respond in my experience.
 
Secret Agent and the clipboard approach have the same risk that the 1Password people are talking about. Secret Agent requires you to search for the particular website whose credentials you want to use. Is my understanding incorrect? If Secret Agent can detect the website URL in the browser window then please let us know.
Secret Agent cannot detect the website URL in the browser window. However, if you are using Secret Agent and are concerned about putting your credentials into the wrong place, you can use the website link in the site’s entry in Codebook to open the applicable site first. Thus, I think this potential problem is easily avoided.
"You"? Do you mean me?
I was not implicating you! Despite our many disagreements, never once have I thought that you are a malicious or dishonest person.
If there were a whole boatload of researchers working hard to crash Secret Agent, then we can assume there would be a substantial bug bounty. What would they be trying to do? They would be rushing to be first to claim the money. They'd probably get it pretty quickly.
I don’t understand why whatever way Secret Agent uses to move information from Codebook to the proper fields in the browser window, would be less secure than whatever Apple Password AutoFill uses to fetch and place information from a password vault.
 
However, if you are using Secret Agent and are concerned about putting your credentials into the wrong place, you can use the website link in the site’s entry in Codebook to open the applicable site first. Thus, I think this potential problem is easily avoided.
I do that at times using 1Password. The main application can be triggered to open the website and fill in the login information with one click. It's not a perfect solution since sometimes the site where the login happens has to be navigated to from another starting location. It does seem precarious to count on a user to remember to never use Secret Agent unless they've navigated to the website using Codebook. I know that this wouldn't work for me, I'd get lazy and eventually decide it wasn't worth the extra effort.

I don’t understand why whatever way Secret Agent uses to move information from Codebook to the proper fields in the browser window, would be less secure than whatever Apple Password AutoFill uses to fetch and place information from a password vault.

I don't really know. I don't know what mistakes either company has made. But, there is a significant advantage that the autofill is built into the Safari executable and tied to the Apple security framework. If you remember, Tavis Ormandy of Google said you shouldn't use any extrinsic password manager at all. If you want to fill passwords in Chrome, the only safe way is using Chrome's password manager. I remember some of us discussing this on another MacRumors thread.


I kind of think of Apple's autofill as Safari's version of that. On an Apple platform, Safari has the home-field advantage.
 
Say...would it be considered paranoid to think the proprietary password managers might be snooping on my passwords? I just realised how dangerous it would be if all my passwords leaked and I have them stored locally on Enpass. Is there a way to mitigate the issue or you just have to blindly trust the vendor?


I like Password Depot the best so far.

Interesting choice. Never heard of it. Any specific reason?
 
Apple's autofill only works in Safari.

Apple's autofill only works in Safari for macOS, iOS or both?

Then Toth is missing it. All my browser plugins show as having the 1Password fix that they feel is the appropriate one. I've turned on that setting that requires a quick confirmation every time a clickjacking attack would attempt to capture data. And remember, 1Password's browser extension provides significant functionality without the need to even click on the web page at all, so a real worrier can just turn off click functionality completely.

Do you use the 1Password extension on iOS, or autofill that happens with iOS without using the 1Password extension?
 
Say...would it be considered paranoid to think the proprietary password managers might be snooping on my passwords? I just realised how dangerous it would be if all my passwords leaked and I have them stored locally on Enpass. Is there a way to mitigate the issue or you just have to blindly trust the vendor?

You have to trust the vendor.
 
Apple's autofill only works in Safari for macOS, iOS or both?

When I wrote that Apple's autofill only works in Safari, I was only thinking about macOS. More specifically, I was thinking about Codebook on macOS since they make the point "Currently Password AutoFill is only available in Safari and other Mac apps that adopt support for Password AutoFill in their login views" at:


But, saying that Apple's autofill only works in Safari is wrong, even on macOS, so I should have been more careful. Apple's autofill will work on any input field that is created in a way that hooks into the iOS or macOS Authentication Services Framework. A password manager can implement a credential provider extension, thereby allowing it to be selected to handle requests from such fields. 1Password does not provide such an extension. Codebook does.


So, it takes two to play the game. A password manager must implement the credential provider extension and the input fields must be coded a certain way. Apple's developer tools make it easy to create applications so that input fields do their part. But the Safari developers took it even further; Safari's web rendering engine makes sure that input fields set up by some web site are rendered inside Safari with that machinery. Firefox and Chrome have not bothered to do that. I do not know if there are other browsers on macOS which do what Safari does when rendering web pages. I suspect there are none.

I'm less clear about the situation on iOS. It used to be that all iOS browsers were just using Safari's rendering engine; they weren't allowed to provide their own. If that is still true, then those browsers should behave just like Safari and autofill should work. But, I have a feeling (and vague memory) that this is no longer the case. So, if iOS browsers are using their own web rendering engines and don't bother implementing the autofill machinery when they render input fields, it just won't work. I found this wording

Once you've enabled Codebook for AutoFill Passwords, when you focus on a textfield in a login form in Safari (or any other iOS app that supports AutoFill Passwords) the keyboard will attempt to suggest an appropriate set of credentials from Codebook.

at


So, probably Apple's autofill won't work with any other iOS browser.


Do you use the 1Password extension on iOS, or autofill that happens with iOS without using the 1Password extension?

I don't use the extension. I find the system-level password service (which 1Password supports) is adequate to fill in whatever field is selected. This approach is analogous to using 1Password's "Universal Autofill" on macOS or Codebook's Secret Agent.
 
When I wrote that Apple's autofill only works in Safari, I was only thinking about macOS. More specifically, I was thinking about Codebook on macOS since they make the point "Currently Password AutoFill is only available in Safari and other Mac apps that adopt support for Password AutoFill in their login views" at:


But, saying that Apple's autofill only works in Safari is wrong, even on macOS, so I should have been more careful. Apple's autofill will work on any input field that is created in a way that hooks into the iOS or macOS Authentication Services Framework. A password manager can implement a credential provider extension, thereby allowing it to be selected to handle requests from such fields. 1Password does not provide such an extension. Codebook does.


So, it takes two to play the game. A password manager must implement the credential provider extension and the input fields must be coded a certain way. Apple's developer tools make it easy to create applications so that input fields do their part. But the Safari developers took it even further; Safari's web rendering engine makes sure that input fields set up by some web site are rendered inside Safari with that machinery. Firefox and Chrome have not bothered to do that. I do not know if there are other browsers on macOS which do what Safari does when rendering web pages. I suspect there are none.
I think you are right.

I remember reading the following on Strongbox’s website a couple of years ago, and sadly their prediction has not come true:

“AutoFill Passwords in Safari on Mac

Note that this AutoFill system works only with apps and browsers that have upgraded to support the Password AutoFill system. So far, as of post time, the only major browser that supports AutoFill is Safari. We believe this will change over the coming months and we should see ubiquitous Password AutoFill support in most browsers and Apps in short order.”

I'm less clear about the situation on iOS. It used to be that all iOS browsers were just using Safari's rendering engine; they weren't allowed to provide their own. If that is still true, then those browsers should behave just like Safari and autofill should work. But, I have a feeling (and vague memory) that this is no longer the case. So, if iOS browsers are using their own web rendering engines and don't bother implementing the autofill machinery when they render input fields, it just won't work. I found this wording

at


So, probably Apple's autofill won't work with any other iOS browser.
I suspect that Apple’s AutoFill works with most iOS browsers when using Codebook, and can attest that it works with Brave and Firefox in addition to Safari.
 
Note that this AutoFill system works only with apps and browsers that have upgraded to support the Password AutoFill system. So far, as of post time, the only major browser that supports AutoFill is Safari. We believe this will change over the coming months and we should see ubiquitous Password AutoFill support in most browsers and Apps in short order.”
The other browsers will not implement it at all. Strongbox has been waiting for this feature for a long, long time....

But actually it is also good not to use Strongbox anymore. It has been sold by the developer, and now there is no development there...
 
Has been sold by the developer - and now no development there
I was googling this, and it seems no one, and I mean no one, is happy that Strongbox has been sold. Those who have been on lifetime licences have not seen any updates, and those on the subscription model had an update 5 or 6 months ago. Nothing since then.

There seems to be little info on the company that bought them, but it seems people are nervous that this company has tried or is trying to implement metrics and telemetry into the app. I can't say for sure, but it seems a lot of negativity is being directed towards Strongbox recently.
 
I did.

————

Hello,

Thanks for reaching out and for your purchase. It’s much appreciated!

Rest assured we are still developing Minimalist as it is our personal password manager and we use it everyday.

That being said, we have recently slowed down development and will likely continue at our new pace. This is primarily because Minimalist has matured (mostly) into what we want it to be, and the remaining features we’d like to add are somewhat complex and will take time and effort to get right. These include:
  • Shared Vaults (in progress)
  • Passkey support (next up)
  • One-Time Password AutoFill support (iOS 17 / macOS 14 and up)

Additionally, we will continue pushing out bug fixes as needed when new versions of iOS / macOS break things.

In summary, if you’re looking for a constant stream of updates, new features, and new designs, you’ll probably want to look elsewhere. However if you’re looking for a stable password manager to get the job done without changing too much over the years, Minimalist is your best bet!

Thanks again and take care!

- Jeffrey

All Good Things...

We had a good run, however it's time to say

Goodbye to Minimalist

Thank you to everyone who has supported Minimalist over the years. Your support has been greatly appreciated.

Unfortunately, the amount of time and effort required to continue developing Minimalist has officially exceeded what we have to offer.

As such, we have made the difficult decision to cease development effective immediately, and end support as of August 1st, 2026.

The final version of Minimalist (3.7) will be available in the App Store until August 1st, 2026. There is also a macOS only version available for download directly from this site.

In this final version, we've updated the built-in export options for Apple Passwords, Safari, and a new Text File format. These options include all Minimalist data, including custom fields, so you will have access to all your data once Minimalist is no longer available.

Thanks again to everyone and take care!

- The Minimalist team

 


Not surprised. They should have been honest in their reply to me.
 
I think you are right.

I remember reading the following on Strongbox’s website a couple of years ago, and sadly their prediction has not come true:

“AutoFill Passwords in Safari on Mac

Note that this AutoFill system works only with apps and browsers that have upgraded to support the Password AutoFill system. So far, as of post time, the only major browser that supports AutoFill is Safari. We believe this will change over the coming months and we should see ubiquitous Password AutoFill support in most browsers and Apps in short order.”


I suspect that Apple’s AutoFill works with most iOS browsers when using Codebook, and can attest that it works with Brave and Firefox in addition to Safari.

Thanks for that. After I saw your post, I tested Firefox on my iPhone and AutoFill worked fine. In fact, 1Password was available to provide the credentials.

I found this, which is that vague memory I referred to in my earlier post:


So, maybe the browsers we're using are still WebKit-based.

I was surprised to see that 1Password does support Apple's AutoFill on iOS. But, it makes sense if all browsers benefit from it that they would make the effort.

I set up 1Password and Apple Password to handle passwords on my phone and tested both with a random site. I found 1Password to be far more cautious than Apple Password when the site was unrecognized. 1Password only offered entries for matching sites whereas Apple Password offered more (I had only one test entry in Apple Passwords and that was offered to me to use). I can search for other entries using 1Password, but it warns strongly that the site doesn't match and asks for confirmation. Apple Password, in response to just clicking on a random entry, offers to assign it to the site; it's not phrased as a warning.

I realize now that the way I've been using 1Password on the iPhone has been Apple's AutoFill. I always select a popup at the bottom of the screen and use it to pick an entry from 1Password. I could also have selected "AutoFill" on the field. Both approaches offer the same password managers that I've set up in Settings. I wonder what the differences are between the two approaches. Does anyone know?
 