A few security questions on using password macros:

I have a macro that enters an account number and a password (which are stored in Keychain Access) into two fields in Safari. In the account field, text entered (even if done manually) appears as plain text; in the password field (which is a secure field), text entered appears as dots.

Using the macro:

  1. Is there a way to have the account number enter as dots instead of plaintext, so the number cannot be seen by others?

  2. Is there a way to allow passwords to be entered ONLY into secure fields? (This was a nice feature of QuicKeys…)

  3. Is there a way to prevent someone from going into Keyboard Maestro, changing the macro’s trigger to another application (let’s say TextEdit), running the macro, and seeing the account number and password?

I think the answers are all “no” but I don’t know that for 100% certainty.

Another approach vector is that I believe macros are stored in plain text on your Mac and could be read there, too.

You could, I believe, enter them into the Keychain and have Keyboard Maestro pull them out with a shell script that calls the security command, but that doesn't help with most of your other concerns.

By what method is it doing this?

Yes, if you use JavaScript, you can first set the attribute of the <input> field to type="password", then enter the data.

Yes, if you use JavaScript to enter the data into the fields, you can check first to see whether an <input> field is of type="password".

I think that would give you a false sense of security even if you found a way to achieve this. If anyone can open up Keyboard Maestro, they just create their own macro to retrieve your keychain passwords. Keyboard Maestro is, after all, designed to be easy-to-use and even someone who has not used it before could create a macro from scratch fairly easily after looking at what actions are available.


Note that for the JavaScript methods to work, it requires the web browser to allow injection of JavaScript from other applications. As you sound like you're being security-conscious, it's prudent to warn you that there are potential security risks with this.
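
The two JavaScript checks described in the reply above (switch the account field to type="password" before typing, and refuse to enter a password into anything that is not a secure field), as an added example that is not code from the thread or from Keyboard Maestro. The function names, the selectors and the way the values reach the script are assumptions.

```javascript
// Added example: helper names and selectors are hypothetical, not from the thread.

// Enter a secret only if the target is a secure (type="password") <input>.
function fillIfSecure(field, secret) {
  if (!field || String(field.tagName).toUpperCase() !== 'INPUT') {
    return { ok: false, reason: 'not an <input> element' };
  }
  if (String(field.type).toLowerCase() !== 'password') {
    return { ok: false, reason: 'field is not type="password"' };
  }
  field.value = secret;
  notify(field);
  return { ok: true };
}

// Switch a plain-text field to type="password" first, so the value shows as dots.
// The fill goes through fillIfSecure, so nothing is entered if the switch failed.
function maskThenFill(field, value) {
  if (!field || String(field.tagName).toUpperCase() !== 'INPUT') {
    return { ok: false, reason: 'not an <input> element' };
  }
  field.type = 'password';
  return fillIfSecure(field, value);
}

// Let the page's own scripts see the change (skipped for objects without events).
function notify(field) {
  if (typeof field.dispatchEvent === 'function' && typeof Event === 'function') {
    field.dispatchEvent(new Event('input', { bubbles: true }));
    field.dispatchEvent(new Event('change', { bubbles: true }));
  }
}

// Entry point: doc is the browser's `document`; selectors identify the two fields.
function fillLogin(doc, accountSelector, passwordSelector, account, password) {
  return {
    account: maskThenFill(doc.querySelector(accountSelector), account),
    password: fillIfSecure(doc.querySelector(passwordSelector), password),
  };
}
```

Masking only changes what is drawn on screen; the value is still readable by the page's scripts and by anyone who can run JavaScript in that tab.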

Hello @Tomas, @tjluoma & @CJK, to protect Keyboard Maestro on my Macs against unwanted changes, I use the app iLock (8,- $).
I have also set up a "Wireless Network Trigger". As soon as I leave my private Wifi, the selected apps are blocked. They will be unlocked when I re-enter my private Wifi.

In my video, the passwords are inserted using a KM / macro macOS keychain. Of course, this is also possible with a 1Password autofill :wink:

https://cl.ly/f6dafce93f43


You could perhaps run a JavaScript to change the type of the text field to be a password. It is likely that would not affect the behaviour of the web page, but would result in entered text being bulleted.

No.

No. But if someone can access your Mac and mess with your macros, all of your security is already lost. They can easily download and install anything else they want, including key loggers and screen grabbers, etc.

Thanks everyone for the replies - I had kind of figured that there is no really foolproof way to make the macros really secure, but it is good to hear the various viewpoints. And at some point I plan on looking into iLock - sounds like it may be useful.


Let me know if you use iLock @Tomas. I can send you my created macros if you are interested.

Thanks @appleianer for your suggestion for iLock. Use it now for my finance app. I am interested in your macros.


By tomorrow you will get a video tutorial and the macros. Do you also use the app LaunchBar 6? Would then also send you the actions for iLock.

Not using Launcher anymore. Use Alfred instead.

OK. Please excuse one more question, unfortunately I forgot to ask questions earlier. Do you use 1Password?

Yes. Use 1Password. And German is no problem for me :wink:

Thanks for the feedback. Then I'll include 1Password.
