Using KM to prevent accidental typing/pasting of passwords into the wrong app window?

I know this is kind of a weird edge case request, but oftentimes when working on my Mac, my fingers are faster than the OS, and I sometimes accidentally type my password into the wrong window (e.g. Slack or Messages), either because I don't realize that the wrong window has focus, or the window steals the focus of the window I intended to type the password in.

I thought that it would be great if KM could intercept sensitive typed-strings, such as passwords, so that you could prevent such things from happening. Obviously you can create a simple "Insert text by typing" action based on a typed-string trigger, but I don't feel good about hardcoding my password into KM as plaintext, especially because I sync my macros via Dropbox.

Anyone have a good workaround for this? If not, please consider this a feature request. My initial thought is that KM could have its own encrypted data vault where you could store sensitive strings like passwords or credit card numbers, and have it automatically unlocked via the system keychain, so that the macro has access to the string while KM is running.

I'm sure this has wide-reaching security implications, though, but it's just an initial thought, off the top of my head.

That would be an opportunity for your project. You could create your own vault with a master password for Keyboard Maestro.

Yeah I already know about reading/writing passwords to the Keychain using KM. I've written many KM macros which do just that.

The twist with my request, however, is how do I define a "typed-string" trigger using a highly sensitive typed string as the trigger? Currently you have to use a plaintext string to define the trigger.

I was thinking that it would be cool to have a "secure-typed-string" trigger that allows you to reference a string stored in the system Keychain, but not have it exposed in plaintext within the KM Editor UI and .kmmacros/.kmsync files.

I'm not sure that could be reliably implemented. It is for this reason, and many others, that I use 1Password. When the browser window is opened to a web site that needs a login, I just press the 1PW hotkey, and it ONLY inserts the PW for the active window/tab. So I can NEVER type my PW into the wrong page.

The closest you can come is to have a Typed String trigger with the start of your password and then have it start beeping like crazy if it is ever fired.

To make this more secure at only slight inconvenience you could expand your password to include a low security easily typed unusual extra word at the front (say "qwert"). Since the remainder of your password is the same your password is just as strong as it was before, and since this part is weak anyway it is safe enough to have a Typed String trigger detect it.

It is an interesting idea for a feature. I will note it down although I'm not sure I will implement it - it still is problematic in that for any short (e.g. 8 character) password, by the time Keyboard Maestro detects the issue you will have typed most of the password.

1 Like

I'm a diehard 1PW user as well. But what you describe is only applicable to web browsers. There are many, many instances per day when you need to copy and paste a password into an app, which obviously would not have 1PW extension support.

That makes me curious. I've also secured several apps with passwords. Could you name a few that show you the password in plain text?

I assume you do know that when an App login is presented, you can bring up 1PW Mini, find the App, and then copy/paste or drag/drop both the Login ID and Password to the App Login window.

Having said that, I totally agree this is not nearly as convenient as the autofill with Browser logins.

1Password does offer an API for Mac app developers:
Add support for 1Password to your Mac app

Since this exposes each 1PW item as a JSON file, it might be possible to read the file with a script, and then invoke 1PW Mini to get the UserID/PW, which could then be pasted into the App Login window. But I don't really know -- this is just an idea.

I'm not sure what your point is here? My issue is not plaintext passwords being "shown" by apps. My issue is passwords being accidentally typed into apps as plaintext. As I mentioned in my original post, Slack and Messages are two apps in which this has happened to me.

Again, this is irrelevant to the issue I originally posted about.

My issue/request is not "I want Keyboard Maestro to support pasting passwords into app dialogues".

My issue/request is: "I'm an idiot, and sometimes accidentally type/paste cleartext passwords into unintended apps which steal the focus of the app I am trying to type/paste the password into. I'd like to see KM be able to support a way to store secure typed string triggers in the KM Editor, so that it can detect if I type my password into an app for which it could be catastrophic if I accidentally typed my password into"

Granted this is probably a ridiculous edge case, but it has happened to me enough times that I was motivated to look to KM as a possible solution to this dumb problem.

Here's an untested idea.

Create a macro group active ONLY for the apps for which you want to allow password input.
Create a macro in this group with as much protection/warning as you like (or can stand. :wink: )

  • Prompt for you to enter the password into a KM prompt that uses a Local variable, like "Local__Password"
    • It will not show
    • KM Local Vars are automatically deleted at end of macro
  • Paste what you have typed
    • Since the Macro is active ONLY when one of your designated Apps is frontmost, this should give you some protection.

Note: I would NOT store any passwords in KM global variables.

Hey Mel,

1Password 7 Mini works globally now. It is no longer confined to web browsers.

See the Keyboard Shortcuts section in the General Prefs of the 1Password app.

-Chris

Again, this is irrelevant to my issue.

To reiterate, the issue is not copy/pasting password data from a password manager into apps/webpages.

The issue is copy/pasting data from a password manager into the WRONG app/webpage by accident.

Of course, there is no automation that can prevent ALL human mistakes, and still allow human interaction with the computer. :wink:

Having said that, 1Password tries to ensure that the username and password are inserted into the correct web page by comparing the URL of the current web page with the item setup in 1PW.

Unfortunately, it cannot do the same with native Mac apps.

Here is an example Macro to set the password for a Mac app, based on an actual Macro that I use. It uses the macOS Keychain tool.

You will need, of course, to:

  1. Set the Keychain password for "AppName Password" (change "AppName" to your App) outside of KM.
  2. Change the App selected for the Trigger and the Pause Until Action to the target app of your choice.

This macro is triggered by the launch of the target app, and then also makes sure that App is frontmost before continuing. That should provide pretty good assurance that you are pasting the PW into the correct app.

Of course, you can add other tests that you want.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MACRO:   Enter App Login When App Launches [Example]


#### DOWNLOAD:
<a class="attachment" href="/uploads/default/original/3X/8/a/8a26cc882a1dfd461fabec3c5e85f8927b56822d.kmmacros">Enter App Login When App Launches [Example].kmmacros</a> (42 KB)
**Note: This Macro was uploaded in a DISABLED state. You must enable before it can be triggered.**
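
The check described in the post above (read the password from the Keychain, but only while the intended app is frontmost), written as a shell script that a Keyboard Maestro Execute Shell Script action could call. This is an added example, not part of the original post or the attached macro; the allowlist entries, the function names and the `--run` flag are assumptions, and "AppName Password" is the Keychain item name used in the post.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumptions: the allowlist entries,
# the function names and the --run flag are hypothetical.
# One-time setup outside KM (prompts for the secret, so it stays out of shell history):
#   security add-generic-password -a "$USER" -s "AppName Password" -w

# Apps allowed to receive the password, one process name per line.
ALLOWED_APPS="AppName
Another App"

# Print the name of the frontmost application process (macOS only).
frontmost_app() {
  osascript -e 'tell application "System Events" to get name of first application process whose frontmost is true'
}

# Succeed only on an exact, whole-line allowlist match ("App" must not match "AppName").
is_allowed() {
  [ -n "$1" ] && printf '%s\n' "$ALLOWED_APPS" | grep -Fxq -- "$1"
}

# Print the Keychain password for SERVICE only while an allowed app has focus.
guarded_password() {
  local service="$1" secret
  if ! is_allowed "$(frontmost_app)"; then
    echo "refusing: frontmost app is not on the allowlist" >&2
    return 1
  fi
  secret="$(security find-generic-password -s "$service" -w)" || return 1
  # Re-check: focus can move while the Keychain lookup (or its prompt) runs.
  if ! is_allowed "$(frontmost_app)"; then
    echo "refusing: focus changed during Keychain lookup" >&2
    return 1
  fi
  printf '%s' "$secret"
}

# Run only when asked, e.g.:  ./guarded_pw.sh --run "AppName Password"
if [ "${1:-}" = "--run" ]; then
  guarded_password "${2:-AppName Password}"
fi
```

A short window still remains between the second check and the paste itself, so the insert action should follow the script immediately, with no pause in between.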


Thanks all for your responses. I was having similar questions and your answers were helpful to me.