I'm not sure those passwords are stored in Keychain, anyway. The forms-filling function of Safari has been called a security problem. If it totally uses Keychain, it may not be a real problem. I simply turn that function OFF in Safari Prefs and don't worry about it. I think one reason for the security concerns is that the Keychain is not encrypted as much as other methods.
The way many 'auto-fill' systems work is the name or id used in the form for each item is used to decide where to insert what value. A 'password' text box is usually labeled/named/ided as 'password' so that's where the password is inserted. The other field is usually labeled/named/etc. as 'username.' The point is, each and every field has a name/id/label and that is saved with the value you want to associate with it. Unfortunately, some sites use
Flash® instead of real html and this make it difficult, if not impossible, to 'see' what the label even is, assuming there is one. The result of using this proprietary technology is that it becomes impossible to insert the stored data in the correct place(s). "Thanks Adobe. We have enough trouble remembering different passwords without your forcing us to do it all with our brains (which are not made for this kind of task) and preventing us from using our computers (which
are made for this kind of task!)!!!"
From the developers of 1Password:
QUOTE
Adobe Flash
1Password is unable to save and restore logins for sites that use Adobe Flash [for the login area]. As far as we know, no browser password manager anywhere supports Flash-based sites because it is a proprietary solution and does not interface with the browser much at all.
After working with a Flash consultant and reviewing the latest APIs provided by Adobe we found it is still not possible unless websites modify their code to allow it.
They also mention the javascript sometimes affects the use of the 'auto submit' function of 1Password, but I have not encountered that.
I seldom have trouble with this using 1Password, and it is always when the site uses
Flash®. I can sometimes avoid the problem by using two different 'password' files; one for the actual password and one for the other item. The 1Password 'file' contains nothing but the needed item and the url, of course. That's still only two mouse clicks instead of any typing, of course. And this allows me to have extremely secure and different passwords/usernames for every site.
One other method might be to use something like TextExpander/Typinator which replaces a very short bit of typing with the actual text you want. However, that will mean the password is completely openly stored on your computer, none of these apps do any kind of encryption, ASAIK. OTOH, once someone gains physical access to you computer, all bets about security are pretty much off!
"Just because you
can do something is not a valid reason to actually
do it."
