Is Apple’s Password AutoFill More Secure Than Using Plugins or the Clipboard?

We believe using the built-in Password AutoFill subsystem is a very secure way to fill your passwords.

Of course, as with everything, the devil is in the details. In principle, Apple's Password AutoFill is absolutely a better model: a system fully designed for the transmission of sensitive credentials from a Password Manager to a requesting 3rd-party app/browser. There's no globally shared data that can be sniffed, so it's a thousand times better than using the clipboard. It also doesn't require a plugin and some arbitrarily designed IPC process. Further, because the browsers do the integration work, it provides a unified standard for websites to fit into, and so, eventually, no more un-fillable logins. Having a single standard is beneficial.

The only issue we can see is if the 3rd-party app/browser implementation (e.g. Safari) has some kind of security issue, but then this is always the case, even with other methods. Therefore, even in the worst-case scenario, we believe using the system-provided Password AutoFill subsystem is at least as secure as other methods, and probably more secure. This also leaves out other non-security factors, like improved UX and simplification for websites from having a common standard.

In all, we're betting on Password AutoFill on Apple platforms.

What about Chrome and Firefox on macOS?

Unfortunately, Chrome and Firefox are slow off the mark here in integrating with Apple Password AutoFill on macOS. In response, we've developed our own browser extension for Chrome (and other Chromium-based browsers) and an add-on for Firefox.

We've also written a synopsis of how the browser plugins work at a technical level, and the design choices we made during their development: How Does the Chrome/Firefox Extension Work? Is It Secure?