iOS 7.1 - Safari Passwords & Autofill info not protected?

Hi,


I just upgraded to iOS 7.1 on my iPad mini and looked through the settings to see what is new, etc. When I came to:


Settings > Safari > Passwords & Autofill > Saved Passwords


it displays, without asking for any password, the list of all the web sites and the corresponding login names, and if I click on an entry, it shows me the password for that site!

Something is really wrong here, since that way anybody using the iPad can get the password info in clear-text form.


I have to admit that I haven't looked at this setting before, but I just cannot believe that anybody would gain access to all the websites with login names and passwords without having to enter a password after clicking on the "Saved Passwords" button in the settings?


There must be a way to protect this information, or is this a bug?


I would appreciate any clues!


Thank You

iMac, Mac OS X (10.6.8), iPad mini, MDD G4 1,25 Dual, iPod

Posted on Mar 10, 2014 11:48 AM

12 replies

Mar 10, 2014 12:55 PM in response to petervogelphoto

Hi,


Since I use my iPad only at home, I do not have a master passcode set up for it, and I just figured out myself that that is the problem, because I did set a passcode for the device to try that option.


So, if you have your device protected by a passcode, you also have your Safari passwords protected by that passcode. They are, so to speak, double protected.


If you have no passcode for your device, like many people using iPads at home only, your passwords for Safari are unprotected and can be seen by anybody. Not good! I have kids who also use my iPad, and I don't want them to be able to see all the passwords for all the sites.


For me, that is not logical at all, since access to these passwords should always be protected, whether you have set a passcode for the device or not! On my Mac at home, I can boot into the system without a password, but when I want to access keychain passwords, I do have to enter my master password. That is how it should be on iOS as well.


Since Safari on iOS uses keychain and that is set up via the Apple account and can be turned on and off under iCloud, it would make sense to use that password to gain access to keychain info on iOS. Also, the password should be asked for before seeing the list of saved sites with the login names.


Then there is the:


Settings > General > Restrictions


tab, where you can put in another password for restrictions.


So, if you use a passcode to log into the device, restrictions to limit some features and of course your Apple ID password for iCloud and the rest, you need to remember three passwords for one device? Not very Apple-like.


I wonder what Steve would say to this ;-)


Anyway, is there some kind of workaround so that my kids or guests of the house using the device are not able to check out all my passwords? And no, I do not want to type in a passcode every time I pick up the thing.

Mar 10, 2014 1:41 PM in response to petervogelphoto

It would be very un-Apple-like if they reduced the security of the device by having just one password for everything. I certainly wouldn't want everything behind just one password.


If you don't want (or can't trust) people checking out your passwords, don't use the password storage feature. That's the only workaround; use a separate password storage app such as 1Password instead.


Entering a passcode when you pick up the device takes at most 2 seconds, and becomes second nature very quickly. Just because you only use the device at home doesn't mean it is immune to being stolen. I have a passcode on my iPad which is also only ever used at home.

May 3, 2014 4:54 AM in response to petervogelphoto

This is a HUGE security risk. Do not turn on "Names and Passwords" in the Safari AutoFill settings. Anyone with your passcode to unlock your device can see all of your passwords. A passcode is NOT secure, anyone can watch you enter it.


An even bigger security risk is turning on iCloud Keychain. Do NOT turn this on. This exposes all of your saved names and passwords to anyone with your passcode. Major fail by Apple. This is exposed even if you have Names and Passcodes turned off!! Just look under Saved Passwords and see all of your keychain passwords which were protected by your password and iCloud passcode, now visible with your device passcode.


Apple, I would use these features if you required a password or even the iCloud passcode to view the passwords. Or, just don't ever show passwords in plain text and require desktop access for that feature.

May 5, 2014 7:47 AM in response to Rick Miller2

Snozdop is right, you shouldn't be sharing your device passcode/PIN with anyone. I also agree with snozdop's earlier statement that it would be very un-Apple-like to have one password that accesses everything. Which is why I'm amazed that once you turn on these features (one even requires Keychain's three-step verification) all your passwords become instantly available to read with just your most common password protecting them (or none if you don't have your phone locked with a code).


I was aware that by having these features turned on, anyone with access to my phone could access my account on these sites and services. My main point is that allowing people to read all my passwords is an unexpected and unnecessary feature of the iPhone.

Jun 14, 2014 6:49 AM in response to Rick Miller2

snozdop wrote:


Anyone with your passcode to unlock your device can see all of your passwords.


Well, of course. That's why you shouldn't share your passcode with anyone. That's not a "major fail by Apple", you shouldn't be sharing your passcode.


A passcode is NOT secure, anyone can watch you enter it.


Yes, exactly the same as the PIN on your bank card, which is why you are encouraged to block people's view when entering it when paying for something. You should protect the passcode to your personal device, just as you would protect the PIN to your personal bank cards.


Is that also "a HUGE security risk"?


Are you really comparing a device's passcode and a bank card PIN?


Your money is not protected by a 5 digit PIN. It is protected by a state-of-the-art cryptographic physical device, which is the chip on your plastic bank card. Which in turn is double protected by a 5 digit PIN. Two-factor authentication. "Chip&PIN".


It wouldn't be useful to protect your cellular phone (again, cellular phone, by which you call people) with the same security level. I don't even have a passcode set. Because I unlock my phone probably hundreds of times a day.


And since it is used so much, it is impracticable to be sure no one sees your passcode when you unlock your phone, if you have any.



On the contrary, passwords are used for more important things, like spending money for example, as you do with your bank card.

So, passwords must have a higher security level. Not the same by which you enable your phone to place a phone call.


So, yes, forcing your passwords to have the same protection as your phone calls IS a HUGE security risk.



I suggest everyone erase all saved passwords in Safari from their Macs and iOS devices, disable iCloud Keychain and username and password saving, and use a third-party password manager instead.

Jul 26, 2014 2:08 PM in response to Shony

I am currently on hold to Yahoo, again trying to get my password (using iPad as Skype phone). It has been over 2 weeks I have been locked out and I have spent hours on hold only to be cut off time after time. I am not allowed in because I cannot answer the question "where did you spend your honeymoon". I have the motivation to try the back door to get the password. Has anyone ever had any success contacting Yahoo? My other computers are all locked out but I can still get to mail on iPad so the password has to be in there...

Aug 27, 2014 12:33 PM in response to petervogelphoto

I just found out about this. I cannot believe it is so easy to see someone's passwords. In particular, if the device is not set up to ask for a passcode, how come all the passwords are accessible without asking for some sort of device or Apple ID password? *Maybe* when the phone/iPad is set up to ask for a passcode it might be OK that there is no two-step verification. But it is plainly ridiculous that if the device has no passcode then even passwords are visible. This is particularly ridiculous for iOS since Safari on Mavericks clearly asks for the user's password before revealing stored websites' passwords. APPLE REALLY HAS TO FIX THIS!

Aug 27, 2014 2:44 PM in response to jorgemlg

jorgemlg wrote:


But it is plainly ridiculous that if the device has no passcode then even passwords are visible.

It's plainly ridiculous that people store sensitive personal information on a single-user device, don't passcode it and then leave it where other people can browse through it unmonitored. I wonder if those same people leave their wallets around for people to look through.


Submit your feedback directly to Apple using the appropriate link on the Feedback page:


http://www.apple.com/feedback

Aug 27, 2014 6:17 PM in response to IdrisSeabright

I'm extremely security conscious so I've set up my work iPads so that employees must enter complex passcodes (i.e. passwords) that expire monthly. A simple 4-digit pin is completely off the table. With that said I agree with jorgemlg. For whatever reason, something that I'll never fathom, the large majority of folks find it too strenuous an exercise to enter a fricken 4-digit pin (i.e. Passcode). Therefore regardless of passcode setting if they decide to use Keychain to store passwords and/or credit card info a password and/or fingerprint ID should be a bare minimum requirement.

Aug 27, 2014 8:01 PM in response to pete deville

pete deville wrote:


I'm extremely security conscious so I've set up my work iPads so that employees must enter complex passcodes (i.e. passwords) that expire monthly. A simple 4-digit pin is completely off the table. With that said I agree with jorgemlg. For whatever reason, something that I'll never fathom, the large majority of folks find it too strenuous an exercise to enter a fricken 4-digit pin (i.e. Passcode). Therefore regardless of passcode setting if they decide to use Keychain to store passwords and/or credit card info a password and/or fingerprint ID should be a bare minimum requirement.

What makes you think that people who are too lazy to use a 4-digit passcode to lock their iPad will put in a lock code for their Keychain? They're probably the same people who make lists of their credit card numbers in Notes. Should we force that to be password protected? Again, even a 4-digit passcode will defeat the vast majority of thieves and it's already an option. My wallet doesn't have a passcode on it and yet, I don't have a huge problem because I'm careful what I do with it.