Apple changed the behavior of Safari in macOS 10.14.4, and you may have noticed it and thought it was a bug. Now, if you have stored a password for a website, when you select a login entry to autofill, Safari 12.1 for macOS automatically submits the login. Previously, it would fill the fields and still require you to click a Login or Submit or other button to proceed.
I understand Apple’s logic in making this change, as it reduces friction and takes less time to log into a site, much like dropping text message login codes into an autofill field for macOS and iOS. Apple described this Safari change in 10.14.4’s release notes as “Streamlines website login when filling credentials with Password AutoFill.”
So far, there’s no way to turn this autofill option off, nor to choose sites to exclude. Some Apple forum users have complained that the new autosubmit tries to log in and fails on certain sites that require a CAPTCHA (one of those distorted letters or photo-identification challenges) that only appears after they enter credentials. (I’ve noticed this on some sites with CAPTCHAs, but others work fine.)
You might also note that you have to check a “keep me logged in” or “remember my username” box on sites that offer it before selecting the Safari-stored login. In the past, you could select it, then check a box. Now, you have to check the box first.
The only way to disable autofill is site by site, and then only by removing the keychain entry. If you use iCloud Keychain, this removal is synced across all your connected iOS and macOS devices.
You can remove an entry in Safari for macOS via Safari > Preferences > Passwords. Enter your macOS account password, then type in the name of a site you want to remove in the search field. Select one or more entries, click the Remove button, and then confirm the removal.
What makes Apple’s decision all the more odd is that AgileBits, the makers of 1Password, took the opposite course in October 2018. The company removed an option for autosubmitting passwords, and explained it in a blog entry. Two elements stood out for me:
Not all sites respond as 1Password expects. We can see this with Safari autosubmit as well. That means you have to fiddle around more to log in. On a couple of sites I routinely use, the new autosubmit process typically fails. I wind up switching to 1Password for the login.
Apple removed a mechanism AgileBits relied on to submit, because it could be abused by scripts on pages, resulting in the potential leakage of personal information. The blog entry noted, “As yet another step towards a more secure environment, apps that can virtually type the ‘Return’ key on the keyboard have been significantly restricted.” Apple trusts itself more than everyone else, because it controls the browser and experience, but it seems like it may be leaving users open to higher risks.
Apple often adds nuance to new features later, and it’s possible it would add a per-site option in Preferences > Websites, as it has with other features, or provide a global on/off switch for autosubmit.
By Glenn Fleishman