[HOWTO] enable Safari to ask to save login password at all sites

[minckster]

Some sites, like Yahoo, use "autocomplete=off" to disable the browser's ability to remember the User Name and Password for logging into that site. Javascript bookmarklets that overcome this limitation don't work in Safari. What to do?

I found a way that enables Safari to ask about saving passwords at all sites. The technique isn't mine, but finding it took some serious Googling, so I'll share it here. You have to enable the root user and edit a binary file. (You may want to give some serious thought to the security implications of saving these passwords.)

1. Enable root user. With Netinfo Manager: Security -> Authenticate. Security -> Enable root user.
   
2. Ensure that all users have quit Safari.
   
3. Log in as root and backup the executable file "WebCore". I copied the file as WebCoreOrig and left one copy in its original directory and a temporary copy on the desktop. WebCore is at:
   
   /System/Library/Frameworks/WebKit.framework/Versions/A/Frameworks/
   WebCore.framework/Versions/A/WebCore
   
   
4. Get HexEdit through http://www.versiontracker.com/dyn/moreinfo/macos/10658 It's a .sit file, so you'll need Stuffit Expander (stuffit.com). The app is HexEdit.app, within the HexEdit folder, whose custom icon is so fancy that it looks like an app itself.
   
5. Use HexEdit.app and replace the first character of "autocomplete" and "AUTOCOMPLETE" in WebCore with some other character. Replace only the strings that are surrounded by "0"s, i.e., don't replace something like web.autocomplete. Spend some time searching for all of the instances of "autocomplete" (case-insensitive) until you see which two are surrounded by zeroes. There's one all uppercase and one all lowercase.
   
6. Save your changes. HexEdit will make another backup of the original file, which it will call WebCore~
   
7. There's no need to reboot. When you return to your own user account and navigate to Yahoo.com, Safari should ask to save your password.
   
8. You'll have to repeat this procedure whenever an update by Apple installs a new WebCore file.

Source: Thanks to "atverd" at http://www.macosxhints.com/comment....ocked+form+data&type=article&order=&pid=47765

 

[fryke]

This is actually too much hassle for me. And I believe those sites who _do_ that kinda know why they're doing it. Your mileage may vary, but to hack WebCore _everytime_ Safari's updated? Bah...

 

[Rainy Day]

A few comments:

1. No need to enable root! Doing so takes way too much time, is unnecessary, and creates an unnecessary security risk.
   
   Instead, simply change the permissions on the file and enclosing directory so you can edit it, and change them back when you’re done. (It is not necessary to change permissions for the directory just to edit the file, but it is needed for when Hexedit creates the backup file.)
   
   You can use the Finder for this: Select Go To Folder… from the Go menu to navigate to the file, and use Get Info to set the permissions (an Administrator password will be necessary). You can paste the pathname into the Go To Folder… dialog, but make sure there are no spaces or returns in what you paste else it’ll say it can’t find the folder.
   
   All you really need to change is the Owner (to yourself), then back to “system” afterward, because the file and directory are already set to read/write for the owner (however that could change in the future).
   
   This method is much faster, and far far safer, than enabling root.
   
   
2. You don’t actually need to quit Safari before you edit, but you do need to restart Safari to ensure the changes take effect.
   
   
3. fryke: No, do not assume that the sites which do this know what they are doing. What they are doing is forcing your password out of the security of the keychain! You will either be forced to save your password in a plaintext file, or worse yet, choose a weak password that you can remember (and probably one which is common to other sites, an added security risk). Make no mistake about it, "autocomplete=off" is the security risk by not allowing Safari to save it in the keychain.
   
   Also, sites do this because most people use Windoze, and Windoze sucks at security.

 

[Rainy Day]

Even easier, just use Autocomplete Always On! It’s a program which will patch WebCore without farting around with permissions, etc.

 

[minckster]

Thanks Rainy Day! Great info!

I want to add another password to my keychain (after an update wrote over my edits to WebCore), so it's time to force Safari to submit to my will again. Your suggestions will save a lot of time.

 

[sirstaunch]

Not sure how or why this is happening, but Safari always asks me if I want to save log in details, then autofills for me when I go back to a site