Keychain in iCloud?

Just curious. I store some files in iCloud (mostly photos), I think Notes, Websites, but not Keychain data. I haven’t done so because I’m concerned about security and not entirely sold on the idea of storing critical passwords remotely. Can one assume it’s safe to do so? How many of you do store your Keychain info with iCloud along with other files? It would be convenient, of course, but convenience can have its drawbacks.

Ah, you are probably storing more files in iCloud than you think; some stored encrypted, most not. Many are stored automatically in iCloud by Apple. Others are stored specifically by and for (Apple and 3rd-party) apps in iCloud Drive. To see what Apple (or rather, MacOS, iOS, iPadOS, etc.) will store in iCloud for you -and what it will encrypt and how – see Apple Support’s articles on Advanced Data Protection. To see what individual apps are storing in iCloud for you, look at “iCloud Drive” in Finder.

As for storing passwords in iCloud: MacOS has featured locally-stored Keychains on your Mac for a long time (System keychains, an X509 certificate keychain, and individual per-user Login keychains). And each user could create their own Mac keychains (selecting their own keychain names and passwords). More recently, Apple has allow you to opt in to an iCloud Keychain – which gets stored in iCloud and shared (primarily by Safari) across all your devices that you log into using the same Apple ID. Rumor has it that Apple will soon be providing a more generally-useful (iCloud-based?) password manager for upcoming versions of MacOS, iOS, iPadOS, etc.

To see what keychains are already on your Mac, run “Keychain Access”.

1 Like

Long before any “Password Manager” apps existed, I stored most of my passwords as Secure Notes in a private keychain (separate from my Login keychain) on my Mac.

Not as convenient as having a password manager apps late became (no automatic filling of passwords,have to open the keychain, select the Secure Note of interest, then cut & paste the password) – but very usable (and private).

You might want to take a look at the following from the Apple Plarform Security Guide. iCloud Keychain security overview - Apple Support

I’m reading this (and the lonked topics in the article) as saying that the keychain is sent to Apple encrypted (end to end encryption) with no ability of anyone (including Apple) to view the contents. There also a discussion of the processes that Apple has put in place in case you have to recover your iCloud Keychain to a device.

Seems pretty secure to me.

1 Like

I failed to note I am running Catalina.

Hmm. A lot more than I expected! I see that most of my passwords and other sign-on info is already stored there.

Thanks for the link. Will check it out.

How do you share passwords among your devices now? If you never use a password on more than one device, then of course, there is no reason at all to use iCloud Keychain. But presumably you do use passwords on more than one device, and there is a good bet that iCloud Keychain is more secure than whatever you are doing now.

Here is an article from 10 years ago, shortly after iCloud Keychain was introduced. As far as I can tell, it is still accurate. (Does anybody know for sure?)

Incidentally, on the idea of storing passwords remotely. iCloud stores items on your devices. iCloud is a synchronization service. (Sometimes, especially for big items like photos, they might not be downloaded immediately to all devices, but once you access the item on a device it will be downloaded. But that doesn’t apply to Keychain.) There is probably a copy on a server. In the case of iCloud Keychain, that copy is very highly encrypted.

I checked yesterday and realized that my Keychain data is being stored on iCloud. For some reason I assumed it was not. I have an (older) iMac and a new iPhone SE, and a somewhat old iPod, and an ancient Macbook Air that supports nothing at this point. You know, I forgot all about syncing my passwords on my iPhone. I just did that a few minutes ago. However, either they haven’t synced yet or something else is going on because iOS isn’t populating the password field with the password if I try to log on to a site that requires one.