As briefly as possible, here’s my situation and query:
Several years ago, I started using LastPass as the password manager on my Mac and iPad and iPhone. Like most users, I got nailed by the LastPass user data breach a year or two ago, but changed my passwords and seemingly avoided disaster. Inertia kept me from changing over to 1Password (which seemed to have issues of its own), but for the past several months, LastPass (and its LastPass browser extensions) have gotten very unreliable, to the point of unusable. Since my subscription comes up for renewal in the new year, I would like to transfer my passwords to either 1Password or Apple’s Password app, which showed up as a new app when I updated my Mini to Sequoia.
Does anyone have experience with this and any thoughts on whether Apple’s Passwords app is sufficiently robust as a password manager? If it is, any tips on migrating to it from LastPass?
I have never used LastPass but continue to be satisfied with the new Passwords app. Import from 1Password was straightforward and I’ve not launched 1PW since making the change.
My 1PW subscription came up in the past month and my previous employer paid it for another year as even though I’m retired, I still store account details for many of their logins. At this stage I think it’s wasted money but it’s comforting to have it ‘just in case’.
Well, here’s 1Password’s support article on migrating from LastPass to 1Password.
I held out on migrating to the account-based version until this past year. Now, the browser extensions and auto-fill work fine, the sync among devices is very rapid, and the family account allows my spouse to keep both her own private passwords and a shared pool where we both need access to the same login.
Fairly obviously, LastPass has been a disaster for many people. So understand why you need to change.
If you just want to store web page passwords and only use Apple devices, use Apple’s Passwords. 1Password has many extra features (e.g. I store all my software licenses in 1Password) along with being cross platform. I find it worth the money.
If you want more than Apple offers, do consider Bitwarden as well as 1Password.
Thanks for your help, trilo, Matt, and gilby101. Since all my devices are Apple, and my password needs aren’t too complicated, perhaps I will try porting to Passwords initially and see how that feels. I’d not rushed to move away from LastPass because I liked how it worked – when it worked!!! But it was giving me problems in both Firefox and Brave: browser extensions were not loading like they used to and were supposed to. When I start wrestling with apps, it is time to move on. I’ve not yet determined whether one can print out a doc from either of the PMs discussed here that lists all of one’s passwords, for backup reference. I’d really like to do that before I get very far down the road in changing apps.
At this point, I think I agree with @gilby101’s point about trying Apple’s Passwords first to see if it meets your needs. If it doesn’t, 1Password is great.
Update: I successfully transferred the bulk of my passwords from LastPass to my Passwords app, with the exception of a small handful of passwords that had missing information apparently preventing them from being included. I will try to figure out which ones those were tomorrow. For instance, I am not sure what “Missing required information for (sn (name))” refers to, when the name after “sn” is just listed as my name or a brand of credit card. My wild guess is that it refers to an expired expiration date or changed 3-digit security code, which are no longer valid.
If all you need is a password only manager…Apple’s Passwords is just fine. If you need the Secure Notes, attachments, and all the other categories of secure info…1Password is the only viable solution IMO. I don’t like their new corporate users are most important approach…but if one needs/uses those other features, there is no, zero other apps that fit the bill.
It looks like Apple’s Passwords will do what I need. I did like the added security-checking features of LastPass, but I think most of those are also performed by my MalwareBytes app. If I discover otherwise, or get stumped on using Passwords, I will add to this thread.
If you mean searching to see if any of your passwords are compromised, the Apple Passwords app does that as well. There is a separate security tile that will show any of those.
Just to say: Passwords lacks the other features of 1Password, but not the family sharing. Family sharing goes back to iOS 17 and MacOS Sonoma as well (which, of course, 1Password also beats; it can share on any version on which 1Password runs.)
Years ago, I used LastPass, and when it seemed to be buggy (and based on recommendations) switched to 1Password — fortunately before LastPass had their major security disaster. But throughout that time, I also kept my iCloud Keychain up-to-date.
At this point, I use both 1Password and Apple Passwords. Here’s my assessment (which is somewhat consistent with what was written above): Apple’s Passwords is a solid, basic, password manager. However (and this is a huge flaw), unlike the Keychain Access application (on Mac), it has no way to store Secure Note Items (which is what Keychain Access calls them). I think that’s a big hole.
We need a good, secure way to store things like the answers to “Secret Questions” (never tell them the truth; your mother’s maiden name is easily obtained), recovery codes, and the like. Apple’s idea for that is to use the Notes app, but that is flawed since (a) these things are clearly Password-related, and (b) there is no way to create a secure folder within Notes (so things have to be individually protected, making migration a pain in the butt).
However (this is a big one), 1Password is not as drop-dead simple — not Apple-like — as Passwords. So for the less technical among us (e.g., my parents) I’ve been recommending they stick with Apple’s Passwords app. But I’m still looking for a good solution to secure notes for them (Apple, are you listening?).
Or even use a real word. If a site allows text input for Secret Question Answers, it is always possible to use a letters-and-numbers string of characters (easily generated, incidentally, by Keychain Access). Again, this points to adding Secure Notes to Apple Passwords.
FWIW, each Password entry has a notes field, and since I started testing using the Passwords app rather than 1P, I’m finding that’s the best solution for me. I can store each of those things in separate lines, like this:
First School
deqryq-Bukce8-goncot
Oldest Cousin
doqfu3-mofcyk-Riwpec
And I can select-and-copy from the Passwords app when I need to.
That said: it’s some manual work. I agree that I hope that Apple adds the ability to add some custom fields to the data at some point. (It would also be nice to specify length of password, create a PIN of x characters, etc.)
For me what I am finding is that Passwords is 100% reliable. 1Password for me would often get in a state where it would not fill in fields, tell me that I needed to open and unlock the 1Password app (though it was already unlocked, and doing so changed nothing.)
Doug, good point about the Notes field. However, I have a question:
Before the emergence of the Passwords app, back when Web site passwords could be accessed and managed via the Keychain Access utility, there was a notes field. And while viewing the Web site password itself required your login password, the notes themselves seemed to be unprotected.
Do we know that the Notes field shown in the new Passwords app is encrypted/protected as well as the password itself is protected? That would seem to me to be an important consideration.
I don’t know for sure, but I’m reasonably certain that the entire iCloud Keychain is encrypted, metadata included. But I’ve not seen an analysis one way or the other.
But this does suggest that metadata is also encrypted.
Keychain items are encrypted using two different AES-256-GCM keys: a table key (metadata) and a per-row key (secret key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed searches, and the secret value (kSecValueData) is encrypted with the secret key. The metadata key is protected by the Secure Enclave but is cached in the Application Processor to allow fast queries of the keychain. The secret key always requires a round trip through the Secure Enclave.
By the way, I know that I am saying iCloud Keychain, but that’s just what Apple passwords actually are. Apple has just written an app to manage them more easily.
1password vaults are protected by two keys: one auto generated, the other your vault password. You need both to access the data on a new device. A big security win for 1password vs all competition that I am aware of.
1password 7 (but not 8, alas) lets you use one password to unlock all vaults on your devices and a different (more secure) password to protect vaults synched in the cloud. It’s a hack, but one I use: set up an empty local vault with the password of your choice. Then set up your subscription/synched account (which can have a really secure password that you would never want to type!). Set that as the default for new passwords. This is some compensation for the next item.
1password insists on offering access to passwords on the web. I hate that, but it is universal. Except that Apple allows turning off web access to iCloud files (all types or none) which I do. That would not stop a determined thief, since any data synched to the cloud is vulnerable, but it makes things a bit harder.
In any case the first item is most important and is why I use 1password for important items.
I also like being able to easily go straight to a site without having to use a bookmark (or trusting web search, which is unsafe!). And being able to store photos. And to generate passwords in a variety of formats and lengths (my security question answers are all auto generated “memorable” = pronounceable passwords). And to be able to easily share 1-time secrets. And having a shared vault for the family plan.
I use keychain for most of my passwords but I also have a lot of data in 1password 7.
So, yes, I agree that this is a strength of 1P over other platforms. And, I think to be pedantic, it’s encrypted with a single key, but one that is a mangled key derived from your passphrase and what 1Password calls the secret key. So a more precise statement is that it’s protected by two passphrases rather than two keys - you need to know (or guess) both in order to access the account. It’s a very strong model.
But: if you already have one device with Apple Passwords, adding a new device requires a two-factor approval on another trusted device in order to get access to the keychain / passwords. And as part of the on-boarding the second device will also be asked to supply the passphrase of one of the other devices already using iCloud Keychain - in fact, it’s required because it’s the only way to get decrypted values in the Keychain, as Apple does not have a key.
So, if your iPhone is lost / stolen and the thief also knows the passphrase, Apple Passwords are essentially open. But it’s also true to say that it’s not trivial to add another device.
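The "one key derived from two secrets" model discussed in the post above can be sketched as follows. This is an added example, not part of the original thread and not 1Password's own code: the function names, the iteration count, the XOR combination and the stored verifier are assumptions chosen to illustrate the idea, and all sample values are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch only


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) over HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(passphrase, secret_key, salt):
    """Fold both secrets into one 32-byte key; neither half alone is useful."""
    # Human-chosen passphrase: stretched slowly to make guessing expensive.
    pw_half = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    # Machine-generated secret key: already high entropy, so a fast KDF is enough.
    sk_half = hkdf_sha256(secret_key.encode(), salt, b"secret-key-half")
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))


def enroll(passphrase, secret_key):
    """Return what a sync service would hold in this sketch: salt and verifier."""
    salt = os.urandom(16)
    key = derive_unlock_key(passphrase, secret_key, salt)
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlocks(passphrase, secret_key, record):
    """True only when both secrets match the ones used at enrollment."""
    key = derive_unlock_key(passphrase, secret_key, record["salt"])
    candidate = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    record = enroll("correct horse battery staple", "A3-EXAMPLE-SECRET-KEY")
    print(unlocks("correct horse battery staple", "A3-EXAMPLE-SECRET-KEY", record))
    print(unlocks("correct horse battery staple", "guessed-secret-key", record))
```

Someone who obtains the stored record and even the correct passphrase still has to guess the machine-generated secret, which is why a weak passphrase alone does not open the account in this model.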