LastPass vs. 1Password vs. Apple's Passwords app

I’ve noticed this behavior in Keychain Access as well. I think, assuming I’ve read the above posts correctly and based on how I use Keychain Access, that the notes associated with passwords are encrypted when a user is logged out but the notes are always visible when a user is logged into macOS (not when a keychain is unlocked). In other words, anybody using the computer can see the notes by opening Keychain Access.

1 Like

Kudos to them…but in reality the Secret Key is just a second password…and is only needed for initial setup of a device. If a device is stolen…then the Master Password is the only protection…and we all know that in 2024 the only real protection is a long password. If the vault is stolen…needing to have both of them enforces a long basically impossible password to get in.

TBH…today a 17 or so character password of all 4 password food groups is long enough…yes a longer one is better but in reality a password crackable in a billion centuries isn’t any more secure than one that takes 10 billion. The nice thing about length is that you don’t need to remember the completely random string of gibberish. Take any 3 words, put some special character between them, capitalize the first letter and add a couple numbers easily rememberable to you but not easily guessed…and that password is both easy to remember and plenty long and complex enough to avoid cracking. The fact that the 3 individual words are in the dictionary is irrelevant…because the dictionary tables need the entire password to be in the dictionary…and rainbow tables for faster lookup get too large to manage…forcing the cracker into brute force and there long is your most important friend.

That’s what 1PW is trying to protect against…the loss of the vault by them. On your device, having a sufficiently long password is what you need.

1 Like
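
Added example (not part of any post in this thread): a Python estimate of the search space for the two password styles described in the post above, a 17-character random password and the three-word pattern. It assumes a guesser who knows the pattern and the word list; the list size, separator count and guessing rate are illustrative assumptions.

```python
import math

PRINTABLE_ASCII = 94   # upper, lower, digits, symbols ("all 4 food groups")
WORDLIST_SIZE = 7776   # assumption: a Diceware-sized word list
SEPARATORS = 32        # assumption: the 32 ASCII punctuation marks

def random_password_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy in bits of `length` characters chosen uniformly at random."""
    return length * math.log2(alphabet)

def passphrase_bits(words=3, digits=2, wordlist=WORDLIST_SIZE,
                    separators=SEPARATORS):
    """Entropy of the pattern Word<sep>word<sep>word<digits>.

    Words, separators and digits are assumed to be chosen at random.
    Capitalising the first letter is a fixed rule, so it adds no bits.
    """
    return (words * math.log2(wordlist)
            + (words - 1) * math.log2(separators)
            + digits * math.log2(10))

def average_years_to_guess(bits, guesses_per_second):
    """Expected time to find the value: half the space at the given rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def words_needed(target_bits, wordlist=WORDLIST_SIZE):
    """Random words required to reach `target_bits` from words alone."""
    return math.ceil(target_bits / math.log2(wordlist))

if __name__ == "__main__":
    rate = 1e4  # constructed rate; real rates depend on the vault's key derivation
    rnd = random_password_bits(17)
    phrase = passphrase_bits()
    print(f"17 random characters : {rnd:6.1f} bits")
    print(f"3 words + 2 digits   : {phrase:6.1f} bits")
    print(f"years at {rate:.0e}/s     : {average_years_to_guess(phrase, rate):.3g}")
    print(f"words to match random: {words_needed(rnd)}")
```

The rate passed to `average_years_to_guess` dominates the result, so use a figure that matches the key-derivation settings of the vault being assessed.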

I just checked - I have a few records in the Passwords app that have Notes.

They do not show up in Keychain Access. The only way to see the notes is to unlock the Passwords app.

3 Likes

Question,
Is there a way to erase the existing passwords stored on my MacBook Pro and iPad and export my passwords from 1Password to Apple Passwords?

You should be able to. Select one entry, and then, from the Edit menu, tap ‘Select All’. Right-click over the selected entries and tap ‘Delete’. Before doing that, you should use the ‘Export All Passwords’ command from the File menu.

1 Like

I’ve used PasswordWallet since the early days before the WWW and all its problems existed. Passwords are stored offline, a little safer(?). You will have to ask the experts about safety. It is still available at Selznick Software https://www.passwordwallet.com/ and I purchased a new copy for my new Studio running Sonoma. Meets my needs which are simpler than many younger people.

Personally, I don’t think age has much effect on privacy and security needs. I’d say it’s more a function of personality type and what sort of data is kept on devices.

Can someone confirm if Apple’s Password app stores its data on the iCloud? If that’s the case PasswordWallet sounds quite reasonable as I store my passwords locally only. If the tin hat fits I would wear it!

Ta

It depends on what you mean by “on iCloud”.

The data remains local if you turn off iCloud Keychain sync on your device. (Be warned if you do this: I’ve read reports that iOS, iPadOS, and macOS updates turn that option on when it’s been explicitly turned off. That said, these reports are anecdotal.)

But iCloud Keychain data is not exposed online. Apple does not have keys for the data; it’s not on iCloud Drive; there is no access to your password data on the website iCloud.com. iCloud is just used as a sync mechanism. You need a device that has logged in to your Apple Account, passed two-factor authentication, and presented the passphrase for an existing iOS, iPadOS, or macOS device in order to sync passwords from the iCloud Keychain onto a new device. And merely having the Apple account and password is not enough to decrypt the stored password and passkey data if someone somehow was able to access the data online.

3 Likes

Advanced Data Protection for iCloud

Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.

With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 25 and includes your iCloud Backup, Photos, Notes, and more. The table below lists the additional data categories that are protected by end-to-end encryption when you enable Advanced Data Protection.

If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key. Because the majority of your iCloud data will be protected by end-to-end encryption, you’ll be guided to set up at least one recovery contact or recovery key before you turn on Advanced Data Protection. You must also update all your Apple devices to a software version that supports this feature.

You can turn off Advanced Data Protection at any time. Your device will securely upload the required encryption keys to Apple servers, and your account will once again use standard data protection.


Secure iCloud Keychain recovery

iCloud Keychain escrows users’ keychain data with Apple without allowing Apple to read the passwords and other data it contains. Even if the user has only a single device, keychain recovery provides a safety net against data loss.

3 Likes

@Halfsmoke and @ddmiller – following up a few days after you guys have had quite a discussion…

I found this on Stack Exchange

which suggests that, while there is protection for the Notes field, it is not as secure as the password itself. There is a link to that Apple Platform Security Guide, but that guide is from May 2024, before iDevice 18 and macOS 15 – so not as useful as it could be.

I’m going to keep digging into it, but I guess for now, the Notes field in the Passwords app might be adequate for “muggles” (maybe not for “wizards” like us).

2 Likes

Without rehashing the discussions of 1Password, I’ll just note that I’ve found the same problems with 1Password 8. It is much less user-friendly than v7. However, as @neil1 said, I’ve found no adequate substitute for it.

I’m still on v7 and will remain there until it doesn’t work anymore even though I have a subscription. I don’t really like the new interface or the loss of DropBox support. Their Secret Key doesn’t do much except for originally installing on a device. The non-negotiable feature was the lack of local user managed backup and recovery…but their prime guy admitted awhile back there is a complete encrypted copy in the users Library folder that can be backed up and restored from independent of their server farms. My vault lives in DropBox and I’m staying on v7 as long as I can.

So, yes, I know that this has been discussed to death, but for me I think the issue is with the Safari extension. If I go into 1Password’s settings and turn on AutoFill then the Cmd-\ autofill keyboard shortcut always works. (See Use Universal Autofill in apps and browsers on your Mac | 1Password)

I believe that I am going to switch to a hybrid of using the Passwords app for Passwords that I share with my family (particularly with my wife) and 1Password for everything else. There is just so much else besides password data that 1Password can store, and having multiple discrete vaults is super-helpful to me.

As for LastPass: I used it from 2009, when I started using an Android phone (and 1Password was, at that time, not a valid solution on Android) until about 2015, when LastPass was sold to LogMeIn and I wanted them to have no part of storing my data, after I had switched to iPhone and iOS. After that huge security breach a couple of years ago, I’m glad I deleted all of my data when I did.

2 Likes

Note the comment on that article:

They are stored in the keychain and the whole keychain is encrypted, so it stands to reason that the notes are as secure as your passwords.

As for what’s posted on your article:

Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed searches and the secret value (kSecValueData) is encrypted with the secret key. The metadata key is protected by the Secure Enclave but is cached in the Application Processor to allow fast queries of the keychain. The secret key always requires a round trip through the Secure Enclave.

I believe that this is talking about on the device, not as the data is stored in iCloud when synced. As for macOS, I have no way to search for any data in the Passwords app without first opening the Passwords app itself, which requires authenticating. As posted before, I don’t see any notes in the Keychain Access app (in fact, none of the iCloud Keychain passwords are there at all), and if I do any kind of Spotlight search for specific text in the Notes fields of the Passwords app, nothing is found.

Thanks for the info - greatly appreciated.

I remember a recommendation many years ago - might have even been on TidBits - that when asked a Secret Question - such as father’s middle name - to use None. I’ve extrapolated from that over the years & used real names but not my family’s real names. Has worked well for me since that time. I use names that will be easy for me to remember but impossible to guess since they aren’t real family names for me. I do the same when asked for favorite book, college roommate, favorite teacher, etc.

1 Like

Yep. When they ask security questions, you should just think of them as more passwords. Provide whatever strings you like and record them using whatever mechanism you use for tracking your passwords.

So when they ask for your father’s middle name, you can say “The Incredible Shmoo loves you”, and the system should accept it just as well as anything else. And nobody is going to guess it. (But don’t use what I just wrote, since it’s now public 🙂).

It’s not like these sites perform background checks to make sure you’re answering truthfully.

2 Likes
