Passkeys are coming: Apple's Keychain Access or a Password Manager?

So, I’m not sure where to head to next. I take security seriously, and I’m not sure if I should stick with 1Password, which I’ve been using for the last 16 years, or start using Apple’s Keychain on my iMac. 1Password comes in handy on my iPhone also since it automatically syncs (as do Contacts, Calendar, and Photos using iCloud). So … what is the best approach? If it is Apple’s Keychain going forward, does it work across devices?

I’ve been using a Mac for about 25 years, just personally, not for business, and I still have questions and no one personally, family or friends, to turn to for answers. That’s why membership in TidBITS and in NMUG and the few newsletters that I get help out.

1 Like

The very reason why I did switch to using iCloud Keychain is precisely because it syncs very well from my Macs to my iPhone and vice versa. In my experience, iCloud syncing in general is not super reliable, but I will say that I have yet to run into any trouble with iCloud Keychain and its syncing.

Howard Oakley recently did a great little series on keychains. It’s very good reading to familiarize yourself with how iCloud Keychain actually works. Here are two articles from that series.

4 Likes

Thank you, Simon. I will look into this!

1PW is much more capable than iCloud Keychain…it lets you keep encrypted documents and uses categories to let you more easily find what you’re looking for, and because its data is only decrypted on device it may be more secure. I don’t know if the same is true for keychains or if Apple has any ability to decrypt them, as I’ve never looked into it. 1PW is pretty much the gold standard though…and while the company seems to be turning away some from individual users and Macs in general towards their common code and business customers, they’re still pretty much the best around in what they do.

I have to admit that v8 of their app is IMO several steps in the wrong direction…but it’s not my company to manage and IMO they’re being forced by their VC investors/part owners to make more profit at the expense of usability…so I’m currently sticking with v7 and will use it until it quits working, when I will reluctantly switch to v8, as the only hard-no issue for me (backup and restore at my discretion without needing their cloud to do so) has been resolved.

Documents, image attachments, and notes in entries make it an all-in-one secrets keeper, more than just a password manager.

6 Likes

Here is a TidBITS article from a number of years ago. I wonder if any of this needs to be updated?

1 Like

I’m planning to stick with 1Password for the coming year (my subscription just renewed last month) and see how Passkeys work with it, then I’ll decide next August whether to continue on or switch over to iCloud Keychain.

One of my considerations is making sure that my wife and/or kids will be able to access my passwords and passkeys with either solution. Right now I do have my wife listed as a legacy contact for iCloud, but I’ve documented for her how to access my 1P data. I don’t necessarily want to try out what will happen with legacy contact, but I may have to at some point to make sure that she knows how, and is able, to access my iCloud data, including saved passwords and notes, etc.

3 Likes

In addition to the technical aspects of switching, you also might want to think about how you feel about making changes to your workflows and how you feel about relying on a small-to-medium-sized business versus Apple for an important task.

For example, does the annual macOS update cause you any anxiety? Or how do you think you would react if you were notified by 1Password you had 30 days to find a new password manager before the company shut down?

These are hypotheticals, of course, but thinking through these sorts of things is often important in decision making.

3 Likes

Your Legacy Contact does NOT get “data stored in your Keychain.” Moreover, Legacy Contacts don’t get your data until after you are dead; they have no access while you are simply incapacitated.

4 Likes

Right, thanks for that. So that’s rather unhelpful.

She’s also a recovery contact for my account, so she’d be able to reset my Apple ID password and get access that way if for some reason she forgets my device passcode. (Well, she never uses it, so I wouldn’t be surprised if she did.)

Of course I could share passwords and passkeys with iOS 17. That’s really what I’d make sure happened if I do switch to iCloud Keychain.

I’ll stick with 1PW, as to use Apple’s iCloud Keychain I would have to swap to Safari. And I’m far too spoiled by the available extensions on Firefox to go back to an unmodified web experience.

I’m personally thinking that despite the claims of some…passkeys aren’t going to be the raging success they’re supposed to be. Websites have to be recoded to use them, right? Looking at how many websites still offer no support for 2FA or have less than rigorous password requirements and less than adequate password database security…passkeys are going to take a long time to see much market penetration. Sure…geek-oriented sites will use them, but the rest of the web maybe not so much. They’re an improvement of course over passwords…but the SQRL tech developed by Steve Gibson of SpinRite fame is also an improvement over passwords, and despite it being open source and released for at least a year it has essentially zero penetration AFAIK. So…I’m not thinking passkeys are really going to improve on that.

I’m still sticking with 1PW because it’s so much more than just a password keeper for me…but despite having a subscription account their vault is currently just part of my backup scheme, and I’m still on v7 because it allows Dropbox and has real backup/restore capabilities built right into the app. 1PW claims their Secret Key makes the new v8 so much more secure…and from a strictly technical standpoint they’re correct…but with a decent master password, say 20 characters long, that’s still 11 thousand trillion centuries to crack in the best case according to GRC’s Password Haystacks: How Well Hidden is Your Needle?, so while 11 trillion trillion centuries is technically better, the improvement is meaningless. I don’t really like their cloud-only option…but can live with that if v7 of the app ever breaks. And now that they’ve admitted how a user can back up and restore their data independent of the 1PW server farm…there are no show-stopper reasons not to use v8 if it becomes necessary to switch to v8 or switch apps. I’ve also conducted a pretty exhaustive examination of the application space and there’s not a single one that provides all the features of 1PW v7 and also the features that v8 removed…in fact there’s not even one that provides all the features of v7 on its own.

While I am not using passkeys yet because of the relative non-existence of them on the broader web…as far as 1PW is concerned a passkey is just a secret thing it stores and submits to the website when necessary…so it’s essentially just a better password that provides less visibility to the web site into who the user precisely is…and in these days of browser encodings and such I’m not convinced that a passkey is really an improvement, except for the fact that it enforces long and complex and thus a greater cracking time, since password and 1234 are still pretty popular password selections.

3 Likes
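For readers who want to see what a site and an authenticator actually exchange during a passkey login, here is a sketch of the WebAuthn-style flow, added as an example and not code from this thread or from 1Password or Apple. It assumes a constructed relying party, example.com, and reduces the authenticator data to the RP ID hash (no signature counter or flags); the point it shows is that only a signature leaves the authenticator, and that the site can reject an assertion made while the browser was on a lookalike origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors what a browser assembles for a passkey login: the site's one-time challenge plus the origin the user is really on.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is SHA-256(SHA-256(rpID) || SHA-256(clientDataJSON)), the shape a WebAuthn authenticator signs (authenticator data reduced to the RP ID hash).
func signedMessage(rpID string, cd []byte) []byte {
	rp, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	h := sha256.Sum256(append(rp[:], c[:]...))
	return h[:]
}

// Assert is the authenticator side (device or password manager): the private key never leaves it; the site receives only the client data and a signature over it.
func Assert(priv *ecdsa.PrivateKey, rpID string, challenge []byte, origin string) ([]byte, []byte, error) {
	cd, _ := json.Marshal(clientData{challenge, origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, cd))
	return cd, sig, err
}

// Verify is the site's check: its own origin, the challenge it issued, and a signature that validates under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin || string(got.Challenge) != string(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, cd), sig)
}

// Login runs one exchange for the constructed site example.com and reports whether it accepts an assertion made while the user's browser was on userOrigin.
func Login(userOrigin string) (bool, error) {
	const rpID, site = "example.com", "https://example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // made once, at registration
	if err != nil {
		return false, err
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand; a fresh challenge per login attempt
	cd, sig, err := Assert(priv, rpID, challenge, userOrigin)
	if err != nil {
		return false, err
	}
	return Verify(&priv.PublicKey, rpID, site, challenge, cd, sig), nil
}
```

Login("https://example.com") verifies, while Login("https://examp1e.com") is rejected because the origin is inside the signed client data.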

Wife and I are recovery addresses on our iCloud accounts…and while I use 1PW and she uses Password Wallet, our master passwords are still in each other’s database…and our son has a paper copy of our master computer and database passwords along with the garage code and Dropbox password so that he can get access to things when it becomes necessary. He’s also got an account on our family 1PW plan that I set up with updated master passwords and such, a text note with where stuff is and contact info, and a link to our estate plan trust documentation.

Like @neil1 my wife and I also rely on a paper copy of our master passwords (Mac and iCloud) if one of us should become incapacitated.

It’s a very simple system. Both have the other’s passwords in a sealed envelope in a vault. If the envelope is missing or has been tampered with, we know the passwords are compromised. We also shared enough important information with each other that we know where the important stuff is once we log on to the other’s system. I feel fairly good about this. We can each back up each other with a simple system that at any time can be verified by eye (and we do) and involves no third parties, subscriptions, doohickeys, etc. Sure, our vault could get stolen. But heck, this is Berkeley; by the same token we could also just get shot dead in the next mugging.

2 Likes

Or hit by the bus or whatever. Realistically though…even if our vaults were stolen…the passwords are secure enough (i.e., long and have all 4 of the password food groups) that cracking them would require brute force, as the retired computer security guy made sure they’re adequate against dictionary or rainbow attacks…and we’re just regular people, not high-value targets, so it’s not worth the expense of trying to brute force them.

FWIW, I’ve standardized on 1Password and have tried to stop storing passwords in Apple’s iCloud Passwords. I say “tried” for two reasons:

  • I don’t like the fact that a thief shoulder-surfing an iPhone passcode and then stealing the iPhone could get access to absolutely everything on the device, including all iCloud Passwords. It’s highly unlikely such a thing would ever happen to me, but it’s not a theoretical attack vector and I remain perturbed that Apple hasn’t made any changes to prevent it.

    How a Thief with Your iPhone Passcode Can Ruin Your Digital Life - TidBITS

    How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently - TidBITS

  • When the Wall Street Journal articles about that hit, I deleted all the passwords from iCloud Passwords. I can’t remember at this point which device I used to delete them, but it was an extremely explicit action. They all came back.

    I’ve just now tried to delete them all again, A and B from the iPhone running iOS 17, and all the rest from my iMac running Ventura. We’ll see if they come back again.

The other reason I prefer 1Password to iCloud Passwords is that I need to access my passwords in a variety of Web browsers.

5 Likes

That is another reason I’m likely to stay with 1P. FWIW, though, iCloud Passwords are coming to Chrome for macOS next month, and to Chromium browsers in general with Sonoma as well.

I’m as concerned if something should happen to my wife and I together. We knew a couple who died in a car accident together; we also know of spouses who died within weeks of each other. It’ll be our kids who will need this info.

4 Likes

While we’re talking about Apple Keychain Access, what exactly does it cover? I use Firefox as my password manager for web sites, but when I try to access apps like Zoom and Microsoft Teams directly, they cannot retrieve the password saved in Firefox. In some cases, like Zoom, I find that the password on my master password list (a sheet of paper) also is in Firefox’s password file (last updated in May 2020), presumably because I sometimes go through Firefox to get to Zoom. However, when I checked for Zoom in Keychain Access, it has a randomized many-character password from April 2023 that doesn’t work. When I go into iCloud Keychain through System Settings, I find no keyword at all under Zoom. But when I go through Keychain Access I find the same randomized many-character password under both login and iCloud.

What’s particularly curious is that the passwords I find under System Settings look like an old version of the passwords I find under Firefox, and include passwords and sites that I deleted long ago. I very rarely used Safari for browsing; I wonder if Safari may have picked these up from Firefox at some point. But why do I find a different list of passwords under System Settings than by going through Keychain Access?

Any idea what’s going on here?

I can’t explain the Keychain Access/iCloud Keychain discrepancies, but they’re another reason I recommend using a standalone password manager like 1Password. Storing your passwords in a specific Web browser’s system works for that browser but nowhere else, as you’ve seen. That’s a recipe for trouble at some point.

I think that comment could perhaps be misunderstood. The iCloud Keychain is not specific to any browser; it integrates with iOS and macOS as well as their apps. Safari, as Apple’s default browser, integrates directly with that and as such, perhaps a bit inconsistently, lists iCloud Keychain entries relevant to browsing in a Safari settings pane.

But in principle any browser can do that. It’s not that this is somehow a Safari Keychain. It’s a macOS and iOS keychain in the cloud for which Safari just happens to offer great integration. In principle Firefox or Chrome could offer the same, they choose not to. Likely because they prefer to offer their own as they also want to be available on other platforms where iCloud Keychain is not available.

1 Like

Rick,
I agree with Neil that 1Password is the standard. I’ve been a user since it first came on Mac and also on iPhone and iPad. Been there through all the improvements from local d.b. storage to sharing to iCloud and now Agile’s own cloud server. Where I differ with Neil is that I think v8 is a good enhancement to the product, and the latest tweak allows management of vaults and family members. I’m looking out to the day when I might need assistance with managing my affairs in a decade or more by having one of my siblings as a family vault member, so she will have easy access to those passwords and other financial info from her own computer (a Windows system currently).
Also like Neil, I use 1P to hold credit card info, bank info, and financial broker account info.

1 Like