Passkeys are coming: Apple's Keychain Access or a Password Manager?

My only real objections to v8 are the lack of DropBox support, which is minor in nature, and the ability to backup and restore independently from their servers. All of their cloud being unavailable is I admit unlikely but the old time sysadmin and computer security guy in me made that a show stopper. Their support people kept insisting that they would handle backups…and finally about 2p back and forth messages on their forum revealed that the data is only decrypted in RAM and the encrypted copy which syncs is buried in ~/Library…I have the location preserved and can dig it out if anybody needs it. Knowing this location…they admitted that backing up the folder to DB or TM or whatever a user liked and then restoring the folder if necessary would result in everything resending as it should…but getting them to admit this existed was harder than it needed to be. So…although I’m still on v7 because I like my vault on DropBox and not their cloud…if/when it eventually dies or gets EOL’ed I have no major issues going to v8…but it’s a later for me thing. While I don’t like the non native macOS client and it’s not very Mac like, I haven’t used it in most of a year so it might have improved or the backup and restore might have been added as a menu or preference option for auto backup like v7 has…but I can easily automate my own backup when I eventually switch. I’m also not impressed with the direction their VC masters are taking the company…management talks a good story and says they’re still in charge…but somewhere along the line they indicated their VC partners had given them $100 million IIRC and VCs don’t invest that much money without clear ideas on how to generate profit on their investment and sway over the company decisions.
Their current business strategy appears to be more highly aimed at corporate, enterprise, and businesses than the former individual users basis…and that’s fine since it’s their and their VCs’ company to manage…and obviously they want to make more money and that’s fine too…but I don’t like the drift of a formerly Apple only company to whatever they are now, and the non native macOS client is a symptom of that drift…they’re no longer an Apple oriented company and I can accept that but it doesn’t mean I need to like it.

Neil,
I have found that the Mac app Strongbox (available from Mac App Store) is capable of importing from 1Password 8 and retaining the organizational structure. The Strongbox database (by default saved in ~/Documents/my-vault-name.kdbx) is on my Mac so I can, if desired, store a copy on Dropbox or OneDrive or even iCloud Drive. This lets me have an accessible backup version but continue to use 1P8 as I do now. Of course I will have to periodically replace my .kdbx as I do edits and add items to 1P8. That’s if I decide to continue keeping the backup. In my decade-plus use of 1Password I’ve never lost access to my vaults.

Larry

1 Like

I took a quick look and while it does have better storage in other than their servers…it doesn’t handle Secure Notes which I use a lot of in 1PW including formatting of those notes. Like you…I’ve never lost access to my 1PW vault…but have always had v7 and earlier both keeping the vault in DropBox and also doing the auto backups to a folder on the computer that gets TM and all my other backup schemes so I could recover. If they had come out and just admitted where v8’s vault is located on the computer and how to back it up/restore it on your own…or better yet included that capability directly in v8 like it is in earlier versions…there would have been a lot less confusion.

I also think they’re really over advertising their Secret Key…when it’s really just a second password. I can see why they incorporated it because it forces sufficient entropy in the encryption beyond what the Master Password results in…but as long as your Master Password is long enough…i.e. 20 characters or more…then it’s already got sufficient entropy to defeat any brute force attack in my great great great great great grandchildren’s lifetime so the fact that the Secret Key added another 20 bazillion centuries to that is essentially technically correct but meaningless from an actual security standpoint. I would still be using v7 at this point anyway because of the DropBox support for vaults which have always worked just fine…and for the life of me can’t figure out why they insist on only their servers…but hey, it’s their company and software to run. It’s still the best in the business despite the loss of capabilities from v7…and they’ve never explained why those useful features were removed beyond platitudes like we know best and users should just trust us and our servers will never fail (not actual quotes but they’re the gist of their attitude). The fact that the encrypted vault…which is what is synced to their servers and thence to other devices…exists as a file on a macOS device (or iOS or iPadOS of course) means that it could also be stored on a folder named say…DropBox that is synced between devices by some other company…but this capability was removed I guess to force users to pay for a subscription…but that could easily be forced by making the apps subscription based as they have instead of stand alone licensing. I realize they want to make money…but removing features that users use and want is just nuts. And I’m still going to use it because warts and all it’s still the best solution on the market for what most power users want.

You have answered the exact question I’ve been wondering about: upgrading to 1PW8. I guess I’ll stick with v7 since it’s paid for and works on all my devices.

…and 1Password has just been updated to be able to store passkeys.

1 Like

Actually Chrome Canary has the ability to save passkeys in iCloud Keychain. Apple and others are creating a common API for passkey interoperability. I believe 1Password will be using this as well.

Password managers will be supporting passkeys soon since the alternative is extinction. Apple’s Safari integration will be smoother at first but I expect others will follow.

I’m not a big 1Password fan, but passkeys are unlikely to require users to abandon 1Password.

All good points Neil. Would you share the folder in ~/Library/ where the 1P encrypted vault is stored? Besides using Time Machine I could make a separate backup copy of my vaults.

Larry

Very interesting discussion. I have used Dashlane for many years even for the extended period when syncing across devices stopped working. I do not store passwords etc. for any financial services sites there (banks, brokers, etc.) but keep these in a password protected document.
I have considered Keychain from time to time but rejected it for the reasons given by many of you: Safari is not my browser of choice, I prefer not to have all my eggs in one basket, etc.
However, when I open Keychain > login > passwords I find dozens of stored passwords that I don’t recall asking to be stored. These are mostly from Apple and Microsoft. I’m unsure what to do about these and would appreciate feedback.

Dave there says it’s at

~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data

He also went to great lengths to explain how it’s not really a backup but a local encrypted copy of the actual data located on their servers if one is using v8…but that restoring that local encrypted folder copy on say your laptop would thence sync back to their servers and to other devices…and per the description of how v8 works only the changed parts get synced both ways but that restoring that folder back to your macOS device would get it synced back to their cloud.

He went into great detail…again…in the post, with all of that, about how doing your own backups was completely unnecessary since they handled all of that for us automagically and again insisted how their Secret Key makes v8 so much better and more secure than any other password manager. While that’s technically correct…it’s an obfuscation of the old truism that better is the enemy of good enough and just ignores that a sufficiently decent Master Password (20 characters with all 4 password food groups) would take at least 11.52 thousand trillion centuries to brute force (per www.grc.com/haystack.htm) which is plenty long enough. Yes…a bazillion times that is technically still “better” but not relevant from a security standpoint. They obviously incorporated the Secret Key to force users to have decent security regardless of choosing a lousy (i.e., short) Master Password while the data is stored on their servers since only the Master Password is required on one’s own devices. I’m not saying the double password isn’t a good idea as I understand why they did it…but “more secure than other password managers” is a bunch of marketing-speak IMO. And to be fair…I’m almost certain that they’ve got either their own servers in multiple data centers or are using virtual ones at Amazon or whoever with all sorts of backup and the likelihood of the 1PW cloud disappearing at the same time as all of my devices got borked and I need to recover from my personal backup is pretty remote…but as a long time sysadmin being able to bootstrap yourself by yourself is a pretty non negotiable requirement.
He does state that if one restores that folder when the computer reconnects to the internet it will sync with their copy and thence to other devices…but depending on how long they were down and how far back in their backups they have to go to restore their cloud…one’s local copy may be more up to date…and since I have no idea what most of my passwords are as that’s what a password manager is for…being able to organically get to my data solely on my own despite any combination of calamities is what I call a Good Thing©.

1 Like
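To put numbers on the brute-force argument in the post above, here is an added worked example (not code from the thread or from 1Password). It computes the search space of a master password from its length and character classes, the time to exhaust it at an assumed guess rate, and the effect of adding an independent secret key of an assumed 128 bits. The 95-character pool and the 10^14 guesses/second rate are assumptions chosen to reproduce the ballpark of the GRC Haystack figure cited in the post; the real rate against a vault also depends on the key-derivation work factor, which is deliberately left out here.

```python
import math

# Assumed ASCII pools for the "4 password food groups"
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def pool_size(lower=True, upper=True, digits=True, symbols=True) -> int:
    """Alphabet size for the character classes actually used."""
    return (LOWER if lower else 0) + (UPPER if upper else 0) \
         + (DIGITS if digits else 0) + (SYMBOLS if symbols else 0)

def search_space(length: int, pool: int) -> int:
    """Number of candidates an exhaustive search must try (exact integer)."""
    return pool ** length

def entropy_bits(length: int, pool: int) -> float:
    """Equivalent key strength of a uniformly random password."""
    return length * math.log2(pool)

def years_to_exhaust(length: int, pool: int, guesses_per_second: float,
                     extra_key_bits: int = 0) -> float:
    """Worst-case years to try every candidate.

    extra_key_bits models an independent secret key mixed into the
    encryption key (assumed 128 bits for the comparison); the attacker
    must then search password and key jointly, so the spaces multiply.
    """
    candidates = search_space(length, pool) * (2 ** extra_key_bits)
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def compare(guesses_per_second: float = 1e14, secret_key_bits: int = 128) -> dict:
    """Show where the secret key changes the picture and where it does not."""
    pool = pool_size()
    rows = {}
    for length in (8, 20):
        rows[length] = {
            "bits": round(entropy_bits(length, pool), 1),
            "years_password_only": years_to_exhaust(length, pool, guesses_per_second),
            "years_with_secret_key": years_to_exhaust(length, pool, guesses_per_second,
                                                     extra_key_bits=secret_key_bits),
        }
    return rows

if __name__ == "__main__":
    for length, row in compare().items():
        print(f"{length} chars: {row['bits']} bits, "
              f"{row['years_password_only']:.3g} years alone, "
              f"{row['years_with_secret_key']:.3g} years with secret key")
```

The 20-character row lands around 10^18 years at this rate, consistent with the post's "thousand trillion centuries"; the 8-character row falls in the range of seconds, and it is only there that the extra 128 bits move the result from trivial to infeasible. That is the scenario the secret key is designed for: an attacker holding the encrypted vault from the server side, paired with a weak master password.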

I got these replies from AgileBits, Inc. - 1Password the last few days:

  1. "The location of the 1Password data file on the Mac is -
    ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data

This folder can be backed up, however you would only want to restore from this location in the event of a world catastrophe where all our servers have been wiped out. The restore would break the ‘sync’ with our servers so it should NOT be used routinely or as a way to retrieve the previous version of an item.

With the existing safeguards in place, we feel users who “do nothing” automatically have a very robust backup solution."

  2. “Tommy here! I’m part of the Mac and iOS team here at 1Password. Yes, the file is backed up with Time Machine. Time Machine is a complete drive backup. The file is not excluded unless you take specific steps to exclude it for some reason.”

Rick

2 Likes

1Password is also cross platform for those of us who use Android and Windows.

There are applications other than Safari that store passwords in the keychain. For example, if you use Mail, it stores the passwords to the mail servers in the keychain. The app Transmit (by Panic) stores server passwords in there as well. There’s really nothing you need to do or be concerned about.

If you’re curious though, you should be able to use Keychain Access to see what applications and services have access to a particular item. That would give you a clue as to what stored the password in there.

I agree. That (lack of simple local backup) was a primary reason, when LastPass had their second breach, that I switched to Enpass (the other being they are cloud-agnostic).

2 Likes

I looked at Enpass…and just about every other alternative and would have seriously considered changing…but none of them provide all of the capabilities of 1PW and several still had backup/restore issues…so I had resigned myself to v7 until it died and then choosing the next best option if the backup/restore hadn’t been fixed.

1 Like

So how will you store your front door lock code or the logins for your kids’ Chromebooks or your passport numbers or your aging parents’ logins? I too would love to dump 1Password as it’s overly complicated but for now there is no alternative apart from encrypted notes. Even though I have a family subscription, I still use iCloud keychain for passwords with Safari. They need a proper interface / program!

Based on my brief experiment with using the latest version of 1Password to implement Passkeys, count me Not Impressed.

  1. My attempt to get a passkey from my bank completely failed, and then Firefox kept prompting me to use it anyway.
  2. I successfully created a passkey at Amazon, but it required more not less key-pressing on Mac, and the button in iOS didn’t work at all. Amazon still requires my 2FA code, so there was no speed advantage at all in using a passkey rather than a password.
  3. I created a passkey at HomeDepot, which worked great at first, but then they started sending me access codes via email (definitely not what I wanted!).
  4. I created a passkey at GitHub which works quickly and easily (but I rarely use GitHub).

I would also note that when I saved a passkey in 1Password, the iOS prompt above the keyboard offered that passkey instead of the password, so it was extra work to get a password when the passkey didn’t work.

I don’t know who this was designed for, but I’m not inclined to waste any more time testing it.

3 Likes

I don’t remember why I opted against 1PW long ago, but I settled on BitWarden. Curious why others haven’t considered BitWarden as it seems well-featured enough for most users. I don’t need esoteric connectivity, just plain security w/ reasonable usability. Having worked in software long enough, my thinking is that perhaps if the solution is open-source then the profit motive doesn’t compromise the “it just works” security objective (my objective, anyway) as much.