Keychain and 1Password Icons

Why Do I Need a Password Manager if I Have iCloud Keychain?

iCloud Keychain Offers to Save Password

Recently in one of our community channels we were chatting about the announcement that 1Password is now available for Linux, and someone said that they use iCloud Keychain and that it’s good enough for them. I’ve heard this before, and I never sat down to really outline what a password manager gives you that iCloud Keychain does not.

I wanted to understand what people are missing if they only rely on iCloud Keychain and there’s no better way to learn than to try to explain it. After listening to my arguments, you may still feel that iCloud Keychain gives you what you need, but maybe you’ll learn something that would be valuable to you in a password manager.

My recent experience is all with 1Password, but I used to use LastPass years ago. They’re both terrific services and have many of the same features. The names of the functions may be different, but I think if I use 1Password as an example you’ll get the point of the advantage of using a password manager.

iCloud Keychain

Let’s start by understanding what iCloud Keychain does for you because it really is a terrific service.

According to Apple’s support article HT204085:

iCloud Keychain stores credit card numbers and expiration dates—without storing or autofilling the security code—and passwords and usernames, Wi-Fi passwords, Internet accounts, and more.

Obviously, this is the kind of data we want to protect. Apple explains that iCloud protects your information with end-to-end encryption. They protect it in transit and at rest. This is all terrific. Even Apple can’t get to your data.

However, this data is protected on your device only by your login password/passcode. How many digits long is your Mac login? Do you have numbers and letters and special characters in it? I have to admit that while my login password is probably better than average, it’s definitely not worthy of protecting my bank login. How about your iPhone’s login password/passcode? I wouldn’t trust my family jewels to mine!

Bad actors won’t get to your data stored in iCloud Keychain on the Internet because Apple is protecting it really well, but there’s still a huge vulnerability in your own device passwords.

Passwords

iCloud Keychain Auto Generated Password

The weakest link in passwords is us. Humans are not good at thinking up long, complex, random passwords. It’s not our fault; we’re simply not designed to do it. The non-complex passwords we think up are naturally repeated across websites because it’s just too hard to do anything else.

One of the great things about iCloud Keychain is that it suggests long, complex passwords for you when you first need to create one. If you allow iCloud Keychain to create your passwords and store them, you will be leaps and bounds ahead of everyone else. And this really is a game of being ahead of the pack.

The passwords that iCloud Keychain creates are long and complex as I said, but they’re also difficult to type and impossible to remember. They’re a random glop of numbers and letters and special characters. This is normally just fine because the goal is not to try to remember your passwords (you can’t), it’s to trust the systems, either iCloud Keychain or a password manager. Unfortunately, sometimes you do have to type them in and it will be quite the chore if you use iCloud Keychain to create your passwords.

Syncing

The only way that these great passwords will be any help is if they’re always there for you. The fact that iCloud Keychain syncs across your iPhone, Mac, and iPad means that you’ve got them at your fingertips. If you know you can trust that iCloud Keychain will have your passwords when you need them, you’re more likely to let it choose your passwords for you, which is a good thing.

But what if you have a Mac with an Android phone? Or maybe you’re an iPhone user but you use a Windows PC. iCloud Keychain won’t be there for you. If you don’t have the passwords when you need them, you won’t trust iCloud Keychain and you’ll go back to using less-secure and reused passwords.

And what about passwords to accounts you share with others? Maybe you and your partner have a shared bank account or credit card; what happens if you have to change the password for some reason? How do you let your partner know? Maybe your memory is perfection itself but the rest of us have about a 50% success rate.

If something were to happen to you, I would assume that at least one person you love has access to your phone or Mac or iPad. They could log into your accounts because of iCloud Keychain which is great. But how do they know what accounts exist? If you take care of the phone bill, do they know what website to go to? How would they figure that out from iCloud Keychain?

Password Managers

Let’s switch gears and compare iCloud Keychain to using a password manager. Like iCloud Keychain, 1Password information is encrypted in transit and at rest with AES 256-bit encryption. If you lose your 1Password login, they simply cannot retrieve it for you (1password.com/…).

Let’s go through some of the features and advantages you get with 1Password.

One Long Complex Password

I explained that iCloud Keychain protects your passwords with your Mac or iPhone’s login, and it’s highly likely that you have fairly simple passwords on both. With a password manager, you create one wicked long password with numbers and letters and special characters and a goat in it. You make it this complex because it is literally the key to the kingdom.

You will have to type it in from time to time but in most cases, you won’t.

  • Touch ID or Face ID on your iPhone and iPad can unlock 1Password
  • If you have a MacBook with Touch ID, you can open 1Password with your fingerprint
  • If you have a Mac with a T2 security chip, you can even use your Apple Watch to authenticate to 1Password.

1Password will ask you to type in the full password from time to time just to make sure you never forget it. With a password manager, this is the only password you have to remember.

Generated Passwords

1Password Auto Generated Memorable Password

1Password will suggest passwords for you just like iCloud Keychain when you’re first setting up an account. With 1Password you can choose an unmemorable pile of glop password just like iCloud Keychain, or you can use a setting in 1Password to have it offer you a memorable password. Memorable passwords include a series of human-readable words with separators between them.

You can use a slider to set how many words you want, whether to intermingle words with all caps and what kind of separator it should use. This is almost as good as Bart’s XKPasswd.net service. Of course, Bart has a lot more options but if you’re in a hurry, 1Password has your back.

I want to emphasize that there’s nothing wrong with iCloud Keychain’s passwords from a security standpoint, but if you ever have to type them in, you’ll wish you had 1Password.
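To make the memorable-versus-glop trade-off concrete, here is an added example (not 1Password's code) that builds a word-based password with a word count, separator and optional all-caps words, and estimates its strength in bits. The 16-word list and all function names are constructed for illustration; the 7776-word list size used in the demo is an assumption, not 1Password's actual list size.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline.
# A real generator draws from a list of thousands of words.
SAMPLE_WORDS = [
    "goat", "river", "candle", "orbit", "maple", "tunnel", "velvet", "anchor",
    "pepper", "glacier", "lantern", "meadow", "copper", "saddle", "thunder", "walnut",
]

def memorable_password(n_words=4, separator="-", mixed_caps=False, words=SAMPLE_WORDS):
    """Pick n_words uniformly at random with a CSPRNG and join them."""
    if n_words < 1:
        raise ValueError("need at least one word")
    chosen = []
    for _ in range(n_words):
        word = secrets.choice(words)
        if mixed_caps and secrets.randbelow(2):  # fair coin flip per word
            word = word.upper()
        chosen.append(word)
    return separator.join(chosen)

def passphrase_bits(n_words, list_size, mixed_caps=False):
    """Entropy when the attacker knows the scheme and the word list.
    A fixed separator adds nothing; a per-word caps coin flip adds 1 bit."""
    per_word = math.log2(list_size) + (1.0 if mixed_caps else 0.0)
    return n_words * per_word

def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string, the 'pile of glop' style."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits, list_size, mixed_caps=False):
    """How many words it takes to reach at least target_bits."""
    return math.ceil(target_bits / passphrase_bits(1, list_size, mixed_caps))

if __name__ == "__main__":
    print(memorable_password(5, "-", mixed_caps=True))
    glop = random_string_bits(12, 62)  # 12 random letters and digits
    print(f"12 random chars: {glop:.1f} bits")
    print(f"words needed from a 7776-word list: {words_needed(glop, 7776)}")
```

The strength comes from the number of words and the size of the list, not from the words looking unusual, so a short passphrase from a small list is weak however memorable it is.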

Two-Factor Authentication

Many accounts these days allow, or even require, two-factor authentication with an authenticator code. They often refer to it as Google Authenticator, but you can create these same authenticator codes with 1Password. It’s a bit buried, but once you know where it is and how to turn it on, it’s really easy.

If you use iCloud Keychain, you’d have to use a secondary app (like Google Authenticator) in order to protect your most important accounts with two-factor authentication. With 1Password, it’s built right in.
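Any app can produce "these same authenticator codes" because the code is computed from a secret shared at enrollment plus the current time (TOTP, RFC 6238). The following is an added example, not 1Password's or Google's code; it uses the RFC's published test key as the sample secret and also shows the site-side check with one step of clock drift allowed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 published test key, base32-encoded the way a site shows it at enrollment.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    return hotp(key, int(unix_time) // step, digits)

def verify(secret_b32, submitted, unix_time, window=1, step=30, digits=6):
    """Site-side check: accept the current step and `window` steps either side."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        expected = totp(secret_b32, t, step, digits)
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print(code, verify(SAMPLE_SECRET, code, now))
```

Anyone holding the enrollment secret computes the same code, so the secret deserves the same protection as the password it backs up.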

Cross Platform

We talked about iCloud Keychain working across all your devices … but that’s true only if you use products from Apple. With 1Password, your passwords are available on your Mac, iPhone, Windows PC, Android phone, and now they even have a native client for Linux. If you live in a cross-platform world, a dedicated password manager is a much better option than iCloud Keychain.

Sharing With Others

If you use iCloud Keychain and change a password, you have to remember to tell your partner, other family members, or roommates. With a dedicated password manager, you can share specific passwords so that if you change the password they get the change automatically.

1Password does this through what they call Shared Vaults. Steve and I have our own private vaults because I don’t need access to his Apple ID, and he doesn’t need to log into my podfeet.com admin account. But we share credit cards and bank accounts and even more critical things like our Netflix password. Those all go in a shared vault. If for some reason I need to change a password on a shared account, I don’t have to remember to tell him.

In the most recent versions of 1Password, they’ve made it super easy to move items in and out of shared vaults; you simply drag and drop between them. The last time I used LastPass they allowed you to share logins one-by-one, which in some cases has advantages over the vault concept.

Remember we can have two-factor authentication with 1Password. If the site you’re authenticating to is smart enough to use an authenticator instead of insecure SMS, then the two-factor authentication is available to you and your partner with 1Password.

Things You Can Store

1Password Categories

Every year 1Password adds new things you can store in your vaults. We’ve been talking about logins to online services but it’s so much more than that. 1Password has categories for the different types of data you may want to store in your vaults. Categories are very useful because they are tailored to prompt you to store exactly the right information for that piece of data.

For example, if you choose to add a Wireless router, it will ask you the base station name and password, but it will also give you fields for the IP address, the type of security and any attached storage passwords.

It took me a long time to trust 1Password with my credit cards, but it’s glorious to have them autofill for me after I authenticate into 1Password. As macOS and iOS can do natively with iCloud Keychain, 1Password can also store identity information so you can have your address, phone number, and birthday auto-filled. It was interesting to me that iCloud Keychain doesn’t store the CVV number from the card, but 1Password definitely will save it for you.

1Password recently added bank accounts as a specific category. I created my entries before this category existed, but they’re so much easier because it has dedicated fields for things like the routing number.

I won’t go through every type of account, but 1Password has categories for databases, driver licenses, email accounts, medical records, memberships, passports, reward programs, servers, and social security numbers.

They also have plain old garden variety secure notes. If you don’t use a password manager, and you need to write a secure note for yourself, you can easily use Apple Notes. It’s not a bad solution and the protection there is very good, but now you’ve got two places where you’ve stored information, iCloud Keychain and Notes.

One of the most valuable things 1Password can store is software licenses. While they don’t require the high security of a password manager, it is delightful to have them all collected in one place. It even picks up the pretty icon of the application so it’s easy to scan to look for the app license you need. I use this all the time.

I mentioned passports earlier and we actually used this feature of 1Password. When Steve and I were in Peru, someone stole his backpack at the airport in Cusco as we were leaving to go to Lima to then fly home. It had a lot of electronics in it, but more importantly, the backpack contained Steve’s passport. In order to get a new one, you need to know your old passport number. We had scanned in our passports to 1Password years before so we were able to not only give the number to the passport office, we were able to make a printout of it. I’m not sure it made a big difference but it did seem to help smooth out the process.

Finding Problems

1Password Enable Vulnerable Passwords

All of us have the goal of having accounts that are impenetrable. The threats to our accounts can come from so many different places that I count on 1Password to watch for them for me.

They tell you if you’ve used a weak password and especially if you’ve reused a password. I’m pretty sure iCloud Keychain doesn’t tell you this. Remember, if you reuse a password, and one of the sites gets hacked, your other site is easy pickings.

I think that the reused password section in 1Password could be improved. Not because it won’t show me where I’ve duplicated a password but because it shows me duplicates that I can’t do anything about. There are at least a dozen services and websites that have two ways for me to get into them, so I have two entries with the same username and password combination. I guess it’s better that they don’t miss any but I’d sure like to be able to see a clean bill of health someday.

They also have a section for vulnerable passwords. They hash your password, which means they run it through an algorithm that disguises it, and then they compare the disguised version to an online database of security exploits provided by haveibeenpwned.com.

I want to emphasize that your plain-text password is never exposed through this process, but if your hashed password is in this database, then it means the bad guys can recognize your hashed password when they attack other sites. You really truly do not want to use a password that’s in this database. This vulnerable password check is another service you get with 1Password that you don’t get with iCloud Keychain. You can always check every password of yours one by one at haveibeenpwned, but that’s pretty tedious!
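The check described above can be sketched against haveibeenpwned's Pwned Passwords range lookup, where the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally. This is an added example that goes slightly beyond the text and is not 1Password's code; the fake service, its breach counts and all function names are constructed so it runs offline.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; only the 5-character prefix ever leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """The range response is one 'HASH_SUFFIX:COUNT' pair per line."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """fetch_range(prefix) stands in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_fake_service(breached):
    """Constructed offline stand-in for the service; also records what it was sent."""
    index = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen = []
    def fetch_range(prefix):
        seen.append(prefix)
        return "\r\n".join(index.get(prefix, []))
    return fetch_range, seen

if __name__ == "__main__":
    # Constructed sample data: these counts are made up.
    fetch, seen = make_fake_service({"password": 100, "letmein": 5})
    for candidate in ("password", "velvet-goat-thunder-orbit"):
        print(candidate, breach_count(candidate, fetch))
    print("sent to service:", seen)
```

The service sees a five-character prefix shared by many unrelated hashes, so it cannot tell which password was checked or whether it matched.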

1Password will also reveal to you if any of the websites for which you have a login have been compromised since you last changed your password. It then prompts you to log into the site and create a new one.

1Password Check for HTTPS

An addition in the last few years is that 1Password will show any logins you’ve stored that point to unsecured websites. If you’ve been at this for a long time, it’s highly likely that you’ve stored a lot of logins using the HTTP version of the web service. With 1Password, you can ask it to check all of your insecure sites to see if HTTPS is available. I’ve been fixing these as I use them but I really should spend some quality time fixing them all.

Another cool feature of 1Password is that it will tell you in a bright red banner if two-factor authentication is available but you haven’t yet set it up. I tend to fix these as I go too but I really should buckle down and do them all.

Notification of the availability of the option for two-factor authentication is yet another thing iCloud Keychain doesn’t give you.

Managing a Family

As the nerds-in-residence, most of us are also in charge of keeping our family members safe on the Internet. I’m sure your partner has very fine qualities, but maybe taking security seriously isn’t their top priority. With 1Password for Families, you can help manage the passwords of your family members. You can even reset their 1Password if they ever forget it which could be really handy.

Bottom Line

The bottom line is that iCloud Keychain is a great service and I think it has helped many people to become much more secure in their digital life. But it’s pretty obvious that 1Password and other password managers offer a lot more than iCloud Keychain does to keep you safe online. I highly recommend you go check out 1Password at 1password.com. It’s $3/month for individuals and $5/month for families. If I had to narrow down my subscriptions to just one, the last one standing would probably be 1Password. That, or maybe TextExpander…

1 thought on “Why Do I Need a Password Manager if I Have iCloud Keychain?”

  1. Steve Sheridan - June 4, 2021

    … and I’m betting 1Password and TextExpander are the first two apps you load after a nuke & pave.
