Recently in one of our community channels we were chatting about the announcement that 1Password is now available for Linux, and someone said that they use iCloud Keychain and that it’s good enough for them. I’ve heard this before, and I never sat down to really outline what a password manager gives you that iCloud Keychain does not.
I wanted to understand what people are missing if they only rely on iCloud Keychain and there’s no better way to learn than to try to explain it. After listening to my arguments, you may still feel that iCloud Keychain gives you what you need, but maybe you’ll learn something that would be valuable to you in a password manager.
My recent experience is all with 1Password, but I used to use LastPass years ago. They’re both terrific services and have many of the same features. The names of the functions may be different, but I think if I use 1Password as an example you’ll get the point of the advantage of using a password manager.
iCloud Keychain
Let’s start by understanding what iCloud Keychain does for you because it really is a terrific service.
According to Apple’s support article HT204085:
iCloud Keychain stores credit card numbers and expiration dates—without storing or autofilling the security code—and passwords and usernames, Wi-Fi passwords, Internet accounts, and more.
Obviously, this is the kind of data we want to protect. Apple explains that iCloud protects your information with end-to-end encryption. They protect it in transit and at rest. This is all terrific. Even Apple can’t get to your data.
However, this data is protected on your device only by your login password/passcode. How many digits long is your Mac login? Do you have numbers and letters and special characters in it? I have to admit that while my login password is probably better than average, it’s definitely not worthy of protecting my bank login. How about your iPhone’s login password/passcode? I wouldn’t trust my family jewels to mine!
Bad actors won’t get to your data stored in iCloud Keychain on the Internet because Apple is protecting it really well, but there’s still a huge vulnerability in your own device passwords.
Passwords
The weakest link in passwords is us. Humans are not good at thinking up long, complex, random passwords. It’s not our fault, we’re simply not designed to do it. The non-complex passwords we think up are naturally repeated across websites because it’s just too hard to do anything else.
One of the great things about iCloud Keychain is that it suggests long, complex passwords for you when you first need to create one. If you allow iCloud Keychain to create your passwords and store them, you will be leaps and bounds ahead of everyone else. And this really is a game of being ahead of the pack.
The passwords that iCloud Keychain creates are long and complex as I said, but they’re also difficult to type and impossible to remember. They’re a random glop of numbers and letters and special characters. This is normally just fine because the goal is not to try to remember your passwords (you can’t), it’s to trust the systems, either iCloud Keychain or a password manager. Unfortunately, sometimes you do have to type them in and it will be quite the chore if you use iCloud Keychain to create your passwords.
Syncing
The only way that these great passwords will be any help is if they’re always there for you. The fact that iCloud Keychain syncs across your iPhone, Mac, and iPad means that you’ve got them at your fingertips. If you know you can trust that iCloud Keychain will have your passwords when you need them, you’re more likely to let it choose your passwords for you, which is a good thing.
But what if you have a Mac with an Android phone? Or maybe you’re an iPhone user but you use a Windows PC. iCloud Keychain won’t be there for you. If you don’t have the passwords when you need them, you won’t trust iCloud Keychain and you’ll go back to using less-secure and reused passwords.
And what about passwords to accounts you share with others? Maybe you and your partner have a shared bank account or credit card; what happens if you have to change the password for some reason? How do you let your partner know? Maybe your memory is perfection itself but the rest of us have about a 50% success rate.
If something were to happen to you, I would assume that at least one person you love has access to your phone or Mac or iPad. They could log into your accounts because of iCloud Keychain which is great. But how do they know what accounts exist? If you take care of the phone bill, do they know what website to go to? How would they figure that out from iCloud Keychain?
Password Managers
Let’s switch gears and compare iCloud Keychain to using a password manager. Like iCloud Keychain, 1Password information is encrypted in transit and at rest with AES 256-bit encryption. If you lose your 1Password login, they simply cannot retrieve it for you (1password.com/…).
Let’s go through some of the features and advantages you get with 1Password.
One Long Complex Password
I explained that iCloud Keychain protects your passwords with your Mac or iPhone’s login, and it’s highly likely that you have fairly simple passwords on both. With a password manager, you create one wicked long password with numbers and letters and special characters and a goat in it. You make it this complex because it is literally the key to the kingdom.
You will have to type it in from time to time but in most cases, you won’t.
- Touch ID or Face ID on your iPhone and iPad can unlock 1Password
- If you have a MacBook with Touch ID, you can open 1Password with your fingerprint
- If you have a Mac with a T2 security chip, you can even use your Apple Watch to authenticate to 1Password.
1Password will ask you to type in the full password from time to time just to make sure you never forget it. With a password manager, this is the only password you have to remember.
Generated Passwords
1Password will suggest passwords for you just like iCloud Keychain when you’re first setting up an account. With 1Password you can choose an unmemorable pile of glop password just like iCloud Keychain, or you can use a setting in 1Password to have it offer to you a memorable password. Memorable passwords include a series of human-readable words with separators between them.
You can use a slider to set how many words you want, whether to intermingle words with all caps and what kind of separator it should use. This is almost as good as Bart’s XKPasswd.net service. Of course, Bart has a lot more options but if you’re in a hurry, 1Password has your back.
I want to emphasize that there’s nothing wrong with iCloud Keychain’s passwords from a security standpoint, but if you ever have to type them in, you’ll wish you had 1Password.
Two-Factor Authentication
Many accounts these days allow you or even make you have two-factor authentication with an authenticator code. They often refer to it as Google Authenticator, but you can create these same authenticator codes with 1Password. It’s a bit buried, but once you know where it is and how to turn it on, it’s really easy.
If you use iCloud Keychain, you’d have to use a secondary app (like Google Authenticator) in order to protect your most important accounts with two-factor authentication. With 1Password, it’s built right in.
Cross Platform
We talked about iCloud Keychain working across all your devices … but that’s true if you use only products from Apple. With 1Password, your passwords are available on your Mac, iPhone, Windows PC, Android phone, and now they even have a native client for Linux. If you live in a cross-platform world, a dedicated password manager is a much better option than iCloud Keychain.
Sharing With Others
If you use iCloud Keychain and change a password, you have to remember to tell your partner, other family members, or roommates. With a dedicated password manager, you can share specific passwords so that if you change the password they get the change automatically.
1Password does this through what they call Shared Vaults. Steve and I have our own private vaults because I don’t need access to his Apple ID, and he doesn’t need to log into my podfeet.com admin account. But we share credit cards and bank accounts and even more critical things like our Netflix password. Those all go in a shared vault. If for some reason I need to change a password on a shared account, I don’t have to remember to tell him.
In the most recent versions of 1Password, they’ve made it super easy to move items in and out of shared vaults; you simply drag and drop between them. The last time I used LastPass they allowed you to share logins one-by-one, which in some cases has advantages over the vault concept.
Remember we can have two-factor authentication with 1Password. If the site you’re authenticating to is smart enough to use an authenticator instead of insecure SMS, then the two-factor authentication is available to you and your partner with 1Password.
Things You Can Store
Every year 1Password adds new things you can store in your vaults. We’ve been talking about logins to online services but it’s so much more than that. 1Password has categories for the different types of data you may want to store in your vaults. Categories are very useful because they are tailored to prompt you to store exactly the right information for that piece of data.
For example, if you choose to add a Wireless router, it will ask you the base station name and password, but it will also give you fields for the IP address, the type of security and any attached storage passwords.
It took me a long time to trust 1Password with my credit cards, but it’s glorious to have them autofill for me after I authenticate into 1Password. Like you can with macOS and iOS natively with iCloud Keychain, 1Password can also store identity information so you can have your address, phone number, and birthday auto-filled. It was interesting to me that iCloud Keychain doesn’t store the CVV number from the card, but 1Password definitely will save it for you.
1Password recently added bank accounts as a specific category. I created my entries before this category existed, but they’re so much easier because it has dedicated fields for things like the routing number.
I won’t go through every type of account, but 1Password has categories for databases, driver licenses, email accounts, medical records, memberships, passports, reward programs, servers, and social security numbers.
They also have plain old garden variety secure notes. If you don’t use a password manager, and you need to write a secure note for yourself, you can easily use Apple Notes. It’s not a bad solution and the protection there is very good, but now you’ve got two places where you’ve stored information, iCloud Keychain and Notes.
One of the most valuable things 1Password can store is software licenses. While they don’t require the high security of a password manager, it is delightful to have them all collected in one place. It even picks up the pretty icon of the application so it’s easy to scan to look for the app license you need. I use this all the time.
I mentioned passports earlier and we actually used this feature of 1Password. When Steve and I were in Peru, someone stole his backpack at the airport in Cusco as we were leaving to go to Lima to then fly home. It had a lot of electronics in it, but more importantly, the backpack contained Steve’s passport. In order to get a new one, you need to know your old passport number. We had scanned in our passports to 1Password years before so we were able to not only give the number to the passport office, we were able to make a printout of it. I’m not sure it made a big difference but it did seem to help smooth out the process.
Finding Problems
All of us have the goal of having accounts that are impenetrable. The threats to our accounts can come from so many different places, that I count on 1Password to watch for them for me.
They tell you if you’ve used a weak password and especially if you’ve reused a password. I’m pretty sure iCloud Keychain doesn’t tell you this. Remember, if you reuse a password, and one of the sites gets hacked, your other site is easy pickings.
I think that the reused password section in 1Password could be improved. Not because it won’t show me where I’ve duplicated a password but because it shows me duplicates that I can’t do anything about. There are at least a dozen services and websites that have two ways for me to get into them, so I have two entries with the same username and password combination. I guess it’s better that they don’t miss any but I’d sure like to be able to see a clean bill of health someday.
They also have a section for vulnerable passwords. They take the hash of your password, which is where they run your password through the algorithm that disguises it, and then they compare the disguised version to an online database of security exploits provided by haveibeenpwned.com.
I want to emphasize that your plain-text password is never exposed through this process, but if your hashed password is in this database, then it means the bad guys can recognize your hashed password when they attack other sites. You really truly do not want to use a password that’s in this database. This vulnerable password check is another service you get with 1Password that you don’t get with iCloud Keychain. You can always check every password of yours one by one at haveibeenpwned, but that’s pretty tedious!
1Password will also reveal to you if any of the websites for which you have a login have been compromised since you last changed your password. It then prompts you to log into the site and create a new one.
A recent addition in the last few years is that 1Password will show any logins you’ve stored that point to unsecured websites. If you’ve been at this for a long time, it’s highly likely that you’ve stored a lot of logins using the HTTP version of the web service. With 1Password, you can ask it to check all of your insecure sites to see if HTTPS is available. I’ve been fixing these as I use them but I really should spend some quality time fixing them all.
Another cool feature of 1Password is that it will tell you in a bright red banner if two-factor authentication is available but you haven’t yet set it up. I tend to fix these as I go too but I really should buckle down and do them all.
Notification of the availability of the option for two-factor authentication is yet another thing iCloud Keychain doesn’t give you.
Managing a Family
As the nerds-in-residence, most of us are also in charge of keeping our family members safe on the Internet. I’m sure your partner has very fine qualities, but maybe taking security seriously isn’t their top priority. With 1Password for Families, you can help manage the passwords of your family members. You can even reset their 1Password if they ever forget it which could be really handy.
Bottom Line
The bottom line is that iCloud Keychain is a great service and I think it has helped many people to become much more secure in their digital life. But it’s pretty obvious that 1Password and other password managers offer a lot more than iCloud Keychain does to keep you safe online. I highly recommend you go check out 1Password at 1password.com. It’s $3/month for individuals and $5/month for families. If I had to narrow down my subscriptions to just one, the last one standing would probably be 1Password. That, or maybe TextExpander…
… and I’m betting 1Password and TextExpander are the first two apps you load after a nuke & pave.
This was an excellent article. I am waiting (and I’m sure it’s soon) for Apple to do a “ Eat your Lunch” revamp of keychain that will completely kill 3Rd party apps like 1password. Until then I use 1 password for all the reasons you so nicely outlined.
What is ur answer to this article ? https://markellisreviews.com/im-switching-to-1password-heres-why/amp/
@Josef there’s not much to say about it. This is a guy who used 1P, quit 1P for Keychain, and now is going to try 1P but hasn’t actually started to use it yet. What would there be to say about it before he’s even used it?
Thank you for this post – I’m glad that Keychain is a secure option because it works very well for me. One thing, you said “They tell you if you’ve used a weak password and especially if you’ve reused a password. I’m pretty sure iCloud Keychain doesn’t tell you this.” Actually, it does. In July 2020, with the release of iOS 14, “Security Recommendations” became a feature on iCloud Keychain. On iPhone, it can be accessed from Settings – Passwords – Security Recommendations. It tells you if your password was found in a data breach, if it’s easily guessed or if you’ve reused it.
Thanks for pointing out that Keychain now tells you if you have a password that is in a data breach, Vivian. However, remember that the Keychain is only as secure as your login password for your phone and for your Mac. My Mac login password is not very long and not terribly complex, while my 1Password login is 20 characters long with numbers, upper and lower case letters, and special characters. It isn’t a hassle to type once in a while because 90% of the time I’m using Face ID or Touch ID to open 1Password. If you have a really long, complex password on all of your Apple devices, then I’d call Keychain secure. If not, then I don’t think it’s a good option.
It seems that 1-password has two things going for it in your mind: a) password complexity is higher in your 1-password set up, b) windows and android compatibility. c) sharing of passwords
For argument b) I can see that another option makes sense if you use android and/or windows.
For argument c) there is the inheritance option, and you can see what sites exist in an iCloud Keychain, when you go to the passwords list. Admittedly to share select passwords whilst keeping others private is clunkier, as you need duplicates.
Another user has already pointed out that password security checks, including haveIbeenpwned are included in iCloud Keychain now
For argument a) I’m not sure that I agree with the “My Mac login password is not very long and not terribly complex”. That’s such an easy fix. Make your device passwords longer and more complex. You can use fingerprint or faceid for most normal logins, and you’ll still be prompted periodically… to help you remember your password. You’re way, you’re having to remember both your simple apple device passwords AND your complex 1-password password.
Well actually, I end up typing both the password to my Mac and my iPhone really often. I do use Face ID and Touch ID whenever possible but it’s very common to type one or the other of them at least once a day for random reasons. 1Password is available on all of my devices (as is iCloud Keychain) but it’s also available via the web.
On sharing passwords by duplicating them, that sounds like a terrible idea. If you need to change a password for a site or service, you have to remember to do it as many times as you’ve replicated it.
And don’t forget all of the other things you can store in 1Password, such as Driver’s licenses and passports.
If you’re happy with iCloud Keychain and you’ve made sure to protect your devices with long, complex passwords, that’s great.
Recently an acquaintance of mine was robbed at gunpoint on the street on her way home from work. The robbers took her iPhone and by holding a gun to her head forced her to unlock it. When she unlocked it, they immediately changed the passcode of that iPhone. So, now they got access to her iPhone and to all the logins and passwords in her Keychain. In a matter of hours all her bank accounts were emptied, her credit cards maxed out, her logins changed on many websites, etc.
Had she used a separate (third-party) password manager that should not had happened. Even if the muggers got access to her iPhone they would have need a separate password to her third-party password manager. One could argue that they could make he unlock that password manager too. But can you imagine they standing there, taking their time and going through all her apps on he iPhone, trying to figure out which app is what, and risking being caught?
So, this is an example of the advantage of having and using a third-party password manager over the Apple’s built-in iCloud Keychain.