{"id":23725,"date":"2021-06-04T07:01:38","date_gmt":"2021-06-04T14:01:38","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23725"},"modified":"2021-06-04T07:19:51","modified_gmt":"2021-06-04T14:19:51","slug":"icloud-keychain-vs-1password","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/06\/icloud-keychain-vs-1password\/","title":{"rendered":"Why Do I Need a Password Manager if I Have iCloud Keychain?"},"content":{"rendered":"<figure style=\"float: right; margin-left: 5px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/iCloud-Keychain-Offers-to-Save-Password.png\" alt=\"ICloud Keychain Offers to Save Password\" title=\"#title#\" width=\"254 \" height=\"353\"><figcaption style=\"text-align:center\">iCloud Keychain Offers to Save Password<\/figcaption><\/figure>\n<p>Recently in one of our community channels we were chatting about the announcement that <a href=\"https:\/\/blog.1password.com\/welcoming-linux-to-the-1password-family\/\" target=\"_blank\" rel=\"noopener\">1Password is now available for Linux<\/a>, and someone said that they use iCloud Keychain and that it\u2019s good enough for them.  I\u2019ve heard this before, and I never sat down to really outline what a password manager gives you that iCloud Keychain does not.<\/p>\n<p>I wanted to understand what people are missing if they only rely on iCloud Keychain and there&#8217;s no better way to learn than to try to explain it. After listening to my arguments, you may still feel that iCloud Keychain gives you what you need, but maybe you\u2019ll learn something that would be valuable to you in a password manager.<\/p>\n<p>My recent experience is all with 1Password, but I used to use LastPass years ago.  They\u2019re both terrific services and have many of the same features. 
The names of the functions may be different, but I think if I use 1Password as an example you\u2019ll get the point of the advantage of using a password manager.<\/p>\n<h2>iCloud Keychain<\/h2>\n<p>Let\u2019s start by understanding what iCloud Keychain does for you because it really is a terrific service.<\/p>\n<p>According to Apple\u2019s support article <a href=\"https:\/\/support.apple.com\/en-us\/HT204085\">HT204085<\/a>:<\/p>\n<blockquote><p>\n  iCloud Keychain stores credit card numbers and expiration dates\u2014without storing or autofilling the security code\u2014and passwords and usernames, Wi-Fi passwords, Internet accounts, and more.\n<\/p><\/blockquote>\n<p>Obviously, this is the kind of data we want to protect.  Apple explains that iCloud protects your information with end-to-end encryption.  They protect it in transit and at rest.  This is all terrific. Even Apple can\u2019t get to your data.<\/p>\n<p>However, this data is protected on your device only by your login password\/passcode.  How many digits long is your Mac login? Do you have numbers and letters and special characters in it?  I have to admit that while my login password is probably better than average, it\u2019s definitely not worthy of protecting my bank login.  How about your iPhone\u2019s login password\/passcode? 
I wouldn&#8217;t trust my family jewels to mine!<\/p>\n<p>Bad actors won&#8217;t get to your data stored in iCloud Keychain on the Internet because Apple is protecting it really well, but there&#8217;s still a huge vulnerability in your own device passwords.<\/p>\n<h3>Passwords<\/h3>\n<figure style=\"float: right; margin-left: 5px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/iCloud-Keychain-Auto-Generated-Password.png\" alt=\"iCloud Keychain Auto Generated Password\" title=\"#title#\" width=\"585 \" height=\"255\"><figcaption style=\"text-align:center\">iCloud Keychain Auto Generated Password<\/figcaption><\/figure>\n<p>The weakest link in passwords is us. Humans are not good at thinking up long, complex, random passwords. It\u2019s not our fault, we\u2019re simply not designed to do it.  The non-complex passwords we think up are naturally repeated across websites because it\u2019s just too hard to do anything else.<\/p>\n<p>One of the great things about iCloud Keychain is that it suggests long, complex passwords for you when you first need to create one. If you allow iCloud Keychain to create your passwords and store them, you will be leaps and bounds ahead of everyone else.  And this really is a game of being ahead of the pack.<\/p>\n<p>The passwords that iCloud Keychain creates are long and complex as I said, but they\u2019re also difficult to type and impossible to remember. They\u2019re a random glop of numbers and letters and special characters. This is normally just fine because the goal is not to try to remember your passwords (you can\u2019t), it\u2019s to trust the systems, either iCloud Keychain or a password manager. Unfortunately, sometimes you do have to type them in and it will be quite the chore if you use iCloud Keychain to create your passwords.<\/p>\n<h3>Syncing<\/h3>\n<p>The only way that these great passwords will be any help is if they\u2019re always there for you.  
The fact that iCloud Keychain syncs across your iPhone, Mac, and iPad means that you\u2019ve got them at your fingertips. If you know you can trust that iCloud Keychain will have your passwords when you need them, you\u2019re more likely to let it choose your passwords for you, which is a good thing.<\/p>\n<p>But what if you have a Mac with an Android phone? Or maybe you\u2019re an iPhone user but you use a Windows PC.  iCloud Keychain won\u2019t be there for you. If you don\u2019t have the passwords when you need them, you won\u2019t trust iCloud Keychain and you\u2019ll go back to using less-secure and reused passwords.<\/p>\n<p>And what about passwords to accounts you share with others? Maybe you and your partner have a shared bank account or credit card; what happens if you have to change the password for some reason? How do you let your partner know?  Maybe your memory is perfection itself but the rest of us have about a 50% success rate.<\/p>\n<p>If something were to happen to you, I would assume that at least one person you love has access to your phone or Mac or iPad.  They could log into your accounts because of iCloud Keychain which is great.  But how do they know what accounts exist?  If you take care of the phone bill, do they know what website to go to? How would they figure that out from iCloud Keychain?<\/p>\n<h2>Password Managers<\/h2>\n<p>Let\u2019s switch gears and compare iCloud Keychain to using a password manager.  Like iCloud Keychain, 1Password information is encrypted in transit and at rest with AES 256-bit encryption. 
If you lose your 1Password login, they simply cannot retrieve it for you (<a href=\"https:\/\/1password.com\/security\/\" target=\"%5Fblank\" rel=\"noopener\">1password.com\/&#8230;<\/a>).<\/p>\n<p>Let&#8217;s go through some of the features and advantages you get with 1Password.<\/p>\n<h3>One Long Complex Password<\/h3>\n<p>I explained that iCloud Keychain protects your passwords with your Mac or iPhone\u2019s login, and it\u2019s highly likely that you have fairly simple passwords on both.  With a password manager, you create one wicked long password with numbers and letters and special characters and a goat in it.  You make it this complex because it is literally the key to the kingdom.<\/p>\n<p>You will have to type it in from time to time but in most cases, you won\u2019t.<\/p>\n<ul>\n<li>Touch ID or Face ID on your iPhone and iPad can unlock 1Password<\/li>\n<li>If you have a MacBook with Touch ID, you can open 1Password with your fingerprint<\/li>\n<li>If you have a Mac with a T2 security chip, you can even use your Apple Watch to authenticate to 1Password.  <\/li>\n<\/ul>\n<p>1Password will ask you to type in the full password from time to time just to make sure you never forget it.  With a password manager, this is the <em>only<\/em> password you have to remember.<\/p>\n<h3>Generated Passwords<\/h3>\n<figure style=\"float: right; margin-left: 5px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/1Password-Auto-Generated-Memorable-Password.png\" alt=\"1Password Auto Generated Memorable Password\" title=\"#title#\" width=\"295 \" height=\"269\"><figcaption style=\"text-align:center\">1Password Auto Generated Memorable Password<\/figcaption><\/figure>\n<p>1Password will suggest passwords for you just like iCloud Keychain when you\u2019re first setting up an account. 
With 1Password you can choose an unmemorable pile of glop password just like iCloud Keychain, or you can use a setting in 1Password to have it offer to you a memorable password. Memorable passwords include a series of human-readable words with separators between them.<\/p>\n<p>You can use a slider to set how many words you want, whether to intermingle words with all caps and what kind of separator it should use.  This is <em>almost<\/em> as good as <a href=\"https:\/\/xkpasswd.net\" target=\"_blank\" rel=\"noopener\">Bart\u2019s XKPasswd.net service<\/a>.  Of course, Bart has a lot more options but if you\u2019re in a hurry, 1Password has your back.<\/p>\n<p>I want to emphasize that there\u2019s nothing wrong with iCloud Keychain\u2019s passwords from a security standpoint, but if you ever have to type them in, you\u2019ll wish you had 1Password.<\/p>\n<h3>Two-Factor Authentication<\/h3>\n<p>Many accounts these days allow you or even make you have two-factor authentication with an authenticator code. They often refer to it as Google Authenticator, but you can create these same authenticator codes with 1Password.  It\u2019s a bit buried, but <a href=\"https:\/\/support.1password.com\/two-factor-authentication\/\" target=\"_blank\" rel=\"noopener\">once you know where it is and how to turn it on, it&#8217;s really easy<\/a>.<\/p>\n<p>If you use iCloud Keychain, you&#8217;d have to use a secondary app (like Google Authenticator) in order to protect your most important accounts with two-factor authentication. With 1Password, it&#8217;s built right in.<\/p>\n<h3>Cross Platform<\/h3>\n<p>We talked about iCloud Keychain working across all your devices \u2026 but that\u2019s true if you use only products from Apple. With 1Password, your passwords are available on your Mac, iPhone, Windows PC, Android phone, and now they even have a native client for Linux.  
If you live in a cross-platform world, a dedicated password manager is a much better option than iCloud Keychain.<\/p>\n<h3>Sharing With Others<\/h3>\n<p>If you use iCloud Keychain and change a password, you have to remember to tell your partner, other family members, or roommates.  With a dedicated password manager, you can share specific passwords so that if you change the password they get the change automatically.<\/p>\n<p>1Password does this through what they call Shared Vaults.  Steve and I have our own private vaults because I don\u2019t need access to his Apple ID, and he doesn\u2019t need to log into my podfeet.com admin account. But we share credit cards and bank accounts and even more critical things like our Netflix password.  Those all go in a shared vault.  If for some reason I need to change a password on a shared account, I don\u2019t have to remember to tell him.<\/p>\n<p>In the most recent versions of 1Password, they&#8217;ve made it super easy to move items in and out of shared vaults; you simply drag and drop between them. The last time I used LastPass they allowed you to share logins one-by-one, which in some cases has advantages over the vault concept.<\/p>\n<p>Remember we can have two-factor authentication with 1Password. If the site you\u2019re authenticating to is smart enough to use an authenticator instead of insecure SMS, then the two-factor authentication is available to you and your partner with 1Password.<\/p>\n<h3>Things You Can Store<\/h3>\n<figure style=\"float: right; margin-left: 5px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/1Password-Categories.png\" alt=\"1Password Categories\" title=\"#title#\" width=\"214 \" height=\"600\"><figcaption style=\"text-align:center\">1Password Categories<\/figcaption><\/figure>\n<p>Every year 1Password adds new things you can store in your vaults.  We\u2019ve been talking about logins to online services but it\u2019s so much more than that. 
1Password has categories for the different types of data you may want to store in your vaults.  Categories are very useful because they are tailored to prompt you to store exactly the right information for that piece of data.<\/p>\n<p>For example, if you choose to add a Wireless router, it will ask you the base station name and password, but it will also give you fields for the IP address, the type of security and any attached storage passwords.<\/p>\n<p>It took me a long time to trust 1Password with my credit cards, but it\u2019s glorious to have them autofill for me after I authenticate into 1Password.  Like you can with macOS and iOS natively with iCloud Keychain, 1Password can also store identity information so you can have your address, phone number, and birthday auto-filled. It was interesting to me that iCloud Keychain doesn&#8217;t store the CVV number from the card, but 1Password definitely will save it for you.<\/p>\n<p>1Password recently added bank accounts as a specific category. I created my entries before this category existed, but they&#8217;re so much easier because it has dedicated fields for things like the routing number.<\/p>\n<p>I won\u2019t go through every type of account, but 1Password has categories for databases, driver licenses, email accounts, medical records, memberships, passports, reward programs, servers, and social security numbers.<\/p>\n<p>They also have plain old garden variety secure notes.  If you don\u2019t use a password manager, and you need to write a secure note for yourself, you can easily use Apple Notes. It\u2019s not a bad solution and the protection there is very good, but now you\u2019ve got two places where you\u2019ve stored information, iCloud Keychain and Notes.<\/p>\n<p>One of the most valuable things 1Password can store is software licenses. While they don\u2019t require the high security of a password manager, it is delightful to have them all collected in one place.  
It even picks up the pretty icon of the application so it\u2019s easy to scan to look for the app license you need.  I use this all the time.<\/p>\n<p>I mentioned passports earlier and we actually used this feature of 1Password. When Steve and I were in Peru, someone stole his backpack at the airport in Cusco as we were leaving to go to Lima to then fly home.  It had a lot of electronics in it, but more importantly, the backpack contained Steve\u2019s passport. In order to get a new one, you need to know your old passport number.  We had scanned in our passports to 1Password years before so we were able to not only give the number to the passport office, we were able to make a printout of it.  I\u2019m not sure it made a big difference but it did seem to help smooth out the process.<\/p>\n<h3>Finding Problems<\/h3>\n<figure style=\"float: right; margin-left: 5px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/1Password-Enable-Vulnerable-Passwords.png\" alt=\"1Password Enable Vulnerable Passwords\" title=\"#title#\" width=\"375 \" height=\"256\"><figcaption style=\"text-align:center\">1Password Enable Vulnerable Passwords<\/figcaption><\/figure>\n<p>All of us have the goal of having accounts that are impenetrable.  The threats to our accounts can come from so many different places, that I count on 1Password to watch for them for me.<\/p>\n<p>They tell you if you\u2019ve used a weak password and especially if you\u2019ve reused a password.  I\u2019m pretty sure iCloud Keychain doesn\u2019t tell you this. Remember, if you reuse a password, and one of the sites gets hacked, your other site is easy pickings.<\/p>\n<p>I think that the reused password section in 1Password could be improved. Not because it won\u2019t show me where I\u2019ve duplicated a password but because it shows me duplicates that I can\u2019t do anything about.  
There are at least a dozen services and websites that have two ways for me to get into them, so I have two entries with the same username and password combination. I guess it\u2019s better that they don\u2019t miss any but I\u2019d sure like to be able to see a clean bill of health someday.<\/p>\n<p>They also have a section for vulnerable passwords.  They take the hash of your password, which is where they run your password through the algorithm that disguises it, and then they compare the disguised version to an online database of security exploits provided by <a href=\"https:\/\/haveibeenpwned.com\" target=\"_blank\" rel=\"noopener\">haveibeenpwned.com<\/a>.<\/p>\n<p>I want to emphasize that your plain-text password is never exposed through this process, but if your hashed password is in this database, then it means the bad guys can recognize your hashed password when they attack other sites. You really truly do not want to use a password that\u2019s in this database.  This vulnerable password check is another service you get with 1Password that you don\u2019t get with iCloud Keychain. You can always check every password of yours one by one at haveibeenpwned, but that&#8217;s pretty tedious!<\/p>\n<p>1Password will also reveal to you if any of the websites for which you have a login have been compromised since you last changed your password. It then prompts you to log into the site and create a new one.<\/p>\n<figure style=\"float: right; margin-left: 5px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/1Password-Check-for-https.png\" alt=\"1Password Check for HTTPS\" title=\"#title#\" width=\"260 \" height=\"311\"><figcaption style=\"text-align:center\">1Password Check for HTTPS<\/figcaption><\/figure>\n<p>A recent addition in the last few years is that 1Password will show any logins you&#8217;ve stored that point to unsecured websites. 
If you&#8217;ve been at this for a long time, it&#8217;s highly likely that you&#8217;ve stored a lot of logins using the HTTP version of the web service.  With 1Password, you can ask it to check all of your insecure sites to see if HTTPS is available. I&#8217;ve been fixing these as I use them but I really should spend some quality time fixing them all.<\/p>\n<p>Another cool feature of 1Password is that it will tell you in a bright red banner if two-factor authentication is available but you haven\u2019t yet set it up.  I tend to fix these as I go too but I really should buckle down and do them all.<\/p>\n<p>Notification of the availability of the option for two-factor authentication is yet another thing iCloud Keychain doesn\u2019t give you.<\/p>\n<h3>Managing a Family<\/h3>\n<p>As the nerds-in-residence, most of us are also in charge of keeping our family members safe on the Internet. I\u2019m sure your partner has very fine qualities, but maybe taking security seriously isn\u2019t their top priority.  With 1Password for Families, you can help manage the passwords of your family members.  You can even reset their 1Password if they ever forget it which could be really handy.<\/p>\n<h2>Bottom Line<\/h2>\n<p>The bottom line is that iCloud Keychain is a great service and I think it has helped many people to become much more secure in their digital life.  But it&#8217;s pretty obvious that 1Password and other password managers offer a lot more than iCloud Keychain does to keep you safe online. I highly recommend you go check out 1Password at <a href=\"https:\/\/1password.com\" target=\"_blank\" rel=\"noopener\">1password.com<\/a>. It&#8217;s $3\/month for individuals and $5\/month for families. If I had to narrow down my subscriptions to just one, the last one standing would probably be 1Password.  
That, or maybe TextExpander&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>iCloud Keychain Offers to Save Password Recently in one of our community channels we were chatting about the announcement that 1Password is now available for Linux, and someone said that they use iCloud Keychain and that it\u2019s good enough for them. I\u2019ve heard this before, and I never sat down to really outline what a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":23727,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147],"tags":[305,4615,4614,4616,2395,134,135],"class_list":["post-23725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-1password","tag-bank-accounts","tag-icloud-keychain","tag-logins","tag-passports","tag-password","tag-passwords"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/06\/Keychain-and-1Password-Icons.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23725"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23725\/revisions"}],"predecessor-version":[{"id":23729,"href":"https:\/\/w
ww.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23725\/revisions\/23729"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/23727"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}