{"id":32184,"date":"2024-11-06T16:37:12","date_gmt":"2024-11-07T00:37:12","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=32184"},"modified":"2024-11-10T17:40:51","modified_gmt":"2024-11-11T01:40:51","slug":"apple-passwords-app","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/11\/apple-passwords-app\/","title":{"rendered":"I\u2019ve Changed My Mind About Apple\u2019s New Password App"},"content":{"rendered":"<p>With the advent of macOS Sequoia and iOS 18, Apple upgraded its method of saving user passwords from the arcane Keychain Access to a fledgling full-fledged password manager. Because Apple likes to name its products so they\u2019re impossible to search online, the app is called Passwords.<\/p>\n<p>I am a huge proponent of password managers, with my current favorite being 1Password.  Steve and I converted his parents to use 1Password. While his father does require a wee bit of assistance now and then when a bank or other service changes things, overall they\u2019re both dedicated users and believers in 1Password. <a href=\"https:\/\/www.podfeet.com\/blog\/2015\/09\/octogenarian-1password\/\" target=\"_blank\" rel=\"noopener\">Steve&#8217;s dad did a testimonial about 1Password<\/a> 9 years ago for the show and he&#8217;s even more enthusiastic today. They both have wicked-long, complex master passwords (created with the wonderful tool by Bart Busschots: <a href=\"https:\/\/xkpasswd.net\">XKPasswd<\/a>.)<\/p>\n<p>I remember ages ago talking to Melissa Davis (aka @TheMacMommy) about convincing people to use password managers and our various strategies. Melissa helps a lot of elderly people set up 1Password, and I remember being shocked when she told me that she lets them use a short, easy-to-type, and easy-to-remember password. We got into a debate about it and she (patiently) explained to me that it was that, or they wouldn\u2019t use a password manager at all.  
Ever since that discussion, I\u2019ve stuck to my opinion that she should just try harder to convince them to use a good master password.<\/p>\n<p>When Apple introduced the Passwords app, I began to ring the alarm bell on podcasts far and wide (including a <a href=\"https:\/\/www.relay.fm\/clockwise\/577\">recent episode of the Clockwise Podcast<\/a>) about how I think it\u2019s dangerous.<\/p>\n<p>My problem with Apple Passwords is that I think it will give a false sense of security. I don\u2019t think people realize that all of their passwords are protected <em>only<\/em> by the strength of the passcode they have on their phone or the password they have on their Mac.  Unlike independent password managers, the app has no master password.<\/p>\n<p>You may say, \u201cBut Allison, you <em>can<\/em> have a long, complex password on your phone and Mac!\u201d Sure\u2026but how many people do? My Mac\u2019s password is on the complex side but it\u2019s not terribly long, and the password on my phone isn\u2019t very complex or long since I have to type it so often.<\/p>\n<p>I know Apple started enforcing a 6-digit passcode on iPhones when you do a password reset. That&#8217;s way better, but it\u2019s possible to maintain the 4-digit passcode if you never ask to set up a new passcode.<\/p>\n<p>That\u2019s why I\u2019ve been sounding the alarm. I&#8217;m not wrong, but I have come around to thinking that Melissa wasn&#8217;t wrong, and it folds into the new Passwords app narrative.  Here&#8217;s why I have changed my mind.<\/p>\n<p>I have a friend who is brilliant but doesn\u2019t really use tech particularly well. 
She and her husband are such low-tech users that just a few years ago I was visiting her and tried to look something up on my Mac and discovered that her husband had \u201cturned the Internet off.\u201d When I asked him why, he said, &#8220;We always do when we aren&#8217;t using it.&#8221; You get my drift of what I&#8217;m dealing with here now, right?<\/p>\n<p>Every year, my friend invites me over to help her print out address labels for her Christmas cards. A hundred years ago <a href=\"https:\/\/www.podfeet.com\/blog\/tutorials-5\/how-to-create-address-labels-from-osx-contacts\/\">I created a tutorial for her on how to do this directly from Apple Contacts and posted it on podfeet.com<\/a>. The tutorial is so old that the interface on OSX was still Aqua and Contacts was called Address Book.  Surprisingly, the steps haven\u2019t changed substantially since then so I&#8217;ve left it up for reference.<\/p>\n<p>My friend is getting pretty good at the process by now (we\u2019ve been doing it for around 10 years), but she still likes my handholding through the steps. Her husband teases her that by now she should be able to do it on her own, but she explains that it\u2019s the one time a year we get together to catch up. Every year when I help her put a little baby reindeer covered in Christmas lights on her labels and she squeals with delight, I know why we do this together. As a tip she gives me a bottle of wine and a bag of chocolates for Steve. Win-win all around, right?<\/p>\n<p>Starting probably five years ago I started lecturing her about how she should be using a password manager. I used the classic scare tactic of explaining that someone could steal all her money and remove access to her precious photos. I tried using the carrot too by explaining how much easier life is with a password manager and not having to remember your passwords. 
I gave her the phone number of my good friend Pat Dengler, who is a Certified Apple Consultant, and assured her that Pat would make the transition to 1Password as easy as it can be. I\u2019m a good friend, but it\u2019s not worth any amount of wine and chocolate for me to help her do it myself, so she&#8217;d have to pay Pat for her services.<\/p>\n<p>Every year when I went back to do the labels with her, I found that she still hadn\u2019t taken my advice. Every year she\u2019d promise she\u2019d do it, but never did.  The only good news is that she has started to use long, complex passwords. The bad news is that she saves the passwords in plain text in Contacts. Look up the name of her bank in her Contacts and you would find her password.<\/p>\n<p>Let\u2019s fast forward to this year\u2019s Christmas Card labels playdate. When we were done making the labels, I asked her yet again about getting a password manager. She said, \u201cI knew you were going to ask me again, so I downloaded LastPass\u2026\u201d. Sigh. I explained to her that LastPass wasn\u2019t to be trusted any longer and that she should download 1Password instead.<\/p>\n<p>And then I had a thought. If after this long she hadn\u2019t embraced the idea of 1Password, maybe I was never going to succeed. With the new Passwords app on iOS 18, I wondered if that would be a more frictionless path. Her phone was still on iOS 17, so I had her start the update to iOS 18.  We had very recently replaced her failed MacBook Air with a new 15\u201d M2 MacBook Air, so it was already on Sequoia.<\/p>\n<p>While the iPhone was being updated, I had her open the Passwords app on the Mac. When we opened it, we discovered that she had already been letting Safari save passwords, so there were around 30 of them already in Passwords. We looked at the list and chose one of them to test out. I had her navigate to the website as she normally does and showed her how to use Passwords to auto-fill her username and password. 
The squeal of delight wasn\u2019t quite as good as the one for the tiny Christmas reindeer, but it was pretty close.<\/p>\n<p>She pulled up Contacts, found the same entry in her phone, and showed me the password in the plain text field. She looked at me and said, \u201cI should delete it from Contacts, shouldn\u2019t I?\u201d  I beamed with happiness.<\/p>\n<p>Then she asked if she could do another one.  She tested 3 or 4 of them while I was there and she dutifully erased the passwords for each one from Contacts. Even better, she said, \u201cThis is fun!\u201d and told me she\u2019d do the rest of them that very night.<\/p>\n<p>I also showed her how to let the Passwords app create passwords for her and she liked that very much. Once her iPhone was up to date on iOS 18, we opened Passwords on the phone and she was able to confirm she could use it from there as well.<\/p>\n<p>I told her that she had one more task. She simply had to change her passcode on her phone from the current four-digit one to six digits. Surprisingly, she immediately agreed. I\u2019m sure glad she did because I found out the passcode she had been using was her birthday. She suggested several six-digit codes, all of which were as easily guessable as her birthday. Eventually, she settled on one that was obscure but memorable to her.<\/p>\n<h2>Bottom Line<\/h2>\n<p>The bottom line is that I think Melissa was right. It&#8217;s better that they at least use a password manager (with different passwords for every account), even with a shorter, less complex password. The danger of an online attack is probably higher than the danger of someone breaking into their password manager.<\/p>\n<p>Apple did a good thing making the Passwords app easily accessible and understandable to less technical people. While I\u2019m still nervous about the passcode\/password on people\u2019s iPhones and iPads and Macs, the bigger threat to the security of their accounts is password reuse. 
I think this step to a dedicated app will get more people to raise their password security and that\u2019s a very good thing.<\/p>\n<h2>The Checklist #399<\/h2>\n<p>Ken Ray (aka MacOS Ken) asked me to come on the security podcast he hosts called The Checklist to talk about this very topic. If you&#8217;d like to hear that discussion, go to <a href=\"https:\/\/www.securemac.com\/checklist\/checklist-399-passwords-with-allison-sheridan\">www.securemac.com\/&#8230;<\/a> or look for The Checklist in your podcatcher of choice.<\/p>\n<h2>One More Thing<\/h2>\n<p>One more thing. In 2022 and again in 2023, Security.org conducted a survey of Americans about passwords. There&#8217;s a lot of great info in their <a href=\"https:\/\/www.security.org\/digital-safety\/password-manager-annual-report\/\" target=\"_blank\" rel=\"noopener\">Password Manager Annual Report<\/a>, and I want to highlight one very surprising finding.<\/p>\n<p>While 41% of respondents in 2022 and 2023 said they memorize their passwords, the next highest strategy was the use of password managers. But get this: in 2023, more than 34% of respondents said they use a password manager, which was up from 22% in 2022. More than a third of Americans who responded to this survey (which must be self-selecting to some extent) said they use a password manager. I found that shockingly high.<\/p>\n<p>But it wasn&#8217;t all good news. They asked the people who used password managers whether they ever reuse their password manager\u2019s master password as a login on other sites. 28% of them said \u201cYes.\u201d<\/p>\n<h2>Bottom Bottom Line<\/h2>\n<p>So my final thought is that it\u2019s OK to encourage the technology-resistant people in your life to use Apple\u2019s Passwords app, but don\u2019t let them use the same passcode on their phone or password on their Mac anywhere else. 
And for the love of all things good in this world, at least encourage them to have a six-digit passcode instead of four on their phone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the advent of macOS Sequoia and iOS 18, Apple upgraded its method of saving user passwords from the arcane Keychain Access to a fledgling full-fledged password manager. Because Apple likes to name its products so they\u2019re impossible to search online, the app is called Passwords. I am a huge proponent of password managers, with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":32186,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147],"tags":[6815,1416,135,50],"class_list":["post-32184","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-apple-passwords","tag-password-manager","tag-passwords","tag-security"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2024\/11\/Keychain-Access-to-Passwords-icons.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=32184"}],"version-history":[{"count":6,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32184\/revisio
ns"}],"predecessor-version":[{"id":32222,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32184\/revisions\/32222"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/32186"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=32184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=32184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=32184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}