Note for regular readers, the already tech savvy, and IT professionals: this series is designed as a resource you can share with those you are helping or for those looking to become tech savvy on their own.
In our previous article we took a look at how to get started with password management using 1Password. Today we’ll look at using Apple’s iCloud Keychain and answer some of your common password management concerns.
Background, Expectations, & Best Practices
One of the more common questions we have been asked in our password management series thus far is about using iCloud Keychain. For the uninitiated, iCloud Keychain is a system for syncing your Safari website usernames and passwords, credit card data, and network information. Apple introduced the tool with iOS 7.0.3 and OS X Mavericks 10.9 and has been making slow improvements ever since.
If you’ve ever seen Safari offer to generate a new password when registering an account, or to save your credit card information, then it was most likely using iCloud Keychain. One of the biggest advantages iCloud Keychain brings is that it’s connected with all your Apple products. A password or credit card saved in Safari on your Mac is also saved on your iPhone, and vice versa. This is a solid first step into password management!
Getting Started with iCloud Keychain
Let’s take a look at getting started with iCloud Keychain. More likely than not, you may already have iCloud Keychain enabled on your Mac or iPhone, but let’s go ahead and double-check.
On iOS, head to Settings > iCloud. Scroll down to the bottom, select Keychain, and toggle it on.
On macOS, head to the Apple menu at the top left of your screen, and select System Preferences. From here, select iCloud and scroll down in the list of items to find Keychain. Toggle it on if it’s not already enabled.
Now that you’ve enabled iCloud Keychain on both systems, Safari will ask to save your passwords when logging into a website where the credentials were not previously saved. If you choose to save them, the next time you go to log in, Safari will have the fields pre-populated with your credentials.
If you’re signing up for a new account on a website, Safari will even suggest a password for you. If you choose to use that suggested password, Safari will autosave it into your iCloud Keychain and use that to pre-populate the username and password fields the next time you log in!
One of the other concerns with iCloud Keychain is that once you’ve saved these credentials, where do you go to view them? On macOS, launch Safari and head to its preferences (Safari > Preferences). In the pane that opens, select Passwords and type in your system’s password (or use Touch ID if you have it). Once unlocked, the pane will show you all the URLs with saved usernames and passwords in your iCloud Keychain. To view the individual password for each item, simply select that URL in the list and the password will be revealed.
To view your iCloud Keychain passwords on iOS, head to Settings > Safari > Passwords and input your device PIN or use Touch ID. The list of saved credentials is shown, allowing you to select any item in the list to reveal its password.
From both of these sections you can even add new credentials, or remove them if you’d like.
Common Password Management Questions and Concerns
1. Why use a password manager over iCloud Keychain?
While password managers may be a much more involved process, they usually contain more options than iCloud Keychain. For example, in 1Password you can store software licenses, driver licenses, website passwords, database passwords, and plenty more. Each of those categories is neatly organized within 1Password to make finding what you need faster.
Password managers also work across various systems. iCloud Keychain only works within the Apple ecosystem. Even though you may use Google Chrome on your Mac, you won’t be able to use your iCloud Keychain in that browser. If you use Google Chrome as your default web browser, saving your user credentials there will most likely default to its password manager (unless you have a third-party one configured). Because of this, your credentials aren’t saved into Apple’s iCloud Keychain and thus won’t sync over to your other devices like your iPhone and iPad. It can be confusing when you go to your phone and realize none of your passwords are in iCloud Keychain as expected.
2. Isn’t using a password manager just “putting all your eggs into one basket”?
Short answer: Yes. This is a challenge with maintaining large sets of sensitive data. While you are putting all your eggs in one basket, you’ve also got to make sure that basket is rock-solid, secure, and is less likely to be hacked. Michael discussed some ideologies behind password management a few weeks back.
A concern some have shared is that you should just remember all of your passwords for increased security, but the simple fact is that for some people the convenience a password manager brings is unparalleled. Personally, I have over 600+ pieces of information saved within 1Password. While I could try to remember all of them, I decided that the convenience 1Password brought was well worth it. To increase my security while keeping all my eggs in this proverbial basket, I also went ahead and started with a strong Master Password.
3. If someone steals my password manager’s password won’t I lose everything?
Short answer: not necessarily.
Different password managers use different ways of separating your password manager’s password and the information contained within. In the case of 1Password, if someone were to guess your Master Password they still wouldn’t be able to get into your password vault without your Account Key as well. That doesn’t mean you shouldn’t start with a secure password already. If someone were to take your computer system’s password and iCloud password, they would be able to get into your iCloud Keychain as well. No matter what you do with your passwords, you need to start securely.
Don’t make the front door to your password management your weakest link.
Some have shared that they use an encrypted spreadsheet to store all their passwords. While the idea is good, it falls flat quickly. Microsoft Excel and other spreadsheet software have been vulnerable to password cracking attempts due to rolling insecurities. (Wikipedia has a small post with some good information here.) More often than not, a strong password manager will use a combination of encryption schemes similar to banks.
4. Can someone hack into these password managers?
Short answer: Yes. Long answer: The time they do spend trying to do so is often used attempting to hack you in other areas.
Software, even on macOS, is vulnerable to malware and hacking attempts daily. Updating your software can help increase its security.
In the case of hacking into your password manager with all your passwords (“all your eggs in one basket”), it is possible and has happened. LastPass was hacked in 2015, but because of the multiple levels of security they use, they don’t believe that customers’ data was actually compromised.
Password management and password managers are a topic of discussion that can span several posts. It is a topsy-turvy and twisted web of security that we’re all just trying to get a grasp on. At the end of the day it only matters if you’ve gotten to a method where you feel comfortable with the way your information is stored and secured.
I definitely recommend re-reading our previous posts on the topics (Part 1, and Part 2) and checking out the reader comments below! Everyone has been helpful in sharing different ideas and experiences they have with different solutions. All that’s left for you to do now is to start!
Note: The topic of security is something we’ll definitely be further exploring in the future, so if you have any comments or questions with that please leave them below!