Apple passwords deserve an app (cabel.com)
1260 points by ttepasse on March 27, 2023 | 402 comments



I tried going all-in on using iCloud Keychain (correct term?) for my passwords from having previously used LastPass.

In short.

1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.

2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

I think those were my big complaints. If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.


> 1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.

Like a lot of other Apple stuff, I'm only able to use it because I don't use anything non-Apple for anything "serious" that involves a GUI. Windows is for gaming, Linux is my file storage and docker-service-running server that I only interact with over SSH and Web. Ditto Notes, all their Office-type programs, etc. I'd probably be on a lot more Google shit if I needed more cross-platform access to that stuff.

> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.

> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

IDGAF about clicks because I search my way to everything in Apple's settings—what does bother me is that they've made search worse in the last couple versions of iOS, and that if I type "pass" in search, "Passwords" isn't even visible on the list yet. I can get all the way to "password" and it's still the fourth entry. The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case! Even fully typing "passwords" still leaves it as the second entry (of three) on my device. WTF.


> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.

Other browsers used to be able to use it. I do think it’s a really thorny issue—“allow this application to access all saved passwords?” is a pretty damn scary permission to include. Up there with the “allow this application to control your computer” permission that is used for accessibility apps (which apps can abuse to read passwords, if I understand correctly).

Apple’s tradition. Make the platform more secure, add an exception for first-party apps, and let the other browsers fuck off.


Safari Passwords and 3rd party apps can and do use the Apple Keychain on macOS/iOS to store sensitive data. Though 3rd parties can't integrate with Safari's password manager.

If you use Chrome Sync with passwords on macOS, Chrome actually stores the decryption key in the macOS keychain. Just open Keychain.app (/Applications/Utilities/Keychain Access.app) and search for "Chrome Safe Storage" to find it. That's the decryption key for the actual encrypted password/sync data stored elsewhere. (So not possible to access Chrome passwords from the Keychain directly)

Safari Passwords (Apple's password manager) also stores passwords in the Keychain as individual entries and you can access them via Keychain.app. Unfortunately, since they’re part of the iCloud Keychain not the local login Keychain, they appear to be inaccessible with the `security` CLI tool which fails in an obtuse way.


Obviously the browser doesn't need to have unfettered access.

It just needs to tell the password "hey there's a password on wellsfargo.com" and then the password manager asks the user if they want to use the password. And maybe give access to all passwords.

IDK, what does safari do?


Safari pops up a little box attached to the login text field asking you if you want to use the password for wellsfargo, so it seems like it’s asking keychain “do you have a password associated with this url?”. At least on modern MacBooks they also figured out a good UX flow, when that box is on screen you put your finger on the Touch ID button and it authenticates you, puts in the password, and goes to the next field or hits submit.


Yeah, I think other browsers want to be able to test whether there is a saved password or not, and get the corresponding username, which is quite a big permission to give away. For actually filling in the password they could maybe offer a pop up where the user must authorise the app using biometrics or some other OS-level action. That’s already the experience with Safari.


Something could pop up saying "Fill password for HSBC Bank?" or similar and you click one button.


> allow this application to access all saved passwords

I'd like to see finer granularity, perhaps multiple web password vaults and a mechanism to allow certain browsers to use certain vaults.

It might also be nice to specify which passwords could be accessed with which kind of authentication. Unfortunately the current system password dialog is easily spoofable - it really looks like a questionable javascript popup.


What would that look like? Do you expect a prompt for every website you visit (Would you like to allow permission for Firefox/Chrome/whatever to view/store your password for "abcd.example.com"?) Would the permission be tied to the name of the app or the hash of the app? How do you securely identify the browser? Signed apps? Signed via a developer key -- trust the developer so that you can use Chrome as well as Chrome Beta?

The above is not a critique but certainly a list of things that lead to the possibility of a repeat of the infamous Windows popup for every single action you want to do out of the box. This leads to either decision fatigue or a pre-programmed "yes, just do it" response from the vast majority of users.

I personally think it should be an all-or-nothing type of allowance for this reason. Maybe the better way would be tracking access to passwords in Keychain. ie: Chrome+Safari+Firefox have all accessed your credentials for google.com but only Safari has seen your iCloud credentials and only Chrome has seen your HN credentials.


> Do you expect a prompt for every website you visit (Would you like to allow permission for Firefox/Chrome/whatever to view/store your password for "abcd.example.com"?)

This is pretty much exactly how macOS Safari prompts, and has for several years, at least in Touch ID scenarios. It shows a suggested username/identity with a Touch ID icon next to it, presented just like a normal autofill suggestion otherwise.

The per-site prompt and the inclusion of username/identity are really good signals, and feel like they reinforce the opposite of Windows UAC. They definitely gate access in a similarly repetitive way which encourages repetitive acceptance. But they demonstrate prior authorization that would have to be manual at least once at some point before the prompt, and you won’t be prompted the same way for sites you didn’t manually authorize first.

It’s a good enough signal that I generally use it as my first line of defense against phishing/domain spoofing. If I don’t get prompted for credentials for a service I expect to have an account with, I’m immediately suspicious. That doesn’t mean I automatically trust or distrust on that alone, but it’s a pretty decent sniff test.


It's not unheard of - iOS already provides granular permission capabilities for photos. You don't have to give all-or-nothing permission to apps to access photos anymore; you can now choose precisely which photos the app has access to.

I'm looking forward to iOS doing the same for contacts; there's no reason why WhatsApp/Telegram/etc need access to my entire address book if I just want to call Steve.


>What would that look like? Do you expect a prompt for every website you visit

Why not? It works fine for Little Snitch.

And here it would be even fewer prompts, as it would just be every website I visit && have a login account at.


Isn't this the exact thing that got MS in trouble with anti-trust for Explorer? How is Apple getting away with it?


No. Microsoft got in trouble because they were coercing OEMs to not include competing browsers.

Apple has no such problem since they don’t have other OEMs.

Same deal with why Google got in trouble with the play store.


>> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope

No it's not. I don't want some exotic product connecting to a domain I have passwords in and prompting me for access. The password should be tied to the product you used to login with.

This is a misunderstanding of keychain vs. lastpass. One is designed to remember "safari passwords" or any swift/cocoa application implementing keychain. One key feature is: once stored in Keychain this information is only available to your app, other apps can't see it.

Lastpass and other similar products are designed as a data warehouse / vault for your security items. From there, plugins in browsers etc. can take over.

I will totally agree with the fact that the GUI is frustrating at best.


But on iOS I can use keychain from apps to find login information that is stored from Safari?


> The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case!

Weird. "pas" and it was top of the list for me.


In Spotlight, I need “passw” to see it. In the actual Settings search, I also need “passw”, and that only gets it to #5 in the list.

Also, Spotlight is bizarrely slow finding even local apps and things like Passwords. WTF


Did you tell it to ignore most local files?


Wow! Just discovered the Spotlight customization and it is so much faster and more useful when you remove certain locations and turn off definitions and Siri suggestions.


That sounds delightful. Sadly, while Apple documents “Suggestions in Search”, and I can even see that option when I search Settings for Siri, the option itself is missing from the Siri & Search page.


When I type just "p" it's the second top most result. When I type "pa" it's already the first result.


Bizarre. That's on iOS for me, searching in the settings app itself. I have to type most of "passwords" just to get it to show up at all, and some of the ones that are showing up instead have only the most tenuous connection to the search term "password".

It used to show up for me after a couple letters, in the settings app, until a few iOS versions ago, IIRC.


It "learns" from previous searches.

Which is unfortunate, because it's not very good at it.


Anecdata: `pas` worked for me in Spotlight, Settings (both 13.3 Beta (22E5246b)) and Alfred (4.8 [1312]).


I get the same result as the parent. Search in Settings has gotten a lot worse with time.


I use Windows almost only for gaming (and CAD) too, and I've found recently that the webapps, especially music and notes, are good enough, and iCloud Drive and Photos integration to Windows actually work well.

But yes, passwords is annoying. You can use them on Chrome on Windows but not on macOS, and on Windows it doesn't work on anything but Chrome. Speaking of gaming, game launchers on Windows can't get passwords from Apple and also seem to log me out all the time, so I have to revert to using my phone to see my password and manually type it in.


Step 63 of Mac setup is optimizing Spotlight by excluding a bunch of stuff from being indexed - kind of annoying but that's the solution


>Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.

It probably very much is. But Google would never add Keychain integration when they want to push you to their own password manager within Chrome


Yeah, I'm also a heavy user of Spotlight Search and it's still impossible to get to Keychain settings. I suppose my higher level point was that it's damn near impossible to efficiently get to the keychain settings.


Not impossible at all. For me, ⌘-space, then typing pass is enough for Spotlight Search to suggest the Passwords section in System Settings.


Alfred?


I can never tell if Apple is trying to kill macOS, but it’s things like this that make me wonder.


> If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.

I think Apple would consider this "working as designed."


> I think Apple would consider this "working as designed."

Incoming iTunes Password Manager, next event :P


With passkeys, now every platform can enjoy this level of lock in!


I hope not. I'm patiently waiting on 1Password to release their implementation of passkeys so I can have it work on all my devices, Apple or not.


Just use Passkeys. Any account that allows 2FA allows multiple second factors. You should be setting up backup second factors anyway if you don't want to risk getting permanently locked out of all of your accounts.

Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor. If you're using strong passwords with 1Password, your second factor is basically only defending against a leak of your password database. If you're storing your second factor in that same password database, what are you gaining?


I’m super curious what a backup second factor is for the average user who has only one device: a phone, that sometimes gets lost or is stolen.

Feels like these things are designed by Californians with no idea of how the world is.


Reminds me of the occasional comment threads on here about homeless people permanently locked out of new accounts every few months because of stolen devices and the growing corporate obsession with forced 2FA, and all the replies that amount to "if they didn't want to fuck off and die they shouldn't have been poor".


If you're in this category, your alternative to Passkeys at all is SMS or no 2FA whatsoever. Enabling Passkeys does at least ensure that you have a minimum of two separate devices so you already do effectively have some form of backup of your second factor.

My comment is targeted at someone who is savvy enough to: a) care about having "real" 2FA, and b) is concerned about lock-in, and c) is extremely sensitive to being locked out. For someone like that, you're already buying YubiKeys or some equivalent. And if you don't already have some, you're never prevented from using them later.


> Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor.

Not quite! 1password itself counts as two factors: something you know (the master password), and something you have (the additional secret key).

Passkeys in 1password would eliminate phishing as a problem.


Well, with the exception of AWS, unless something has changed recently — they notoriously only support one second factor (i.e. if you use YubiKeys or similar, you can only use one).


You can add multiple MFA devices since November of last year:

> Now, you can add multiple MFA devices to AWS account root users and AWS Identity and Access Management (IAM) users in your AWS accounts. This helps you to raise the security bar in your accounts and limit access management to highly privileged principals, such as root users. Previously, you could only have one MFA device associated with root users or IAM users, but now you can associate up to eight MFA devices of the currently supported types with root users and IAM users.

https://aws.amazon.com/blogs/security/you-can-now-assign-mul...


Yeah, AWS is the only exception I've encountered :)

But if you have backup second factors (you have backup second factors, right?) and you're worried about Passkey lock-in for whatever reason… just use that other second factor for AWS or any other account which supports only one.


Isn’t the whole point of Passkeys that you can’t ever lose them, since they’re tied to your biometrics?


They're not tied to your biometrics. They're stored inside the TPM of your device, which is unlocked by some form of biometrics.

But if you lose all the devices with your passkeys on them, they are gone for good.


Passkeys aren't supported on Linux desktop, at all. And if you know how to make it work, please let me know. I have to switch to a Windows machine to login with them.


Yep, same with BitWarden. That would be fantastic.


Yeah, that's why I'd never touch passkeys. It feels like you're basically locking yourself into a weird ecosystem that you'll never be able to escape from.


This is kind of silly.

If you're using hardware 2FA, you should absolutely have backups. I've used YubiKeys for years and have one in my laptop, one on a keychain, and one in a safety deposit box.

Passkeys are just another instance of this. I have added Passkeys to all of my accounts with 2FA and it's somewhat more convenient (significantly more convenient for mobile devices). But every account also has all my YubiKeys attached as second factors.

There is no lock-in. And while it's inconvenient and annoying to have to add multiple keys to every account, that is already the reality if you're responsibly using hardware second factors.


This would be less annoying if we could get actual federated identity that big players would actually accept, as it stands having to fetch a key from a safe deposit box every time I register a new account is a huge amount of friction.


It absolutely is. But that’s a separate problem entirely from “will Passkeys lock me in to the Apple ecosystem”, to which the answer is an unqualified no.


Microsoft is a big player and here you go: https://learn.microsoft.com/en-us/windows-server/identity/ad...

I currently have a Microsoft (Work) account that I'm SSO logged on.


To be clear, I was referring to one federated identity that everyone would accept, as it stands there isn't a single, federated identity provider that Apple, Facebook, Google, Microsoft, Amazon, Bank of America, my power company, etc and so on will all accept. I'd like to secure one spot on the internet as an identity, a digital passport of sorts, and secure that heavily then have it log me in to everything. The closest thing we have currently to a digital identity is an email account, but we should really move past that.


> I think Apple would consider this "working as designed."

Punishing us geeks who like using multiple different kinds of OS on their phones and computers. :(


Funny situation, there's another thread I was replying to someone who wanted to shift back to native apps instead of cross plat electron apps (for performance reasons).

Well, Apple Passwords on Windows is a good example of how that turns out in reality. I believe it's using WinUI. While the performance is nice, the experience is entirely unlike what you get on Mac and winds up making you wish you were using another service entirely.


This has been the story of Apple apps outside MacOS forever: they appear to always do the absolute minimum to claim support, and you end up with a super clunky windows app that is terrible.

I doubt they’d do much better using electron: I think their development model is that if it isn’t on one of their platforms, they pump out a minimum-effort, low quality app. I’d guess that electron ones would be just as clunky, except with a significantly higher memory and CPU footprint.


That hasn't really been true. Apple supported iTunes and Safari which were great options on Windows. Not just "I'm already an Apple fan so I have to use it", but actively deciding to use them.

The root of the problem for Apple is that they cannot get away with doing what they used to in the past, they already have a plethora of platforms within their own umbrella to support, adding Windows native to the mix seems to result in maybe a handful of developers taking on enormous burdens by trying to catch up to their expected Mac apps.

If Apple were to seriously put its weight behind a cross-platform toolkit, this might change, especially as they want their services to grow. It's the very reason why their main service competitors can even compete.

But I agree that if they were to suddenly switch to Electron without a care it wouldn't turn out well, but likely have a better end user experience than their current reveals.


> Apple supported iTunes and Safari which were great options on Windows. Not just "I'm already an Apple fan so I have to use it", but actively deciding to use them.

No they weren't. They were notoriously awful. Apple resorted to bundling Safari with QuickTime to try to get you to use it but everyone still hated it.


Nonsense, iTunes was great and got stick just for being iTunes.

300GB library around that time with no issue at all. Smart Playlists made all other players obsolete for me.


So SwiftUI for Windows?


For QuickTime for Windows they ported a portion of the Classic Mac Toolbox to Windows to make it work.

For Safari Windows they ported a portion of Cocoa.

Having an internal Windows version of SwiftUI would not be unthinkable!


Would be very interesting!


> Apple Passwords on Windows is a good example [...] the experience is entirely unlike what you get on Mac

If you were a Windows user, why would you want an app that acts like a Mac app? Surely the benefit of having a dedicated Windows app is that the experience should be like other Windows apps.


You're not really thinking about it as a "mac app", but rather "the service". You expect it to act like the service you use on other platforms with all the features you rely on.

If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI", I immediately know where the genre categories are because I've already used it on android or linux and expect it to be there. I know exactly how to add a song to my library, to shift around playlists, to manage folders, everything is as I learned it on [other platform].

Design development becomes this duplicated burden where every feature now has to go through the wringer twice (or more) to fit native components for their respective platforms. When you hit limitations on those native components, you're now having to make the decision to either hold back the feature entirely, or create fragile workarounds.

In an alternate timeline native components would have had far greater appeal, where people actually hate and boycott apps designed otherwise. But we don't. Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components. The situation is even worse on windows past 7, where the idea of a "windows app" is so jumbled there is nothing to "expect" from the experience - which is actually part of why I think these unified app designs have really taken off.


> If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI"

We're either very different people or we have different use cases :) It immediately feels jarring to me to be using macOS and suddenly presented with a non-native UI. But I only ever use macOS on the desktop, so I don't have this cross-platform issue. What I find strange is, I would have thought that was the 99% common case — it seems strange to me to optimise for individuals using multiple OSes rather than multiple apps on one OS.

> Design development becomes this duplicated burden

That sounds like an OS flaw if true. Of course, I accept that some design will be necessary, even with the finest SDKs available to humanity, but it should be so burdensome that going non-native is seen as the solution.

> Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components.

You're totally right. Every now and again, I say to myself "I really must use Safari for the 'more native' experience", but I always come running straight back to Chrome again.

> The situation is even worse on windows

This was one of the things I liked best about macOS when I first migrated — everything was so consistent, things didn't visually clash, etc. I still get the impression it's better on macOS, but heck, it's definitely not as good as it used to be.


>I say to myself "I really must use Safari for the 'more native' experience", but I always come running straight back to Chrome again.

Have you given Arc Browser a shot yet? It feels pretty great. Feels designed for Mac and has its own design language at the same time.


Not that I disagree with you, but have you seen the new Windows app for Apple Music? It definitely feels Windows 11-ey, with the animations you'd expect. A notable departure from the Mac design, in favor of Windows design, is the placement of the back button at the top left corner of the window, instead of slightly to the right of the top left on Mac.


Apple had (has?) Cocoa ported on Windows actually, so whatever they could do on macOS, they could do on Windows as well. Cocoa as such is cross-platform.


It was a product briefly. OPENSTEP Enterprise. There was talk of selling licenses to distribute but that never happened


Any link to the port of Cocoa to Windows?


Looking at the Apple Music app for Windows quickly, it does appear Apple has done some porting of their APIs to Windows.

https://i.imgur.com/tdr6XTO.png



Apart from the already mentioned OPENSTEP for Enterprise, see also here:

https://www.stone.com/dev/StonesThrow2/OneFoxTwoFox.html

Basically, it was called Yellowbox, but it didn’t officially survive the release of Mac OS X IIRC. But Apple was at least still using parts of it for some Windows ports back then I believe.


My biggest complaint is that it doesn’t keep a history! One misclicked “remember password” at the wrong moment (safari plugin often guesses password fields wrong) and you’ve just locked yourself out of your bank account. Literally happened to me.


> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

On Mac, at any time, type: command-space passw <return>

On iOS tap <search> on any home screen, type passw, tap suggested result


On iOS, my only password manager I've ever used is the built-in Apple one.

I just tapped the "search" field on the home screen, and typed "passw".

"Top Hit": A store link to the LastPass password manager (which I do not and have never used—the button has the text "get", it's not installed and doesn't have the cloud-icon for previously-installed apps)

From there, it's three suggested Siri web searches: "passwords", "password manager", and "password generator"

Then two safari-iconed links (I assume these would search with my default search engine in safari?): "passwords on iphone" and "passew"

Searching inside the "settings" app is only marginally better. It's all much, much worse than it was a few iOS releases ago.


I learned from this thread that you can actually disable all that. I did so and my spotlight searching sped up 10-fold and now I only get app results. So much better.


Better yet, using the Shortcuts app for iOS, create a shortcut that opens a URL with `prefs:root=PASSWORDS` in Safari.

For macOS, you can make the same shortcut open `/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/PreferencePanes/Passwords.prefPane`.

A single shortcut can be used to accomplish this, using the OS check and an `if` condition.

Then add the shortcut to the home screen as an icon and it’ll also show up in Spotlight search.


I mean, thank you. Buttttttttt this is an asinine level of effort to achieve a workaround for a stock feature on the Apple platform. I'd just assume not use it before implementing this.



Rebuilding Spotlight index...


These are great tips for power users, I love it!

That said, this also proves that for non-power users: it needs an app and it needs integration with other browsers if it wants to be as easy to use (for most people) as the popular password managers.


Is this you arguing that it’s not buried?

Having to access something via a search incantation (or, alternatively, a ton of clicks) is not at all easily accessible. It’s buried alright.

Obviously you can find pretty much anything on macOS and iOS via search. That’s how it should be. But that doesn’t make things accessible or even just visible.


No results for “passw”


I write "keychain" usually, it appears after "key" already.


I've pinned Keychain Access in my tool bar. Finder, System settings, Keychain - right at the top.


> I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

Chrome used to be tied into Keychain but they went their own way a long time ago, which is a damn shame.


I believe Apple only lets you use certain APIs (like Keychain) if you distribute only through the App Store.

That policy has really killed a lot of functionality on macOS. I suspect it will cause friction on iOS when the EU forces them to allow alternative install sources.

Personally, it grates me when Apple cripples functionality this way to try to keep us stuck in their platform. Can't use Firefox with Keychain. You can only view your current Apple Card balance on an iOS device -- not even a macOS device. At the end of the day, I hate being manipulated so much that it actually pushes me away from the platform to see this scummy behavior.


I will always regret being just slightly too late to enjoy Apple's golden era. When, yes, using an iPod meant locking into iTunes, but at least you didn't have Tim Cook nagging his captured audience into signing up for Apple Music Subscription Plus - Now for Families!


> You can only view your current Apple Card balance on an iOS device -- not even a macOS device.

That sounds especially annoying. An iPad next to you can auto-config itself as the umpteenth monitor of a Mac, but macOS can't pull Apple Card balance from your nearby iPhone?


You can use a standard web browser and login: https://card.apple.com


Is there a reason Chrome, Edge, and Firefox aren't on the Mac app store? I know the yearly dev account costs can be an issue for small developers but Google, Microsoft, and Mozilla are already paying that as they release apps on the iOS App Store.


I assume it's annoying to jump through hoops and code review for every release.

Most macOS users don't use the app store. So directing folks there can be annoying for users, or even cause problems if they aren't signed into iCloud.

They'd likely end up with either an old version on the app store at all times, or with a massive, unpredictable day-or-week-long delay waiting for Apple's reviews before every release. Small wonder they don't bother.


If I had to guess, the review process would just be a hindrance to them for nearly no benefit (is there anything besides the keychain API that would entice them?).


I guess they want compatibility/password sharing between Chrome on Mac, Windows and Linux, which I can understand.


Apple makes an iCloud Passwords Chrome extension: https://chrome.google.com/webstore/detail/icloud-passwords/p...


Windows only! It doesn't work on Mac!

I honestly didn't know that was possible before that extension.


Chrome on mac should by default be able to work with the Apple password keychain


Meaning it ought to, but doesn't, right?


No, Google has not implemented support for Keychain in Chrome. AFAIK neither has Firefox.


They actually removed support for Keychain, Chrome on macOS used to support it in the past.


And this annoys me greatly. I want cookies, bookmarks, and passwords to be owned by the system. That way I can switch between browsers with ease, and that would also lower the bar for new browsers to come out.


I absolutely do not want this.


Agreed. This sounds like a nice user-friendly feature until you realize what a colossal privacy disaster this would be for any malicious app that the user grants these permissions to.

"DerpCo Derpolizer would like to access your stored cookies. This allows us to automatically log into your DerpCo account!" and then bam, they hoover up your login data in an instant and send it off as part of their telemetry.

Much better to have a system like (for example) sign in with Apple where you can easily click a button to have the system authenticate you, but no one gets access to anything without specifically asking for it.


I switch between systems more than I switch between browsers.


Maybe if you're only using devices from one type of brand. But what if you wanna access those things on a Mac and Google Pixel and an Amazon Kindle. Sure, might not be that much of a mix, but I imagine a decent amount of people have at least one device from a different brand.


Interestingly, Chrome on iOS offers me passwords from both the iOS Keychain and Chrome password stores.


Maybe this was it...IIRC the user must also have iCloud For Windows installed? It's been several months since I tried this setup. For my personal user experience it was unacceptable.


And it’s slow two star garbage.


The reviews are brutal.


Agree on most of this but Keychain Access IS a standalone app on the Mac so slightly confused about the comment about it being buried in System Settings. It's still a pain to go to the app and copy a password for non-Safari browsers though.


I just do cmd+space -> type "pass" -> Return -> fingerprint. That gets me to my iCloud Keychain. I used to use Keychain Access but like the UI of the Passwords tab of Settings more.


I use 1password. cmd + shift + space opens a spotlight-like dialog for 1password. First access requires a fingerprint.

It also works on Windows!


That app is not at all a password manager.

It’s a view and editor for all kinds of stored keys. I don’t think its target audience was ever intended to be some random macOS users. That’s just not the target group. It’s about power users that need to access or store all kinds of keys.


I ended up writing an AppleScript to open the Safari passwords dialog because I got sick of hunting for the proper dialog. If you save it as passwords.command and make it executable it'll open the window right up. But yeah, it's a kludge.

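  #!/usr/bin/osascript
  -- Bring Safari to the front so the keystroke below is delivered to it
  tell application "Safari"
    activate
  end tell
  -- UI scripting through System Events requires Accessibility permission
  tell application "System Events"
    -- Cmd+, opens Safari's preferences window
    keystroke "," using {command down}
    -- Click the "Passwords" tab in the preferences toolbar
    set pass_button to (button "Passwords" of toolbar 1 of window 1 of application process "Safari")
    click pass_button
  end tell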


4. New passwords overwrite old ones. Easy to accidentally lose passwords in slightly odd situations like logging into an account whose password you just reset.

But I like it overall. Even though I use multiple browsers, I don't mind treating Keychain as the master DB and occasionally copying passwords out of it. Part of this is because I use Safari exclusively for the extra important things like my bank.


I use chrome to manage passwords on all my devices, it works well except for apps. When I'm trying to get a password for an app in iOS, I just switch to chrome to get the password. Same if my password was from registering from an app and I'm in Chrome. Rinse and repeat and now my passwords are in both password managers.

As for TOTP, if I lose my phone I don't know what will happen.


Settings > Passwords > Password Options > AutoFill Passwords + Allow Filling From Chrome

Most apps can use passwords from Chrome just fine, and you can also quickly open the native passwords window when encountering a password field using the key icon.

For TOTP, use apps like Authy which can be installed and used from multiple devices.


Awesome - thanks for sharing!


> The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

I do: Cmd+space > "keychain" > Enter. Still not ideal but it's the fastest method I know. What do you mean, i.e. how do you access the GUI from the system settings? I tried finding keychain there but couldn't figure out where it is.


It's available as "Passwords" in the system settings. I think they added it recently to align it with iOS and iPadOS, where there is no mention of it being Keychain at all.


That's way nicer than what I've been using (i.e. Keychain Access). I'll likely switch to Passwords. Thanks!


2. Don't know what you are talking about, I use Brave and get my passwords filled in from Keychain. 3. Cmd-space keychain opens up Keychain.


Thank you for sharing that. I was not aware. I will try this tonight!


Sounds like vendor lockin is the aim here, not being fully cross-platform without any hassle.


There seems to be a Google Chrome extension called "iCloud Passwords" but it only has two stars, so I don't think you'll be positively surprised.

Also, on iPhone it's ok-ish but on Mac the experience is subpar too: Keychain, the app you use to view your passwords, feels like a 90s Visual Basic application. Plus you can't organize your accounts, and even if you prefix them to "sort by name", the special name you give is lost after using it.

On the other hand, I already have other Apple cloud stuff and kinda trust them, so I suffer through it. And other password managers aren't anything to write home about either to make me change :/


Note that macOS now has three “apps” to view your passwords, three different UIs for the same database. There’s Keychain Access, there’s the Passwords section of System Settings, and there’s the Passwords section of Safari preferences (which is the same UI as the pre-Ventura System Preferences app’s Passwords section).

The other two have even less organization functionality than Keychain Access, so this probably doesn’t help you, but the blog post was talking about the System Settings version so I wanted to point it out.


> Keychain, the app you use to view your passwords

Huh, I never realised Keychain showed iCloud Passwords. I always just use Safari (which is inconvenient in its own way admittedly).


+1 to subpar on Mac. iPhone is about the only surface where it's seamless/smooth. The rest leaves me constantly frustrated.


What's wrong with Keychain Access? It hasn't changed its appearance in more than a decade. That's a good thing for familiarity. Early Mac OS X apps have incredibly good design that doesn't waste space.


But it does waste a lot of space... there's a lot of duplication of keys (which are deduplicated in the iPhone app), and with other information (somehow I have hundreds of "com.apple.cloudd.deviceIdentifier.Production" in there). And I already mentioned organization fails. Plus it's kinda insecure as it enumerates your accounts exhaustively without asking for a password like iPhone/Safari (granted, not a problem specific to this app). And the interface to view the passwords is terrible. Old and familiar is not synonymous with "good".

However now that comex pointed me to the Password in the "System Settings" app, I at least can use it and it's fine if Keychain is left as is.


Guess which app is ripe for a Swift UI redesign soon!


You just run the Keychain Access app on a Mac.


"If you are 100% Mac then it's a good product."

I use 100% Mac except for gaming. However, I use other browsers as well, so the coupling to Safari is a deal breaker.


> If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.

This has been the Apple way since the 1980's


> I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

No, it's not. I alternate between Safari, Firefox, and Duck. If a password I use in Safari isn't stored in Firefox, I copy it from the Keychain program and paste it into Firefox. Firefox then asks to save it. No problem.

> The GUI is buried in System Settings.

It has its own program. /Applications/Utilities/Keychain Access


> I copy it from the Keychain program and paste it into Firefox

Woah that's the same way I used password managers 10 years ago. Even back then it was considered barbaric. I had no idea people still lived like that.


I never stated that it was good.

The previous commenter said passwords were "unavailable" outside of Safari. I merely demonstrated that his statement was false.


Your workflow is significantly worse than the experience I get with 1password.


It's not just a good product if you're 100% Apple, it's only a good product if you're 100% Apple and are willing to accept a great deal of friction if Apple's direction no longer suits you in the future. It's a version of what some people call "high time preference".

Personally, I was taught to care about the future.


They have an export-to-CSV feature. That takes a lot of the worry out of hypothetical futures.


Still adds a great deal of friction and makes it harder to, say, experiment with an Android phone or a Linux desktop for a month. Compare that to 1password which just works.


LastPass had a major incident recently iirc.


I moved to Bitwarden right after it, and I can't believe how much better it is in terms of UX \o/. I wish I had made the move years earlier.


Have there been any known incidents with Bitwarden?


OP is suggesting it's a terrible UI on iOS and Mac too, and one of their principal complaints is your #3.

So OP disagrees that it's even a good product if you are 100% Mac, but is suggesting the functionality is all there, it just needs an actually designed UI/UX.

And/But your #2 sounds pretty terrible to me too!

It does not sound like a good product at all.


I’m all in for personal web browsing. Safari is a great browser basically 99% of the time and having free synced passwords (and really any critical data!) between my desktop, phone and tablet, I get tremendous value.

For work, I use chrome and chrome password management because my company uses gmail.


> 1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.

Ditto. Why do I have to replace my Windows login password with a "PIN" code that's the same as the iCloud Keychain PIN !? That's super weird!


I use this Menubar short cut for Passwords, so it's only 2 clicks and fingerprint away.

https://www.icloud.com/shortcuts/22133925f3e34579b22951d6593...


> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

I just learned that this GUI exists. I have been using /System/Applications/Utilities/Keychain Access.app for years to deal with passwords.


Same. And now I'm trying to figure out if there's any advantage to using the UI in System Settings instead of the app I already know.


Me too. Now to try and figure out if I can create a Macro to launch this.


> > 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

On iOS you can ask Siri "show my passwords". Doesn't seem to work on MacOS though.


> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

Safari > Preferences > Passwords

Would love to have iCloud Keychain in other browsers, though.


On 3, at least: Apple assumes you'll use search on device. If so, it's: 1) Swipe down 2) Type "p" 3) tap autocomplete result in "settings" group.


But if you search on Mac using spotlight you need to type "keychain" smfh my head


Serious question but what do you use Windows for? I don't know a lot of people that use Windows anymore so just wondering is it a work requirement?


Went the other route, sold my iPad and went with a Surface instead...

The short of it: it's inelegant, there's bugs, the UI is half-assed and some aspects are straight hostile (default widgets etc.). But it's an actual generic computer. Most tasks you assume you could do with a computer, there will be a way to do it.

It might take some efforts to get to a decent setup, but the walled garden was also a PITA, so all in all, I felt my time is better invested in making windows a nice place than the endless fighting of Apple on iOS.

As a halo effect, I'm kinda thinking about moving to Windows on my main computer as well on the next refresh cycle...not fully decided, but that feels like a viable option.


It's still widely used for gaming


A limited GUI is also available within Safari on desktop. It is a tab under Preferences. It makes working in Chrome bearable.

Agree the UI is terrible in iOS.


I was about to say the same thing: Apple has a password manager? I’d consider Apple Passwords to be less than half a password manager.


Don’t use System Settings to find passwords, open Keychain Access instead, it’s much more direct for searching.


That's all by design. They want you 100% on Apple products to get the full experience.


The full experience for their shareholders you mean :P


It's not great, but the app you are looking for on macOS is Keychain Access


Apple has to tread lightly on not having too robust capabilities, especially for the non-Apple ecosystem, since it might be considered anti-competitive.

(e.g. Netscape vs Microsoft Internet Explorer)

EDIT: why the downvotes without a reply? If you don't agree, why not just respond why so that a healthy dialogue can occur.


As stated by another poster, Netscape vs MSFT was about coercing OEMs not to include competing browsers to be pre-installed on new systems. Apple could create and give away a cross platform password manager without much fear of ramifications, unless they exclude all other password managers.


You can make a shortcut that opens passwords.


Also, if your phone is stolen / lost and someone can guess your 6 digit passcode, then all your passwords are exposed.

That was biggest deal killer for me.


The main limitation of Apple's passwords implementation for me is lack of sharing. For accounts that my wife and I both need access to, we can have them in a shared location in bitwarden, but there's no comparable feature with Apple's. I'll probably even start paying for bitwarden so that I can share with more than one other person when my kids are old enough to need access to them


Yeah, this is a bugbear. FWIW my wife and I "share" keychain items by airdropping them to one another as required. It works, but nowhere near as nice as having a common record we can both maintain.


My wife and I do the same and it actually works better than sharing because my wife understands how to do it without me trying to teach her.


I'm using self hosted Vaultwarden (open source implementation of the backend) and the password sharing feature is very nice to have.


Am I the only person on Earth that needs sharing of passwords among my family? Any time folks bring up password solutions, they are always missing this requirement for me.

1Password is a life-saver in this regard. All my kids have their own vaults but for the little ones I have them use a shared vault between my wife and me so we have access to their passwords. I can also easily share passwords for services like Netflix so the kids don’t have to bug me.

It has been great for teaching kids about password hygiene (what makes for a good password) and management (don’t reuse passwords!).

And it being cross-platform is great for my older kids with gaming PCs.


Bitwarden lets you do this with an 'Organization'. Free to share things between two accounts, looks like $40/yr to share between up to 6 users.


Free if hosting Vaultwarden yourself.


But then your family rely on you for problems, so if anything happens to you, they potentially lose access to their passwords.

Self-hosting is great, for as long as you're around to provide support.


> Am I the only person on Earth that needs sharing of passwords among my family

No, and the article specifically discusses that use case and the fact that iCloud keychain doesn't support it.


A 1pass team w/ my wife was a huge level-up.


Same, anytime the family creates a new account that everyone else should have access to (utilities, streaming services, bank information, pass codes, etc) we just create it in the shared vault. It’s a game changer.


Yep, same here. Honestly can't imagine living without it. [Wrings hands as he thinks about 1password's venture funding]


Our company utilizes 1Password, which means all of our employees have family accounts. As you said, it is SUCH a huge game changer for my wife and me. Honestly don't know how / why I didn't pursue such a solution before hand. It was always 'let me send you a one time password' or 'I can export that key'. What a mess.

Shared vault FTW!


>Am I the only person on Earth that needs sharing of passwords among my family?

I needed to share my Netflix password back in the day. My random alphanumerical 32-character password with special characters drove my family up the wall though. But in general, passwords are for personal use only.


I've been using bitwarden for that, the vaultwarden server is selfhosted which is what I do, or you can buy their fairly cheap premium version.


Same. Bitwarden (with self-hosted vaultwarden) so far seems to be a great solution. I had been using `pass` for many years, but the lack of sharing functionality is what finally got me looking at other options.


That’s interesting. I don’t share any passwords with family and have taught my kids to share passwords with no one (written in a sealed envelope as backup).

I don’t like shared passwords although if I really had to, I would just enter it once and let iCloud save it to their account. Stinks if I have to change the password, but I almost never change passwords.


I definitely appreciate the 'security forward' approach... but what about end of life planning or general 'dad's in a coma and XYZ needs to happen'?

1Password with a 'parents vault' that my wife and I share has been a life changer for coordinating family access to important accounts AND ensuring solid passwords are being used.


I have a piece of paper with my passwords sealed in an envelope stored in a safe place. A few trusted individuals know where that is.

This is much more reliable and durable than having 1Password still be around when I need it.


I don’t share passwords with family, they all know good password hygiene though and use generated passwords for all their services. For end-of-life scenario apple does have digital legacy https://digital-legacy.apple.com/


Speaking as someone who has lost six family members and managed four of those estates since 2019, these digital legacy features are generally incomplete or developed with little view toward reality. Edit: they’re often also not set up by the user or if they are, they’re not reliably updated.

Apple’s implementation, for example, starts a timer that will eventually nuke the account, and it doesn’t provide access to end-to-end encrypted data. That data specifically includes iCloud Keychain, which many people use to store their credentials.

I understand the privacy reasons for that, but when we die we are leaving behind increasingly large or complicated estates of accounts, services, apps, and devices with various and sometimes unpredictable safeguards. Having a loved one’s actual credentials has been invaluable every time I’ve managed an estate.

I absolutely understand what you’re saying and I don’t necessarily disagree with it. But break glass access to credentials has proven important in my experience. Especially where continuity of that access is relied upon by others.


What about Netflix or Hulu ?


My iCloud is set up for end of life (Legacy I think they call it?). The recipients would then get iCloud passwords and my 1Password vault.


Coma is not "end of life". So your family must either euthanise you or wait for you to wake up to access the passwords?


I mean if you want family to have access to your accounts when you’re in a coma then you need to set up power of attorney beforehand. Or they can get a conservatorship.

My password file is not really a big concern if I’m in a coma as they’ll need other legal powers my passwords can’t help with. Even with passwords, they aren’t legally allowed to spend funds without power of attorney. And if they have power of attorney they can get passwords.


I agree that is one of the big issues with keychain. You can share keychain items with people but it is awkward.


Are you referring to Airdrop password and passkey sharing?[1] That’s the only way I can find other than manual copy/paste.

Also, I very much doubt if I later change the password I shared via Airdrop that it will update on the other person’s device… which is half the point.

[1]: https://support.apple.com/guide/iphone/share-passkeys-passwo...


Yeah, that’s how I share with my wife. I don’t anticipate that it would stay in sync if I updated it, but I can’t say that I’ve tried. Do you regularly rotate passwords?


No, but it does happen that passwords get updated, and the beauty of 1P is that you just save it, and then whoever has it gets the updated one. I share passwords with as many as 4 people, so it’s practically impossible to keep everybody in sync manually.


> Am I the only person on Earth that needs sharing of passwords among my family?

No, and it's equally bizarre to me that I can't share selected Contacts with my Family account. It would make keeping track of, say, the details of my kids' friends' parents.


Not at all. Bring on the shared family iCloud Note. lol


You can share folders in Notes


Yes, I think the joke is that they don’t make a very secure “vault” for sharing passwords.


1Password with son, wife, father and mother... life saver.


> And it all syncs across your devices, for free?!

Really? My Linux devices? Android? Windows? I don't think so.

I recommend considering one of the most important features of a password manager is that it doesn't force you to use a single manufacturer's products forever. Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future. 1Password, Bitwarden, and others allow me to switch PC manufacturer, phone manufacturer, browser, and so on.

I can't tell you how many people used to think "Internet Explorer is popular, it'll always be the one and only browser". That did not end well.


This. Wouldn’t matter if they had the best UX, and I have both an iPhone and a MacBook. First, I want to be able to use my Linux and Windows machines like they are first class citizens. But more importantly, if I lose my devices I don’t want to be locked out.

Apple is, to this day, largely unable to recognize that there is a world outside their beautiful dystopian garden. I’m sure they’re drooling about making the MacBooks run iOS so you can’t use any software that hasn’t been scanned and approved. When that day comes, I’m out for good.


This is as good a comment as any to hang my off-topic thoughts on...

I use Chrome's built-in password manager. I always set up website security questions with gibberish answers. I wish Chrome would give me a field to store those answers. Or, better yet, treat them like password fields and autofill them.


> Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future.

Changing my mind is easy enough: I can export my iCloud passwords to a csv file, and I've done this to transfer a bunch of passwords to Firefox Linux desktop.

I'll tell you something though: If Bitwarden leaked passwords nothing would happen because America has very weak consumer protections, but if Google or Apple leaked passwords, they'd be hit in every EU member state for GDPR.

Some of these things are outside of my control, and using a password manager is too useful that I think it's worth a little risk, but I can't justify trusting any company unless they've got some skin in the game, and Bitwarden specifically wants to disclaim all liabilities? AgileBits thankfully is in Canada and you can at least sue them for what you've paid them in six months, but I personally have passwords more important than that. Surely there's someone else you could recommend?


LastPass' entire business model was about protecting passwords, and passwords still got leaked. Most people want security, not "ability to sue" which is not at all the same thing.


I don't want something just because "most people" want that thing.

And I disagree: I think everyone who has been harmed by another wants the ability to have their story heard by a judge and jury and be cured by the law. Maybe they would prefer to not be hurt in the first place, but as you point out with LastPass, they may not have that option.

What we can choose is the jurisdiction in which we trade, and I would recommend people spend less time navel-gazing and more time thinking about what they can be doing to make things better for themselves.


Self-host vaultwarden at the cloud provider of your choice?


What is the point of this? Isn't it easier/simpler/better to just sync a file with the passwords rather than keep a server running?


How do you propose to sync a file without a server? What do you do about conflicts? Sure you can do this, but IMO the experience sucks in comparison.


I use a syncthing. I'm not yet sure how it handles conflicts, but I think it'll ask me?

Even if one needed a server for syncing files, should each application that needs synching require its own server?


Should they is arguable.

But I think in this case it's pretty much required for good UX with the way file syncing works on mobile and in the browser, especially dealing with conflicts. I've done it both ways and there is a lot less friction with vaultwarden than my old 'synced KeePass file' approach.

It was just a suggestion, there are other ways to skin the cat.


I follow Ricky Mondello, who works on the Apple password keeper functionality — they post interesting tidbits pretty regularly.

https://twitter.com/rmondello

https://hachyderm.io/@rmondello


+1 Ricky is the best. They also made a very useful Shortcut [1] that offers quick access to the Passwords on your Home Screen or Mac menubar.

[1]: https://rmondello.com/passwords-shortcut/


Clicking this link throws a bunch of warnings in my browser, and my university internet blocks me from seeing the actual website :(



Thanks for that! My work machine blocks this too ironically, which is weird since Ricky is my friend and I know they are trustworthy. I’ll let them know.


I met Ricky at a WWDC years ago when I was in the password manager field. What a wonderfully intelligent person. Actually, several members of the Safari team were present at that meeting and it was such a great set of people. I kind of miss that part of that job...


That iOS supports multiple password sources from other apps already largely solves the case of using a cross-platform app to provide or store passwords.


I have been using the Apple manager since LastPass got hacked recently.

Hot take, but … I like the lack of integration in other operating systems/browsers.

I see my phone as a Secure Enclave, and my passwords should be disconnected from potentially insecure systems. I see the phone as those keychain one time passwords where you have to press a physical button to get a key.

Is it inconvenient to get a password, yes. But it offers the peace of mind that I only have to worry about iPhone/Apple exploits, instead of chrome+firefox+windows+Linux+Apple+iphone.

I don’t think in this case Apple is not doing the integration because of this security feature, but I think it is a feature nonetheless. Of course you can always choose not to install the extensions even if they existed, but the point is that if they existed it would lower security.


This was precisely what drove me off Apple password manager. If your iPhone were compromised, such as in those iPhone unlocking scams[1] (something quite common here in Brazil at least since 2021), it's game over for your entire password database.

I've been using KeePass apps (MacPass on macOS, KeePassium on iOS), with a different, unique master password, unlogged by default on iPhone, plus DB locks automatically after 10 minutes of inactivity.

Maybe I'm way off, but it seems safer to me.

[1] https://www.wsj.com/articles/apple-iphone-security-theft-pas...


Absolutely. Given these reports, Apple's security model isn't close to being sophisticated enough to warrant trusting them with passwords or (even more critically, arguably) WebAuthN passkeys.

I recently saw it with my own eyes as a family member was able to reset their iCloud password and gain full access to their account on a new device, including iCloud Keychain, using nothing but their iPad and the corresponding unlocking code. No iCloud password, no SMS-2FA (not that it would help much in the case of a stolen iPhone), nothing else.


Incidentally this is the method my 6 year old nephew used to reset his mom’s Apple ID password so he could make in-app purchases. He figured it out on his own and then spent $3000 in a couple days. His mom had been very careful with her password but when he wanted a code on his iPad she thought it was harmless—she certainly never expected that he could get all the way to changing her password with nothing more than the lock code! Took her months to sort it out.


Can you explain how this hack would work ?

Would someone need to steal two of your devices ?

I was under the assumption that you need to be logged in with touchid/faceid/pin code to get the unlock code


The attack in this case would be somebody shoulder-surfing your PIN and grabbing your device.

They then have everything they need to take over your iCloud account (kicking you out of it in the process by resetting all other devices capable of resetting it) and can see all your passwords stored in it, as well as use all of your WebAuthN passkeys.

I'm not sure if having a recovery code would improve that situation, but I'd guess that many people don't.


Ah ok, yes the shoulder surfing is definitely a problem.

Hard to mitigate somebody looking over your shoulder, this is the case with most password managers, but I understand why this is a more likely scenario.


In a semi-safe situation (e.g. on busy public transit or in a crowded place with people behind me), I do sometimes unlock my password manager using Face ID to access a website, but I'd never enter my passphrase if the biometric unlock fails.

If somebody watches me enter my passcode and then rips the device out of my hands and runs off with it (assuming the password manager is not open), they now have access to most of the content on my phone, but importantly not the parts protected by Face ID, which includes the password manager.

If I had used Apple's password manager instead, they'd be able to recover all passwords (using the tactics described above or simply enrolling their own face in Face ID, which is possible using only the passcode).


I have an iPhone and while I understand that Face ID probably has fewer false positives than fingerprint recognition, I really miss the physical rear sensor on my Pixel 2. I don't know what the collision rate is, or how easy it would be to break if someone stole the phone, but it was a really great user experience: haptic feedback is good, it was/is incredibly reliable at unlocking and it was useful because you could pass your phone to a partner/passenger in a car and unlock without looking (i.e. no more unsafe than changing the cabin temp) and no need to share your pin if with a stranger. I think the only time it failed was after climbing with chalky fingers.


If you reset/create an alternate appearance for faceid does that force a manual login for the services that use it? Because your device passcode lets you change all the faceid stuff… too lazy to mess around with it myself


Apps can choose [1] to tie keys to the current set of enrolled biometric credentials (i.e. faces or fingers), and at least my password manager does that, as far as I remember from some testing.

Some apps don't, and some even react really poorly to a change of the biometric set (i.e. crashing at every Face ID use with no way to reset other than reinstalling), so I'm also not too keen on testing this on my main device.

One thing that surprised me during my limited testing was that Apple apparently doesn't make use of this capability for storing the "encrypted notes" passphrase, which effectively also reduces the security of that to that of the device passcode.

[1] https://developer.apple.com/documentation/security/secaccess...
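
Added example, not part of any comment in this thread and not code from Apple or any password manager: a Swift sketch of the capability described in the comment above, storing a vault key in the keychain bound to the currently enrolled biometrics and handling the case where that set has changed. The service and account names, the `VaultKeyError` type and the `deriveKeyFromPassphrase` callback are hypothetical.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for this example.
let vaultService = "com.example.vault"
let vaultAccount = "vault-key"

enum VaultKeyError: Error {
    case accessControl(String)
    case keychain(OSStatus)
    case invalidated   // item missing: never stored, or biometric enrollment changed
    case cancelled
}

/// Stores the key so that only the *currently enrolled* faces or fingers can release it.
/// `.biometryCurrentSet` has no passcode fallback; `.userPresence` would accept the
/// device passcode instead, which is the weaker binding the thread is worried about.
func storeVaultKey(_ key: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never synced or restored elsewhere
        .biometryCurrentSet,
        &cfError
    ) else {
        let message = cfError.map { String(describing: $0.takeRetainedValue()) } ?? "unknown"
        throw VaultKeyError.accessControl(message)
    }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: vaultAccount,
    ]
    // Remove any older copy first; deleting does not require authentication.
    SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecValueData as String] = key
    add[kSecAttrAccessControl as String] = access
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw VaultKeyError.keychain(status) }
}

/// Reads the key back; the system shows the Face ID / Touch ID prompt.
func loadVaultKey(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: vaultAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else { throw VaultKeyError.keychain(status) }
        return data
    case errSecItemNotFound:
        // The item is invalidated when faces or fingers are added or re-enrolled.
        // This example treats a missing item as that case.
        throw VaultKeyError.invalidated
    case errSecUserCanceled:
        throw VaultKeyError.cancelled
    default:
        throw VaultKeyError.keychain(status)
    }
}

/// Unlock flow that degrades to the master passphrase instead of crashing
/// when the biometric set has changed, then re-binds the key to the new set.
func unlockVault(deriveKeyFromPassphrase: () throws -> Data) throws -> Data {
    do {
        return try loadVaultKey(reason: "Unlock your vault")
    } catch VaultKeyError.invalidated {
        let key = try deriveKeyFromPassphrase()
        try storeVaultKey(key)
        return key
    }
}
```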


I saw advice here a while back about using Screen Time to block PIN and Account updates. This gives you a separate PIN to protect those, so theoretically if someone shoulder surfs your phone PIN they can’t take over your iCloud account.


I use this trick. It's an added layer of security, although a weak one — Screen Time PIN is four digit-mandatory — and a workaround — as in: not made for security purposes.


Thing is, even within these constraints it has rough edges.

If you have two accounts (let's say a personal one and work/family/org one), getting passwords for the second account will just be a PITA.

Same issue of course if you need someone else's password (e.g. your spouse's hotel reservation account's password)

Trying to work this around means you'll either be asking people's passwords over the phone or other means, or you'll often switch between accounts and will want lower security on the accounts themselves as the identification process gets old very quickly. Basically, these limitations are not without impact on security and how people will deal with them.


don't lose or break your phone....


I have my old iPhone with no sim that I mostly take to the gym to protect the new one.


How do you access your passwords on your new iPhone from your old iPhone?

Oh, they're stored online? There goes your entire "secure enclave" argument ;-)


>I have my old iPhone with no sim that I mostly take to the gym to protect the new one.

What is the other one doing in the gym, unprotected?


One at home, one with me for Spotify in my pocket.


iCloud solves that.


Unless Apple ever starts following Google's lead to ban accounts for any infraction and you don't store backups...

Not saying Apple is doing that now, but I imagine it's not outside the realm of possibility.


We can use the same argument for any other cloud password manager. If google/Apple blocks my access, well it’s those services I am trying to log into in the first place so the point is moot.

Also I have recovery keys for the more important accounts printed and stored in a safe box.


I agree, perhaps I should have emphasized that my point of view is that anyone should back up anything stored on the cloud.

Which I'm glad to know you can at least do with Keychain [1], although I use Bitwarden myself.

[1] https://support.apple.com/guide/keychain-access/import-and-e...


Except password managers where YOU need to take care of your vault, like KeePassXC.


I used KeePass before LastPass, but the issue was with keeping the file synced. I had it in Dropbox and I was able to open it no problem from the phone, but making updates from phone was a challenge. Maybe I was not using a good app but it was a hassle to keep it synchronized.

But anyway, somebody could cut off your access to Dropbox, but it’s less of an issue since you have a backup.


I simply don’t sync my vault. I don’t add or change passwords very often, so I treat the vault in my computer as a “main copy” and once a week, during my backup routine, I copy the current vault to my phone. Never had an issue.


Not really, you need another device to share icloud keychain


Nope. Buy a new iPhone, sign in, it’s all back.

It’s useful even in non-multi-device scenarios.


So, it is not encrypted? nice


My best guess is that Apple won't do it because their plan is to phase out passwords entirely. That's what that whole FIDO Alliance (https://fidoalliance.org) is all about.

And 1Password is part of that too: https://blog.1password.com/1password-is-joining-the-fido-all...

I think that ultimately a password tool needs to be available on multiple platforms, like 1Password. Having it just be on Apple stuff just isn't gonna work for the many Windows and Linux machines I begrudgingly have to interact with.


1Password knows that it will take centuries for passwords to disappear even if a password-less future is already here.


1Password has embraced it: https://blog.1password.com/passkeys-are-coming-to-1password/

While I'm not sure how they've integrated it so far, I imagine browsers will either implement a plugin API for extensions to handle passkeys, or 1p can override the webauthn api and fallback to the browser when a website is authenticating.


Passwordless future definitely wasn't here just 1-2 years ago. The management of WebAuthn Discoverable Credentials / Resident Keys was so fucking awful on every platform I tested them on.

You want to clear your Resident Key for a website on Windows? Command-line.


I really like Apple's implementation of passwords, passkeys, etc. But...I had a hard time explaining this to my mom.

She uses it to generate her passwords and fill-in within Safari which is great!

But there's no "Passwords" app, and she didn't know to go into Settings to reference a password when Safari doesn't recognize a password field (probably the website's fault).

2FA is also a confusing experience, but 2FA is also just confusing enough for her where Apple isn't really the problem here.


Someone linked this on the top

https://rmondello.com/passwords-shortcut/

You should be able to add this to the home screen like an app. Should make it a bit easier to open passwords.


> But there's no "Passwords" app

It's called Keychain Access.


The problem is Keychain Access doesn't pass the "mom test" (would your average consumer - e.g. your mom - actually use it)


Keychain Access doesn't pass the "me" test and I have a PhD in CS.


Since I use it quite a bit for secure notes, I've got it pinned in my toolbar. From the top down I've got Finder, System settings, Keychain Access, HomeKit, Launchpad, Safari... and then other things.

The thing is, it's the 3rd one down.


No password manager passes that as far as I'm concerned.


They don't even know why it's called that


Because you can store non-passwords in there too.

Secure notes, your own signing certificates, keys, root CAs, and specific self signed certs you've accepted for SSL.


Still, none of that means anything to the average user. Searching for "passwords" in Spotlight should also take you to your passwords


Make an alias to Keychain Access. Name it "Passwords" and have that in a directory that is indexed by Spotlight (the Utilities directory under Applications where Keychain Access is found works fine).

This will then show up in the launchpad. https://i.imgur.com/IRPOMC5.png

Searching for 'pass' in Spotlight does bring up Keychain access - as that's in the apps list of Keywords... however the list of apps is way down on the scrolling https://i.imgur.com/KFUC0G0.png - it found 'password' as a string in 100 python files that I had to scroll through first.


> Make an alias to Keychain access.

Sorry, but that also doesn't mean anything to the average user. If anything it's made it more complicated for them—they will remember to type in "key" before they learn how to make an alias

That I don't have an issue with the word "keychain" doesn't mean it's not bad UX for the average Mac OS user


Specifically, what functionality would you like?

If you do control-space (to bring up spotlight) and type in password, what do you want it to do and what is missing?


If I type in "password" I get a bunch of results that aren't what I need

My wife asks me weekly "honey, what's that word I gotta type to see my passwords again?"


Are you talking about that utility that looks straight out of Windows 98? Surely it could use some love in 2023. I don’t think I’ve ever seen it updated, it’s not an acceptable UI for consumers.


Isn't Keychain Access MacOS only? It's not available on iPhone.


iOS does not have "Keychain Access" as a named setting or app.

MacOS has both Keychain Access as a standalone app, and Passwords as a section in your settings. The latter is dedicated to purely passwords that you, as the user, make. Keychain Access also contains passwords for Wi-Fi and other systems.


If Apple password manager is anywhere as well thought out as their 2FA for Apple TV then I don't want to come next to it within 10 light years.

Every time it asked me to either "confirm on your iPad" (I have 3 of those around the house) or "confirm on your iPhone" (I have 0 of those) I was ready to hurl shit. SMS option buried in some dark pattern, of course.

If these companies want to encroach in the secrets management space they really need to hire more qa and test more than a single happy path. The number of failure modes in these systems is astonishing for the billions of dollars these companies can throw at the problem.


I think there’s a setting for that in setup. Is your problem that Apple thinks you have an iPhone or that you have to interact with the tv on a second device?

As with all things apple when you buy in you get the best experience. That feature on AppleTV works really well with an Apple Watch.


Which really sucks and puts you off from getting more Apple devices if you're a person who slowly buys into the ecosystem rather than go all-in without testing things.

Personally, I was a fan of Apple laptops between something like 2010 - 2015, but after that I just couldn't deal with it anymore, as I had an Android phone and nothing else Apple.

Fast forward to 2019, Apple finally releases a phone that fits in my tiny hands, so I get an iPhone 12 Mini, thinking that the CarPlay experience will be loads better than Android Auto on a measly Moto G.

But holy smokes if I wasn't wrong, CarPlay is a UX disaster and I can't wait for the iPhone to break somehow or get too slow because of OS upgrades, so I can justify buying a new phone again.

Just the simple fact that a phone call covers the entire screen (which I use for GPS) seems like such a simple use case that they somehow missed, that I just wanna bin the entire system and I'll never buy Apple hardware for daily use again.

I still have to use Apple laptops for software I release, but every time, I'm reminded how great the UX used to be, but how far they have fallen. Really sad to see. Windows is no better either, each version gets worse and worse...


I suggest you move to Ross 248, which is a mere 10.3 light-years away. However, 32000 years from now it will be the closest star to our sun at 3.024 light-years so keep that in mind!


Even if macOS and iOS are my primary work (and personal) platforms these days, I still like a solution that works great on Windows, Linux, and Android as well.

I'm pretty happy with 1Password - it does all of the things mentioned in this article with more platform support


I considered 1Password when shopping around for a new password manager, but the pricing of the subscription and the fact that it was an Electron app killed it for me.

Currently test-driving a smaller alternative with a one-time payment.


My passwords are split between iCloud on my Apple stuff and 1Password doing cross-platform duty.

I've been paying for 1Password for a while, but boy that electron app they rolled out with v8 is a clunker… will probably keep paying so long as 1Password 7 works but after that I'm gonna have to figure something else out.


I find 1Password to be sort of a pain when signing up for new accounts on my iPhone – the generate secure password & autofill doesn't always work for me – on the web it's great though


Exactly, this is why many of the Apple services are useless unless you are 110% in their ecosystem. At least Apple Music is the one app they somehow made available on Android and Windows.


There's a feature on the AirPods that allows you to enroll them in your iCloud account enabling Find My.

All you need to do is connect the AirPods to an iCloud-enrolled Apple device, and it will automatically connect to that iCloud account.

Oh, but it's not any iCloud-enrolled device, it must be an iOS device. Connecting them to my MacBook didn't do anything.

I went into the Apple Store to ask for a solution to that problem. They legitimately asked me why I'm buying AirPods if I don't have an iPhone -- they're called Air Pods after all... Anyway, their proposed solution was for me to buy a refurbished iPad for $450 to connect the AirPods to my iCloud.


Apple Music started its life as Beats IIRC, so a good cross-plat UX was part of the acquisition. See also Shazam.


What the actual flying fuck, the apple password thing supports TOTP! That's great! (And a sad testament to how poorly the discoverability is on some ios features)


Not just that, they will detect QR code images to work around sites which assume that TOTP is only available by scanning your desktop screen from your phone.


Step Two[1] also does this, which is one of the reasons I've been using it for TOTP for the past few years. Nice to see that the built-in TOTP support can do that now too.

[1]: https://steptwo.app


Can you provide an example website that uses this technology? Not sure I've ever encountered one.


Uh, basically all of them? They all show a QR code and never show you the secret which you could copy in to your password manager.


Isn't it considered not great to do TOTP and password storage in the same place?


I get the impression Apple doesn't want a dedicated app for passwords because they don't want people to think about passwords.

It shouldn't be something people manage, hassle, or worry over. They likely want people to just be able to open their phones and have it uniquely identify them seamlessly across a variety of sites.

Unfortunately, they're not quite there yet.


> I get the impression Apple doesn't want a dedicated app for passwords because they don't want people to think about passwords.

I think you're right. Ventura's Passwords Settings shows that they're in transition away from the archaic Keychain app to something. My guess is that they're skating to where the puck will be in 2025 when Passkeys are universally supported, and for most use cases auth will be automatic.


Good point, the end goal is probably some sort of biometric MFA solution.


Internally, Apple used to have a pretty big 1Password contract - https://appleinsider.com/articles/18/07/10/apple-looking-to-...

Maybe they don’t want to promote their own too heavily, to allow 1Password to take on the organizational risk of running a password manager? (For context, think about your current view of lastpass vs how you felt about it a year before their leak). Maybe the internal password management functionality is better suited to orgs which restrict third party apps?


1password has features that are useful in a large corporation that keychain does not have, particularly around sharing passwords and password vaults.

I haven't noticed even minimal credential sharing facilities in keychain.


WRT credential sharing, you can airdrop credentials to people on your contacts list.

But multiple vaults and vault sharing - no such luck. I don't think they want to deal with the UX confusion of it, especially since that confusion could lead to someone getting locked out of things.


I'd never use a password manager built by Apple for the same reason I don't use Chrome's password manager or Firefox's password manager. All these passwords managers have strong incentives for "working best on <platform>™". I want a password manager independent from any platform like Bitwarden or 1Password, because it's actually valuable for THEM to target all the platforms they can.


I don't understand. Chrome and Firefox don't have platforms. Which means they run pretty much everywhere they're allowed to.

Apple is the only one of those three that restricts their software to hardware that only they sell. So in that case I do understand your position.


A browser is a platform. I have no easy way to use passwords saved in Chrome in Safari for example.

It matters to me because I use Firefox and Chrome on my work desktop, Safari and Firefox on my personal desktop, and Safari on my phone. And I want the ability to switch browser easily.

Same goes for Apple passwords, I still use Windows for some games, and I want to access my passwords easily.


> they run pretty much everywhere they're allowed to.

Yep, they’re allowed to run on Chrome, that’s Google’s platform.

Good luck using your Chrome/Google passwords outside Chrome/Google apps.

Firefox at least does (or used to) offer a Lockbox app to use the password on your phone.


The problem is that the integrated managers really do work best on platform, i.e. alternatives aren’t nearly as well-integrated.

So here I am using Safari on my computer and phone.


Tangentially related, something that has slightly inconvenienced me a few times: Can someone point me to a setting to get Siri to show me my passwords again, on iOS 16?

Before, I could ask on an unlocked phone to “show me my password for GitHub” and Siri would open the settings app with the password list and show the GH credentials. Now (since iOS 16?) Siri just refuses to do any request that contains ‘password’.


You mean Shortcuts? You can have it open this URL:

prefs:root=PASSWORDS

You'll want to set up Siri separately as part of it, but you can definitely do that with Shortcuts.


Interesting, thanks!

What I described didn’t need a shortcut before. It was a vanilla iOS feature. I assume it went away for privacy reasons with one of the OS updates. And hoped there’d be a setting to get it back.


Tangential but I hate that Mozilla abandoned their password manager app that uses the sync service they still maintain, instead of adding a TOTP/OATH feature and giving people a better and more open option than Duo and skeezy password managers.


Fully in agreement here, getting people used to Apple Passwords can be a task purely because it's stuffed into settings.

Would like to see them in the process of transitioning it away from settings, also include the ability to change the name of the entries. Multiple URLs per login would be great too (or even a linking of separate entries). Think these are the biggest things keeping many general users still relying on the likes of 1Password/Bitwarden, which is where I disagree with the writer here, I think third party password tools should be replaced by sane defaults as soon as possible outside of niche cases.


Apple needs to fix iCloud (or anything where a sync/etc is required) to something that’s at least reliable and transparent from the 2023 standards! Period. As of now it’s so poor if not downright broken.

Because without that everything on the software side by Apple will just remain glorified things that the fans keep bleating about - “just works”, “is perfect”, “just what I need”.

For heaven’s sake Apple does a shoddy job of syncing et cetera and obscures it from the user in the guise of usability and that “Apple knows what users need to do”, not what they want.


I recommend https://strongboxsafe.com/ as a better open source alternative

Works with touchID on my MacBook, uses KeePass so it's easy to migrate if needed, and the killer feature for me was being able to sync it to iCloud so you can use it across devices. Even better if you enable E2E encryption on your iCloud https://support.apple.com/en-au/HT212520


It's a good piece of software for what it is, but the tool is .kdbx based and like all such solutions tends to handle shared secrets rather poorly. It also handles adding new secrets for new accounts less elegantly than Apple's own built-in password manager which has a nice flow for adding anonymous forwarding email addresses and contact details for new accounts so long as you commit to the cult of iCloud.

Still if you need a multi-platform password manager that performs well on Apple devices there's nothing I can recommend since you can just use .kdbx tools on other platforms and strongbox itself has highly reliable multi-cloud sync, extremely fast input of secrets, a better security model than keychain itself has, and even has MacOS Chrome support (albeit hacky support) if you feel like trusting the plugin. It makes Bitwarden and other Keepass clients feel clunky in comparison.


I think a few problems imho:

1) they don’t do cross platform software well so they would never make a windows app, chrome extension, android integration etc. It’s either all or nothing which I would never buy into (even as an iPhone and mbp user)

2) there are actually a ton of use cases here that make the software actually very complex and high stakes. I’d wager the pros don’t outweigh the cons. Also apple isn’t known for complex software with niche use cases. Honestly their current safari/iphone password manager is trash

They do a few things well and rely on lock-in and ecosystem


I think icloud is pretty decent as a solution, but one thing I think is kind of worrying is that it unlocks with the same "key" as your phone.

So if someone sees your PIN code, they can not only unlock your phone, they can get all of your passwords and change those passwords very quickly.

I enjoy 1Password being separate in that regard, and I would really like it if the iOS keychain would let you set a separate password in that respect.


The password managers ("Passwords" and "Keychain Access") seem deliberately limited. A few issues that I noticed:

The discrepancy between the "Passwords" and "Keychain Access" app. Passwords manages 2FA codes whereas Keychain doesn't. Keychain allows you to add another URL for a password whereas Passwords doesn't. The latter issue often leads to headaches dealing with passwords when the URL of the login page is not the same as the URL for the second part of the 2FA.

An example that became unnecessarily frustrating. Heroku makes you log in to dashboard.heroku.com but the 2FA code needs to be filled in at a salesforce URL. Since I can't add this salesforce URL to the existing password (+ 2FA code) I have to manually copy the code. The shortest routine I found for that is:

1. CMD+Space. 2. Enter "passw". 3. Click on the search bar. 4. Enter "Heroku". 5. Click on the password. 6. Go back to the web page to enter the displayed code.

Simply having the option to add another URL (which was possible in Keychain Access) would solve this entire issue...


>(And it all syncs across your devices, for free?!)

IMO the worst part about apple keychain is they can't be used with Chrome (the most common browser for mac!)


I too find this frustrating, but I’m curious about the claim that Chrome is the most common browser on Mac. I sometimes see this claim, but I struggle to find any data to back it up.

The US government web analytics (https://analytics.usa.gov/data/), which seems like a reasonable source for general usage in the US, show Safari substantially ahead of Chrome on Mac.

Have you seen any sources that show Chrome ahead of Safari on Mac for a general audience?


I believe this is as much on the Chrome side as it is on the Apple side: https://bugs.chromium.org/p/chromium/issues/detail?id=312105

Chrome could access those natively on Mac, or use the keychain as the native backing store, from what I can tell.


You can, Apple has an extension for iCloud Keychain.

https://chrome.google.com/webstore/detail/icloud-passwords/p...


> iCloud Passwords is a Chrome extension for Windows users…


Windows only


I might argue instead that simply having Passwords as another item inside Settings is appropriate for what functionality it exposes.

It's a feature, not a product, doesn't do everything that Keychain Access does in macOS, and doesn't need (or deserve) to be in your face all the time.

Do keyboards/wallpaper/voip apps/whatever really need to have their own app icon on your homescreen? Probably not, but Apple's conditioned us over the course of 15 years that all apps have icons you can see - a view at odds with things like Fantastical and SwitchGlass, which are really "apps that run in your menubar" and can be used without a Dock icon at all.

iOS doesn't have the concept of "Utilities" within "/Applications" like macOS does, but maybe it needs to in order to address this class of app which has such a specific focus.

After 15 years, are we at a point where some of the early affordances aren't necessary anymore?


Do you really need to go back to your car, open your trunk, get the wallet just to show your ID?

Passwords are my ID, sometimes I have to enter them onto another computer or app or just share them with someone; I shouldn’t need to hunt my ID in the trunk of my car.

Keychain Access did this right decades ago, so there’s some logic behind it. The issue is that the app is not built for this decade and its UI is lacking.


I wish you could add a second password or different passcode on top of iCloud Keychain / apple passwords.

I get nervous at how easy it is to compromise all passwords:

1. Give someone your phone passcode, they can change apple account password. P0wned

2. Have iCloud Keychain on laptop… other user account resets password on account. (Or use it on work computer without realizing)

3.


Turn on screentime and prevent account changes with a 2nd PIN

Might also limit password changes but unsure.


I'm all for this, a better cross-platform Keychain app would be awesome.

To get my Credit Card details, I need to go Settings > Safari > AutoFill > Saved Credit Cards.

To get 2FA / Password details, I need to go Settings > Passwords.

In a lot of cases, they auto-fill without issue. But to manage these is a bit of a flimsy process.


I really want to use Keychain for all of my password management. But nothing works.

Like I'm in serious need of a highly secure cross browser/cross platform password solution.

On my phone, everything is fine. But I use Chrome on MacOS and my Windows desktop. Chrome used to use Keychain on MacOS, but some years back Google changed the product to tie into their own user accounts. I refuse to sign into a browser itself just to use the web.

The iCloud password extension for Windows (chrome/edge) absolutely DOES NOT WORK. I have tried getting it to work for the better part of a year. Finally gave up and removed the useless thing.

I probably dumbly still trust Apple's security policies and would prefer to use Keychain as my fits-all-sizes security tool, but the combo of product incompatibilities and non-working Apple authored software makes it impossible.


You should see the horror that is changing your country and phone number. I spent weeks hunting around the phone to stop weird things from happening. You would think Apple were smart enough to say “it looks like you’ve changed details. Can I update the plethora of places I use your number?”


One problem with that is if a person has a non-Apple product, Apple won't build the app cross-platform, so they are even further locked into Apple hardware then.

Might not affect that many people. But it would surely limit choice for those who don't even know about the lock-in later in their lives.


Any attempted lock-in is guaranteed to attract attention of EU regulators.

This is what Apple probably wants to avoid. They won't be allowed to play a "Safari" this time (i.e. all password managers are allowed, as long as they are a frontend to our own password manager).

Also, having the password manager as a separate app, it is likely they will be asked to provide a standalone password migration API for third party password managers. This would make switching to another ecosystem trivial for moms & pops, who currently need to deal with CSV import & export* if they want to move their passwords out of iCloud.

* Not sure what the situation is ATM, but a few years back exporting passwords from iCloud was not directly supported. I had to run a third-party AppleScript script to generate a CSV to import in another password manager.


I did a new mac setup recently and just discovered, after many years of use, that I cannot use 1 Password 7 anymore :( The app works it’s just they’re phasing out the browser “classic” extension with the excuse(?) it won’t work with the new manifest v3, so a migration to 1 password 8 is required. I hate their subscription model and I think I’ll self host bitwarden, but was also considering the system password manager, or the one built into Firefox. Problem is passwords won’t leave the browser ecosystem in this way and it’s more often than not that today you need to move passwords cross platform and cross device. So I don’t see an apple password manager as the best solution, they usually stay inside their walled garden


For your preferences, I’d propose Keepass. Maybe you’ve already looked into it.


Setting up TOTP on an iPhone. I had no idea it could do this.

https://support.apple.com/en-ca/guide/iphone/ipha6173c19f/io...


I tried to use Apple passwords.

1. It really hates storing anything but website passwords. I have servers with ssh login/passwords. I have bank cards with cvv and pins. I have phones with pins. WiFi passwords. And other things not fitting to website/username/password.

2. Not enough fields. I'm ascetic when it comes to storing passwords, but it doesn't even have "notes" field.

So experience is subpar. It's possible to emulate some things, but in the end I decided to go with StrongBox. It's not ideal, I don't like UI, but it has all the functions I need. I also like KeePassium, but it's missing sync and mac app.

I know that Apple KeyChain has secure notes, but those are not accessible on iPhone, AFAIK.


It does have a notes field now. I’m not sure when that was added.


The nice thing is: the way they implemented this it looks like you could pretty easily write a 1passwordish mac client as an interface to the system infrastructure. I say "1passwordish" because one of the tedious parts of a program like that is the browser parsing to handle all the weird authentication cases devs write.

Unfortunately I'm not an ios dev and wonder if it might even be possible to do the same on ios? I believe there is an API so you can write a password manager (1password et al use that) but can you get to the secure system services?

Edit: I now see who wrote this blog post. Were it straightforward on ios he probably would have said so.


I am not an expert macOS/iOS developer but I unsuccessfully played around with the API a couple of times.

You can’t access passwords stored by another app (app identifiers appeared to be globally unique, e.g. com.apple.Safari). There was an additional hurdle to access/store items in the iCloud keychain, though I forget what exactly.

This restriction makes sense.


It took effort but I finally got my dad to use 1Password regularly, but my mom would be a lot easier to convince if Apple just made its own password tools easier to use, especially cross-platform, including maybe putting a nice app face on it.

> PPS: I dream of a future where Passkeys could make the password manager extinct. But it’ll take time…

Passkeys even more so need more of a "curated app experience" to work right, cross platform. Ironically, it is my impression that preparing for Passkeys is why Apple finally added that password explorer to Windows' weird iCloud "control panel". (For a long time, the only way to use iCloud passwords on Windows was the awful Edge/Chrome integration.)


Perhaps this is one of the “user requested features” Apple is going to implement in iOS 17 and its cousins? As per a recent and vague rumor, Apple is going to add more user requested features and is adding them late in the development cycle. [1]

It would be great to have a nice UI for managing passwords, 2FA codes, etc. Add password sharing over iCloud and it could be a game changer!

[1]: https://www.macrumors.com/2023/03/26/ios-17-to-provide-sever...


While we're on the subject, other Apple things that deserve an app:

Dashboard/status

- I have a smart lock, and they have their own app, where all it really does is show the current status of the lock and let me toggle it. There are quite a few apps like this. It'd be nice if they could all be condensed into a dashboard/status app that could just tweak values and show current status. Apple Home attempts to do some of this.

Notifications

- It'd be nice if there was a notifications app, and I could set most of my apps to deliver their notifications to that app, instead of me directly. This would reduce notification overload and distraction.


Have you tried Notification Summaries yet? That's sort of like a "deliver notifications to a separate app".

In the notifications settings you create at least one Scheduled Notification Summary. I've currently got ones set up roughly every four hours during "core daylight hours" for me, plus I enable the "preview option" to read the next summary early if I need to. Then you add as many apps as you want to the Notification Summaries. All of the notifications for those apps during each time period get rolled up into a single Summary object in your notifications, only give a notification alert once for the entire group of them (at the scheduled time), and don't cause Watch notifications (if that's a distraction/overload you especially juggle as I do).

At this point I've even got all my email notifications going into Summaries (which is why I turned on the preview for the next summary if I feel like I need a quick glance at recent email subject lines without opening my email app up).

It is such a useful tool and not a lot of iOS users discover it in the settings. May also be an indicator that it could use its own app because discovery in the Settings app itself is hard. Maybe the Settings app is just doing too many things now and needs some sort of reorg or something.


Isn't that first one Home/iHome/HomeKit whatever you wanna call it? If your lock doesn't support HomeKit there's a good chance Homebridge does.


I've been using Keychain since 2003. Only now am I aware that it does TOTP. I've been avoiding TOTP like the plague this whole time because I don't trust the other apps not to somehow get me locked out.


(Especially Google Authenticator, especially the original version where they said it's WAI that you can't transfer codes across phones. Keep that nerd stuff away from me.)


> Keep a “Notes” field where you can add extra data, like 2FA backup codes, for each password!

I'm not sure if the reference here is to Keychain's "Secure Notes" or the "comments" field associated with password items. If the latter, I've found (at least on older versions of OS X/macOS) that when Safari updates the value of a changed password, it deletes the comments! I used the comment field to add the (random) answers to security questions, and got burned on a couple of sites when I've needed to do an account reset and lost those answers.


> that when Safari updates the value of a changed password, it deletes the comments!

It doesn't change a password, it creates a new one.

This means if you somehow mangle saving the password (you thought you updated it, but didn't) the older password is still in your keychain with the older note and it can still be retrieved.


It's incredible how Apple makes its users happy to lock in to their eco-system. I don't really know the Apple eco-system but it seems weird to migrate from a third-party app (already well integrated) like Bitwarden to keychain. I've lost count of the people who have switched from their Music App to Apple Music for no reason other than "it's Apple". Apple makes good hardware and their eco-system seems amazing too, but people should see the advantages to be not entirely dependent from a company.


> but people should see the advantages to be not entirely dependent from a company

I think you're overestimating how much the average person thinks or cares about their computing platforms. They want something that works and gets out of the way, and to that end having everything come from one company is a feature, not a bug.

I mean I consider myself a power user and I still use iCloud Keychain purely because I was already using Safari when it launched, so it already had all my passwords. I recognise the advantages of third-party offerings, but to me they're not enough to bother moving all my stuff over.

Similarly I still use a third-party 2FA app because I was using it before Apple added it into iCloud Keychain (and also because the third-party app has an Apple Watch app and I've grown accustomed to reading the codes off my wrist).


I don’t personally care much whether Passwords is in Settings or a separate app. But I do have one problem with it. As far as I can tell, you must save a password for a site in order to use the TOTP 2FA feature. I don’t want my device filling in passwords for me because it defeats the purpose of a password being “something I know”. The 2FA code is more like “something I have” and I’m okay with the device filling that in, but not the password.

There doesn’t currently seem to be a way to set up only the 2FA code for a site.


The “something you know” is your device's pincode/passcode/iCloud password, not the password to the website. If you know the password to a website it means you’re reusing passwords or using a pattern to generate passwords, both of which are less secure than randomly generated passwords (especially the former).

Of course, nothing is stopping you from saving a bogus password either.


I don’t buy it. Complex, random passwords are great against brute force attacks but that’s not usually how these things play out.

Many password breaches are caused by technical lapses on the part of a platform, where password complexity often becomes irrelevant. Your password gets hoovered up along with everyone else’s and eventually gets decrypted, and tried en masse against other platforms. In this scenario, even a simple pattern for passwords is probably enough to prevent the problem from spreading, as long as it’s not too obvious.

The other way passwords often get compromised is from someone looking over your shoulder or key logging, infrared on PIN pads, etc. In this scenario, your system is WAY, WAY worse, since one password unlocks the kingdom, and that password is frequently being used.

As it stands, if someone peeks over my shoulder and discovers my phone password, then steals my phone, it’s damaging but not game over. They can’t access any websites.

If I allow my phone password to be the only gatekeeper to access everything, IMO that’s lousy security.


I will tell my family to use iCloud Keychain the day when it works across all major browsers and OSes. Or at least that they provide an API to sync with other password managers.


This is unnecessary because it's a problem that's already solved.

- BitWarden - for personal use, stores 2FAs and acts as an iOS password source. (The claimed attacks were mitigated)

- Keeper - for enterprise use, stores 2FAs and acts as an iOS password source

- Duo - for 2FA for enterprise use with backup text mechanisms. Edit: Duo's primary app mechanism is similar to Google Gmail app's mechanism of a yes/no popup to approve a 2FA request

^ The above are cross-platform and extend beyond Apple.


Regardless of how great they might make an interface for it, passwords are the last thing I haven't given to Apple. If I lost control of my Apple ID, it would be a disaster, but at least it wouldn't expose everything else as well. I have a hard time getting over this mental hurdle, so it's 1Password for the foreseeable future for me, no matter what they do here.


Gimme something to make family passwords easy (eliminate passwords!) Enable Apple ID logins for kids. Throw your weight around to move safety settings into some sort of open web standard. I’ve got 1Password but the daily pain of managing a family of users with various accounts is just too much right now and I would pay almost any amount of money to have a simple solution that I never had to think about.



They don't make it clear on iOS which password manager you're using, which hurts both them and other password managers I think. The worst experience is not knowing where your password is or which account it's using. I had to turn off all apple password management in preferences, I've thought about going all-in on apple passwords but don't think it has all the features I want.


I guess everyone is over the anti-"self-preferencing" policy push over the past few years and is back to normal. Sherlocking is in fact good.


I switched to Apple's password manager after being burned by Twilio Authy's inability to retrieve the 2FA setup codes. I wish they had made this lock-in more clear.

Overall I'm happy with my decision. I'm now even using Safari over Chrome full-time because it has the benefit of 2FA autofill.

Only thing missing is a dedicated app, but I have an Apple Shortcut that works well enough in the meantime.


It seems apparent that Apple are investing in Passkeys as the future and passwords are legacy infrastructure in a sense.

https://developer.apple.com/documentation/authenticationserv...


I agree (and it's not often I agree with folk on Hacker News), Apple provide a far superior password service inside a far inferior UI. The handling of authentication codes is particularly great in the Apple ecosystem, but very poorly promoted.

For a company that markets itself as secure these are retrograde steps.


The worst thing is when I register a new password to a website on my Mac on Firefox and then want to login to the site on my iPhone. I literally have to type the (complicated) password again so that it gets saved in Keychain.

Why won't Keychain allow Firefox sync? This seems like an extremely common use case.


Until Apple’s keychain works reliably across all platforms, I’ll continue to use Dashlane Password manager.


One core feature that will keep a lot of people from using Apple Password manager is family setup. Anyone with Apple family knows how bad it can be when you have dozens or hundreds of shared passwords between you, your spouse and / or kids.


Yep. 1Password has my business indefinitely because of this requirement. Apple may be building a nice solution for single people (and perhaps many non-parents), but it's useless for family use.


Not sure we want to ask Apple to build more software when they can't even get the quality of their existing software up to par. I would be strongly inclined to stick with something less tied to the platform/ecosystem, like 1Password


I think the reason Apple hasn't prioritized this is that with their login with Apple implementations and passkeys, the utility of copying/pasting or looking up a password is dropping over time.


Every time I see a question like "Why doesn't Apple build $THIS?" I assume the answer is "because they'll make more money selling 3rd-party $THIS in the app store".


> I assume the answer is "because they'll make more money selling 3rd-party $THIS in the app store"

Apple has a long and storied history of doing almost exactly the opposite - any sufficiently popular third-party utility either gets bought and integrated (eg Workflow, Dark Sky) or Sherlocked (eg f.lux, Watson).

Apple takes a very long-term view of revenue generation, and the App Store commissions from $random_app are way less valuable to Apple than the LTV of a customer who’s locked into buying Macs and iPads because of Apple’s proprietary version of $random_app.


100% - the current method of access (via settings) is so unintuitive. A real sign of the state of Apple over the last few years. Customer UX needs to become front-and-centre again.


I agree it could be more polished but there is an app called Keychain Access that does give reasonable access/search/management of iCloud passwords.


I've always used Keychain Access to view/manage passwords. If they cleaned up the UI a bit it'd do pretty much exactly what Cabel is talking about here.


They already have an app, Keychain Access, but for weird reasons they integrated the new features into System Setting instead of expanding the existing app.


I'm okay to move my photos to Apple. I'm okay to move my music.

But I'm not ready to move my passwords and tie them to the Apple ecosystem.

1password for the win.


The article is informative but failed to describe where to find Apple's password settings / feature while complaining about how hard it is to find…


I resisted using 1Password for a long time but then once I got into the 1P world, it was better than all the alternatives. LastPass is unsafe, Dashlane has subpar experience, and all the proprietary ones are missing tons of features.

Chrome, Firefox, Apple, I'm sure Windows too, have all their own password managers and all of them are hard to use and expect you to only have devices in their ecosystem.

1Password is worth every penny for how well they've kept up with updating their apps and their prevalence on all platforms. And the 2FA integration is great too!


You can make an iOS shortcut to make it appear as an "app" (launches keychain manager). I did this for some elderly folk, works great.


Apple would put 0 effort into making the app work across platforms and browsers and devices. They're not a good fit for this space.


I use Keychain Access app, but admittedly the UX there is terrible. I wish it was nicer, and also integrated with browsers other than Safari.


I appreciate Apple adding the ability to export your passwords, but it's ridiculous it took until 2021 for this to happen.


You can always make a Shortcut to open the Passwords section of System Settings. And put that in your dock or wherever.


my issue with apple passwords is that you literally cannot put a password on them. iPhone forces you to use biometrics as your key for them. whatever you think about passwords vs biometrics, the fact that I literally cannot choose is ridiculous and a massive oversight


Biometrics or your device passcode. My mom has a touchid phone (won't get the faceid due to paranoia) and she gives up on it during winter when her fingers get cracked due to the heating.

So when she logs into the device it always falls back to device passcode.

I am frustrated they won't allow you to do both bio+code, because that would prevent my kids from flashing my pilfered phone in my face to get it to unlock then running away.


Don't put all your eggs in one basket.

Don't put all your passwords into one single software provider.


There's bitwarden that does it all, cross-platform and completely free.


I still miss Mozilla Lockwise.


At least Firefox makes it easy to view your Firefox passwords. In Chrome it's nested in settings and the text box where it shows the password is tiny.


Passwords stink. I want to think about them less, not more.


At this point, the whole password based infrastructure needs a revamp.


> Passwords are productivity, not preferences.

Surely passwords are security?


what about https://authy.com/download? mobile/desktop/cloud sync, free...


i would prefer icloud keychain allows an alternative password - i refrain from adding some credentials to the keychain since my passcode is easy to steal?


Reading other comments in this thread and I feel like I am taking crazy pills. There was a big article that I thought a lot of people had read and would realize having passwords saved under an iCloud account is a recipe for disaster, since only a phone passcode is necessary to gain full control of an iCloud account.

https://news.ycombinator.com/item?id=34984821


Anyone know how to use Microsoft otp with another app?


That app is called Keychain Access on macOS.


Lots of apple “settings” deserve an app.


The goal is to go passwordless.


One word. Liability


Oh god please no


Edit: Removed initial comment, confused my iOS faults.

Keychain in its current configuration is risky, given it's coupled to your iPhone password which many people frequently enter in a public setting. One shoulder surf followed by a phone theft and they've unlocked everything - including your iCloud account (which you can change the password on using iPhone password only).


If I go to system settings > password on iOS, it then requires Face ID to get in. So I’m not sure what you’re talking about. Under Face ID & passcode you can also require Face ID for a password auto fill. So I don’t think any of this is correct.


Are you sure? I always have to scan Face ID, whether it's to open the "Passwords"-section in Settings or to have it automatically paste a password on a website/app. How do I access these things without additional authentication?


> you can access it when your phone is unlocked without any additional authentication.

No you can not. On my iPhone I have to authenticate with my fingerprint or pin code again for the passwords.


It needs biometrics or passcode to unlock?



