417 comments

[ 3.2 ms ] story [ 382 ms ] thread
I really like Apple's implementation of passwords, passkeys, etc. But...I had a hard time explaining this to my mom.

She uses it to generate her passwords and fill-in within Safari which is great!

But there's no "Passwords" app, and she didn't know to go into Settings to reference a password when Safari doesn't recognize a password field (probably the website's fault).

2FA is also a confusing experience, but 2FA is also just confusing enough for her where Apple isn't really the problem here.

But there's no "Passwords" app

It's called Keychain Access.

The problem is Keychain Access doesn't pass the "mom test" (would you average consumer - e.g. your mom - actually use it)
They don't even know why it's called that
Because you can store non-passwords in there too.

Secure notes, your own signing certificates, keys, root CAs, and specific self signed certs you've accepted for SSL.

Still, none of that means anything to the average user. Searching for "passwords" in Spotlight should also take you to your passwords
Make an alias to Keychain access. Name it "Passwords" and have that a directory that is indexed by Spotlight (the Utilities directory under Applications where Keychain Access is found works fine).

This will then show up in the launchpad. https://i.imgur.com/IRPOMC5.png

Searching for 'pass' in Spotlight does bring up Keychain access - as that's in the apps list of Keywords... however the list of apps is way down on the scrolling https://i.imgur.com/KFUC0G0.png - it found 'password' as a string in 100 python files that I had to scroll through first.

> Make an alias to Keychain access.

Sorry, but that also doesn't mean anything to the average user. If anything it's made it more complicated for them—they will remember to type in "key" before they learn how to make an alias

That I don't have an issue with the word "keychain" doesn't mean it's not bad UX for the average Mac OS user

Specifically, what functionality would you like?

If you do control-space (to bring up spotlight) and type in password, what do you want it to do and what is missing?

If I type in "password" I get a bunch of results that aren't what I need

My wife asks me weekly "honey, what's that word I gotta type to see my passwords again?"

Keychain Access doesn't pass the "me" test and I have a PhD in CS.
Since I use it quite a bit for secure notes, I've got it pinned in my toolbar. From the top down I've got Finder, System settings, Keychain Access, HomeKit, Launchpad, Safari... and then other things.

The thing is, its the 3rd one down.

No password manager passes that as far as I'm concerned.
Isn't Keychain Access MacOS only? It's not available on iPhone.
iOS does not have "Keychain Access" as a named setting or app.

MacOS has both Keychain Access as a standalone app, and Passwords as a section in your settings. The latter is dedicated to purely passwords that you, as the user, make. Keychain Access also contains passwords for Wi-Fi and other systems.

Are you talking about that utility that looks straight out of Windows 98? Surely it could use some love in 2023. I don’t think I’ve ever seen it updated, it’s not an acceptable UI for consumers.
What the actual flying fuck, the apple password thing supports TOTP! That's great! (And a sad testament to how poorly the discoverability is on some ios features)
Not just that, they will detect QR code images to work around sites which assume that TOTP is only available by scanning your desktop screen from your phone.
Can you provide an example website that uses this technology? Not sure I've ever encountered one.
(comment deleted)
Uh, basically all of them? They all show a QR code and never show you the secret which you could copy in to your password manager.
Step Two[1] also does this, which is one of the reasons I've been using it for TOTP for the past few years. Nice to see that the built-in TOTP support can do that now too.

[1]: https://steptwo.app

Isn't it considered not great to do TOTP and password storage in the same place?
I tried going all-in on using iCloud Keychain (correct term?) for my passwords from having previously used LastPass.

In short.

1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.

2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

I think those were my big complaints. If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.

> If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.

I think Apple would consider this "working as designed."

With passkeys, now every platform can enjoy this level of lock in!
I hope not. I'm patiently waiting on 1Password to release their implementation of passkeys so I can have it work on all my devices, Apple or not.
Yep, same with BitWarden. That would be fantastic.
Just use Passkeys. Any account that allows 2FA allows multiple second factors. You should be setting up backup second factors anyway if you don't want to risk getting permanently locked out of all of your accounts.

Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor. If you're using strong passwords with 1Password, your second factor is basically only defending against a leak of your password database. If you're storing your second factor in that same password database, what are you gaining?

Well, with the exception of AWS, unless something has changed recently — they notoriously only support one second factor (i.e. if you use YubiKeys or similar, you can only use one).
Yeah, AWS is the only exception I've encountered :)

But if you have backup second factors (you have backup second factors, right?) and you're worried about Passkey lock-in for whatever reason… just use that other second factor for AWS or any other account which supports only one.

You can add multiple MFA devices since November of last year:

> Now, you can add multiple MFA devices to AWS account root users and AWS Identity and Access Management (IAM) users in your AWS accounts. This helps you to raise the security bar in your accounts and limit access management to highly privileged principals, such as root users. Previously, you could only have one MFA device associated with root users or IAM users, but now you can associate up to eight MFA devices of the currently supported types with root users and IAM users.

https://aws.amazon.com/blogs/security/you-can-now-assign-mul...

Isn’t the whole point of Passkeys that you can’t ever lose them, since they’re tied to your biometrics..
They're not tied to your biometrics. They're stored inside the TPM of your device, which is unlocked by some form of biometrics.

But if you lose all the devices with your passkeys on them, they are gone for good.

> Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor.

Not quite! 1password itself counts as two factors: something you know (the master password), and something you have (the additional secret key).

Passkeys in 1password would eliminate phishing as a problem.

I’m super curious what a backup second factor is for the average user who has only one device: a phone, that sometimes gets lost or is stolen.

Feels like these things are designed by Californians with no idea of how the world is.

If you're in this category, your alternative to Passkeys at all is SMS or no 2FA whatsoever. Enabling Passkeys does at least ensure that you have a minimum of two separate devices so you already do effectively have some form of backup of your second factor.

My comment is targeted at someone who is savvy enough to: a) care about having "real" 2FA, and b) is concerned about lock-in, and c) is extremely sensitive to being locked out. For someone like that, you're already buying YubiKeys or some equivalent. And if you don't already have some, you're never prevented from using them later.

Reminds of the occasional comment threads on here about homeless people permanently locked out of new accounts every few months because of stolen devices and the growing corporate obsession with forced 2FA, and all the replies that amount to "if they didn't want to fuck off and die they shouldn't have been poor".
passkeys isn't supported on linux desktop, at all. and if you know how to make it work, please let me know. I have to switch to a Windows machine to login with them.
Yeah, that's why I'd never touch passkeys. It feels like you're basically locking yourself into a weird ecosystem that you'll never be able to escape from.
This is kind of silly.

If you're using hardware 2FA, you should absolutely have backups. I've used YubiKeys for years and have one in my laptop, one on a keychain, and one in a safety deposit box.

Passkeys are just another instance of this. I have added Passkeys to all of my accounts with 2FA and it's somewhat more convenient (significantly more convenient for mobile devices). But every account also has all my YubiKeys attached as second factors.

There is no lock-in. And while it's inconvenient and annoying to have to add multiple keys to every account, that is already the reality if you're responsibly using hardware second factors.

This would be less annoying if we could get actual federated identity that big players would actually accept, as it stands having to fetch a key from a safe deposit box every time I register a new account is a huge amount of friction.
It absolutely is. But that’s a separate problem entirely from “will Passkeys lock me in to the Apple ecosystem”, to which the answer is an unqualified no.
Microsoft is a big player and here you go: https://learn.microsoft.com/en-us/windows-server/identity/ad...

I currently have a Microsoft (Work) account that I'm SSO logged on.

To be clear, I was referring to one federated identity that everyone would accept, as it stands there isn't a single, federated identity provider that Apple, Facebook, Google, Microsoft, Amazon, Bank of America, my power company, etc and so on will all accept. I'd like to secure one spot on the internet as an identity, a digital passport of sorts, and secure that heavily then have it log me in to everything. The closest thing we have currently to a digital identity is an email account, but we should really move past that.
> I think Apple would consider this "working as designed."

Incoming iTunes Password Manager, next event :P

> I think Apple would consider this "working as designed."

Punishing us geeks who like using multiple different kinds of OS on their phones and computers. :(

On 3, at least: Apple assumes you'll use search on device. If so, it's: 1) Swipe down 2) Type "p" 3) tap autocomplete result in "settings" group.
But if you search on Mac using spotlight you need to type "keychain" smfh my head
Agree on most of this but Keychain Access IS a standalone app on the mac so slightly confused about the comment about it being buried in System settings. Its still a pain to go to the app and copy a password for non-Safari browsers though.
I just do cmd+space -> type "pass" -> Return -> fingerprint. That gets me to my iCloud Keychain. I used to use Keychain Access but like the UI of the Passwords tab of Settings more.
I use 1password. cmd + shift + space opens a spotlight-like dialog for 1password. First access requires a fingerprint.

It also works on Windows!

That app is not at all a password manager.

It‘s a view and editor for all kinds of stored keys. I don’t think its target audience ever were intended to be some random macOS users. That’s just not the target group. It‘s about power users that need to access or store all kinds of keys.

> I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

Chrome used to be tied into Keychain but they went their own way a long time ago, which is a damn shame.

I guess they want compatibility/password sharing between Chrome on Mac, Windows and Linux, which I can understand.
I believe Apple only lets you use certain APIs (like Keychain) if you distribute only through the App Store.

That policy has really killed a lot of functionality on macOS. I suspect it will cause fiction on iOS when the EU forces them to allow alternative install sources.

Personally, it grates me when Apple cripples functionality this way to try to keep us stuck in their platform. Can't use Firefox with Keychain. You can only view your current Apple Card balance on an iOS device -- not even a macOS device. At the end of the day, I hate being manipulated so much that it actually pushes me away from the platform to see this scummy behavior.

Is there a reason Chrome, Edge, and Firefox aren't on the Mac app store? I know the yearly dev account costs can be an issue for small developers but Google, Microsoft, and Mozilla are already paying that as they release apps on the iOS App Store.
(comment deleted)
If I had to guess, the review process would just be a hindrance to them for nearly no benefit (is there anything besides the keychain API that would entice them?).
I assume it's annoying to jump through hoops and code review for every release.

Most macOS users don't use the app store. So directing folks there can be annoying for users, or even cause problems if they aren't signed into iCloud.

They'd likely end up with either an old version on the app store at all times, or with a massive, unpredictable day-or-week-long delay waiting for Apple's reviews before every release. Small wonder they don't bother.

I will always regret being just slightly too late to enjoy Apple's golden era. When, yes, using an iPod meant locking into iTunes, but at least you didn't have Tim Cook nagging his captured audience into signing up for Apple Music Subscription Plus - Now for Families!
> You can only view your current Apple Card balance on an iOS device -- not even a macOS device.

That sounds especially annoying. An iPad next to you can auto-config itself as the umpteenth monitor of a Mac, but macOS can't pull Apple Card balance from your nearby iPhone?

There seems to be a Google Chrome extension called "iCloud Passwords" but it only has two stars, so I don't think you'll be positively surprised.

Also, on iPhone it's ok-ish but on Mac the experience is a subpar too: Keychain, the app you use to view your passwords, feels like a 90s Visual Basic application. Plus you can't organize your accounts, and even if you prefix them to "sort by name", the special name you give is lost after using it.

On the other hand, I already have other Apple cloud stuff and kinda trust them, so I suffer through it. And other password managers aren't anything to write home about either to make me change :/

+1 to subpar on Mac. iPhone is about the only surface where its seamless/smooth. The rest leaves me constantly frustrated.
Note that macOS now has three “apps” to view your passwords, three different UIs for the same database. There’s Keychain Access, there’s the Passwords section of System Settings, and there’s the Passwords section of Safari preferences (which is the same UI as the pre-Ventura System Preferences app’s Passwords section).

The other two have even less organization functionality than Keychain Access, so this probably doesn’t help you, but the blog post was talking about the System Settings version so I wanted to point it out.

What's wrong with Keychain Access? It hasn't changed its appearance since more than a decade. That's a good thing for familiarity. Early Mac OS X apps have incredibly good design that doesn't waste space.
Guess which app is ripe for a Swift UI redesign soon!
But it does waste a lot of space... there's a lot of duplication of keys (which are deduplicated in the iPhone app), and with other information (somehow I have hundreds of "com.apple.cloudd.deviceIdentifier.Production" in there). And I already mentioned organization fails. Plus it's kinda insecure as it enumerates your accounts exhaustively without asking for a password like iPhone/Safari (granted, not a problem specific to this app). And the interface to view the passwords is terrible. Old and familiar is not synonyms with "good".

However now that comex pointed me to the Password in the "System Settings" app, I at least can use it and it's fine if Keychain is left as is.

> Keychain, the app you use to view your passwords

Huh, I never realised Keychain showed iCloud Passwords. I always just use Safari (which is inconvenient in its own way admittedly).

Apple makes a iCloud Passwords chrome extension: https://chrome.google.com/webstore/detail/icloud-passwords/p...
Maybe this was it...IIRC the user must also have iCloud For Windows installed? It's been several months since I tried this setup. For my personal user experience it was unacceptable.
Windows only! It doesn't work on Mac!

I honestly didn't know that was possible before that extension.

Chrome on mac should by default be able to work with the Apple password keychain
Meaning it ought to, but doesn't, right?
No, Google has not implemented support for Keychain in Chrome. AFAIK neither has Firefox.
And this annoys me greatly. I want cookies, bookmarks, and passwords to be owned by the system. That way I can switch between browsers with ease, and that would also lower the bar for new browsers to come out.
I absolutely do not want this.
Agreed. This sounds like a nice user-friendly feature until you realize what a colossal privacy disaster this would be for any malicious app that the user grants these permissions to.

"DerpCo Derpolizer would like to access your stored cookies. This allows us to automatically log into your DerpCo account!" and then bam, they hoover up your login data in an instant and send it off as part of their telemetry.

Much better to have a system like (for example) sign in with Apple where you can easily click a button to have the system authenticate you, but no one gets access to anything without specifically asking for it.

I switch between systems more than I switch between browsers.
Maybe if you're only using devices from one type of brand. But what if you wanna access those things on a Mac and Google Pixel and an Amazon Kindle. Sure, might not be that much of a mix, but I imagine a decent amount of people have at least one device from a different brand.
They actually removed support for Keychain, Chrome on macOS used to support it in the past.
interestingly, Chrome on iOS offers me passwords from both the iOS Keychain and Chrome password stores.
And it’s slow two star garbage.
Sounds like vendor lockin is the aim here, not being fully cross-platform without any hassle.
Funny situation, there's another thread I was replying to someone who wanted to shift back to native apps instead of cross plat electron apps (for performance reasons).

Well, Apple Passwords on Windows is a good example of how that turns out in reality. I believe it's using WinUI. While the performance is nice, the experience is entirely unlike what you get on Mac and winds up making you wish you were using another service entirely.

This has been the story of Apple apps outside MacOS forever: they appear to always do the absolute minimum to claim support, and you end up with a super clunky windows app that is terrible.

I doubt they’d do much better using electron: I think their development model is that if it isn’t on one of their platforms, they pump out a minimum-effort, low quality app. I’d guess that electron ones would be just as clunky, except with a significantly higher memory and CPU footprint.

That hasn't really been true. Apple supported iTunes and Safari which were great options on Windows. Not just "I'm already an Apple fan so I have to use it", but actively deciding to use them.

The root of the problem for Apple is that they cannot get away with doing what they used to in the past, they already have a plethora of platforms within their own umbrella to support, adding Windows native to the mix seems to result in maybe a handful of developers taking on enormous burdens by trying to catch up to their expected Mac apps.

If Apple were to seriously put its weight behind a cross-platform toolkit, this might change, especially as they want their services to grow. It's the very reason why their main service competitors can even compete.

But I agree that if they were to suddenly switch to Electron without a care it wouldn't turn out well, but likely have a better end user experience than their current reveals.

So SwiftUI for Windows?
For QuickTime for Windows they ported a portion of the Classic Mac Toolbox to Windows to make it work.

For Safari Windows they ported a portion of Cocoa.

Having an internal Windows version of SwiftUI would not be unthinkable!

> Apple supported iTunes and Safari which were great options on Windows. Not just "I'm already an Apple fan so I have to use it", but actively deciding to use them.

No they weren't. They were notoriously awful. Apple resorted to bundling Safari with QuickTime to try to get you to use it but everyone still hated it.

(comment deleted)
Nonsense, iTunes was great and got stick just for being iTunes.

300GB library around that time with no issue at all. Smart Playlists made all other players obsolete for me.

Apple had (has?) Cocoa ported on Windows actually, so whatever they could so on macOS, they could do on Windows as well. Cocoa as such is cross-platform.
It was a product briefly. OPENSTEP Enterprise. There was talk of selling licenses to distribute but that never happened
Any link to the port of Cooca to Windows?
Apart from the already mentioned OPENSTEP for Enterprise, see also here:

https://www.stone.com/dev/StonesThrow2/OneFoxTwoFox.html

Basically, it was called Yellowbox, but it didn’t officially survive the release of Mac OS X IIRC. But Apple was at least still using parts of it for some Windows ports back then I believe.

> Apple Passwords on Windows is a good example [...] the experience is entirely unlike what you get on Mac

If you were a Windows user, why would you want an app that acts like a Mac app? Surely the benefit of having a dedicated Windows app is that the experience should be like other Windows apps.

You're not really thinking about it as a "mac app", but rather "the service". You expect it to act like the service you use on other platforms with all the features you rely on.

If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI", I immediately know where the genre categories are because I've already used it on android or linux and expect it to be there. I know exactly how to add a song to my library, to shift around playlists, to manage folders, everything is as I learned it on [other platform].

Design development becomes this duplicated burden where every feature now has to go through the ringer twice (or more) to fit native components for their respective platforms. When you hit limitations on those native components, you're now having to make the decision to either hold back the feature entirely, or create fragile workarounds.

In an alternate timeline native components would have had far greater appeal, where people actually hate and boycott apps designed otherwise. But we don't. Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components. The situation is even worse on windows past 7, where the idea of a "windows app" is so jumbled there is nothing to "expect" from the experience - which is actually part of why I think these unified app designs have really taken off.

> If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI"

We're either very different people or we have different use cases :) It immediately feels jarring to me to be using macOS and suddenly presented with a non-native UI. But I only ever use macOS on the desktop, so I don't have this cross-platform issue. What I find strange is, I would have thought that was the 99% common case — it seems strange to me to optimise for individuals using multiple OSes rather than multiple apps on one OS.

> Design development becomes this duplicated burden

That sounds like an OS flaw if true. Of course, I accept that some design will be necessary, even with the finest SDKs available to humanity, but it should be so burdensome that going non-native is seen as the solution.

> Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components.

You're totally right. Every now and again, I say to myself "I really must use Safari for the 'more native' experience", but I always come running straight back to Chrome again.

> The situation is even worse on windows

This was one of the things I liked best about macOS when I first migrated — everything was so consistent, things didn't visually clash, etc. I still get the impression it's better on macOS, but heck, it's definitely not as good as it used to be.

>I say to myself "I really must use Safari for the 'more native' experience", but I always come running straight back to Chrome again.

Have you given Arc Browser a shot yet? It feels pretty great. Feels designed for Mac and has its own design language at the same time.

Not that I disagree with you, but have you seen the new Windows app for Apple Music? It definitely feels Windows 11-ey, with the animations you'd expect. A notable departure from the Mac design, in favor of Windows design, is the placement of the back button at the top left corner of the window, instead of slightly to the right of the top left on Mac.
I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

No, it's not. I alternate between Safari, Firefox, and Duck. If a password I use in Safari isn't stored in Firefox, I copy it from the Keychain program and paste it into Firefox. Firefox then asks to save it. No problem.

The GUI is buried in System Settings.

It has its own program. /Applications/Utilities/Keychain Access

Your workflow is significantly worse than the experience I get with 1password.
> I copy it from the Keychain program and paste it into Firefox

Woah that's the same way I used password managers 10 years ago. Even back then it was considered barbaric. I had no idea people still lived like that.

I never stated that it was good.

The previous commenter said passwords were "unavailable" outside of Safari. I merely demonstrated that his statement was false.

It's not just a good product if you're 100% Apple, it's only a good product if you're 100% Apple and are willing to accept a great deal of friction if Apple's direction no longer suits you in the future. It's a version of what some people call "high time preference".

Personally, I was taught to care about the future.

They have an export-to-CSV feature. That takes a lot of the worry out of hypothetical futures.
Still adds a great deal of friction and makes it harder to, say, experiment with an Android phone or a Linux desktop for a month. Compare that to 1password which just works.
2. Dont know what you are talking about, I use brave and get my passwords filled in from keychain. 3. Cmd-space keychain opens up keychain
Thank you for sharing that. I was not aware. I will try this tonight!
Apple has to tread lightly on not have too robust of capabilities, especially for non-Apple ecosystem, since it might be consider anti-competitive.

(e.g. Netscape vs Microsoft Internet Explorer)

EDIT: why the downvotes without a reply? If you don't agree, why not just respond why so that a health dialogue can occur.

As stated by another poster, Netscape vs MSFT was about coercing OEMs not to include competing browsers to be pre-installed on new systems. Apple could create and give away a cross platform password manager without much fear of ramifications, unless they exclude all other password managers.
> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

Safari > Preferences > Passwords

Would love to have iCloud Keychain in other browsers, though.

You just run the Keychain Access app on a Mac.
> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

On Mac, at any time, type: command-space passw <return>

On iOS tap <search> on any home screen, type passw, tap suggested result

No results for “passw”
I write "keychain" usually, it appears after "key" already.
I've pinned Keychain Access in my tool bar. Finder, System settings, Keychain - right at the top.
Rebuilding Spotlight index...
Better yet, using the Shortcuts app for iOS, create a shortcut that opens a URL with `prefs:root=PASSWORDS` in Safari.

For macOS, you can make the same shortcut open `/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/PreferencePanes/Passwords.prefPane`.

A single shortcut can be used to accomplish this, using the OS check and an `if` condition.

Then add the shortcut to the home screen as an icon and it’ll also show up in Spotlight search.

I mean, thank you. Buttttttttt this is an asinine level of effort to achieve a workaround for a stock feature on the Apple platform. I'd just assume not use it before implementing this.
These are great tips for power users, I love it!

That said, this also proves that for non-power users: it needs an app and it needs integration with other browsers if it wants to be as easy to use (for most people) as the popular password managers.

On iOS, my only password manager I've ever used is the built-in Apple one.

I just tapped the "search" field on the home screen, and typed "passw".

"Top Hit": A store link to the LastPass password manager (which I do not and have never used—the button has the text "get", it's not installed and doesn't have the cloud-icon for previously-installed apps)

From there, it's three suggested Siri web searches: "passwords", "password manager", and "password generator"

Then two safari-iconed links (I assume these would search with my default search engine in safari?): "passwords on iphone" and "passew"

Searching inside the "settings" app is only marginally better. It's all much, much worse than it was a few iOS releases ago.

(comment deleted)
I learned from this thread that you can actually disable all that. I did so and my spotlight searching sped up 10-fold and now I only get app results. So much better.
Is this you arguing that it‘s not buried?

Having to access something via a search incantation (or, alternatively, a ton of clicks) is not at all easily accessible. It’s buried alright.

Obviously you can find pretty much anything on macOS and iOS via search. That‘s how it‘s should be. But that doesn’t make things accessible or even just visible.

A limited GUI is also available within Safari on desktop. It is a tab under Preferences. It makes working in Chrome bearable.

Agree the UI is terrible in iOS.

(comment deleted)
I was about to say the same thing: Apple has a password manager? I’d consider Apple Passwords to be less than half a password manager.
I use chrome to manage passwords on all my devices, it works well except for apps. When I'm trying to get a password for an app in iOS, I just switch to chrome to get the password. Same if my password was from registering from an app and I'm in Chrome. Rinse and repeat and now my passwords are in both password managers.

As for TOTP, if I lose my phone I don't know what will happen.

Settings > Passwords > Password Options > AutoFill Passwords + Allow Filling From Chrome

Most apps can use passwords from Chrome just fine, and you can also quickly open the native passwords window when encountering a password field using the key icon.

For TOTP, use apps like Authy which can be installed and used from multiple devices.

(comment deleted)
My biggest complaint is that it doesn’t keep a history! One misclicked “remember password” at the wrong moment (safari plugin often guesses password fields wrong) and you’ve just locked yourself out of your bank account. Literally happened to me.
That's all by design. They want you 100% on Apple products to get the full experience.
The full experience for their shareholders you mean :P
> 1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.

Like a lot of other Apple stuff, I'm only able to use it because I don't use anything non-Apple for anything "serious" that involves a GUI. Windows is for gaming, Linux is my file storage and docker-service-running server that I only interact with over SSH and Web. Ditto Notes, all their Office-type programs, et c. I'd probably be on a lot more Google shit if I needed more cross-platform access to that stuff.

> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.

> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

IDGAF about clicks because I search my way to everything in Apple's settings—what does bother me is that they've made search worse in the last couple versions of iOS, and that if I type "pass" in search, "Passwords" isn't even visible on the list yet. I can get all the way to "password" and it's still the fourth entry. The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case! Even fully typing "passwords" still leaves it as the second entry (of three) on my device. WTF.

> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.

Other browsers used to be able to use it. I do think it’s a really thorny issue—“allow this application to access all saved passwords?” is a pretty damn scary permission to include. Up there with the “allow this application to control your computer” permission that is used for accessibility apps (which apps can abuse to read passwords, if I understand correctly).

Apple’s tradition. Make the platform more secure, add an exception for first-party apps, and let the other browsers fuck off.

Something could pop up saying "Fill password for HSBC Bank?" or similar and you click one button.
Yeah, I a think other browsers want to be able to test whether there is a saved password or not, and get the corresponding username, which is quite a big permission to give away. For actually filling in the password they could maybe offer a pop up where the user must authorise the app using biometrics or some other OS-level action. That’s already the experience with safari.
> allow this application to access all saved passwords

I'd like to see finer granularity, perhaps multiple web password vaults and a mechanism to allow certain browsers to use certain vaults.

It might also be nice to specify which passwords could be accessed with which kind of authentication. Unfortunately the current system password dialog is easily spoofable - it really looks like a questionable javascript popup.

What would that look like? Do you expect a prompt for every website you visit (Would you like to allow permission for Firefox/Chrome/whatever to view/store your password for "abcd.example.com"?) Would the permission be tied to the name of the app or the hash of the app? How do you securely identify the browser? Signed apps? Signed via a developer key -- trust the developer so that you can use Chrome as well as Chrome Beta?

The above is not a critique but certainly a list of things that lead to the possibility of a repeat of the infamous Windows popup for every single action you want to do out of the box. This leads to either decision fatigue or a pre-programmed "yes, just do it" response from the vast majority of users.

I personally think it should be an all-or-nothing type of allowance for this reason. Maybe the better way would be tracking access to passwords in Keychain. ie: Chrome+Safari+Firefox have all accessed your credentials for google.com but only Safari has seen your iCloud credentials and only Chrome has seen your HN credentials.

It's not unheard of - iOS already provides granular permission capabilities for photos. You don't have to give all-or-nothing permission to apps to access photos anymore; you can now choose precisely which photos the app has access to.

I'm looking forward to iOS doing the same for contacts; there's no reason why WhatsApp/Telegram/etc need access to my entire address book if I just want to call Steve.

>What would that look like? Do you expect a prompt for every website you visit

Why not? It works fine for Little Snitch.

And here it would be even less prompts, as it would just be every website I visit && have an login account at.

> Do you expect a prompt for every website you visit (Would you like to allow permission for Firefox/Chrome/whatever to view/store your password for "abcd.example.com"?)

This is pretty much exactly how macOS Safari prompts, and has for several years, at least in Touch ID scenarios. It shows a suggested username/identity with a Touch ID icon next to it, presented just like a normal autofill suggestion otherwise.

The per-site prompt and the inclusion of username/identity are really good signals, and feel like they reinforce the opposite of Windows UAC. They definitely gate access in a similarly repetitive way which encourages repetitive acceptance. But they demonstrate prior authorization that would have to be manual at least once at some point before the prompt, and you won’t be promoted the same way for sites you didn’t manually authorize first.

It’s a good enough signal that I generally use it as my first line of defense against phishing/domain spoofing. If I don’t get promoted for credentials for a service I expect to have an account with, I’m immediately suspicious. That doesn’t mean I automatically trust or distrust on that alone, but it’s a pretty decent sniff test.

Obviously the browser doesn't need to have unfettered access.

It just needs to tell the password "hey there's a password on wellsfargo.com" and then the password manager asks the user if they want to use the password. And maybe give access to all passwords.

IDK, what does safari do?

Safari pops up a little box attached to the login text field asking you if you want to use the password for wellsfargo, so it seems like it’s asking keychain “do you have a password associated with this url?”. At least on modern MacBooks they also figured out a good UX flow, when that box is on screen you put your finger on the Touch ID button and it authenticates you, puts in the password, and goes to the next field or hits submit.
Safari Passwords and 3rd party apps can and do use the Apple Keychain on macOS/iOS to store sensitive data. Though 3rd parties can't integrate with Safari's password manager.

If you use Chrome Sync with passwords on macOS, Chrome actually stores the decryption key in the macOS keychain. Just open Keychain.app (/Applications/Utilities/Keychain Access.app) and search for "Chrome Safe Storage" to find it. That's the decryption key for the actual encrypted password/sync data stored elsewhere. (So not possible to access Chrome passwords from the Keychain directly)

Safari Passwords (Apple's password manager) also stores passwords in the Keychain as individual entries and you can access them via Keychain.app. Unfortunately, since they’re part of the iCloud Keychain not the local login Keychain, they appear to be inaccessible with the `security` CLI tool which fails in an obtuse way.

Isn't this the exact thing that got MS in trouble with anti-trust for Explorer? How is apple getting away with it?
No. Microsoft got in trouble because they were coercing OEMs to not include competing browsers.

Apple has no such problem since they don’t have other OEMs.

Same deal with why Google got in trouble with the play store.

> The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case!

Weird. "pas" and it was top of the list for me.

In Spotlight, I need “passw” to see it. In the actual Settings search, I also need “passw”, and that only gets it to #5 in the list.

Also, Spotlight is bizarrely slow finding even local apps and things like Passwords. WTF

Did you tell it to ignore most local files?
Wow! Just discovered the Spotlight customization and it is so much faster and more useful when you remove certain locations and turn off definitions and Siri suggestions.
That sounds delightful. Sadly, while Apple documents “Suggestions in Search”, and I can even see that option when I search Settings for Siri, the option itself is missing from the Siri & Search page.
I get the same result as the parent. Search in Settings has gotten a lot worse with time.
When I type just "p" it's the second top most result. When I type "pa" it's already the first result.
Bizarre. That's on iOS for me, searching in the settings app itself. I have to type most of "passwords" just to get it to show up at all, and some of the ones that are showing up instead have only the most tenuous connection to the search term "password".

It used to show up for me after a couple letters, in the settings app, until a few iOS versions ago, IIRC.

It "learns" from previous searches.

Which is unfortunate, because it's not very good at it.

Anecdata: `pas` worked for me in Spotlight, Settings (both 13.3 Beta (22E5246b)) and Alfred (4.8 [1312]).
I use windows almost only for gaming (and CAD) too, and I've found that recently that the webapps, especially music and notes are good enough, and icloud drive and photos integration to windows actually work well.

But yes, passwords is annoying. You can use them on chrome on windows but not on MacOS, and on Windows it doesn't work on anything but chrome. Speaking of gaming, game launchers on windows can't get passwords from Apple and also seem to log me out all the time, so I have to revert to using my phone to see my password and manually type it in.

>> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.

> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope

No it's not. I don't want some exotic product connect to a domain I have passwords in and prompting me for access. The password should be tied to the product you used to login with.

This is a misunderstanding of keychain vs. lastpass. One is designed to remember "safari passwords" or any swift/cocoa application implementing keychain. One key feature is: once stored in Keychain this information is only available to your app, other apps can't see it.

Lastpass and other similar products are designed as a data warehouse / vault for you security items. From there, plugins in browsers etc. can take over.

I will totally agree with the fact that the GUI is frustrating at best.

But on iOS I can use keychain from apps to find login information that is stored from Safari?
Yeah, I'm also a heavy user Spotlight Search and it's still impossible to get to Keychain settings. I suppose my higher level point was that it's damn near impossible to efficiently get to the keychain settings.
Not impossible at all. For me, ⌘-space, then typing pass is enough for Spotlight Search to suggest the Passwords section in System Settings.
>Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.

It probably very much is. But Google would never add Keychain integration when they want to push you to their own password manager within Chrome

I can never tell if Apple is trying to kill macOS, but it’s things like this that make me wonder.
Step 63 of Mac setup is optimizing Spotlight by excluding a bunch of stuff from being indexed - kind of annoying but that's the solution
(comment deleted)
OP is suggesting it's a terrible UI on iOS and Mac too, and one of their principle complaints is your #3.

So OP disagree that it's even a good product if you are 100% Mac, but are suggesting the functionality is all there, it just needs an actually designed UI/UX.

And/But your #2 sounds pretty terrible to me too!

It does not sound like a good product at all.

I ended up writing an AppleScript to open the Safari passwords dialog because I got sick of hunting for the proper dialog. If you save it as passwords.command and make it executable it'll open the window right up. But yeah, it's a kludge.

  #!/usr/bin/osascript
  tell application "Safari"
    activate
  end tell
  tell application "System Events"
    keystroke "," using {command down}
    set pass_button to (button "Passwords" of toolbar 1 of window 1 of application process "Safari")
    click pass_button
  end tell
4. New passwords overwrite old ones. Easy to accidentally lose passwords in slightly odd situations like logging into an account whose password you just reset.

But I like it overall. Even though I use multiple browsers, I don't mind treating Keychain as the master DB and occasionally copying passwords out of it. Part of this is because I use Safari exclusively for the extra important things like my bank.

> If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.

This has been the Apple way since the 1980's

> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

I just learned that this GUI exists. I have been using /System/Applications/Utilities/Keychain Access.app for years to deal with passwords.

Me too. Now to try and figure out if I can create a Macro to launch this.
Same. And now I'm trying to figure out if there's any advantage to using the UI in System Settings instead of the app I already know.
It's not great, but the app you are looking for on macOS is Keychain Access
"If you are 100% Mac then it's a good product."

I use 100% ma except for gaming. However, I use other browsers as well, so the coupling to Safari is a deal breaker.

Last pass had a major incident recently iirc.
I moved to Bitwarden right after it, and I can't believe how much better it is in terms of UX \o/. I whish I had made the move years earlier.
Have there been any known incidents with Bitwarden?
Also, if your phone is stolen / lost and someone can guess your 6 digit passcode, then all your passwords are exposed.

That was biggest deal killer for me.

I’m all in for personal web browsing. Safari is a great browser basically 99% of the time and having free synced passwords (and really any critical data!) between my desktop, phone and tablet, I get tremendous value.

For work, I use chrome and chrome password management because my company uses gmail.

Don’t use System Settings to find passwords, open Keychain Access instead, it’s much more direct for searching.
The main limitation of Apple's passwords implementation for me is lack of sharing. For accounts that my wife and I both need access to, we can have them in a shared location in bitwarden, but there's no comparable feature with Apple's. I'll probably even start paying for bitwarden so that I can share with more than one other person when my kids are old enough to need access to them
Yeah, this is a bugbear. FWIW my wife and I "share" keychain items by airdropping them to one another as required. It works, but nowhere near as nice as having a common record we can both maintain.
My wife and I do the same and it actually works better than sharing because my wife understands how to do it without me trying to teach her.
I'm using self hosted Vaultwarden (open source implementation of the backend) and the password sharing feature is very nice to have.
> > 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

On iOS you can ask Siri "show my passwords". Doesn't seem to work on MacOS though.

> The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!

I do: Cmd+space > "keychain" > Enter. Still not ideal but it's the fastest method I know. What do you mean, i.e. how do you access the GUI from the system settings? I tried finding keychain there but couldn't figure out where it is.

It's available as "Passwords" in the system settings. I think they added it recently to align it with iOS and iPadOS, where there is no mention of it being Keychain at all.
That's way nicer than what I've been using (i.e. Keychain Access). I'll likely switch to Passwords. Thanks!
Serious question but what do you use Windows for? I don't know alot of people that use Windows anymore so just wondering is it a work requirement?
Went the other route, sold my iPad and went with a Surface instead...

the short of it: It's inelegant, there's bugs, the UI is half-assed and some aspects are straight hostile (default widgets etc.). But it's an actual generic computer. Most task you assume you could do with a computer, there will be a way to do it.

It might take some efforts to get to a decent setup, but the walled garden was also a PITA, so all in all, I felt my time is better invested in making windows a nice place than the endless fighting of Apple on iOS.

As a halo effect, I'm kinda thinking about moving to Windows on my main computer as well on the next refresh cycle...not fully decided, but that feels like a viable option.

> 1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.

Ditto. Why do I have to replace my Windows login password with a "PIN" code that's the same as the iCloud Keychain PIN !? That's super weird!

I guess everyone is over the anti-"self-preferencing" policy push over the past few years and is back to normal. Sherlocking is in fact good.
I still miss Mozilla Lockwise.
At least Firefox makes it easy to view your Firefox passwords. In Chrome it's nested in settings and the text box where it shows the password is tiny.
I've always used Keychain Access to view/manage passwords. If they cleaned up the UI a bit it'd do pretty much exactly what Cabel is talking about here.
I will tell my family to use iCloud Keychain the day when it works across all major browsers and OSes. Or at least that they provide an API to sync with other password managers.
They already have an app, Keychain Access, but for weird reasons they integrated the new features into System Setting instead of expanding the existing app.
Fully in agreement here, getting people used to Apple Passwords can be a task purely because it's stuffed into settings.

Would like to see them in the process of transitioning it away from settings, also include the ability to change the name of the entries. Multiple URLs per login would be great too (or even a linking of separate entries). Think these are the biggest things keeping many general users still relying on the likes of 1Password/Bitwarden, which is where I disagree with the writer here, I think third party password tools should be replaced by sane defaults as soon as possible outside of niche cases.

> And it all syncs across your devices, for free?!

Really? My Linux devices? Android? Windows? I don't think so.

I recommend considering one of the most important features of a password manager is that it doesn't force you to use a single manufacturer's products forever. Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future. 1Password, Bitwarden, and others allow me to switch PC manufacturer, phone manufacturer, browser, and so on.

I can't tell you how many people used to think "Internet Explorer is popular, it'll always be the one and only browser". That did not end well.

> Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future.

Changing my mind is easy enough: I can export my iCloud passwords to a csv file, and I've done this to transfer a bunch of passwords to Firefox Linux desktop.

I'll tell you something though: If Bitwarden leaked passwords nothing would happen because America has very weak consumer protections, but if Google or Apple leaked passwords, they'd be hit in every EU member state for GDPR.

Some of these things are outside of my control, and using a password manager is too useful that I think it's worth a little risk, but I can't justify trusting any company unless they've got some skin in the game, and Bitwarden specifically wants to disclaim all liabilities? AgileBits thankfully is in Canada and you can at least sue them for what you've paid them in six months, but I personally have passwords more important than that. Surely there's someone else you could recommend?

Self-host vaultwarden at the cloud provider of your choice?
What is the point of this? Isn't it easier/simpler/better to just sync a file with the passwords rather than keep a server running?
How do you propose to sync a file without a server? What do you do about conflicts? Sure you can do this, but IMO the experience sucks in comparison.
I use a syncthing. I'm not yet sure how it handles conflicts, but I think it'll ask me?

Even if one needed a server for syncing files, should each application that needs synching require its own server?

Should they is arguable.

But I think in this case it's pretty much required for good UX with the way file syncing works on mobile and in the browser, especially dealing with conflicts. I've done it both ways and there is a lot less friction with vaultwarden than my old 'synced KeePass file' approach.

It was just a suggestion, there are other ways to skin the cat.

LastPass' entire business model was about protecting passwords, and passwords still got leaked. Most prople want security, not "ability to sue" which is not at all the same thing.
I don't want something just because "most people" want that thing.

And I disagree: I think everyone who has been harmed by another wants the ability to have their story heard by a judge and jury and be cured by the law. Maybe they would prefer to not be hurt in the first place, but as you point out with LastPass, they may not have that option.

What we can choose is the jurisdiction in which we trade, and I would recommend people spend less time navel-gazing and more time thinking about what they can be doing to make things better for themselves.

This is as good as comment as any to hang my off-topic thoughts on...

I use Chrome's built-in password manager. I always set up website security questions with gibberish answers. I wish Chrome would give me a field to store those answers. Or, better yet, treat them like password fields and autofill them.

This. Wouldn’t matter if they had the best UX, and I have both an iPhone and a MacBook. First, I want to be able to use my Linux and Windows machines like they are first class citizens. But more importantly, if I lose my devices I don’t want to be locked out.

Apple is, to this day, largely unable to recognize that there is a world outside their beautiful dystopian garden. I’m sure they’re drooling about making the MacBooks run iOS so you can’t use any software that hasn’t been scanned and approved. When that day comes, I’m out for good.

I use Keychain Access app, but admittedly the UX there is terrible. I wish it was nicer, and also integrated with browsers other than Safari.
I think the reason Apple hasn't prioritized this is that with their login with Apple implementations and passkeys, the utility of copying/pasting or looking up a password is dropping over time.
You can make an iOS shortcut to make it appear as an "app" (launches keychain manager). I did this for some elderly folk, works great.
While we're on the subject, other Apple things that deserve an app:

Dashboard/status

- I have a smart lock, and they have their own app, where all it really does is show the current status of the lock and let me toggle it. There are quite a few apps like this. It'd be nice if they could all be condensed into a dashboard/status app that could just tweak values and show current status. Apple Home attempts to do some of this.

Notifications

- It'd be nice if there was a notifications app, and I could set most of my apps to deliver their notifications to that app, instead of me directly. This would reduce notification overload and distraction.

Isn't that first one Home/iHome/HomeKit whatever you wanna call it? If your lock doesn't support HomeKit there's a good chance Homebridge does.
Have you tried Notification Summaries yet? That's sort of like a "deliver notifications to a separate app".

In the notifications settings you create at least one Scheduled Notification Summary. I've currently got ones setup roughly every four hours during "core daylight hours" for me, plus I enable the "preview option" to read the next summary early if I need to. Then you add as many apps as you want to the Notification Summaries. All of the notifications for those apps during each time period get rolled up into a single Summary object in your notifications, only give a notification alert once for the entire group of them (at the scheduled time), and don't cause Watch notifications (if that's a distraction/overload you especially juggle as I do).

At this point I've even got all my email notifications going into Summaries (which is why I turned on the preview for the next summary if I feel like I need a quick glance at recent email subject lines without opening my email app up).

It is such a useful tool and not a lot of iOS users discover it in the settings. May also be an indicator that it could use its own app because discovery in the Settings app itself is hard. Maybe the Settings app is just doing too many things now and needs some sort of reorg or something.

I follow Ricky Mondello, who works on the Apple password keeper functionality — they post interesting tidbits pretty regularly.

https://twitter.com/rmondello

https://hachyderm.io/@rmondello

I met Ricky at a WWDC years ago when I was in the password manager field. What a wonderfully intelligent person. Actually, several members of the Safari team were present at that meeting and it was such a great set of people. I kind of miss that part of that job...
+1 Ricky is the best. They also made a very useful Shortcut [1] that offers quick access to the Passwords on your Home Screen or Mac menubar.

[1]: https://rmondello.com/passwords-shortcut/

That iOS supports multiple password sources from other apps already largely solves the case of using a cross-platform app to provide or store passwords.
It took effort but I finally got my dad to use 1Password regularly, but my mom would be a lot easier to convince if Apple just made its own password tools easier to use, especially cross-platform, including maybe putting a nice app face on it.

> PPS: I dream of a future where Passkeys could make the password manager extinct. But it’ll take time…

Passkeys even more so need more of a "curated app experience" to work right, cross platform. Ironically, it is my impression that preparing for Passkeys is why Apple finally added that password explorer to Windows' weird iCloud "control panel". (For a long time, the only way to use iCloud passwords on Windows was the awful Edge/Chrome integration.)

internally, apple used to have a pretty big 1Password contract - https://appleinsider.com/articles/18/07/10/apple-looking-to-...

Maybe they don’t want to promote their own too heavily, to allow 1Password to take on the organizational risk of running a password manager? (For context, think about your current view of lastpass vs how you felt about it a year before their leak). Maybe the internal password management functionality is better suited to orgs which restrict third party apps?

1password has features that are useful in a large corporation that keychain does not have, particularly around sharing passwords and password vaults.

I haven't noticed even minimal credential sharing facilities in keychain.

WRT credential sharing, you can airdrop credentials to people on your contacts list.

But multiple vaults and vault sharing - no such luck. I don't think they want to deal with the UX confusion of it, especially since that confusion could lead to someone getting locked out of things.

I have been using the Apple manager since LastPass got hacked recently.

Hot take , but … I like the lack of integration in other operating systems/ browsers.

I see my phone as a Secure Enclave, and my passwords should be disconnected from potentially insecure systems. I see the phone as those keychain one time passwords where you have to press a physical button to get a key.

Is it inconvenient to get a password, yes. But it offers the piece of mind that I only have to worry about iPhone/Apple exploits, instead of chrome+firefox+windows+Linux+Apple+iphone.

I don’t think in this case Apple is not doing the integration because of this security feature, but I think it is a feature non the less. Of course you can always choose not to install the extensions even if they existed, but the point is that if they existed it would lower security.

don't lose or break your phone....
iCloud solves that.
Unless Apple ever starts following Google's lead to ban accounts for any infraction and you don't store backups...

Not saying Apple is doing that now, but I imagine it's not outside the realm of possibility.

We can use the same argument for any other cloud password manager. If google/Apple blocks my access, well it’s those services I am trying to log into in the first place so the point is moot.

Also I have recovery keys for the more important accounts printed and stored in a safe box.

Except password managers that YOU need to take care your vault, like KeePassXC.
I used keePass before LastPass, but the issue was with keeping the file synced. I had it in Dropbox and I was able to open it no problem from the phone, but making updates from phone was a challenge. Maybe I was not using a good app but it was a hassle to keep it synchronized.

But anyway, somebody could cut off your access to Dropbox, but it’s less of an issues since you have a backup.

I simply don’t sync my vault. I don’t add or change passwords very often, so I treat the vault in my computer as a “main copy” and once a week, during my backup routine, I copy the current vault to my phone. Never had an issue.
Not really, you need another device to share icloud keychain
Nope. Buy a new iPhone, sign in, it’s all back.

It’s useful even in non-multi-device scenarios.

So, it is not encrypted? nice
I have my old iPhone with no sim that I mostly take to the gym to protect the new one.
>I have my old iPhone with no sim that I mostly take to the gym to protect the new one.

What is the other one doing in the gym, unprotected?

One at home, one with me for Spotify in my pocket.
How do you access your passwords on your new iPhone from your old iPhone?

Oh, they're stored online? There goes your entire "secure enclave" argument ;-)

This was precisely what drove me off Apple password manager. If your iPhone were compromised, such as in those iPhone unlocking scams[1] (something quite common here in Brazil at least since 2021), it's game over for your entire password database.

I've been using KeePass apps (MacPass on macOS, KeePassium no iOS), with a different, unique master password, unlogged by default on iPhone, plus DB locks automatically after 10 minutes of inactivity.

Maybe I'm way off, but it seems safer to me.

[1] https://www.wsj.com/articles/apple-iphone-security-theft-pas...

Absolutely. Given these reports, Apple's security model isn't close to being sophisticated enough to warrant trusting them with passwords or (even more critically, arguably) WebAuthN passkeys.

I recently saw it with my own eyes as a family member was able to reset their iCloud password and gain full access to their account on a new device, including iCloud Keychain, using nothing but their iPad and the corresponding unlocking code. No iCloud password, no SMS-2FA (not that it would help much in the case of a stolen iPhone), nothing else.

Can you explain how this hack would work ?

Would someone need to steal two of your devices ?

I was under the assumption that you need to be logged in with touchid/faceid/pin code to get the unlock code

The attack in this case would be somebody shoulder-surfing your PIN and grabbing your device.

They then have everything they need to take over your iCloud account (kicking you out of it in the process by resetting all other devices capable of resetting it) and can see all your passwords stored in it, as well as use all of your WebAuthN passkeys.

I'm not sure if having a recovery code would improve that situation, but I'd guess that many people don't.

Ah ok, yes the shoulder surfing is definitely a problem.

Hard to mitigate somebody looking over your shoulder, this is the case with most password managers, but I understand why this is a more likely scenario.

In a semi-safe situation (e.g. on busy public transit or in a crowded place with people behind me), I do sometimes unlock my password manager using Face ID to access a website, but I'd never enter my passphrase if the biometric unlock fails.

If somebody watches me enter my passcode and then rips the device out of my hands and runs off with it (assuming the password manager is not open), they now have access to most of the content on my phone, but importantly not the parts protected by Face ID, which includes the password manager.

If I had used Apple's password manager instead, they'd be able to recover all passwords (using the tactics described above or simply enrolling their own face in Face ID, which is possible using only the passcode).

If you reset/create an alternate appearance for faceid does that force a manual login for the services that use it? Because your device passcode lets you change all the faceid stuff… too lazy to mess around with it myself
Apps can choose [1] to tie have keys to the current set of enrolled biometric credentials (i.e. faces or fingers), and at least my password manager does that, as far as I remember from some testing.

Some apps don't, and some even react really poorly to a change of the biometric set (i.e. crashing at every Face ID use with no way to reset other than reinstalling), so I'm also not too keen on testing this on my main device.

One thing that surprised me during my limited testing was that Apple apparently doesn't make use of this capability for storing the "encrypted notes" passphrase, which effectively also reduces the security of that to that of the device passcode.

[1] https://developer.apple.com/documentation/security/secaccess...

I have an iPhone and while I understand that Face ID probably has fewer false positives than fingerprint recognition, I really miss the physical rear sensor on my Pixel 2. I don't know what the collision rate is, or how easy it would be to break if someone stole the phone, but it was a really great user experience: haptic feedback is good, it was/is incredibly reliable at unlocking and it was useful because you could pass your phone to a partner/passenger in a car and unlock without looking (i.e. no more unsafe than changing the cabin temp) and no need to share your pin if with a stranger. I think the only time it failed was after climbing with chalky fingers.
I saw advice here a while back about using Screen Time to block PIN and Account updates. This gives you a separate PIN to protect those, so theoretically if someone shoulder surfs your phone PIN they can’t take over your iCloud account.
I use this trick. It's an added layer of security, although a weak one — Screen Time PIN is four digit-mandatory — and a workaround — as in: not made for security purposes.
Incidentally this is the method my 6 year old nephew used to reset his mom’s Apple ID password so he could make in-app purchases. He figured it out on his own and then spent $3000 in a couple days. His mom had been very careful with her password but when he wanted a code on his iPad she thought it was harmless—she certainly never expected that he could get all the way to changing her password with nothing more than the lock code! Took her months to sort it out.
Thing is, even within these constraints it has rough edges.

If you have two accounts (let's say a personal one and work/family/org one), getting passwords for the second account will just be a PITA.

Same issue of course if you need someone else's password (e.g. your spouse's hotel reservation account's password)

Trying to work this around means you'll either be asking people's passwords other the phone or other means, or you'll often switch between accounts and will want lower security on the account themselves as the identification process get old very quick. Basically, these limitations are not without impact on security and how people will deal with them.

If Apple password manager is anywhere as well thought out as their 2FA for Apple TV then I don't want to come next to it within 10 light years.

Every time it asked me to either "confirm on your iPad" (I have 3 of those around the house) or "confirm on your iPhone" (I have 0 of those) I was ready to hurl shit. SMS option buried in some dark pattern, of course.

If these companies want to encroach in the secrets management space they really need to hire more qa and test more than a single happy path. The number of failure modes in these systems is astonishing for the billions of dollars these companies can throw at the problem.

I suggest you move to Ross 248, which is a mere 10.3 light-years away. However, 32000 years from now it will be the closest star to our sun at 3.024 light-years so keep that in mind!
I think there’s a setting for that in setup. Is your problem that Apple thinks you have a iPhone or that you have to interact with the tv on a second device?

As with all things apple when you buy in you get the best experience. That feature on AppleTV works really well with an Apple Watch.

Which really sucks and puts you off from getting more Apple devices if you're a person who slowly buys into the ecosystem rather than go all-in without testing things.

Personally, I was a fan of Apple laptops between something like 2010 - 2015, but after that I just couldn't deal with it anymore, as I had a Android phone and nothing else Apple.

Fast forward to 2019, Apple finally releases a phone that fits in my tiny hands, so I get a iPhone 12 Mini, thinking that the CarPlay experience will be loads better than Android Auto on a measly Moto G.

But holy smokes if I wasn't wrong, CarPlay is a UX disaster and I can't wait for the iPhone to break somehow or get too slow because of OS upgrades, so I can justify buying a new phone again.

Just the simple fact that a phone calls covers the entire screen (which I use for GPS) seems like such a simple use case that they somehow missed, that I just wanna bin the entire system and I'll never buy Apple hardware for daily use again.

I still have to use Apple laptops for software I release, but every time, I'm reminded how great the UX used to be, but how far they have fallen. Really sad to see. Windows is no better either, each version gets worse and worse...

Even if macOS and iOS are my primary work (and personal) platforms these days, I still like a solution that works great on Windows, Linux, and Android as well.

I'm pretty happy with 1Password - it does all of the things mentioned in this article with more platform support

Exactly, this is why many of the Apple services are useless unless you are 110% in their ecosystem. At least Apple Music is the one app they somehow made available on Android and Windows.
There's a feature on the AirPods that allows you to enroll them in your iCloud account enabling Find My.

All you need to do is connect the AirPods to an iCloud-enrolled Apple device, and it will automatically connect to that iCloud account.

Oh, but it's not any iCloud-enrolled device, it must be an iOS device. Connecting them to my MacBook didn't do anything.

I went into the Apple Store to ask for a solution to that problem. They legitimately asked me why I'm buying AirPods if I don't have an iPhone -- they're called Air Pods after all... Anyway, their proposed solution was for me to buy a refurbished iPad for $450 to connect the AirPods to my iCloud.

Apple Music started its life as Beats IIRC, so a good cross-plat UX was part of the acquisition. See also Shazam.
I find 1Password to be sort of a pain when signing up for new accounts on my iphone – the generate secure password & autofill doesn't always work for me – on the web it's great though
I considered 1Password when shopping around for a new password manager, but the pricing of the subscription and the fact that it was an Electron app killed it for me.

Currently test-driving a smaller alternative with a one-time payment.

My passwords are split between iCloud on my Apple stuff and 1Password doing cross-platform duty.

I've been paying for 1Password for a while, but boy that electron app they rolled out with v8 is a clunker… will probably keep paying so long as 1Password 7 works but after that I'm gonna have to figure something else out.

One problem with that is if a person has a non-Apple product, Apple won't build the app cross-platform, so they are even further locked into Apple hardware then.

Might not affect that many people. But it would surely limit choice for those who don't even know about the lock-in later in their lives.

Any attempted lock-in is guaranteed to attract attention of EU regulators.

This is what Apple probably wants to avoid. They won't be allowed to play a "Safari" this time (i.e. all password managers are allowed, as long as they are a frontend to our own password manager).

Also, having the password manager as a separate app, it is likely they will be asked to provide a standalone password migration API for third party password managers. This would make switching to another ecosystem trivial for moms & pops, who currently need to deal with CSV import & export* if they want to move their passwords out of iCloud.

* Not sure what the situation is ATM, but a few years back exporting passwords from iCloud was not directly supported. I had to run a third-party AppleScript script to generate a CSV to import in another password manager.

Keep a “Notes” field where you can add extra data, like 2FA backup codes, for each password!

I'm not sure if the reference here is to Keychain's "Secure Notes" or the "comments" field associated with password items. If the latter, I've found (at least on older versions of OS X/macOS) that when Safari updates the value of a changed password, it deletes the comments! I used the comment field to add the (random) answers to security questions, and got burned on a couple of sites when I've needed to do an account reset and lost those answers.

> that when Safari updates the value of a changed password, it deletes the comments!

It doesn't change a password, it creates a new one.

This means if you somehow mangle saving the password (you thought you updated it, but didn't) the older password is still in your keychain with the older note and it can still be retrieved.

Tangentially related, something that has slightly inconvenienced me a few times: Can someone point me to a setting to get Siri to show me my passwords again, on iOS 16?

Before, I could ask on an unlocked phone to “show me my password for GitHub” and Siri would open the settings app with the password list and show the GH credentials. Now (since iOS 16?) Siri just refuses to do any request that contains ‘password’.

You mean Shortcuts? You can have it open this URL:

prefs:root=PASSWORDS

You'll want to set up Siri separately as part of it, but you can definitely do that with Shortcuts.

Interesting, thanks!

What I described didn’t need a shortcut before. It was a vanilla iOS feature. I assume it went away for privacy reasons with one of the OS updates. And hoped there’d be a setting to get it back.