I really like Apple's implementation of passwords, passkeys, etc. But...I had a hard time explaining this to my mom.
She uses it to generate her passwords and fill-in within Safari which is great!
But there's no "Passwords" app, and she didn't know to go into Settings to reference a password when Safari doesn't recognize a password field (probably the website's fault).
2FA is also a confusing experience, but 2FA is also just confusing enough for her where Apple isn't really the problem here.
Make an alias to Keychain access. Name it "Passwords" and have that a directory that is indexed by Spotlight (the Utilities directory under Applications where Keychain Access is found works fine).
Searching for 'pass' in Spotlight does bring up Keychain access - as that's in the apps list of Keywords... however the list of apps is way down on the scrolling https://i.imgur.com/KFUC0G0.png - it found 'password' as a string in 100 python files that I had to scroll through first.
Sorry, but that also doesn't mean anything to the average user. If anything it's made it more complicated for them—they will remember to type in "key" before they learn how to make an alias
That I don't have an issue with the word "keychain" doesn't mean it's not bad UX for the average Mac OS user
Since I use it quite a bit for secure notes, I've got it pinned in my toolbar. From the top down I've got Finder, System settings, Keychain Access, HomeKit, Launchpad, Safari... and then other things.
iOS does not have "Keychain Access" as a named setting or app.
MacOS has both Keychain Access as a standalone app, and Passwords as a section in your settings. The latter is dedicated to purely passwords that you, as the user, make. Keychain Access also contains passwords for Wi-Fi and other systems.
Are you talking about that utility that looks straight out of Windows 98? Surely it could use some love in 2023. I don’t think I’ve ever seen it updated, it’s not an acceptable UI for consumers.
What the actual flying fuck, the apple password thing supports TOTP! That's great! (And a sad testament to how poorly the discoverability is on some ios features)
Not just that, they will detect QR code images to work around sites which assume that TOTP is only available by scanning your desktop screen from your phone.
Step Two[1] also does this, which is one of the reasons I've been using it for TOTP for the past few years. Nice to see that the built-in TOTP support can do that now too.
I tried going all-in on using iCloud Keychain (correct term?) for my passwords from having previously used LastPass.
In short.
1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.
2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.
3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!
I think those were my big complaints. If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.
Just use Passkeys. Any account that allows 2FA allows multiple second factors. You should be setting up backup second factors anyway if you don't want to risk getting permanently locked out of all of your accounts.
Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor. If you're using strong passwords with 1Password, your second factor is basically only defending against a leak of your password database. If you're storing your second factor in that same password database, what are you gaining?
Well, with the exception of AWS, unless something has changed recently — they notoriously only support one second factor (i.e. if you use YubiKeys or similar, you can only use one).
Yeah, AWS is the only exception I've encountered :)
But if you have backup second factors (you have backup second factors, right?) and you're worried about Passkey lock-in for whatever reason… just use that other second factor for AWS or any other account which supports only one.
You can add multiple MFA devices since November of last year:
> Now, you can add multiple MFA devices to AWS account root users and AWS Identity and Access Management (IAM) users in your AWS accounts. This helps you to raise the security bar in your accounts and limit access management to highly privileged principals, such as root users. Previously, you could only have one MFA device associated with root users or IAM users, but now you can associate up to eight MFA devices of the currently supported types with root users and IAM users.
> Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor.
Not quite! 1password itself counts as two factors: something you know (the master password), and something you have (the additional secret key).
Passkeys in 1password would eliminate phishing as a problem.
If you're in this category, your alternative to Passkeys at all is SMS or no 2FA whatsoever. Enabling Passkeys does at least ensure that you have a minimum of two separate devices so you already do effectively have some form of backup of your second factor.
My comment is targeted at someone who is savvy enough to: a) care about having "real" 2FA, and b) is concerned about lock-in, and c) is extremely sensitive to being locked out. For someone like that, you're already buying YubiKeys or some equivalent. And if you don't already have some, you're never prevented from using them later.
Reminds of the occasional comment threads on here about homeless people permanently locked out of new accounts every few months because of stolen devices and the growing corporate obsession with forced 2FA, and all the replies that amount to "if they didn't want to fuck off and die they shouldn't have been poor".
passkeys isn't supported on linux desktop, at all. and if you know how to make it work, please let me know. I have to switch to a Windows machine to login with them.
Yeah, that's why I'd never touch passkeys. It feels like you're basically locking yourself into a weird ecosystem that you'll never be able to escape from.
If you're using hardware 2FA, you should absolutely have backups. I've used YubiKeys for years and have one in my laptop, one on a keychain, and one in a safety deposit box.
Passkeys are just another instance of this. I have added Passkeys to all of my accounts with 2FA and it's somewhat more convenient (significantly more convenient for mobile devices). But every account also has all my YubiKeys attached as second factors.
There is no lock-in. And while it's inconvenient and annoying to have to add multiple keys to every account, that is already the reality if you're responsibly using hardware second factors.
This would be less annoying if we could get actual federated identity that big players would actually accept, as it stands having to fetch a key from a safe deposit box every time I register a new account is a huge amount of friction.
It absolutely is. But that’s a separate problem entirely from “will Passkeys lock me in to the Apple ecosystem”, to which the answer is an unqualified no.
To be clear, I was referring to one federated identity that everyone would accept, as it stands there isn't a single, federated identity provider that Apple, Facebook, Google, Microsoft, Amazon, Bank of America, my power company, etc and so on will all accept. I'd like to secure one spot on the internet as an identity, a digital passport of sorts, and secure that heavily then have it log me in to everything. The closest thing we have currently to a digital identity is an email account, but we should really move past that.
Agree on most of this but Keychain Access IS a standalone app on the mac so slightly confused about the comment about it being buried in System settings. Its still a pain to go to the app and copy a password for non-Safari browsers though.
I just do cmd+space -> type "pass" -> Return -> fingerprint. That gets me to my iCloud Keychain. I used to use Keychain Access but like the UI of the Passwords tab of Settings more.
It‘s a view and editor for all kinds of stored keys. I don’t think its target audience ever were intended to be some random macOS users. That’s just not the target group. It‘s about power users that need to access or store all kinds of keys.
I believe Apple only lets you use certain APIs (like Keychain) if you distribute only through the App Store.
That policy has really killed a lot of functionality on macOS. I suspect it will cause fiction on iOS when the EU forces them to allow alternative install sources.
Personally, it grates me when Apple cripples functionality this way to try to keep us stuck in their platform. Can't use Firefox with Keychain. You can only view your current Apple Card balance on an iOS device -- not even a macOS device. At the end of the day, I hate being manipulated so much that it actually pushes me away from the platform to see this scummy behavior.
Is there a reason Chrome, Edge, and Firefox aren't on the Mac app store? I know the yearly dev account costs can be an issue for small developers but Google, Microsoft, and Mozilla are already paying that as they release apps on the iOS App Store.
If I had to guess, the review process would just be a hindrance to them for nearly no benefit (is there anything besides the keychain API that would entice them?).
I assume it's annoying to jump through hoops and code review for every release.
Most macOS users don't use the app store. So directing folks there can be annoying for users, or even cause problems if they aren't signed into iCloud.
They'd likely end up with either an old version on the app store at all times, or with a massive, unpredictable day-or-week-long delay waiting for Apple's reviews before every release. Small wonder they don't bother.
I will always regret being just slightly too late to enjoy Apple's golden era. When, yes, using an iPod meant locking into iTunes, but at least you didn't have Tim Cook nagging his captured audience into signing up for Apple Music Subscription Plus - Now for Families!
> You can only view your current Apple Card balance on an iOS device -- not even a macOS device.
That sounds especially annoying. An iPad next to you can auto-config itself as the umpteenth monitor of a Mac, but macOS can't pull Apple Card balance from your nearby iPhone?
There seems to be a Google Chrome extension called "iCloud Passwords" but it only has two stars, so I don't think you'll be positively surprised.
Also, on iPhone it's ok-ish but on Mac the experience is a subpar too: Keychain, the app you use to view your passwords, feels like a 90s Visual Basic application. Plus you can't organize your accounts, and even if you prefix them to "sort by name", the special name you give is lost after using it.
On the other hand, I already have other Apple cloud stuff and kinda trust them, so I suffer through it. And other password managers aren't anything to write home about either to make me change :/
Note that macOS now has three “apps” to view your passwords, three different UIs for the same database. There’s Keychain Access, there’s the Passwords section of System Settings, and there’s the Passwords section of Safari preferences (which is the same UI as the pre-Ventura System Preferences app’s Passwords section).
The other two have even less organization functionality than Keychain Access, so this probably doesn’t help you, but the blog post was talking about the System Settings version so I wanted to point it out.
What's wrong with Keychain Access? It hasn't changed its appearance since more than a decade. That's a good thing for familiarity. Early Mac OS X apps have incredibly good design that doesn't waste space.
But it does waste a lot of space... there's a lot of duplication of keys (which are deduplicated in the iPhone app), and with other information (somehow I have hundreds of "com.apple.cloudd.deviceIdentifier.Production" in there). And I already mentioned organization fails. Plus it's kinda insecure as it enumerates your accounts exhaustively without asking for a password like iPhone/Safari (granted, not a problem specific to this app). And the interface to view the passwords is terrible. Old and familiar is not synonyms with "good".
However now that comex pointed me to the Password in the "System Settings" app, I at least can use it and it's fine if Keychain is left as is.
Maybe this was it...IIRC the user must also have iCloud For Windows installed? It's been several months since I tried this setup. For my personal user experience it was unacceptable.
And this annoys me greatly. I want cookies, bookmarks, and passwords to be owned by the system. That way I can switch between browsers with ease, and that would also lower the bar for new browsers to come out.
Agreed. This sounds like a nice user-friendly feature until you realize what a colossal privacy disaster this would be for any malicious app that the user grants these permissions to.
"DerpCo Derpolizer would like to access your stored cookies. This allows us to automatically log into your DerpCo account!" and then bam, they hoover up your login data in an instant and send it off as part of their telemetry.
Much better to have a system like (for example) sign in with Apple where you can easily click a button to have the system authenticate you, but no one gets access to anything without specifically asking for it.
Maybe if you're only using devices from one type of brand. But what if you wanna access those things on a Mac and Google Pixel and an Amazon Kindle. Sure, might not be that much of a mix, but I imagine a decent amount of people have at least one device from a different brand.
Funny situation, there's another thread I was replying to someone who wanted to shift back to native apps instead of cross plat electron apps (for performance reasons).
Well, Apple Passwords on Windows is a good example of how that turns out in reality. I believe it's using WinUI. While the performance is nice, the experience is entirely unlike what you get on Mac and winds up making you wish you were using another service entirely.
This has been the story of Apple apps outside MacOS forever: they appear to always do the absolute minimum to claim support, and you end up with a super clunky windows app that is terrible.
I doubt they’d do much better using electron: I think their development model is that if it isn’t on one of their platforms, they pump out a minimum-effort, low quality app. I’d guess that electron ones would be just as clunky, except with a significantly higher memory and CPU footprint.
That hasn't really been true. Apple supported iTunes and Safari which were great options on Windows. Not just "I'm already an Apple fan so I have to use it", but actively deciding to use them.
The root of the problem for Apple is that they cannot get away with doing what they used to in the past, they already have a plethora of platforms within their own umbrella to support, adding Windows native to the mix seems to result in maybe a handful of developers taking on enormous burdens by trying to catch up to their expected Mac apps.
If Apple were to seriously put its weight behind a cross-platform toolkit, this might change, especially as they want their services to grow. It's the very reason why their main service competitors can even compete.
But I agree that if they were to suddenly switch to Electron without a care it wouldn't turn out well, but likely have a better end user experience than their current reveals.
> Apple supported iTunes and Safari which were great options on Windows. Not just "I'm already an Apple fan so I have to use it", but actively deciding to use them.
No they weren't. They were notoriously awful. Apple resorted to bundling Safari with QuickTime to try to get you to use it but everyone still hated it.
Apple had (has?) Cocoa ported on Windows actually, so whatever they could so on macOS, they could do on Windows as well. Cocoa as such is cross-platform.
Basically, it was called Yellowbox, but it didn’t officially survive the release of Mac OS X IIRC. But Apple was at least still using parts of it for some Windows ports back then I believe.
> Apple Passwords on Windows is a good example [...] the experience is entirely unlike what you get on Mac
If you were a Windows user, why would you want an app that acts like a Mac app? Surely the benefit of having a dedicated Windows app is that the experience should be like other Windows apps.
You're not really thinking about it as a "mac app", but rather "the service". You expect it to act like the service you use on other platforms with all the features you rely on.
If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI", I immediately know where the genre categories are because I've already used it on android or linux and expect it to be there. I know exactly how to add a song to my library, to shift around playlists, to manage folders, everything is as I learned it on [other platform].
Design development becomes this duplicated burden where every feature now has to go through the ringer twice (or more) to fit native components for their respective platforms. When you hit limitations on those native components, you're now having to make the decision to either hold back the feature entirely, or create fragile workarounds.
In an alternate timeline native components would have had far greater appeal, where people actually hate and boycott apps designed otherwise. But we don't. Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components. The situation is even worse on windows past 7, where the idea of a "windows app" is so jumbled there is nothing to "expect" from the experience - which is actually part of why I think these unified app designs have really taken off.
> If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI"
We're either very different people or we have different use cases :) It immediately feels jarring to me to be using macOS and suddenly presented with a non-native UI. But I only ever use macOS on the desktop, so I don't have this cross-platform issue. What I find strange is, I would have thought that was the 99% common case — it seems strange to me to optimise for individuals using multiple OSes rather than multiple apps on one OS.
> Design development becomes this duplicated burden
That sounds like an OS flaw if true. Of course, I accept that some design will be necessary, even with the finest SDKs available to humanity, but it should be so burdensome that going non-native is seen as the solution.
> Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components.
You're totally right. Every now and again, I say to myself "I really must use Safari for the 'more native' experience", but I always come running straight back to Chrome again.
> The situation is even worse on windows
This was one of the things I liked best about macOS when I first migrated — everything was so consistent, things didn't visually clash, etc. I still get the impression it's better on macOS, but heck, it's definitely not as good as it used to be.
Not that I disagree with you, but have you seen the new Windows app for Apple Music? It definitely feels Windows 11-ey, with the animations you'd expect. A notable departure from the Mac design, in favor of Windows design, is the placement of the back button at the top left corner of the window, instead of slightly to the right of the top left on Mac.
I use Safari a lot but if I'm in a different browser then my passwords are unavailable.
No, it's not. I alternate between Safari, Firefox, and Duck. If a password I use in Safari isn't stored in Firefox, I copy it from the Keychain program and paste it into Firefox. Firefox then asks to save it. No problem.
The GUI is buried in System Settings.
It has its own program. /Applications/Utilities/Keychain Access
It's not just a good product if you're 100% Apple, it's only a good product if you're 100% Apple and are willing to accept a great deal of friction if Apple's direction no longer suits you in the future. It's a version of what some people call "high time preference".
Personally, I was taught to care about the future.
Still adds a great deal of friction and makes it harder to, say, experiment with an Android phone or a Linux desktop for a month. Compare that to 1password which just works.
As stated by another poster, Netscape vs MSFT was about coercing OEMs not to include competing browsers to be pre-installed on new systems. Apple could create and give away a cross platform password manager without much fear of ramifications, unless they exclude all other password managers.
Better yet, using the Shortcuts app for iOS, create a shortcut that opens a URL with `prefs:root=PASSWORDS` in Safari.
For macOS, you can make the same shortcut open `/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/PreferencePanes/Passwords.prefPane`.
A single shortcut can be used to accomplish this, using the OS check and an `if` condition.
Then add the shortcut to the home screen as an icon and it’ll also show up in Spotlight search.
I mean, thank you. Buttttttttt this is an asinine level of effort to achieve a workaround for a stock feature on the Apple platform. I'd just assume not use it before implementing this.
That said, this also proves that for non-power users: it needs an app and it needs integration with other browsers if it wants to be as easy to use (for most people) as the popular password managers.
On iOS, my only password manager I've ever used is the built-in Apple one.
I just tapped the "search" field on the home screen, and typed "passw".
"Top Hit": A store link to the LastPass password manager (which I do not and have never used—the button has the text "get", it's not installed and doesn't have the cloud-icon for previously-installed apps)
From there, it's three suggested Siri web searches: "passwords", "password manager", and "password generator"
Then two safari-iconed links (I assume these would search with my default search engine in safari?): "passwords on iphone" and "passew"
Searching inside the "settings" app is only marginally better. It's all much, much worse than it was a few iOS releases ago.
I learned from this thread that you can actually disable all that. I did so and my spotlight searching sped up 10-fold and now I only get app results. So much better.
Having to access something via a search incantation (or, alternatively, a ton of clicks) is not at all easily accessible. It’s buried alright.
Obviously you can find pretty much anything on macOS and iOS via search. That‘s how it‘s should be. But that doesn’t make things accessible or even just visible.
I use chrome to manage passwords on all my devices, it works well except for apps. When I'm trying to get a password for an app in iOS, I just switch to chrome to get the password. Same if my password was from registering from an app and I'm in Chrome. Rinse and repeat and now my passwords are in both password managers.
As for TOTP, if I lose my phone I don't know what will happen.
Most apps can use passwords from Chrome just fine, and you can also quickly open the native passwords window when encountering a password field using the key icon.
For TOTP, use apps like Authy which can be installed and used from multiple devices.
My biggest complaint is that it doesn’t keep a history! One misclicked “remember password” at the wrong moment (safari plugin often guesses password fields wrong) and you’ve just locked yourself out of your bank account. Literally happened to me.
> 1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.
Like a lot of other Apple stuff, I'm only able to use it because I don't use anything non-Apple for anything "serious" that involves a GUI. Windows is for gaming, Linux is my file storage and docker-service-running server that I only interact with over SSH and Web. Ditto Notes, all their Office-type programs, et c. I'd probably be on a lot more Google shit if I needed more cross-platform access to that stuff.
> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.
Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.
> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!
IDGAF about clicks because I search my way to everything in Apple's settings—what does bother me is that they've made search worse in the last couple versions of iOS, and that if I type "pass" in search, "Passwords" isn't even visible on the list yet. I can get all the way to "password" and it's still the fourth entry. The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case! Even fully typing "passwords" still leaves it as the second entry (of three) on my device. WTF.
> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.
Other browsers used to be able to use it. I do think it’s a really thorny issue—“allow this application to access all saved passwords?” is a pretty damn scary permission to include. Up there with the “allow this application to control your computer” permission that is used for accessibility apps (which apps can abuse to read passwords, if I understand correctly).
Apple’s tradition. Make the platform more secure, add an exception for first-party apps, and let the other browsers fuck off.
Yeah, I a think other browsers want to be able to test whether there is a saved password or not, and get the corresponding username, which is quite a big permission to give away. For actually filling in the password they could maybe offer a pop up where the user must authorise the app using biometrics or some other OS-level action. That’s already the experience with safari.
> allow this application to access all saved passwords
I'd like to see finer granularity, perhaps multiple web password vaults and a mechanism to allow certain browsers to use certain vaults.
It might also be nice to specify which passwords could be accessed with which kind of authentication. Unfortunately the current system password dialog is easily spoofable - it really looks like a questionable javascript popup.
What would that look like? Do you expect a prompt for every website you visit (Would you like to allow permission for Firefox/Chrome/whatever to view/store your password for "abcd.example.com"?) Would the permission be tied to the name of the app or the hash of the app? How do you securely identify the browser? Signed apps? Signed via a developer key -- trust the developer so that you can use Chrome as well as Chrome Beta?
The above is not a critique but certainly a list of things that lead to the possibility of a repeat of the infamous Windows popup for every single action you want to do out of the box. This leads to either decision fatigue or a pre-programmed "yes, just do it" response from the vast majority of users.
I personally think it should be an all-or-nothing type of allowance for this reason. Maybe the better way would be tracking access to passwords in Keychain. ie: Chrome+Safari+Firefox have all accessed your credentials for google.com but only Safari has seen your iCloud credentials and only Chrome has seen your HN credentials.
It's not unheard of - iOS already provides granular permission capabilities for photos. You don't have to give all-or-nothing permission to apps to access photos anymore; you can now choose precisely which photos the app has access to.
I'm looking forward to iOS doing the same for contacts; there's no reason why WhatsApp/Telegram/etc need access to my entire address book if I just want to call Steve.
> Do you expect a prompt for every website you visit (Would you like to allow permission for Firefox/Chrome/whatever to view/store your password for "abcd.example.com"?)
This is pretty much exactly how macOS Safari prompts, and has for several years, at least in Touch ID scenarios. It shows a suggested username/identity with a Touch ID icon next to it, presented just like a normal autofill suggestion otherwise.
The per-site prompt and the inclusion of username/identity are really good signals, and feel like they reinforce the opposite of Windows UAC. They definitely gate access in a similarly repetitive way which encourages repetitive acceptance. But they demonstrate prior authorization that would have to be manual at least once at some point before the prompt, and you won’t be promoted the same way for sites you didn’t manually authorize first.
It’s a good enough signal that I generally use it as my first line of defense against phishing/domain spoofing. If I don’t get promoted for credentials for a service I expect to have an account with, I’m immediately suspicious. That doesn’t mean I automatically trust or distrust on that alone, but it’s a pretty decent sniff test.
Obviously the browser doesn't need to have unfettered access.
It just needs to tell the password "hey there's a password on wellsfargo.com" and then the password manager asks the user if they want to use the password. And maybe give access to all passwords.
Safari pops up a little box attached to the login text field asking you if you want to use the password for wellsfargo, so it seems like it’s asking keychain “do you have a password associated with this url?”. At least on modern MacBooks they also figured out a good UX flow, when that box is on screen you put your finger on the Touch ID button and it authenticates you, puts in the password, and goes to the next field or hits submit.
Safari Passwords and 3rd party apps can and do use the Apple Keychain on macOS/iOS to store sensitive data. Though 3rd parties can't integrate with Safari's password manager.
If you use Chrome Sync with passwords on macOS, Chrome actually stores the decryption key in the macOS keychain. Just open Keychain.app (/Applications/Utilities/Keychain Access.app) and search for "Chrome Safe Storage" to find it. That's the decryption key for the actual encrypted password/sync data stored elsewhere. (So not possible to access Chrome passwords from the Keychain directly)
Safari Passwords (Apple's password manager) also stores passwords in the Keychain as individual entries and you can access them via Keychain.app. Unfortunately, since they’re part of the iCloud Keychain not the local login Keychain, they appear to be inaccessible with the `security` CLI tool which fails in an obtuse way.
> The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case!
Wow! Just discovered the Spotlight customization and it is so much faster and more useful when you remove certain locations and turn off definitions and Siri suggestions.
That sounds delightful. Sadly, while Apple documents “Suggestions in Search”, and I can even see that option when I search Settings for Siri, the option itself is missing from the Siri & Search page.
Bizarre. That's on iOS for me, searching in the settings app itself. I have to type most of "passwords" just to get it to show up at all, and some of the ones that are showing up instead have only the most tenuous connection to the search term "password".
It used to show up for me after a couple letters, in the settings app, until a few iOS versions ago, IIRC.
I use windows almost only for gaming (and CAD) too, and I've found that recently that the webapps, especially music and notes are good enough, and icloud drive and photos integration to windows actually work well.
But yes, passwords is annoying. You can use them on chrome on windows but not on MacOS, and on Windows it doesn't work on anything but chrome. Speaking of gaming, game launchers on windows can't get passwords from Apple and also seem to log me out all the time, so I have to revert to using my phone to see my password and manually type it in.
>> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.
> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope
No it's not. I don't want some exotic product connect to a domain I have passwords in and prompting me for access. The password should be tied to the product you used to login with.
This is a misunderstanding of keychain vs. lastpass. One is designed to remember "safari passwords" or any swift/cocoa application implementing keychain. One key feature is: once stored in Keychain this information is only available to your app, other apps can't see it.
Lastpass and other similar products are designed as a data warehouse / vault for you security items. From there, plugins in browsers etc. can take over.
I will totally agree with the fact that the GUI is frustrating at best.
Yeah, I'm also a heavy user Spotlight Search and it's still impossible to get to Keychain settings. I suppose my higher level point was that it's damn near impossible to efficiently get to the keychain settings.
OP is suggesting it's a terrible UI on iOS and Mac too, and one of their principle complaints is your #3.
So OP disagree that it's even a good product if you are 100% Mac, but are suggesting the functionality is all there, it just needs an actually designed UI/UX.
I ended up writing an AppleScript to open the Safari passwords dialog because I got sick of hunting for the proper dialog. If you save it as passwords.command and make it executable it'll open the window right up. But yeah, it's a kludge.
#!/usr/bin/osascript
tell application "Safari"
activate
end tell
tell application "System Events"
keystroke "," using {command down}
set pass_button to (button "Passwords" of toolbar 1 of window 1 of application process "Safari")
click pass_button
end tell
4. New passwords overwrite old ones. Easy to accidentally lose passwords in slightly odd situations like logging into an account whose password you just reset.
But I like it overall. Even though I use multiple browsers, I don't mind treating Keychain as the master DB and occasionally copying passwords out of it. Part of this is because I use Safari exclusively for the extra important things like my bank.
I’m all in for personal web browsing. Safari is a great browser basically 99% of the time and having free synced passwords (and really any critical data!) between my desktop, phone and tablet, I get tremendous value.
For work, I use chrome and chrome password management because my company uses gmail.
The main limitation of Apple's passwords implementation for me is lack of sharing. For accounts that my wife and I both need access to, we can have them in a shared location in bitwarden, but there's no comparable feature with Apple's. I'll probably even start paying for bitwarden so that I can share with more than one other person when my kids are old enough to need access to them
Yeah, this is a bugbear. FWIW my wife and I "share" keychain items by airdropping them to one another as required. It works, but nowhere near as nice as having a common record we can both maintain.
> The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!
I do: Cmd+space > "keychain" > Enter. Still not ideal but it's the fastest method I know. What do you mean, i.e. how do you access the GUI from the system settings? I tried finding keychain there but couldn't figure out where it is.
It's available as "Passwords" in the system settings. I think they added it recently to align it with iOS and iPadOS, where there is no mention of it being Keychain at all.
Went the other route, sold my iPad and went with a Surface instead...
the short of it: It's inelegant, there's bugs, the UI is half-assed and some aspects are straight hostile (default widgets etc.). But it's an actual generic computer. Most task you assume you could do with a computer, there will be a way to do it.
It might take some efforts to get to a decent setup, but the walled garden was also a PITA, so all in all, I felt my time is better invested in making windows a nice place than the endless fighting of Apple on iOS.
As a halo effect, I'm kinda thinking about moving to Windows on my main computer as well on the next refresh cycle...not fully decided, but that feels like a viable option.
I've always used Keychain Access to view/manage passwords. If they cleaned up the UI a bit it'd do pretty much exactly what Cabel is talking about here.
I will tell my family to use iCloud Keychain the day when it works across all major browsers and OSes. Or at least that they provide an API to sync with other password managers.
They already have an app, Keychain Access, but for weird reasons they integrated the new features into System Setting instead of expanding the existing app.
Fully in agreement here, getting people used to Apple Passwords can be a task purely because it's stuffed into settings.
Would like to see them in the process of transitioning it away from settings, also include the ability to change the name of the entries. Multiple URLs per login would be great too (or even a linking of separate entries). Think these are the biggest things keeping many general users still relying on the likes of 1Password/Bitwarden, which is where I disagree with the writer here, I think third party password tools should be replaced by sane defaults as soon as possible outside of niche cases.
> And it all syncs across your devices, for free?!
Really? My Linux devices? Android? Windows? I don't think so.
I recommend considering one of the most important features of a password manager is that it doesn't force you to use a single manufacturer's products forever. Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future. 1Password, Bitwarden, and others allow me to switch PC manufacturer, phone manufacturer, browser, and so on.
I can't tell you how many people used to think "Internet Explorer is popular, it'll always be the one and only browser". That did not end well.
> Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future.
Changing my mind is easy enough: I can export my iCloud passwords to a csv file, and I've done this to transfer a bunch of passwords to Firefox Linux desktop.
I'll tell you something though: If Bitwarden leaked passwords nothing would happen because America has very weak consumer protections, but if Google or Apple leaked passwords, they'd be hit in every EU member state for GDPR.
Some of these things are outside of my control, and using a password manager is too useful that I think it's worth a little risk, but I can't justify trusting any company unless they've got some skin in the game, and Bitwarden specifically wants to disclaim all liabilities? AgileBits thankfully is in Canada and you can at least sue them for what you've paid them in six months, but I personally have passwords more important than that. Surely there's someone else you could recommend?
But I think in this case it's pretty much required for good UX with the way file syncing works on mobile and in the browser, especially dealing with conflicts. I've done it both ways and there is a lot less friction with vaultwarden than my old 'synced KeePass file' approach.
It was just a suggestion, there are other ways to skin the cat.
LastPass' entire business model was about protecting passwords, and passwords still got leaked. Most prople want security, not "ability to sue" which is not at all the same thing.
I don't want something just because "most people" want that thing.
And I disagree: I think everyone who has been harmed by another wants the ability to have their story heard by a judge and jury and be cured by the law. Maybe they would prefer to not be hurt in the first place, but as you point out with LastPass, they may not have that option.
What we can choose is the jurisdiction in which we trade, and I would recommend people spend less time navel-gazing and more time thinking about what they can be doing to make things better for themselves.
This is as good as comment as any to hang my off-topic thoughts on...
I use Chrome's built-in password manager. I always set up website security questions with gibberish answers. I wish Chrome would give me a field to store those answers. Or, better yet, treat them like password fields and autofill them.
This. Wouldn’t matter if they had the best UX, and I have both an iPhone and a MacBook. First, I want to be able to use my Linux and Windows machines like they are first class citizens. But more importantly, if I lose my devices I don’t want to be locked out.
Apple is, to this day, largely unable to recognize that there is a world outside their beautiful dystopian garden. I’m sure they’re drooling about making the MacBooks run iOS so you can’t use any software that hasn’t been scanned and approved. When that day comes, I’m out for good.
I think the reason Apple hasn't prioritized this is that with their login with Apple implementations and passkeys, the utility of copying/pasting or looking up a password is dropping over time.
While we're on the subject, other Apple things that deserve an app:
Dashboard/status
- I have a smart lock, and they have their own app, where all it really does is show the current status of the lock and let me toggle it. There are quite a few apps like this. It'd be nice if they could all be condensed into a dashboard/status app that could just tweak values and show current status. Apple Home attempts to do some of this.
Notifications
- It'd be nice if there was a notifications app, and I could set most of my apps to deliver their notifications to that app, instead of me directly. This would reduce notification overload and distraction.
Have you tried Notification Summaries yet? That's sort of like a "deliver notifications to a separate app".
In the notifications settings you create at least one Scheduled Notification Summary. I've currently got ones setup roughly every four hours during "core daylight hours" for me, plus I enable the "preview option" to read the next summary early if I need to. Then you add as many apps as you want to the Notification Summaries. All of the notifications for those apps during each time period get rolled up into a single Summary object in your notifications, only give a notification alert once for the entire group of them (at the scheduled time), and don't cause Watch notifications (if that's a distraction/overload you especially juggle as I do).
At this point I've even got all my email notifications going into Summaries (which is why I turned on the preview for the next summary if I feel like I need a quick glance at recent email subject lines without opening my email app up).
It is such a useful tool and not a lot of iOS users discover it in the settings. May also be an indicator that it could use its own app because discovery in the Settings app itself is hard. Maybe the Settings app is just doing too many things now and needs some sort of reorg or something.
I met Ricky at a WWDC years ago when I was in the password manager field. What a wonderfully intelligent person. Actually, several members of the Safari team were present at that meeting and it was such a great set of people. I kind of miss that part of that job...
Thanks for that! My work machine blocks this too ironically, which is weird since Ricky is my friend and I know they are trustworthy. I’ll let them know.
That iOS supports multiple password sources from other apps already largely solves the case of using a cross-platform app to provide or store passwords.
It took effort but I finally got my dad to use 1Password regularly, but my mom would be a lot easier to convince if Apple just made its own password tools easier to use, especially cross-platform, including maybe putting a nice app face on it.
> PPS: I dream of a future where Passkeys could make the password manager extinct. But it’ll take time…
Passkeys even more so need more of a "curated app experience" to work right, cross platform. Ironically, it is my impression that preparing for Passkeys is why Apple finally added that password explorer to Windows' weird iCloud "control panel". (For a long time, the only way to use iCloud passwords on Windows was the awful Edge/Chrome integration.)
Maybe they don’t want to promote their own too heavily, to allow 1Password to take on the organizational risk of running a password manager? (For context, think about your current view of lastpass vs how you felt about it a year before their leak). Maybe the internal password management functionality is better suited to orgs which restrict third party apps?
WRT credential sharing, you can airdrop credentials to people on your contacts list.
But multiple vaults and vault sharing - no such luck. I don't think they want to deal with the UX confusion of it, especially since that confusion could lead to someone getting locked out of things.
I have been using the Apple manager since LastPass got hacked recently.
Hot take , but … I like the lack of integration in other operating systems/ browsers.
I see my phone as a Secure Enclave, and my passwords should be disconnected from potentially insecure systems.
I see the phone as those keychain one time passwords where you have to press a physical button to get a key.
Is it inconvenient to get a password, yes. But it offers the piece of mind that I only have to worry about iPhone/Apple exploits, instead of chrome+firefox+windows+Linux+Apple+iphone.
I don’t think in this case Apple is not doing the integration because of this security feature, but I think it is a feature non the less. Of course you can always choose not to install the extensions even if they existed, but the point is that if they existed it would lower security.
We can use the same argument for any other cloud password manager.
If google/Apple blocks my access, well it’s those services I am trying to log into in the first place so the point is moot.
Also I have recovery keys for the more important accounts printed and stored in a safe box.
I used keePass before LastPass, but the issue was with keeping the file synced. I had it in Dropbox and I was able to open it no problem from the phone, but making updates from phone was a challenge. Maybe I was not using a good app but it was a hassle to keep it synchronized.
But anyway, somebody could cut off your access to Dropbox, but it’s less of an issues since you have a backup.
I simply don’t sync my vault. I don’t add or change passwords very often, so I treat the vault in my computer as a “main copy” and once a week, during my backup routine, I copy the current vault to my phone. Never had an issue.
This was precisely what drove me off Apple password manager. If your iPhone were compromised, such as in those iPhone unlocking scams[1] (something quite common here in Brazil at least since 2021), it's game over for your entire password database.
I've been using KeePass apps (MacPass on macOS, KeePassium no iOS), with a different, unique master password, unlogged by default on iPhone, plus DB locks automatically after 10 minutes of inactivity.
Absolutely. Given these reports, Apple's security model isn't close to being sophisticated enough to warrant trusting them with passwords or (even more critically, arguably) WebAuthN passkeys.
I recently saw it with my own eyes as a family member was able to reset their iCloud password and gain full access to their account on a new device, including iCloud Keychain, using nothing but their iPad and the corresponding unlocking code. No iCloud password, no SMS-2FA (not that it would help much in the case of a stolen iPhone), nothing else.
The attack in this case would be somebody shoulder-surfing your PIN and grabbing your device.
They then have everything they need to take over your iCloud account (kicking you out of it in the process by resetting all other devices capable of resetting it) and can see all your passwords stored in it, as well as use all of your WebAuthN passkeys.
I'm not sure if having a recovery code would improve that situation, but I'd guess that many people don't.
Ah ok, yes the shoulder surfing is definitely a problem.
Hard to mitigate somebody looking over your shoulder, this is the case with most password managers, but I understand why this is a more likely scenario.
In a semi-safe situation (e.g. on busy public transit or in a crowded place with people behind me), I do sometimes unlock my password manager using Face ID to access a website, but I'd never enter my passphrase if the biometric unlock fails.
If somebody watches me enter my passcode and then rips the device out of my hands and runs off with it (assuming the password manager is not open), they now have access to most of the content on my phone, but importantly not the parts protected by Face ID, which includes the password manager.
If I had used Apple's password manager instead, they'd be able to recover all passwords (using the tactics described above or simply enrolling their own face in Face ID, which is possible using only the passcode).
If you reset/create an alternate appearance for faceid does that force a manual login for the services that use it? Because your device passcode lets you change all the faceid stuff… too lazy to mess around with it myself
Apps can choose [1] to tie have keys to the current set of enrolled biometric credentials (i.e. faces or fingers), and at least my password manager does that, as far as I remember from some testing.
Some apps don't, and some even react really poorly to a change of the biometric set (i.e. crashing at every Face ID use with no way to reset other than reinstalling), so I'm also not too keen on testing this on my main device.
One thing that surprised me during my limited testing was that Apple apparently doesn't make use of this capability for storing the "encrypted notes" passphrase, which effectively also reduces the security of that to that of the device passcode.
I have an iPhone and while I understand that Face ID probably has fewer false positives than fingerprint recognition, I really miss the physical rear sensor on my Pixel 2. I don't know what the collision rate is, or how easy it would be to break if someone stole the phone, but it was a really great user experience: haptic feedback is good, it was/is incredibly reliable at unlocking and it was useful because you could pass your phone to a partner/passenger in a car and unlock without looking (i.e. no more unsafe than changing the cabin temp) and no need to share your pin if with a stranger. I think the only time it failed was after climbing with chalky fingers.
I saw advice here a while back about using Screen Time to block PIN and Account updates. This gives you a separate PIN to protect those, so theoretically if someone shoulder surfs your phone PIN they can’t take over your iCloud account.
I use this trick. It's an added layer of security, although a weak one — Screen Time PIN is four digit-mandatory — and a workaround — as in: not made for security purposes.
Incidentally this is the method my 6 year old nephew used to reset his mom’s Apple ID password so he could make in-app purchases. He figured it out on his own and then spent $3000 in a couple days. His mom had been very careful with her password but when he wanted a code on his iPad she thought it was harmless—she certainly never expected that he could get all the way to changing her password with nothing more than the lock code! Took her months to sort it out.
Thing is, even within these constraints it has rough edges.
If you have two accounts (let's say a personal one and work/family/org one), getting passwords for the second account will just be a PITA.
Same issue of course if you need someone else's password (e.g. your spouse's hotel reservation account's password)
Trying to work this around means you'll either be asking people's passwords other the phone or other means, or you'll often switch between accounts and will want lower security on the account themselves as the identification process get old very quick. Basically, these limitations are not without impact on security and how people will deal with them.
If Apple password manager is anywhere as well thought out as their 2FA for Apple TV then I don't want to come next to it within 10 light years.
Every time it asked me to either "confirm on your iPad" (I have 3 of those around the house) or "confirm on your iPhone" (I have 0 of those) I was ready to hurl shit. SMS option buried in some dark pattern, of course.
If these companies want to encroach in the secrets management space they really need to hire more qa and test more than a single happy path. The number of failure modes in these systems is astonishing for the billions of dollars these companies can throw at the problem.
I suggest you move to Ross 248, which is a mere 10.3 light-years away. However, 32000 years from now it will be the closest star to our sun at 3.024 light-years so keep that in mind!
I think there’s a setting for that in setup. Is your problem that Apple thinks you have a iPhone or that you have to interact with the tv on a second device?
As with all things apple when you buy in you get the best experience. That feature on AppleTV works really well with an Apple Watch.
Which really sucks and puts you off from getting more Apple devices if you're a person who slowly buys into the ecosystem rather than go all-in without testing things.
Personally, I was a fan of Apple laptops between something like 2010 - 2015, but after that I just couldn't deal with it anymore, as I had a Android phone and nothing else Apple.
Fast forward to 2019, Apple finally releases a phone that fits in my tiny hands, so I get a iPhone 12 Mini, thinking that the CarPlay experience will be loads better than Android Auto on a measly Moto G.
But holy smokes if I wasn't wrong, CarPlay is a UX disaster and I can't wait for the iPhone to break somehow or get too slow because of OS upgrades, so I can justify buying a new phone again.
Just the simple fact that a phone calls covers the entire screen (which I use for GPS) seems like such a simple use case that they somehow missed, that I just wanna bin the entire system and I'll never buy Apple hardware for daily use again.
I still have to use Apple laptops for software I release, but every time, I'm reminded how great the UX used to be, but how far they have fallen. Really sad to see. Windows is no better either, each version gets worse and worse...
Even if macOS and iOS are my primary work (and personal) platforms these days, I still like a solution that works great on Windows, Linux, and Android as well.
I'm pretty happy with 1Password - it does all of the things mentioned in this article with more platform support
Exactly, this is why many of the Apple services are useless unless you are 110% in their ecosystem. At least Apple Music is the one app they somehow made available on Android and Windows.
There's a feature on the AirPods that allows you to enroll them in your iCloud account enabling Find My.
All you need to do is connect the AirPods to an iCloud-enrolled Apple device, and it will automatically connect to that iCloud account.
Oh, but it's not any iCloud-enrolled device, it must be an iOS device. Connecting them to my MacBook didn't do anything.
I went into the Apple Store to ask for a solution to that problem. They legitimately asked me why I'm buying AirPods if I don't have an iPhone -- they're called Air Pods after all... Anyway, their proposed solution was for me to buy a refurbished iPad for $450 to connect the AirPods to my iCloud.
I find 1Password to be sort of a pain when signing up for new accounts on my iphone – the generate secure password & autofill doesn't always work for me – on the web it's great though
I considered 1Password when shopping around for a new password manager, but the pricing of the subscription and the fact that it was an Electron app killed it for me.
Currently test-driving a smaller alternative with a one-time payment.
My passwords are split between iCloud on my Apple stuff and 1Password doing cross-platform duty.
I've been paying for 1Password for a while, but boy that electron app they rolled out with v8 is a clunker… will probably keep paying so long as 1Password 7 works but after that I'm gonna have to figure something else out.
One problem with that is if a person has a non-Apple product, Apple won't build the app cross-platform, so they are even further locked into Apple hardware then.
Might not affect that many people. But it would surely limit choice for those who don't even know about the lock-in later in their lives.
Any attempted lock-in is guaranteed to attract attention of EU regulators.
This is what Apple probably wants to avoid. They won't be allowed to play a "Safari" this time (i.e. all password managers are allowed, as long as they are a frontend to our own password manager).
Also, having the password manager as a separate app, it is likely they will be asked to provide a standalone password migration API for third party password managers. This would make switching to another ecosystem trivial for moms & pops, who currently need to deal with CSV import & export* if they want to move their passwords out of iCloud.
* Not sure what the situation is ATM, but a few years back exporting passwords from iCloud was not directly supported. I had to run a third-party AppleScript script to generate a CSV to import in another password manager.
Keep a “Notes” field where you can add extra data, like 2FA backup codes, for each password!
I'm not sure if the reference here is to Keychain's "Secure Notes" or the "comments" field associated with password items. If the latter, I've found (at least on older versions of OS X/macOS) that when Safari updates the value of a changed password, it deletes the comments! I used the comment field to add the (random) answers to security questions, and got burned on a couple of sites when I've needed to do an account reset and lost those answers.
> that when Safari updates the value of a changed password, it deletes the comments!
It doesn't change a password, it creates a new one.
This means if you somehow mangle saving the password (you thought you updated it, but didn't) the older password is still in your keychain with the older note and it can still be retrieved.
Tangentially related, something that has slightly inconvenienced me a few times: Can someone point me to a setting to get Siri to show me my passwords again, on iOS 16?
Before, I could ask on an unlocked phone to “show me my password for GitHub” and Siri would open the settings app with the password list and show the GH credentials. Now (since iOS 16?) Siri just refuses to do any request that contains ‘password’.
What I described didn’t need a shortcut before. It was a vanilla iOS feature. I assume it went away for privacy reasons with one of the OS updates. And hoped there’d be a setting to get it back.
417 comments
[ 3.2 ms ] story [ 382 ms ] threadShe uses it to generate her passwords and fill-in within Safari which is great!
But there's no "Passwords" app, and she didn't know to go into Settings to reference a password when Safari doesn't recognize a password field (probably the website's fault).
2FA is also a confusing experience, but 2FA is also just confusing enough for her where Apple isn't really the problem here.
It's called Keychain Access.
Secure notes, your own signing certificates, keys, root CAs, and specific self signed certs you've accepted for SSL.
This will then show up in the launchpad. https://i.imgur.com/IRPOMC5.png
Searching for 'pass' in Spotlight does bring up Keychain access - as that's in the apps list of Keywords... however the list of apps is way down on the scrolling https://i.imgur.com/KFUC0G0.png - it found 'password' as a string in 100 python files that I had to scroll through first.
Sorry, but that also doesn't mean anything to the average user. If anything it's made it more complicated for them—they will remember to type in "key" before they learn how to make an alias
That I don't have an issue with the word "keychain" doesn't mean it's not bad UX for the average Mac OS user
If you do control-space (to bring up spotlight) and type in password, what do you want it to do and what is missing?
My wife asks me weekly "honey, what's that word I gotta type to see my passwords again?"
The thing is, its the 3rd one down.
MacOS has both Keychain Access as a standalone app, and Passwords as a section in your settings. The latter is dedicated to purely passwords that you, as the user, make. Keychain Access also contains passwords for Wi-Fi and other systems.
https://rmondello.com/passwords-shortcut/
You should be add this to home-screen like an app. Should make it a bit easier open passwords.
[1]: https://steptwo.app
In short.
1. The experience on Windows is terrible. They can claim it's cross-platform but it's truly a sub-par product.
2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.
3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!
I think those were my big complaints. If you are 100% Mac then it's a good product. Going outside of the walled Apple garden leaves a lot to be desired.
I think Apple would consider this "working as designed."
Plus, putting second factors in the same location as your first factor (e.g., 1Password) seems to pretty much defeat the entire purpose of having a second factor. If you're using strong passwords with 1Password, your second factor is basically only defending against a leak of your password database. If you're storing your second factor in that same password database, what are you gaining?
But if you have backup second factors (you have backup second factors, right?) and you're worried about Passkey lock-in for whatever reason… just use that other second factor for AWS or any other account which supports only one.
> Now, you can add multiple MFA devices to AWS account root users and AWS Identity and Access Management (IAM) users in your AWS accounts. This helps you to raise the security bar in your accounts and limit access management to highly privileged principals, such as root users. Previously, you could only have one MFA device associated with root users or IAM users, but now you can associate up to eight MFA devices of the currently supported types with root users and IAM users.
— https://aws.amazon.com/blogs/security/you-can-now-assign-mul...
But if you lose all the devices with your passkeys on them, they are gone for good.
Not quite! 1password itself counts as two factors: something you know (the master password), and something you have (the additional secret key).
Passkeys in 1password would eliminate phishing as a problem.
Feels like these things are designed by Californians with no idea of how the world is.
My comment is targeted at someone who is savvy enough to: a) care about having "real" 2FA, and b) is concerned about lock-in, and c) is extremely sensitive to being locked out. For someone like that, you're already buying YubiKeys or some equivalent. And if you don't already have some, you're never prevented from using them later.
If you're using hardware 2FA, you should absolutely have backups. I've used YubiKeys for years and have one in my laptop, one on a keychain, and one in a safety deposit box.
Passkeys are just another instance of this. I have added Passkeys to all of my accounts with 2FA and it's somewhat more convenient (significantly more convenient for mobile devices). But every account also has all my YubiKeys attached as second factors.
There is no lock-in. And while it's inconvenient and annoying to have to add multiple keys to every account, that is already the reality if you're responsibly using hardware second factors.
I currently have a Microsoft (Work) account that I'm SSO logged on.
Incoming iTunes Password Manager, next event :P
Punishing us geeks who like using multiple different kinds of OS on their phones and computers. :(
It also works on Windows!
It‘s a view and editor for all kinds of stored keys. I don’t think its target audience ever were intended to be some random macOS users. That’s just not the target group. It‘s about power users that need to access or store all kinds of keys.
Chrome used to be tied into Keychain but they went their own way a long time ago, which is a damn shame.
That policy has really killed a lot of functionality on macOS. I suspect it will cause fiction on iOS when the EU forces them to allow alternative install sources.
Personally, it grates me when Apple cripples functionality this way to try to keep us stuck in their platform. Can't use Firefox with Keychain. You can only view your current Apple Card balance on an iOS device -- not even a macOS device. At the end of the day, I hate being manipulated so much that it actually pushes me away from the platform to see this scummy behavior.
Most macOS users don't use the app store. So directing folks there can be annoying for users, or even cause problems if they aren't signed into iCloud.
They'd likely end up with either an old version on the app store at all times, or with a massive, unpredictable day-or-week-long delay waiting for Apple's reviews before every release. Small wonder they don't bother.
That sounds especially annoying. An iPad next to you can auto-config itself as the umpteenth monitor of a Mac, but macOS can't pull Apple Card balance from your nearby iPhone?
Also, on iPhone it's ok-ish but on Mac the experience is a subpar too: Keychain, the app you use to view your passwords, feels like a 90s Visual Basic application. Plus you can't organize your accounts, and even if you prefix them to "sort by name", the special name you give is lost after using it.
On the other hand, I already have other Apple cloud stuff and kinda trust them, so I suffer through it. And other password managers aren't anything to write home about either to make me change :/
The other two have even less organization functionality than Keychain Access, so this probably doesn’t help you, but the blog post was talking about the System Settings version so I wanted to point it out.
However now that comex pointed me to the Password in the "System Settings" app, I at least can use it and it's fine if Keychain is left as is.
Huh, I never realised Keychain showed iCloud Passwords. I always just use Safari (which is inconvenient in its own way admittedly).
I honestly didn't know that was possible before that extension.
"DerpCo Derpolizer would like to access your stored cookies. This allows us to automatically log into your DerpCo account!" and then bam, they hoover up your login data in an instant and send it off as part of their telemetry.
Much better to have a system like (for example) sign in with Apple where you can easily click a button to have the system authenticate you, but no one gets access to anything without specifically asking for it.
Well, Apple Passwords on Windows is a good example of how that turns out in reality. I believe it's using WinUI. While the performance is nice, the experience is entirely unlike what you get on Mac and winds up making you wish you were using another service entirely.
I doubt they’d do much better using electron: I think their development model is that if it isn’t on one of their platforms, they pump out a minimum-effort, low quality app. I’d guess that electron ones would be just as clunky, except with a significantly higher memory and CPU footprint.
The root of the problem for Apple is that they cannot get away with doing what they used to in the past, they already have a plethora of platforms within their own umbrella to support, adding Windows native to the mix seems to result in maybe a handful of developers taking on enormous burdens by trying to catch up to their expected Mac apps.
If Apple were to seriously put its weight behind a cross-platform toolkit, this might change, especially as they want their services to grow. It's the very reason why their main service competitors can even compete.
But I agree that if they were to suddenly switch to Electron without a care it wouldn't turn out well, but likely have a better end user experience than their current reveals.
For Safari Windows they ported a portion of Cocoa.
Having an internal Windows version of SwiftUI would not be unthinkable!
No they weren't. They were notoriously awful. Apple resorted to bundling Safari with QuickTime to try to get you to use it but everyone still hated it.
300GB library around that time with no issue at all. Smart Playlists made all other players obsolete for me.
https://i.imgur.com/tdr6XTO.png
https://www.stone.com/dev/StonesThrow2/OneFoxTwoFox.html
Basically, it was called Yellowbox, but it didn’t officially survive the release of Mac OS X IIRC. But Apple was at least still using parts of it for some Windows ports back then I believe.
If you were a Windows user, why would you want an app that acts like a Mac app? Surely the benefit of having a dedicated Windows app is that the experience should be like other Windows apps.
If I'm using Spotify, I don't think "oh this doesn't use windows navigation component from winUI", I immediately know where the genre categories are because I've already used it on android or linux and expect it to be there. I know exactly how to add a song to my library, to shift around playlists, to manage folders, everything is as I learned it on [other platform].
Design development becomes this duplicated burden where every feature now has to go through the ringer twice (or more) to fit native components for their respective platforms. When you hit limitations on those native components, you're now having to make the decision to either hold back the feature entirely, or create fragile workarounds.
In an alternate timeline native components would have had far greater appeal, where people actually hate and boycott apps designed otherwise. But we don't. Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components. The situation is even worse on windows past 7, where the idea of a "windows app" is so jumbled there is nothing to "expect" from the experience - which is actually part of why I think these unified app designs have really taken off.
We're either very different people or we have different use cases :) It immediately feels jarring to me to be using macOS and suddenly presented with a non-native UI. But I only ever use macOS on the desktop, so I don't have this cross-platform issue. What I find strange is, I would have thought that was the 99% common case — it seems strange to me to optimise for individuals using multiple OSes rather than multiple apps on one OS.
> Design development becomes this duplicated burden
That sounds like an OS flaw if true. Of course, I accept that some design will be necessary, even with the finest SDKs available to humanity, but it should be so burdensome that going non-native is seen as the solution.
> Even on iOS or mac, people regularly rely on apps that only vaguely interpret their native components.
You're totally right. Every now and again, I say to myself "I really must use Safari for the 'more native' experience", but I always come running straight back to Chrome again.
> The situation is even worse on windows
This was one of the things I liked best about macOS when I first migrated — everything was so consistent, things didn't visually clash, etc. I still get the impression it's better on macOS, but heck, it's definitely not as good as it used to be.
Have you given Arc Browser a shot yet? It feels pretty great. Feels designed for Mac and has its own design language at the same time.
No, it's not. I alternate between Safari, Firefox, and Duck. If a password I use in Safari isn't stored in Firefox, I copy it from the Keychain program and paste it into Firefox. Firefox then asks to save it. No problem.
The GUI is buried in System Settings.
It has its own program. /Applications/Utilities/Keychain Access
Woah that's the same way I used password managers 10 years ago. Even back then it was considered barbaric. I had no idea people still lived like that.
The previous commenter said passwords were "unavailable" outside of Safari. I merely demonstrated that his statement was false.
Personally, I was taught to care about the future.
(e.g. Netscape vs Microsoft Internet Explorer)
EDIT: why the downvotes without a reply? If you don't agree, why not just respond why so that a health dialogue can occur.
Safari > Preferences > Passwords
Would love to have iCloud Keychain in other browsers, though.
On Mac, at any time, type: command-space passw <return>
On iOS tap <search> on any home screen, type passw, tap suggested result
https://www.icloud.com/shortcuts/71fea01c333341878e4355df52c...
For macOS, you can make the same shortcut open `/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/PreferencePanes/Passwords.prefPane`.
A single shortcut can be used to accomplish this, using the OS check and an `if` condition.
Then add the shortcut to the home screen as an icon and it’ll also show up in Spotlight search.
That said, this also proves that for non-power users: it needs an app and it needs integration with other browsers if it wants to be as easy to use (for most people) as the popular password managers.
I just tapped the "search" field on the home screen, and typed "passw".
"Top Hit": A store link to the LastPass password manager (which I do not and have never used—the button has the text "get", it's not installed and doesn't have the cloud-icon for previously-installed apps)
From there, it's three suggested Siri web searches: "passwords", "password manager", and "password generator"
Then two safari-iconed links (I assume these would search with my default search engine in safari?): "passwords on iphone" and "passew"
Searching inside the "settings" app is only marginally better. It's all much, much worse than it was a few iOS releases ago.
Having to access something via a search incantation (or, alternatively, a ton of clicks) is not at all easily accessible. It’s buried alright.
Obviously you can find pretty much anything on macOS and iOS via search. That‘s how it‘s should be. But that doesn’t make things accessible or even just visible.
Agree the UI is terrible in iOS.
As for TOTP, if I lose my phone I don't know what will happen.
Most apps can use passwords from Chrome just fine, and you can also quickly open the native passwords window when encountering a password field using the key icon.
For TOTP, use apps like Authy which can be installed and used from multiple devices.
Like a lot of other Apple stuff, I'm only able to use it because I don't use anything non-Apple for anything "serious" that involves a GUI. Windows is for gaming, Linux is my file storage and docker-service-running server that I only interact with over SSH and Web. Ditto Notes, all their Office-type programs, et c. I'd probably be on a lot more Google shit if I needed more cross-platform access to that stuff.
> 2. On Mac it's tied specifically to Safari. I use Safari a lot but if I'm in a different browser then my passwords are unavailable.
Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope.
> 3. The GUI is buried in System Settings. Heaven forbid you need search it's only a simple 37 clicks away!
IDGAF about clicks because I search my way to everything in Apple's settings—what does bother me is that they've made search worse in the last couple versions of iOS, and that if I type "pass" in search, "Passwords" isn't even visible on the list yet. I can get all the way to "password" and it's still the fourth entry. The fucking name of the screen is "passwords"! I shouldn't have to get farther than "pas" for it to be the first entry on the list, "pass" in the worst-case! Even fully typing "passwords" still leaves it as the second entry (of three) on my device. WTF.
Other browsers used to be able to use it. I do think it’s a really thorny issue—“allow this application to access all saved passwords?” is a pretty damn scary permission to include. Up there with the “allow this application to control your computer” permission that is used for accessibility apps (which apps can abuse to read passwords, if I understand correctly).
Apple’s tradition. Make the platform more secure, add an exception for first-party apps, and let the other browsers fuck off.
I'd like to see finer granularity, perhaps multiple web password vaults and a mechanism to allow certain browsers to use certain vaults.
It might also be nice to specify which passwords could be accessed with which kind of authentication. Unfortunately the current system password dialog is easily spoofable - it really looks like a questionable javascript popup.
The above is not a critique but certainly a list of things that lead to the possibility of a repeat of the infamous Windows popup for every single action you want to do out of the box. This leads to either decision fatigue or a pre-programmed "yes, just do it" response from the vast majority of users.
I personally think it should be an all-or-nothing type of allowance for this reason. Maybe the better way would be tracking access to passwords in Keychain. ie: Chrome+Safari+Firefox have all accessed your credentials for google.com but only Safari has seen your iCloud credentials and only Chrome has seen your HN credentials.
I'm looking forward to iOS doing the same for contacts; there's no reason why WhatsApp/Telegram/etc need access to my entire address book if I just want to call Steve.
Why not? It works fine for Little Snitch.
And here it would be even less prompts, as it would just be every website I visit && have an login account at.
This is pretty much exactly how macOS Safari prompts, and has for several years, at least in Touch ID scenarios. It shows a suggested username/identity with a Touch ID icon next to it, presented just like a normal autofill suggestion otherwise.
The per-site prompt and the inclusion of username/identity are really good signals, and feel like they reinforce the opposite of Windows UAC. They definitely gate access in a similarly repetitive way which encourages repetitive acceptance. But they demonstrate prior authorization that would have to be manual at least once at some point before the prompt, and you won’t be promoted the same way for sites you didn’t manually authorize first.
It’s a good enough signal that I generally use it as my first line of defense against phishing/domain spoofing. If I don’t get promoted for credentials for a service I expect to have an account with, I’m immediately suspicious. That doesn’t mean I automatically trust or distrust on that alone, but it’s a pretty decent sniff test.
It just needs to tell the password "hey there's a password on wellsfargo.com" and then the password manager asks the user if they want to use the password. And maybe give access to all passwords.
IDK, what does safari do?
If you use Chrome Sync with passwords on macOS, Chrome actually stores the decryption key in the macOS keychain. Just open Keychain.app (/Applications/Utilities/Keychain Access.app) and search for "Chrome Safe Storage" to find it. That's the decryption key for the actual encrypted password/sync data stored elsewhere. (So not possible to access Chrome passwords from the Keychain directly)
Safari Passwords (Apple's password manager) also stores passwords in the Keychain as individual entries and you can access them via Keychain.app. Unfortunately, since they’re part of the iCloud Keychain not the local login Keychain, they appear to be inaccessible with the `security` CLI tool which fails in an obtuse way.
Apple has no such problem since they don’t have other OEMs.
Same deal with why Google got in trouble with the play store.
Weird. "pas" and it was top of the list for me.
Also, Spotlight is bizarrely slow finding even local apps and things like Passwords. WTF
It used to show up for me after a couple letters, in the settings app, until a few iOS versions ago, IIRC.
Which is unfortunate, because it's not very good at it.
But yes, passwords is annoying. You can use them on chrome on windows but not on MacOS, and on Windows it doesn't work on anything but chrome. Speaking of gaming, game launchers on windows can't get passwords from Apple and also seem to log me out all the time, so I have to revert to using my phone to see my password and manually type it in.
> Yeah, this is super fucking weird. You'd think this would be connected in some fashion to "keychain", but nope
No it's not. I don't want some exotic product connect to a domain I have passwords in and prompting me for access. The password should be tied to the product you used to login with.
This is a misunderstanding of keychain vs. lastpass. One is designed to remember "safari passwords" or any swift/cocoa application implementing keychain. One key feature is: once stored in Keychain this information is only available to your app, other apps can't see it.
Lastpass and other similar products are designed as a data warehouse / vault for you security items. From there, plugins in browsers etc. can take over.
I will totally agree with the fact that the GUI is frustrating at best.
It probably very much is. But Google would never add Keychain integration when they want to push you to their own password manager within Chrome
So OP disagree that it's even a good product if you are 100% Mac, but are suggesting the functionality is all there, it just needs an actually designed UI/UX.
And/But your #2 sounds pretty terrible to me too!
It does not sound like a good product at all.
But I like it overall. Even though I use multiple browsers, I don't mind treating Keychain as the master DB and occasionally copying passwords out of it. Part of this is because I use Safari exclusively for the extra important things like my bank.
This has been the Apple way since the 1980's
I just learned that this GUI exists. I have been using /System/Applications/Utilities/Keychain Access.app for years to deal with passwords.
I use 100% ma except for gaming. However, I use other browsers as well, so the coupling to Safari is a deal breaker.
https://www.icloud.com/shortcuts/22133925f3e34579b22951d6593...
That was biggest deal killer for me.
For work, I use chrome and chrome password management because my company uses gmail.
On iOS you can ask Siri "show my passwords". Doesn't seem to work on MacOS though.
I do: Cmd+space > "keychain" > Enter. Still not ideal but it's the fastest method I know. What do you mean, i.e. how do you access the GUI from the system settings? I tried finding keychain there but couldn't figure out where it is.
the short of it: It's inelegant, there's bugs, the UI is half-assed and some aspects are straight hostile (default widgets etc.). But it's an actual generic computer. Most task you assume you could do with a computer, there will be a way to do it.
It might take some efforts to get to a decent setup, but the walled garden was also a PITA, so all in all, I felt my time is better invested in making windows a nice place than the endless fighting of Apple on iOS.
As a halo effect, I'm kinda thinking about moving to Windows on my main computer as well on the next refresh cycle...not fully decided, but that feels like a viable option.
Ditto. Why do I have to replace my Windows login password with a "PIN" code that's the same as the iCloud Keychain PIN !? That's super weird!
Would like to see them in the process of transitioning it away from settings, also include the ability to change the name of the entries. Multiple URLs per login would be great too (or even a linking of separate entries). Think these are the biggest things keeping many general users still relying on the likes of 1Password/Bitwarden, which is where I disagree with the writer here, I think third party password tools should be replaced by sane defaults as soon as possible outside of niche cases.
Really? My Linux devices? Android? Windows? I don't think so.
I recommend considering one of the most important features of a password manager is that it doesn't force you to use a single manufacturer's products forever. Even if you swear undying fealty to Apple (or anyone else) today, you might change your mind in the future. 1Password, Bitwarden, and others allow me to switch PC manufacturer, phone manufacturer, browser, and so on.
I can't tell you how many people used to think "Internet Explorer is popular, it'll always be the one and only browser". That did not end well.
Changing my mind is easy enough: I can export my iCloud passwords to a csv file, and I've done this to transfer a bunch of passwords to Firefox Linux desktop.
I'll tell you something though: If Bitwarden leaked passwords nothing would happen because America has very weak consumer protections, but if Google or Apple leaked passwords, they'd be hit in every EU member state for GDPR.
Some of these things are outside of my control, and using a password manager is too useful that I think it's worth a little risk, but I can't justify trusting any company unless they've got some skin in the game, and Bitwarden specifically wants to disclaim all liabilities? AgileBits thankfully is in Canada and you can at least sue them for what you've paid them in six months, but I personally have passwords more important than that. Surely there's someone else you could recommend?
Even if one needed a server for syncing files, should each application that needs synching require its own server?
But I think in this case it's pretty much required for good UX with the way file syncing works on mobile and in the browser, especially dealing with conflicts. I've done it both ways and there is a lot less friction with vaultwarden than my old 'synced KeePass file' approach.
It was just a suggestion, there are other ways to skin the cat.
And I disagree: I think everyone who has been harmed by another wants the ability to have their story heard by a judge and jury and be cured by the law. Maybe they would prefer to not be hurt in the first place, but as you point out with LastPass, they may not have that option.
What we can choose is the jurisdiction in which we trade, and I would recommend people spend less time navel-gazing and more time thinking about what they can be doing to make things better for themselves.
I use Chrome's built-in password manager. I always set up website security questions with gibberish answers. I wish Chrome would give me a field to store those answers. Or, better yet, treat them like password fields and autofill them.
Apple is, to this day, largely unable to recognize that there is a world outside their beautiful dystopian garden. I’m sure they’re drooling about making the MacBooks run iOS so you can’t use any software that hasn’t been scanned and approved. When that day comes, I’m out for good.
Dashboard/status
- I have a smart lock, and they have their own app, where all it really does is show the current status of the lock and let me toggle it. There are quite a few apps like this. It'd be nice if they could all be condensed into a dashboard/status app that could just tweak values and show current status. Apple Home attempts to do some of this.
Notifications
- It'd be nice if there was a notifications app, and I could set most of my apps to deliver their notifications to that app, instead of me directly. This would reduce notification overload and distraction.
In the notifications settings you create at least one Scheduled Notification Summary. I've currently got ones setup roughly every four hours during "core daylight hours" for me, plus I enable the "preview option" to read the next summary early if I need to. Then you add as many apps as you want to the Notification Summaries. All of the notifications for those apps during each time period get rolled up into a single Summary object in your notifications, only give a notification alert once for the entire group of them (at the scheduled time), and don't cause Watch notifications (if that's a distraction/overload you especially juggle as I do).
At this point I've even got all my email notifications going into Summaries (which is why I turned on the preview for the next summary if I feel like I need a quick glance at recent email subject lines without opening my email app up).
It is such a useful tool and not a lot of iOS users discover it in the settings. May also be an indicator that it could use its own app because discovery in the Settings app itself is hard. Maybe the Settings app is just doing too many things now and needs some sort of reorg or something.
https://twitter.com/rmondello
https://hachyderm.io/@rmondello
[1]: https://rmondello.com/passwords-shortcut/
> PPS: I dream of a future where Passkeys could make the password manager extinct. But it’ll take time…
Passkeys even more so need more of a "curated app experience" to work right, cross platform. Ironically, it is my impression that preparing for Passkeys is why Apple finally added that password explorer to Windows' weird iCloud "control panel". (For a long time, the only way to use iCloud passwords on Windows was the awful Edge/Chrome integration.)
Maybe they don’t want to promote their own too heavily, to allow 1Password to take on the organizational risk of running a password manager? (For context, think about your current view of lastpass vs how you felt about it a year before their leak). Maybe the internal password management functionality is better suited to orgs which restrict third party apps?
I haven't noticed even minimal credential sharing facilities in keychain.
But multiple vaults and vault sharing - no such luck. I don't think they want to deal with the UX confusion of it, especially since that confusion could lead to someone getting locked out of things.
Hot take , but … I like the lack of integration in other operating systems/ browsers.
I see my phone as a Secure Enclave, and my passwords should be disconnected from potentially insecure systems. I see the phone as those keychain one time passwords where you have to press a physical button to get a key.
Is it inconvenient to get a password, yes. But it offers the piece of mind that I only have to worry about iPhone/Apple exploits, instead of chrome+firefox+windows+Linux+Apple+iphone.
I don’t think in this case Apple is not doing the integration because of this security feature, but I think it is a feature non the less. Of course you can always choose not to install the extensions even if they existed, but the point is that if they existed it would lower security.
Not saying Apple is doing that now, but I imagine it's not outside the realm of possibility.
Also I have recovery keys for the more important accounts printed and stored in a safe box.
But anyway, somebody could cut off your access to Dropbox, but it’s less of an issues since you have a backup.
Which I'm glad to know you can at least do with Keychain [1], although I use Bitwarden myself.
[1] https://support.apple.com/guide/keychain-access/import-and-e...
It’s useful even in non-multi-device scenarios.
What is the other one doing in the gym, unprotected?
Oh, they're stored online? There goes your entire "secure enclave" argument ;-)
I've been using KeePass apps (MacPass on macOS, KeePassium no iOS), with a different, unique master password, unlogged by default on iPhone, plus DB locks automatically after 10 minutes of inactivity.
Maybe I'm way off, but it seems safer to me.
[1] https://www.wsj.com/articles/apple-iphone-security-theft-pas...
I recently saw it with my own eyes as a family member was able to reset their iCloud password and gain full access to their account on a new device, including iCloud Keychain, using nothing but their iPad and the corresponding unlocking code. No iCloud password, no SMS-2FA (not that it would help much in the case of a stolen iPhone), nothing else.
Would someone need to steal two of your devices ?
I was under the assumption that you need to be logged in with touchid/faceid/pin code to get the unlock code
They then have everything they need to take over your iCloud account (kicking you out of it in the process by resetting all other devices capable of resetting it) and can see all your passwords stored in it, as well as use all of your WebAuthN passkeys.
I'm not sure if having a recovery code would improve that situation, but I'd guess that many people don't.
Hard to mitigate somebody looking over your shoulder, this is the case with most password managers, but I understand why this is a more likely scenario.
If somebody watches me enter my passcode and then rips the device out of my hands and runs off with it (assuming the password manager is not open), they now have access to most of the content on my phone, but importantly not the parts protected by Face ID, which includes the password manager.
If I had used Apple's password manager instead, they'd be able to recover all passwords (using the tactics described above or simply enrolling their own face in Face ID, which is possible using only the passcode).
Some apps don't, and some even react really poorly to a change of the biometric set (i.e. crashing at every Face ID use with no way to reset other than reinstalling), so I'm also not too keen on testing this on my main device.
One thing that surprised me during my limited testing was that Apple apparently doesn't make use of this capability for storing the "encrypted notes" passphrase, which effectively also reduces the security of that to that of the device passcode.
[1] https://developer.apple.com/documentation/security/secaccess...
If you have two accounts (let's say a personal one and work/family/org one), getting passwords for the second account will just be a PITA.
Same issue of course if you need someone else's password (e.g. your spouse's hotel reservation account's password)
Trying to work this around means you'll either be asking people's passwords other the phone or other means, or you'll often switch between accounts and will want lower security on the account themselves as the identification process get old very quick. Basically, these limitations are not without impact on security and how people will deal with them.
https://support.apple.com/en-ca/guide/iphone/ipha6173c19f/io...
Every time it asked me to either "confirm on your iPad" (I have 3 of those around the house) or "confirm on your iPhone" (I have 0 of those) I was ready to hurl shit. SMS option buried in some dark pattern, of course.
If these companies want to encroach in the secrets management space they really need to hire more qa and test more than a single happy path. The number of failure modes in these systems is astonishing for the billions of dollars these companies can throw at the problem.
As with all things apple when you buy in you get the best experience. That feature on AppleTV works really well with an Apple Watch.
Personally, I was a fan of Apple laptops between something like 2010 - 2015, but after that I just couldn't deal with it anymore, as I had a Android phone and nothing else Apple.
Fast forward to 2019, Apple finally releases a phone that fits in my tiny hands, so I get a iPhone 12 Mini, thinking that the CarPlay experience will be loads better than Android Auto on a measly Moto G.
But holy smokes if I wasn't wrong, CarPlay is a UX disaster and I can't wait for the iPhone to break somehow or get too slow because of OS upgrades, so I can justify buying a new phone again.
Just the simple fact that a phone calls covers the entire screen (which I use for GPS) seems like such a simple use case that they somehow missed, that I just wanna bin the entire system and I'll never buy Apple hardware for daily use again.
I still have to use Apple laptops for software I release, but every time, I'm reminded how great the UX used to be, but how far they have fallen. Really sad to see. Windows is no better either, each version gets worse and worse...
I'm pretty happy with 1Password - it does all of the things mentioned in this article with more platform support
All you need to do is connect the AirPods to an iCloud-enrolled Apple device, and it will automatically connect to that iCloud account.
Oh, but it's not any iCloud-enrolled device, it must be an iOS device. Connecting them to my MacBook didn't do anything.
I went into the Apple Store to ask for a solution to that problem. They legitimately asked me why I'm buying AirPods if I don't have an iPhone -- they're called Air Pods after all... Anyway, their proposed solution was for me to buy a refurbished iPad for $450 to connect the AirPods to my iCloud.
Currently test-driving a smaller alternative with a one-time payment.
I've been paying for 1Password for a while, but boy that electron app they rolled out with v8 is a clunker… will probably keep paying so long as 1Password 7 works but after that I'm gonna have to figure something else out.
Might not affect that many people. But it would surely limit choice for those who don't even know about the lock-in later in their lives.
This is what Apple probably wants to avoid. They won't be allowed to play a "Safari" this time (i.e. all password managers are allowed, as long as they are a frontend to our own password manager).
Also, having the password manager as a separate app, it is likely they will be asked to provide a standalone password migration API for third party password managers. This would make switching to another ecosystem trivial for moms & pops, who currently need to deal with CSV import & export* if they want to move their passwords out of iCloud.
* Not sure what the situation is ATM, but a few years back exporting passwords from iCloud was not directly supported. I had to run a third-party AppleScript script to generate a CSV to import in another password manager.
I'm not sure if the reference here is to Keychain's "Secure Notes" or the "comments" field associated with password items. If the latter, I've found (at least on older versions of OS X/macOS) that when Safari updates the value of a changed password, it deletes the comments! I used the comment field to add the (random) answers to security questions, and got burned on a couple of sites when I've needed to do an account reset and lost those answers.
It doesn't change a password, it creates a new one.
This means if you somehow mangle saving the password (you thought you updated it, but didn't) the older password is still in your keychain with the older note and it can still be retrieved.
Before, I could ask on an unlocked phone to “show me my password for GitHub” and Siri would open the settings app with the password list and show the GH credentials. Now (since iOS 16?) Siri just refuses to do any request that contains ‘password’.
prefs:root=PASSWORDS
You'll want to set up Siri separately as part of it, but you can definitely do that with Shortcuts.
What I described didn’t need a shortcut before. It was a vanilla iOS feature. I assume it went away for privacy reasons with one of the OS updates. And hoped there’d be a setting to get it back.