I use iCloud Keychain for passwords. It's a trade-off between security and convenience.
Passwords aren't as critical in my opinion, because I can always change them. Sure, it would suck if someone broke into my hosting account or my bank account, but I could probably fix it somehow. I was more thinking about secrets that I don't want people to find out, because there is no way to make people forget something they learned about me that I wanted to hide.
iCloud Keychain is handy for simple use cases. But it quickly breaks down if you want to have good password habits.
For example, I use my Apple ID to log in to a bunch of different Apple sites. With the keychain that would create separate entries for each site although they are the same. Change your password and you'll end up with items with outdated passwords (which you'll only find out when you try filling them).
The keychain is also cumbersome to create items manually (imagine you need to save an SFTP or VNC login?). Furthermore, how would you have access to these items on your iOS device?
You also can store more than just passwords with Secrets.
I use iCloud Keychain because Apple is not in the business of making money off a password manager. They charge me more via their hardware sales scheme but at the end of the day it’s a good experience overall.
I use a password manager but, as a mostly-Apple user, I see very little reason not to just use iCloud Keychain: the UX of Apple’s solution is significantly better than all the alternatives because I don’t have to remember yet another password/MFA token to type in every once in a while.
Hate to say it, but I personally don't feel comfortable storing all of my logins on Apple or Google's servers. Sorry, not for me.
If you have multiple Apple devices, for example, you don't have to use iCloud Keychain for passkeys if you're that paranoid, regardless of how convenient it is. All I can say is Keychain is pretty badass; I have no qualms about using it [1].
If you're on a cruise and you accidentally drop your iPhone into the ocean, you could buy a new one at the next port—or when you get back home—and do Apple's restore process and you're back in business in 10 minutes. All of your logins, credentials, certificates, etc. are encrypted with a key Apple doesn't have, so they can't access or give it to anyone else even if they were presented with a search warrant by law enforcement [2].
And also what happens if the public private key pair is compromised?
It's called a public key for a reason; it can't be compromised, right? The public key replaces your username when logging in; both are public information.
The private key never leaves your device, so there's no opportunity for a sketchy website or phishing attack to get it. And it certainly can't be intercepted like SMS codes can be.
You know how people get fooled into logging into a fake site whose domain is one character different than the authentic domain? A password manager doesn't help you with that but passkeys are cryptographically attached to a domain, so it can't be used on a site masquerading as your bank's website.
They criticize 2FA as flawed in the article, but how common are the SMS vulnerabilities that they talk about?
You're kidding, right? These are the first 3 hits on Google: [3] [4] [5]
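The domain binding described in the comment above, as an added example that is not part of the original thread: the checks a relying-party server runs on a WebAuthn sign-in response before it verifies the signature. The domains, challenge value and function names are constructed for illustration; signature verification over the authenticator data and client-data hash is left out because it needs a crypto library.

```python
import hashlib
import hmac
import json

def make_assertion(origin, rp_id, challenge):
    """Build constructed sample data shaped like a WebAuthn sign-in response."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData layout: SHA-256(rpId) | flags (1 byte) | signCount (4 bytes)
    flags = 0x01 | 0x04  # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client_data, auth_data

def check_binding(client_data, auth_data, origin, rp_id, challenge):
    """Server-side checks that tie an assertion to one domain. Returns "ok" or a reason."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != origin:
        return "origin mismatch"
    if len(auth_data) < 37:
        return "authenticator data too short"
    expected = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

def demo():
    """Run the genuine case and two lookalike-domain cases against bank.example."""
    site = ("https://bank.example", "bank.example", "Y29uc3RydWN0ZWQ")
    genuine = make_assertion("https://bank.example", "bank.example", site[2])
    lookalike = make_assertion("https://bannk.example", "bannk.example", site[2])
    # Client data claims the real origin, but the credential is scoped to the lookalike.
    mixed = (genuine[0], lookalike[1])
    return [check_binding(cd, ad, *site) for cd, ad in (genuine, lookalike, mixed)]

if __name__ == "__main__":
    print(demo())
```

A response produced on the one-character-different domain fails at the origin check, and one that relabels its origin still fails because the authenticator hashed the lookalike domain into its data.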
iCloud Keychain works great for me. Although, if I could change one thing, it would be to add a dedicated iOS app, instead of having to go to Settings > Safari > Passwords.
It's kind of funny - I find myself to be on the critical side when it comes to Apple, especially on HN, but when it comes to iCloud Keychain I use it pretty unquestioningly. Probably because I don't trust 1Password or other password managers to be any better, and it's a feature that's baked into the OS so adoption is frictionless.
iCloud Keychain is pretty good, but it tragically fails in the following cases:
* Any browser other than Safari.
* Apps that macOS/iOS don't parse for password fields for some reason so you can't generate a password right there — and it's a huge pain to add them manually, practically impossible on iOS.
* Cloud access (if you need your account and don't have any of your devices). Your Keychain is in the iCloud, but you can't access it from icloud.com.
So Apple could easily make it much better but they haven't.
I'm interested to hear what the HN community thinks about keeping passwords in iCloud-based Keychain (Safari) or whatever Google's alternative is called.
I don't care about portability. Why would I want e.g. 1Password instead of simply using Apple Keychain?
iCloud Keychain is definitely well-integrated, but I've run into a few edge cases where it doesn't behave the way I need it to. In these cases, 1Password is better since it actually lets me dig in and edit some of the low-level details in a quality UI (versus digging a couple levels deep in system settings/Safari preferences to find/edit the password in question).
Apple has Keychain linked to an iCloud account but it's a subpar password manager at best. Most Mac people who I know that are techy just use LastPass.
> The problem with iCloud keychain for me is that I don't only use Apple devices
If I ever need to sign into something on a non-Apple OS, I look up the desired iCloud Keychain-stored password on my iPhone, then manually retype it on the other device.
I would prefer that iCloud Keychain allow an alternative password - I refrain from adding some credentials to the keychain since my passcode is easy to steal?
iCloud Keychain has done more to raise the tide for passwords than any other password manager in existence. I love that it “just works” for the vast amount of people who use iOS/Mac.