Is Apple's keychain a reasonable choice for password storage?

[Dave Merrill]

I'm not a mac guy, but some family members are, and they're asking whether Apple's keychain is a reasonable choice for password storage.
Has the pluses that it's built in, free, supported by Apple, and shares between Mac and iPhone.
Some minuses are Apple lock-in, plus their general opacity and invisible automatic everything, as long as that works out.

Thoughts?

 

[AlbertA]

yeah it is.

I use 1password however, since I need support on non-apple devices as well.

 

[DallasGlenn2005]

I’ve used it for a number of years. It’s convenient and user friendly and works well between the iPhone and Mac. I also think we’ve come to a point in time where having a single password for every site or even a sort of common password with a slight variation is a bad idea. So using some type of password keeper is a very good idea. Finally, it’s as portable as your iCloud ID I suppose. However, I have no idea how secure it is relative to other options.

 

[mr_fender]

Apple's security record is pretty good, so it's probably a decent solution.

I jumped ship from LastPass after their recent debacles, so I'm using Bitwarden now. It's free, open source, and cross platform.

 

[DallasGlenn2005]

Hey LastPass, you only had one job. Just one.

 

[Greg Ferguson]

Keychain is really well integrated into their products and has been part of the OS for years. In the early days when it first became part of the system I had some problems but it’s been very stable for me for years now. I’m going to go knock on wood for a while now.

Apple is really helping to push some new technologies that do away with passwords and password managers when dealing with the internet. I used to keep up with that stuff so the announcements last year caught my eye, but I don’t have much need to track it anymore. Here’s a demo of the technology https://www.passkeys.io/

 

[redhedded1]

I use 1 Password and it's other features as well such as secure notes and secure links to give to people that contain their password or login info for an app or server. I like having the iPhone and iPad apps also.

 

[Dave Merrill]

Re passkeys, I confess I haven't done the homework, but if I'm not mistaken, it amounts to a password manager you can't see and don't control, whose master password you can't see and can't change since it's biometric, and that isn't portable to other passkey vendors.

Please tell me I'm wrong about most of that, since it's a great vision that the world seems to be barreling towards.

 

[Dave Merrill]

Does keychain not have secure notes?

 

[DallasGlenn2005]

At least on the iPhone it’s secured in the UI with your iPhone passcode.

 

[CodePoet]

Dang, do I need to drop LastPass now?

 

[s0c9]

Been using the Pro version of LastPass for a couple of years. Works on every platform (PC/Mac/iOS/Linux) and as a plugin for most browsers.
Totally integrated on each device.

Disclosure: No relationship with them except as a happy customer!

 

[GlennO]

Dang, do I need to drop LastPass now?

Like a hot potato.

 

[bebaldwin]

I'm not a mac guy, but some family members are, and they're asking whether Apple's keychain is a reasonable choice for password storage.
Has the pluses that it's built in, free, supported by Apple, and shares between Mac and iPhone.
Some minuses are Apple lock-in, plus their general opacity and invisible automatic everything, as long as that works out.

Thoughts?

I use 1Password as well and have been for years. If you get the subscription you can use it through multiple devices because the passwords are stored on a secure server that only you know the password for, however, If you loose or forget it they cannot help you retrieve it.

 

[Dave Merrill]

Dang, do I need to drop LastPass now?

^^^ YES.

LastPass had a breakin, where a backup copy of some unknown segment of their master archive was stolen. Each customer's data is still encrypted with that person's master password, but:

- Only user names and passwords and the content of secure notes were encrypted. URLs, comments in regular password entries, etc are in clear text.

- The attackers have that backup copy now, and they can just keep trying every possible password on every customer's data, forever, until they get into some of them. The stronger your master password was, the more likely it is that that'll take a long time, but when they do, they'll have complete access to everything in your vault, as of whenever that backup was made.

- Nothing you do in LastPass now can prevent that, the attackers already have that backup. Your only real defense is to change every important password you had in there, now, making the attacker's backup copy irrelevant.

- LastPass never should have let anything like this happen, and they should have been more forthcoming about it when it did. They don't deserve your business, and you need better protection than I'd trust that company to deliver.

This isn't hyperbole, the story has been all over every major news outlet, Wikipedia, etc.

 

[mr_fender]

Yeah it's pretty much a worst case scenario for LastPass. I've been going through all my sites and changing my passwords. Pain in the ass.

 

[GlennO]

LastPass had a breakin,

"A" break in? They have had 7 major breaches. Not only do they not care about their customers' security, they don't even care about their own security.

 

[Dave Merrill]

Yeah it's pretty much a worst case scenario for LastPass. I've been going through all my sites and changing my passwords. Pain in the ass.

And switching to a different provider too I hope.

 

[mr_fender]

Yep. Switched to Bitwarden.

 

[CodePoet]

"A" break in? They have had 7 major breaches. Not only do they not care about their customers' security, they don't even care about their own security.

Yep, good point. Is 1Password more secure or do they just not disclose their breaches?