FlippedBITS: 1Password Versus iCloud Keychain
Everyone agrees that passwords are a pain. The idea that each user of a computer, Web site, or online service should gain access using a unique identifier (a username) and a self-selected password must have seemed logical back in the day, but the system hasn’t scaled well. Now we all need passwords for dozens or even hundreds of services, while frequent high-profile security breaches remind us that a password-based infrastructure is inherently fragile and vulnerable.
In response, service providers make ever-harsher demands of their users: create longer, more complex passwords; change them whenever the provider sees fit; answer security questions; add two-step verification; and so on. Frustrated users, in turn, respond in ways that make them far less secure: they often choose easily guessable passwords, and reuse the same password (or one of a few) everywhere.
I’ve been thinking and writing about the password problem for a long time. In the recently published “Take Control of Your Passwords, Second Edition,” I lay out the whole problem from top to bottom and help readers think through a sensible, safe, and sustainable strategy. One key recommendation is to use a password manager whenever possible. This type of software automatically generates, remembers, and fills in passwords as needed, and syncs them across your various devices. Although a password manager alone isn’t a complete solution to anyone’s password woes, it can eliminate a large portion of the hassle while increasing your security tremendously.
There are lots of great password managers out there, and I truly don’t care which one you use, as long as it works well for you. I know that apps like LastPass, Dashlane, Blur, and many others have lots of fans. In addition, Apple’s own solution, iCloud Keychain, works in Safari for recent versions of OS X and iOS — and it’s free for anyone with an iCloud account. I wrote extensively about iCloud Keychain in another of my books, “Take Control of iCloud.”
My personal favorite, however, is 1Password, which I’ve been using for nearly ten years. I’ve found that it hits the sweet spot of power, usability, and affordability — and it keeps getting better all the time. I like it so much I wrote yet another book about it, “Take Control of 1Password,” which explains how to make the most of the app’s extensive capabilities, many of which aren’t entirely obvious.
But wait a minute! Since iCloud Keychain is free, requires no extra software, and is supported by Apple, why would anyone bother with a third-party product in the first place? I’ve heard this question a number of times. For example, when I covered the latest major release in “1Password 6 for Mac Adds Teams, Expands Sync Options” (18 January 2016), a commenter named Jim inquired:
This would be a great chance to ask the question I’ve always had about 1Password. I hear nothing but praise for it, but… What exactly does it do that Apple’s built-in tools (Keychain, iCloud Keychain, etc.) don’t do?
I’ve read so many glowing reviews of 1Password, yet that’s the part I still don’t get…
I replied by pointing out a number of things 1Password can do that iCloud Keychain can’t, but the question deserves a more extensive answer. After all, 1Password isn’t free and does have a bit of a learning curve — and switching from one password manager to another isn’t always simple. I can understand why this might seem like a Pepsi-versus-Coke choice, but it’s more like pitting a standard can of Pepsi against a Cherry Vanilla Coke float made with artisanal hand-churned organic ice cream — and two straws.
Before I get into the feature differences, let me make two quick disclaimers. First, although I’m talking only about 1Password here, many of the features I point out can be found in other third-party password managers too. And second, I’m not trying to diss iCloud Keychain. In fact, as I’ll explain later, it’s an ideal choice for certain tasks, and there’s no reason you can’t use it alongside a third-party tool.
1Password’s Advantages — 1Password was developed long before iCloud Keychain was a gleam in Apple’s eye, and over many years it has been refined based in large part on user feedback, an approach that Apple often seems to be allergic to. Here are some of the ways in which 1Password surpasses iCloud Keychain:
- Platform Support: If you use only recent-vintage Macs and iOS devices, this might make no difference to you. But if you happen to use Windows or Android devices, or even older versions of OS X (iCloud Keychain was introduced in OS X 10.9 Mavericks), iCloud Keychain won’t help you on those platforms. 1Password, on the other hand, can sync your data to all those locations, although admittedly you’ll need to download a legacy version of the app if you want to run it on Mavericks or earlier.
- Browser Support: 1Password works with most popular browsers, so if you prefer to use Chrome or Firefox instead of Safari (or if you switch between browsers from time to time), that’s no problem. iCloud Keychain, on the other hand, works only with Safari (in both OS X and iOS).
- Password Strength: iCloud Keychain can generate random passwords for you in Safari, which is undeniably handy. But all those passwords are exactly 15 characters long, following the pattern XXX-XXX-XXX-XXX, where each X is an alphanumeric character. Because the three hyphens are invariant, all those passwords have an effective length of only 12 characters, and because none of the other characters can be punctuation, those 12-character passwords are much weaker than ones of the same length built from a wider character set. (Also, some Web sites limit passwords to fewer than 15 characters.) 1Password can make random passwords up to 50 characters long, with your choice of attributes; you can even opt for a series of random words instead of random characters, although a password of that type must be considerably longer to be as strong as one composed of random characters.
- Additional Data Types: iCloud Keychain can store passwords, username-and-password combinations, secure notes, and credit card numbers, but that’s it. 1Password can also store many other kinds of data, such as software licenses, passports, membership cards, licenses, and bank account numbers. In addition, it can securely store and sync virtually any document you care to drag in, such as a Word document, PDF, or photograph containing confidential data.
- CVV Numbers: iCloud Keychain can store credit card numbers and their associated expiration dates, but not CVV (card verification value) numbers. Apple says this is for security, but it means that every time you buy something online, you have to drag your card out of your wallet, look up that number, and type it in. My feeling is that if iCloud Keychain is secure enough to hold my bank account number and login credentials, not to mention passwords that could unlock all kinds of other highly confidential services, it should be secure enough to store and fill in a CVV too. 1Password has no trouble storing and filling in CVV numbers.
- iOS App Support: Browsers aren’t the only apps that use passwords. Think of apps like Slack, Buffer, Basecamp, SoundCloud, Instapaper, and dozens of others that connect to online accounts. Using a simple API created by 1Password developer AgileBits, developers can enable their apps to query 1Password directly — it’s much quicker and easier for users than having to switch to 1Password, look up credentials, copy, switch back, and paste. Well over 100 apps have already added this support. And what I find even more interesting is that developers of other password managers can use the same API, so if your app supports 1Password, it also works with other iOS password managers. Although it’s possible for specially modified third-party iOS apps to access saved Safari passwords (which, in turn, may sync via iCloud Keychain), very few apps take advantage of this capability.
- One-time Passwords: Many sites now offer two-step verification as an extra security measure. The most common implementation is that after you enter your password, the site prompts you for a second code — a time-based one-time password (TOTP), which is normally generated by a separate app such as Google Authenticator or Authy, and changes every 30 seconds. But 1Password can generate these codes too, meaning you don’t have to install a separate app to obtain them (and you don’t have to switch apps as often either). iCloud Keychain lacks such a feature.
- Syncing Options: As you might guess from the name, iCloud Keychain syncs exclusively via iCloud. 1Password can sync via iCloud too, but if you prefer to use Dropbox, direct syncing over Wi-Fi, or even (for iOS devices) syncing your data via a USB cable and iTunes, you can. (Yet another way to sync is to use 1Password for Teams or Families, discussed just ahead.)
- Ease of Use: Storing and entering passwords in a browser is one thing, but what if you need to look up a password for some other reason, or make other changes to your secure data? On a Mac, you have to use the ancient Keychain Access app (in /Applications/Utilities), which is incredibly cumbersome and unintuitive. On an iOS device, no such app exists; you can go to Settings > Safari > Passwords to see and edit your credentials, but even that is a clumsy interface. 1Password’s user interface, by contrast, is far more user-friendly. It’s easy to search, sort, organize, tag, and edit items, and you can even do things like sort your passwords by strength to see which ones might be in need of changing.
- Teams and Families: If you want to share certain passwords securely with other people — coworkers or family members, say — you can’t do so with iCloud Keychain. (Like most iCloud features, it’s all about sharing stuff across your own devices, not sharing stuff with other people.) 1Password has long offered a primitive way to share data using Dropbox, but with 1Password for Teams or 1Password Families (each available for a modest monthly fee), your business or family, respectively, has a simple yet secure and versatile mechanism for sharing passwords.
- Other Details: 1Password also stores a history of the passwords you’ve used previously for each site. It can alert you to passwords that may need to be changed due to a security breach or because they’re duplicates. And it has quite a few other small conveniences that add up to a much better experience in managing passwords. (If I’ve skipped over anything you find particularly important, please remind me in the comments!)
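To put numbers on the Password Strength bullet above, here is an added example (not code from the article, 1Password, or Apple) that computes the entropy of the iCloud Keychain XXX-XXX-XXX-XXX pattern, of a 50-character password from the full printable set, and of a random-word password; the 7776-word list size is an assumption taken from common Diceware-style lists, and the generator uses Python’s `secrets` module.

```python
import math
import secrets
import string

# Character sets used by the two generators the article contrasts.
# iCloud Keychain's generated passwords are alphanumeric (letters and digits);
# 1Password can also draw from punctuation.
ALPHANUMERIC = string.ascii_letters + string.digits          # 62 symbols
FULL_PRINTABLE = ALPHANUMERIC + string.punctuation           # 94 symbols

# The pattern the article describes: four groups of three alphanumeric
# characters joined by hyphens. The hyphens are fixed, so they add no
# entropy even though they count toward the 15-character length.
ICLOUD_PATTERN = "XXX-XXX-XXX-XXX"

# Assumed word-list size (Diceware-style lists have 6^5 = 7776 entries).
ASSUMED_WORDLIST_SIZE = 7776


def pattern_entropy_bits(pattern: str, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn from `pattern`.

    Each 'X' is one uniformly random symbol from an alphabet of
    `alphabet_size`; every other character is a fixed literal that an
    attacker does not have to guess.
    """
    random_positions = sum(1 for ch in pattern if ch == "X")
    return random_positions * math.log2(alphabet_size)


def random_chars_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent, uniformly random symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of uniformly chosen words from a list of `wordlist_size`
    whose combined entropy reaches `target_bits`. This is why a word-based
    password must be considerably longer than a character-based one."""
    bits_per_word = math.log2(wordlist_size)
    return math.ceil(target_bits / bits_per_word)


def generate_from_pattern(pattern: str, alphabet: str) -> str:
    """Fill each 'X' in `pattern` with a cryptographically random symbol
    (via `secrets`), keeping the literal characters in place."""
    return "".join(secrets.choice(alphabet) if ch == "X" else ch for ch in pattern)


def comparison() -> dict:
    """Entropy figures for the password styles discussed in the article."""
    icloud_bits = pattern_entropy_bits(ICLOUD_PATTERN, len(ALPHANUMERIC))
    return {
        # 12 effective alphanumeric characters: about 71.5 bits.
        "icloud_15_char_pattern": icloud_bits,
        # Same 15-character length without fixed hyphens, alphanumeric only.
        "plain_15_alnum": random_chars_entropy_bits(15, len(ALPHANUMERIC)),
        # 12 random characters from the full printable set, for comparison.
        "plain_12_full": random_chars_entropy_bits(12, len(FULL_PRINTABLE)),
        # 1Password's maximum length with the widest character set.
        "onepassword_50_full": random_chars_entropy_bits(50, len(FULL_PRINTABLE)),
        # Random words needed to match the iCloud pattern's entropy.
        "words_to_match_icloud": words_needed(icloud_bits, ASSUMED_WORDLIST_SIZE),
    }


if __name__ == "__main__":
    for name, value in comparison().items():
        print(f"{name}: {value:.1f}" if isinstance(value, float) else f"{name}: {value}")
    print("sample in iCloud pattern:", generate_from_pattern(ICLOUD_PATTERN, ALPHANUMERIC))
```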
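The One-time Passwords bullet above describes codes that change every 30 seconds; this added example (not code from the article or from 1Password) shows what a TOTP generator computes per RFC 6238 and how a site would verify the code with a small tolerance for clock drift. The shared secret used in the demo is the public test secret from RFC 6238, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is Unix time divided by `step`.
    The counter, and therefore the code, changes once every `step` seconds,
    which is the 30-second rotation the article describes."""
    return hotp(secret, for_time // step, digits, digestmod)


def decode_base32_secret(b32: str) -> bytes:
    """Sites hand the shared secret to authenticator apps as Base32 text
    (typically inside an otpauth:// URI). Normalise case and spacing and
    restore the padding that is usually omitted before decoding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, now: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current time step and for
    `window` steps on either side, so a slightly skewed client clock still
    works. Codes are compared in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print("t=59, 8 digits:", totp(RFC6238_TEST_SECRET, 59, digits=8))
    print("current code:", totp(RFC6238_TEST_SECRET, int(time.time())))
```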
iCloud Keychain’s Benefits — Having said all that, let me now change my tune slightly and say some nice things about iCloud Keychain:
- Better in Safari for iOS: Because iCloud Keychain is built right into Safari for iOS, it takes at most a tap or two to fill in your credentials and submit a form. Since the advent of extensions in iOS 8, it’s reasonably convenient to access 1Password from within an iOS browser, but you’ll still have to tap an icon to open the Share sheet, tap the 1Password icon, authenticate with Touch ID (or a PIN or your master password, depending on your device and configuration), and tap the desired login item. Of course, 1Password is doing the best it can given the restrictions Apple imposes, but if you want the least possible friction when entering credentials in Safari for iOS, iCloud Keychain is the way to go.
- System-level Credential Syncing: iCloud Keychain isn’t just for Web forms. It can also store credentials that are used at a system level, such as Wi-Fi passwords and Internet accounts (Google, Facebook, Twitter, email servers, and so on). So, if you enter the password for a new Wi-Fi network on one of your devices, then as soon as iCloud Keychain syncs to your other devices (usually within seconds), they’ll have that password too and can join the new Wi-Fi network without so much as a password prompt. (For some reason, iCloud Keychain syncs email accounts only with other Macs, not with iOS devices.) Because 1Password doesn’t have the system-level access that would be necessary for such a feat, it can’t perform the same trick.
- Reliability: Your mileage may vary, but I’ve found iCloud Keychain to be almost shockingly reliable — it syncs quickly and nearly always does exactly what I expect. I’ve often griped about other types of iCloud synchronization working poorly, but in this case I can’t complain. Because it’s part of OS X and iOS, there’s never any software to update separately, never any data to back up separately, and no worries about compatibility.
Sure, that’s a shorter list of compliments than the one I gave 1Password, but they’re not insignificant. If you use only Safari on Apple devices; have only a modest number of accounts; prefer iCloud syncing; and have no need to store other data types, share credentials, or use one-time passwords, you might be perfectly content with iCloud Keychain. Without question, using iCloud Keychain is a thousand times better than using no password manager at all, and if you like it, more power to you.
However, keep in mind that this isn’t an either/or decision. You can use iCloud Keychain and 1Password together. For example, you might rely on iCloud Keychain to handle your Wi-Fi passwords and the credentials you use most frequently in Safari for iOS, but 1Password for everything else. Or you could try to keep both apps updated with the majority of your passwords, using whatever happens to be easiest at any moment (given your current platform and browser). Or use 1Password to generate new passwords but iCloud Keychain to store and fill them. Although using both together is more work and arguably a bit less secure than picking just one, it’s not an unreasonable approach.
From my iPad Air w iOS9.3 and before, I often must manually look up and enter passwords for the web. Using iOS9.3, if I go to MacRumors or from Tweeter to a website, iCloud syncing doesn't seem to remember passwords. Maybe I need to rethink how I expect iCloud to operate, but I am wondering if iPassword would solve these gaps that iCloud seems to be unable to sync. I run across this when asked for Facebook sign-ins from the web going indirectly to Facebook. Visiting Facebook from OSX Safari is no issue for iCloud. It's the indirect visit. Another incident would be visiting TidBits. If I am using iOS9x, visiting TidBits, iCloud sometimes does not remember my sync'd password, so I must manually look up my TidBits password. Would iPassword eliminate this iOS gap in syncing passwords?
It sounds like you're talking about cases where you're using a browser embedded in another app rather than Safari. 1Password can handle most (perhaps not all) of these situations via its extension.
Thank you for your response, Joe. If the app can keep me from digging into my password memos when iCloud fails, it'll be worth mucho dinero.
No matter how good the software at the user end, your online accounts are most likely (say 90%) compromised by the business institutions being hacked or by someone in the institution selling passwords.
The statistics for malicious use of passwords from the user end show the rarity of this happening.
The business institutions need to secure their systems rather than shifting unnecessary requirements onto users.
That said, really all that is needed at the user end is a paper list of passwords. Users could even tape this next to their computer, as there is less likelihood of online accounts being compromised that way than through the more usual and frequent breaches made by the institutions themselves.
I love your optimism :)
I have 700 passwords and other items in 1Password. A paper list stuck to my monitor is not going to help! This is especially the case for me since I use my accounts at home, at work, and while travelling interstate or internationally.
If your passwords are all long, random, and unique (as they should be), then a piece of paper is not a very effective password manager. It forces you to type in each password manually every time, it won't help you create new passwords, and it won't do you much good if you need a password when your paper is somewhere else!
I have well over 800 unique passwords, and it takes, at most, a single keyboard shortcut to fill them in. Plus they sync automatically to all my devices. I can't control what happens on the other end, but I can control how good my passwords are and how easy it is to create, remember, sync, and fill them. That's why I use a password manager.
I use LastPass on my Windows virtual machines; not sure if 1Password supports non-Apple devices.
Password managers mostly work with brokers and not standalone apps such as Mail or Parallels for example.
A personal nit of mine is the idea of a username as a unique identifier and the differing uses of email address, email Id, user name, user id, etc. An email address is unique amongst 6 billion people in the world. My username is (re)used amongst many of my accounts and is part of my email addresses. A username however may connote the use of alpha characters whereas user Id may connote the mixed use of number, alphabetic, and special characters. I'm OK with either; potatoes - potahtoes (sp).
MN
In the "Platform Support" bullet I pointed out that 1Password works on Windows and Android as well as OS X and iOS.
You're correct that password managers are designed to tie into browsers; in most cases, other desktop apps have no way to communicate with them directly. However, on iOS, third-party apps can integrate support for 1Password and other password managers.
Still like Passwordwallet better. http://www.selznick.com/products/passwordwallet/
Keychain and OS X are seriously flawed, because there is no online account database (service, user-id, password), which is then used system wide. There is the preference pane for internet accounts, but it only works for mail, calendar etc., but not for Safari and other third party programs. Due to that, I have several entries for each domain and account in keychain: smtp, imap, calendar, safari, adium, iMessage, … This is very disappointing and should be fixed by Apple.
One significant advantage of a password manager is protection if you happen to hit a phishing link that asks for your credentials. You may think you're on a legitimate site and ask the PW manager to enter your name and password, but the PW manager will not recognize the look-alike URL and refuse to put in the data.
I am a long-time 1Password user and love it. Recently my son sent me a link to an article by Kevin Roose, news director at Fusion.net. Kevin had requested two hackers to use their skill on him. One of the hackers used a phishing attack to install software including a key logger which he used to capture Kevin's master password for 1Password. I am interested in ways to defeat that kind of attack. I use Little Snitch but I would love to hear of any other security tools that might be helpful. Here is a link to the article:
http://fusion.net/story/281543/real-future-episode-8-hack-attack/
Keyloggers can be pretty nasty, so the best advice is to use tools that prevent phishing attempts from succeeding in the first place. A good spam filter can help, not clicking links in messages can help, and so does paying careful attention to what you give permission to with your account password. There are all kinds of anti-spying apps out there, too; I don't have any specific recommendations.
What's up with password synchronisation using iTunes?
What do you mean by "up"? You can use iTunes to copy your entire 1Password data file to or from your iOS device (via USB or Wi-Fi). It's not really a two-way sync, but it's an option. Instructions are in my book or in the 1Password documentation.
I wonder whether storing passwords in iCloud Keychain is a good idea:
1) my iDevices are locked with a four digit 'passcode' - so my >700 randomly chosen, strong, unique passwords would be locked behind a very weak master password of only 4 digits
2) anyone with administrative permissions on one of the macs I use would be able to access my passwords
Or am I missing something?
1) Do you have the option to erase your data after 10 wrong passcode attempts turned on? If so, refer to the last many weeks of news about FBI vs. Apple for an idea of how challenging it is for someone to get at your passwords.
2) Not just anyone with administrative permission—only someone who knows your personal account password. Which should be very strong!
1) No I haven't and will not do that because I don't want my data to be erased when I am too absent minded, tired or otherwise confused to remember my password.
2) It might differ on El Capitan, but on Yosemite someone with administrative privileges can reset anyone's password.
Also, I hate it to have to type long difficult passwords every time I leave my mac for more than 5 minutes. 1Password saves me that burden!
Anyway, I feel it is not good practice to recommend iCloud Keychain as a password manager without adding a list of 'provided thats'.
1) Really? A passcode you use multiple times a day? If you're afraid you won't be able to remember it, even after 9 tries, you can always write it down!
2) Any administrative user can reset an administrative password, true, but that is not necessarily the same as resetting the *Keychain* password. (You can use a different password for Keychain.) And, note that you can change the delay for when you're prompted to log in again.
All that to say: my opinion is that the security risks of iCloud Keychain are far smaller than you're imagining. I still, of course, prefer 1Password, but as I said in the article, there are things iCloud Keychain can do that 1Password can't.
1) What I am afraid of is not that I can't remember my password, but that I am typing the wrong passcode again and again (thinking that I type the correct one the moment I type it and thinking that I made a typing error the moment it doesn't work) before realizing that it is the 9th time. But you are right that ten times is very much, so perhaps I should reconsider that policy.
2) I just tried it but someone with administrative permissions can reset any password used to login of any user and, hence, access their login keychain. I couldn't find a special keychain password: as soon as I am logged in I can access my keychain. Yes, I know that I can change the delay before being prompted to log in again, but I don't want to have my passwords unprotected for 15 minutes.
You can change the password for your keychain to NOT be the same as your login password, so that changing your login password won't change your keychain password. To do this, open Keychain Access, select your login keychain, and choose Edit > Change password for Keychain "login".
It is true that an admin account can reset the password for any user login on that system. However, it is _not_ true that this also changes the user's keychain. I administer Macs for a small organisation, and the inability to update the keychain password used to cause confusion for users in cases where I had to change a user's login password. (In recent versions of OS X, Apple has greatly improved how this is handled, so a user is prompted to update the keychain password when logging in after a password reset.)
So even if you or another admin user resets an account password, the keychain remains locked and completely inaccessible even after logging into the account. You cannot get to the contents of the keychain unless you/the user can remember the keychain password (i.e. the original account password). If not, you must trash the keychain and start a new, empty one. So there is no risk that passwords stored in the Mac Keychain are available to anyone with admin access to your Mac.
That's right—my memory was faulty. Thanks for the correction!
I have been using LastPass for some time now just on my computers. I would like to use some, but not all, of my passwords on my iPhone. I don't know if LP lets me do that but reading this story suggests that maybe Keychain would be the solution. BUT that depends on how hard it is to move some LP entries to Keychain. I don't have a lot of sites to sync to my iPhone so copy and paste could work unless there is a simpler way. Is linking a third party program (LP) to Keychain covered in your updated book?
You can't link anything to Keychain as such, but what you can do is let LastPass fill in your credentials in Safari and then let Safari store them as you browse, which will add them (one at a time) to your iCloud Keychain.
LastPass does have a free iPhone app, which is probably the easiest solution.
https://itunes.apple.com/us/app/lastpass-free-password-manager/id324613447?mt=8
I started using 1Password because of Joe Kissell and his Take Control book on passwords. The first chapter was an eye-opener. Break a four-pin password in a matter of hours?
I have recommended 1Password (or at least the concept of a password manager) to I don't know how many people. Every one of them was interested, especially those who (surprise, surprise) work in security for a bank or credit card. I've also recommended his book.
I have no reason to leave 1Password. I agree with Mr. Kissell about the ease of use. It's gotten to where I resent those sites that only allow 6 - 8 characters. I want as long and as complex a string as I can get, because 1Password remembers it for me, along with credit card numbers, expiration dates, etc.
I'm sure it's a minor point for most, but for me, it's one of the best little features. The syncing doesn't have to go through a cloud system (I don't trust online security). You can wirelessly sync to your devices if your computer, etc. has Bluetooth. I apologize if that is what he meant by syncing.
When I can afford it, I'm buying the 1Password Take Control book to find out what I have been missing.
Kudos, Mr. Kissell. I appreciate what you have done for my understanding about privacy and other issues. Your writing style is clear and plain-spoken, free from jargon and technical language. That says much in today's tech world.
I'm delighted to hear that you like and have recommended my book! Thanks so much for your kind words.
The file that contains your passwords is encrypted on your computer, and it can then sync via the cloud (iCloud or Dropbox), or Wi-Fi, or even with iTunes using a USB cable. It can't sync via Bluetooth, however. There's no reason not to trust online security, in that even if there were no online security whatsoever, your data is as securely encrypted in the cloud as it is on your Mac or PC. For what it's worth.
I did make the mistake of saying Bluetooth when I meant Wi-Fi. Thank you for the correction.
I'll buy and read your online security Take Control book. It might change my mind.
What I don't like are those sites that specify exactly how many characters & numbers you have to use, how many have to be in upper and lower case, and limit you to only certain special characters.
Agreed! Arbitrary password restrictions are awful. I do wish every site would accept passwords of any length and configuration—at least over some minimum number of characters.
I was a long-time 1Password user up until March 2016, when I switched to LastPass. My reasons:
* Runs on Linux and more OSes.
* Same features as 1Password, often implemented better.
* LastPass has a superior Android app that requires fewer taps to use. With 1Password, I have to search for, then copy and paste usernames and passwords between it and the other app to authenticate.
* Although a personal opinion, the LastPass user interface is much cleaner and easier to use than 1Password.
I tried LastPass and decided it was just a 1Pwd wannabe.
For me the advantage of 1Password over iCloud Keychain is that my husband and I share a Dropbox account and 1Password is synced in Dropbox, which means we both have access to our passwords without sharing our computers, iPads, etc.
Joe, on my iOS devices, I use the web browser built into 1Password. I figure if I have to launch 1Password to get the sign-in data for a web site, I might as well just log in with the built-in browser.
If that works for you, great! Personally, I'd be lost without the other stuff I get in Safari, such as synced bookmarks and tabs—and if I tap a link to a URL in another app, it opens in Safari rather than in 1Password. So for me, using the extension with Safari is the path of least resistance.
I have had a lot of people recommend password managers, but have never bit the bullet and tried one. Maybe I just want to be in control, but there are some things that concern me based on my experience over many years as a Mac user. For iCloud, I have these concerns:
1. Apple updates sometimes are not that reliable. There are regular stories of updates that stuffed things. When I am looking at my ability to access important sites, do I want to take that risk?
2. Once bitten twice shy. I have lost data in iCloud in the past.
3. Apple has a history of releasing updates that are not compatible with earlier versions - think iPhoto. I run older operating systems for particular software. It is a pain, for example, that contacts and calendar on Snow Leopard cannot sync with the current version of iCloud. (I tried the hacks that claim to do this, but they do not work well.)
For password managers in general, while they work it may be fine, but what happens when something goes wrong, e.g., the password file gets corrupted or the company goes out of business?
How easy is it to update the username and password if a web site forces you to change them?
Let me first say: if you worry about iCloud Keychain, then don't use it. Use 1Password (or another app) instead. You don't have to sync 1Password via iCloud (or even use the Internet at all) if you don't want to. It stores backups of its data automatically, and you can back it up separately yourself too. And you can download an older version to use on your older Macs. There is Just Nothing To Worry About.
That said, I think your worries are overstated. There are always bugs in software, but it's not like Apple updates regularly have major flaws that result in data loss. Such occurrences are extremely rare. And when big bugs do sneak through, Apple fixes them promptly.
I have never heard of any bug that resulted in the loss of data from Keychain generally or from iCloud Keychain in particular. But if such a thing had occurred or should occur in the future, I would be very happy that I have excellent backups, which are of course always a good idea.
iCloud Keychain won't work with Snow Leopard, that's true. The feature just wasn't added until later, and you can't blame Apple for not inventing time travel yet. (Or DID they?)
To your specific questions:
- If the password file gets corrupted, you use a backup. Boom.
- If the company goes out of business, the software keeps working. Feel free to export your data at any time and move it to a different product if you prefer. No problem.
- If you need to update your username and password for a site, it's really easy with either iCloud Keychain or 1Password. It's even easier with LastPass or Dashlane, which make it a one-step process.
I like the development team at 1Password and the support, but I find the less popular PasswordWallet much easier to use. The main problem with 1Password is that it uses patterns in the forms you fill out and if a page is moved, or if there is an unusual non-standard pattern in the forms, it becomes really unwieldy and things break. I had this happen so much I gave up and went back to PasswordWallet which "just works" because it handles those cases fundamentally differently.