Everyone agrees that passwords are a pain. The idea that each user of a computer, Web site, or online service should gain access using a unique identifier (a username) and a self-selected password must have seemed logical back in the day, but the system hasn’t scaled well. Now we all need passwords for dozens or even hundreds of services, while frequent high-profile security breaches remind us that a password-based infrastructure is inherently fragile and vulnerable.
In response, service providers make ever-harsher demands of their users: create longer, more complex passwords; change them whenever the provider sees fit; answer security questions; add two-step verification; and so on. Frustrated users, in turn, respond in ways that make them far less secure: they often choose easily guessable passwords, and reuse the same password (or one of a few) everywhere.
I’ve been thinking and writing about the password problem for a long time. In the recently published “Take Control of Your Passwords, Second Edition,” I lay out the whole problem from top to bottom and help readers think through a sensible, safe, and sustainable strategy. One key recommendation is to use a password manager whenever possible. This type of software automatically generates, remembers, and fills in passwords as needed, and syncs them across your various devices. Although a password manager alone isn’t a complete solution to anyone’s password woes, it can eliminate a large portion of the hassle while increasing your security tremendously.
There are lots of great password managers out there, and I truly don’t care which one you use, as long as it works well for you. I know that apps like LastPass, Dashlane, Blur, and many others, have lots of fans. In addition, Apple’s own solution, iCloud Keychain, works in Safari for recent versions of OS X and iOS — and it’s free for anyone with an iCloud account. I wrote extensively about iCloud Keychain in another of my books, “Take Control of iCloud.”
My personal favorite, however, is 1Password, which I’ve been using for nearly ten years. I’ve found that it hits the sweet spot of power, usability, and affordability — and it keeps getting better all the time. I like it so much I wrote yet another book about it, “Take Control of 1Password,” which explains how to make the most of the app’s extensive capabilities, many of which aren’t entirely obvious.
But wait a minute! Since iCloud Keychain is free, requires no extra software, and is supported by Apple, why would anyone bother with a third-party product in the first place? I’ve heard this question a number of times. For example, when I covered the latest major release in “1Password 6 for Mac Adds Teams, Expands Sync Options” (18 January 2016), a commenter named Jim inquired:
This would be a great chance to ask the question I’ve always had about 1Password. I hear nothing but praise for it, but… What exactly does it do that Apple’s built-in tools (Keychain, iCloud Keychain, etc.) don’t do?
I’ve read so many glowing reviews of 1Password, yet that’s the part I still don’t get…
I replied by pointing out a number of things 1Password can do that iCloud Keychain can’t, but the question deserves a more extensive answer. After all, 1Password isn’t free and does have a bit of a learning curve — and switching from one password manager to another isn’t always simple. I can understand why this might seem like a Pepsi-versus-Coke choice, but it’s more like pitting a standard can of Pepsi against a Cherry Vanilla Coke float made with artisanal hand-churned organic ice cream — and two straws.
Before I get into the feature differences, let me make two quick disclaimers. First, although I’m talking only about 1Password here, many of the features I point out can be found in other third-party password managers too. And second, I’m not trying to diss iCloud Keychain. In fact, as I’ll explain later, it’s an ideal choice for certain tasks, and there’s no reason you can’t use it alongside a third-party tool.
1Password’s Advantages -- 1Password was developed long before iCloud Keychain was a gleam in Apple’s eye, and over many years it has been refined based in large part on user feedback, an approach that Apple often seems to be allergic to. Here are some of the ways in which 1Password surpasses iCloud Keychain:
Platform Support: If you use only recent-vintage Macs and iOS devices, this might make no difference to you. But if you happen to use Windows or Android devices, or even older versions of OS X (iCloud Keychain was introduced in OS X 10.9 Mavericks), iCloud Keychain won’t help you on those platforms. 1Password, on the other hand, can sync your data to all those locations, although admittedly you’ll need to download a legacy version of the app if you want to run it on Mavericks or earlier.
Browser Support: 1Password works with most popular browsers, so if you prefer to use Chrome or Firefox instead of Safari (or if you switch between browsers from time to time), that’s no problem. iCloud Keychain, on the other hand, works only with Safari (in both OS X and iOS).
Password Strength: iCloud Keychain can generate random passwords for you in Safari, which is undeniably handy. But all those passwords are exactly 15 characters long, following the pattern
XXX-XXX-XXX-XXX, where each X is an alphanumeric character. Because the three hyphens are invariant, all those passwords have an effective length of only 12 characters, and because none of the other characters can be other punctuation, those 12-character passwords are much weaker than ones built from a wider character set. (Also, some Web sites limit passwords to fewer than 15 characters.) 1Password can make random passwords up to 50 characters long, with your choice of attributes; you can even opt for a series of random words instead of random characters, although a password of that type must be considerably longer to be as strong as one composed of random characters.
Additional Data Types: iCloud Keychain can store passwords, username-and-password combinations, secure notes, and credit card numbers, but that’s it. 1Password can also store many other kinds of data, such as software licenses, passports, membership cards, licenses, and bank account numbers. In addition, it can securely store and sync virtually any document you care to drag in, such as a Word document, PDF, or photograph containing confidential data.
CVV Numbers: iCloud Keychain can store credit card numbers and their associated expiration dates, but not CVV (card verification value) numbers. Apple says this is for security, but it means that every time you buy something online, you have to drag your card out of your wallet, look up that number, and type it in. My feeling is that if iCloud Keychain is secure enough to hold my bank account number and login credentials, not to mention passwords that could unlock all kinds of other highly confidential services, it should be secure enough to store and fill in a CVV too. 1Password has no trouble storing and filling in CVV numbers.
iOS App Support: Browsers aren’t the only apps that use passwords. Think of apps like Slack, Buffer, Basecamp, SoundCloud, Instapaper, and dozens of others that connect to online accounts. Using a simple API created by 1Password developer AgileBits, developers can enable their apps to query 1Password directly — it’s much quicker and easier for users than having to switch to 1Password, look up credentials, copy, switch back, and paste. Well over 100 apps have already added this support. And what I find even more interesting is that developers of other password managers can use the same API, so if your app supports 1Password, it also works with other iOS password managers. Although it’s possible for specially modified third-party iOS apps to access saved Safari passwords (which, in turn, may sync via iCloud Keychain), very few apps take advantage of this capability.
One-time Passwords: Many sites now offer two-step verification as an extra security measure. The most common implementation is that after you enter your password, the site prompts you for a second code — a time-based one-time password (TOTP), which is normally generated by a separate app such as Google Authenticator or Authy, and changes every 30 seconds. But 1Password can generate these codes too, meaning you don’t have to install a separate app to obtain them (and you don’t have to switch apps as often either). iCloud Keychain lacks such a feature.
Syncing Options: As you might guess from the name, iCloud Keychain syncs exclusively via iCloud. 1Password can sync via iCloud too, but if you prefer to use Dropbox, direct syncing over Wi-Fi, or even (for iOS devices) syncing your data via a USB cable and iTunes, you can. (Yet another way to sync is to use 1Password for Teams or Families, discussed just ahead.)
Ease of Use: Storing and entering passwords in a browser is one thing, but what if you need to look up a password for some other reason, or make other changes to your secure data? On a Mac, you have to use the ancient Keychain Access app (in
/Applications/Utilities), which is incredibly cumbersome and unintuitive. On an iOS device, no such app exists; you can go to Settings > Safari > Passwords to see and edit your credentials, but even that is a clumsy interface. 1Password’s user interface, by contrast, is far more user-friendly. It’s easy to search, sort, organize, tag, and edit items, and you can even do things like sort your passwords by strength to see which ones might be in need of changing.
Teams and Families: If you want to share certain passwords securely with other people — coworkers or family members, say — you can’t do so with iCloud Keychain. (Like most iCloud features, it’s all about sharing stuff across your own devices, not sharing stuff with other people.) 1Password has long offered a primitive way to share data using Dropbox, but with 1Password for Teams or 1Password Families (each available for a modest monthly fee), your business or family, respectively, has a simple yet secure and versatile mechanism for sharing passwords.
Other Details: 1Password also stores a history of the passwords you’ve used previously for each site. It can alert you to passwords that may need to be changed due to a security breach or because they’re duplicates. And it has quite a few other small conveniences that add up to a much better experience in managing passwords. (If I’ve skipped over anything you find particularly important, please remind me in the comments!)
iCloud Keychain’s Benefits -- Having said all that, let me now change my tune slightly and say some nice things about iCloud Keychain:
Better in Safari for iOS: Because iCloud Keychain is built right into Safari for iOS, it takes at most a tap or two to fill in your credentials and submit a form. Since the advent of extensions in iOS 8, it’s reasonably convenient to access 1Password from within an iOS browser, but you’ll still have to tap an icon to open the Share sheet, tap the 1Password icon, authenticate with Touch ID (or a PIN or your master password, depending on your device and configuration), and tap the desired login item. Of course, 1Password is doing the best it can given the restrictions Apple imposes, but if you want the least possible friction when entering credentials in Safari for iOS, iCloud Keychain is the way to go.
System-level Credential Syncing: iCloud Keychain isn’t just for Web forms. It can also store credentials that are used at a system level, such as Wi-Fi passwords and Internet accounts (Google, Facebook, Twitter, email servers, and so on). So, if you enter the password for a new Wi-Fi network on one of your devices, then as soon as iCloud Keychain syncs to your other devices (usually within seconds), they’ll have that password too and can join the new Wi-Fi network without so much as a password prompt. (For some reason, iCloud Keychain syncs email accounts only with other Macs, not with iOS devices.) Because 1Password doesn’t have the system-level access that would be necessary for such a feat, it can’t perform the same trick.
Reliability: Your mileage may vary, but I’ve found iCloud Keychain to be almost shockingly reliable — it syncs quickly and nearly always does exactly what I expect. I’ve often griped about other types of iCloud synchronization working poorly, but in this case I can’t complain. Because it’s part of OS X and iOS, there’s never any software to update separately, never any data to back up separately, and no worries about compatibility.
Sure, that’s a shorter list of compliments than the one I gave 1Password, but they’re not insignificant. If you use only Safari on Apple devices; have only a modest number of accounts; prefer iCloud syncing; and have no need to store other data types, share credentials, or use one-time passwords, you might be perfectly content with iCloud Keychain. Without question, using iCloud Keychain is a thousand times better than using no password manager at all, and if you like it, more power to you.
However, keep in mind that this isn’t an either/or decision. You can use iCloud Keychain and 1Password together. For example, you might rely on iCloud Keychain to handle your Wi-Fi passwords and the credentials you use most frequently in Safari for iOS, but 1Password for everything else. Or you could try to keep both apps updated with the majority of your passwords, using whatever happens to be easiest at any moment (given your current platform and browser). Or use 1Password to generate new passwords but iCloud Keychain to store and fill them. Although using both together is more work and arguably a bit less secure than picking just one, it’s not an unreasonable approach.