Tonya and I have never had the opportunity to view a total solar eclipse before, so on 8 April 2024, instead of publishing an email issue of TidBITS, we will be driving an hour or two north to be in the path of the totality. The other reason to take that issue off is that I’m directing the Skunk Cabbage Classic 10K and Half Marathon the day before the eclipse, and I need to focus on the final details for an 800-runner race this week.

Once life returns to its usual routines, I’ll get back to publishing articles on our website in advance of our next email issue on 15 April 2024. TidBITS Talk discussions will undoubtedly continue throughout all this. To keep up, visit our site or subscribe to our RSS feed—remember that TidBITS members get a full-text feed.

Apple has announced that its 2024 Worldwide Developer Conference will take place June 10 through June 14. It will again be free and entirely online, although Apple is also hosting a special event at Apple Park on the first day for some lucky developers who request to attend. Unlike last year, Apple doesn’t say how attendees will be selected. Also on the schedule is the traditional Swift Student Challenge for budding developers.

It’s a safe bet that the WWDC keynote will feature macOS 15, iOS 18, iPadOS 18, watchOS 11, and tvOS 18, but it’s anyone’s guess if visionOS will jump from version 1 to 2. Apple has hinted that AI will be a significant focus, and an AI-powered version of Siri would be most welcome, if only for added accuracy when interpreting slightly mis-spoken commands.

Last week, Canva, which specializes in online design for the masses, and Serif, makers of the Affinity suite of professional-level design apps, announced that Canva has acquired Serif for approximately $380 million. We’ve mentioned Canva only once before, but it’s a privately held Australian firm with 3500 employees and $2 billion in revenue. In 2019, Canva also acquired stock photography sites Pixabay and Pexels. Canva had about 100 million active monthly users as of December 2022, while Serif says over 3 million designers use its tools.

The match is a good one. The Affinity suite provides significantly more layout power than Canva’s browser-based tools, but Canva offers cloud and collaboration capabilities that are missing from the Affinity apps. I have long maintained that collaboration tools will win out over other features in the mass market because most modern projects involve multiple people. That’s why I do all my writing in Google Docs instead of the more powerful Nisus Writer Pro or BBEdit.

Similarly, although I wrote glowingly about the Affinity suite in “Consider Switching from Creative Cloud to Affinity V2” (5 December 2022), nearly all my design work has moved to Canva. That’s because the Finger Lakes Runner Club’s communications team standardized on Canva in 2023 because of its collaborative capabilities (the free subscription for nonprofits helped, too). Up to that point, I had been producing flyers, calendars, and forms myself, with comments from others, but once a group took over those tasks, collaboration became king. Now, everything the club generates is in Canva, where anyone on the team can view, comment, and edit designs. We’ve settled on a working style where we trust others to make small changes on their own, but if someone has more radical suggestions, they show what they have in mind on a duplicate page. We’ve even occasionally used Canva’s built-in ordering options when they’re easier than printing locally.

Despite the fluidity of collaboration in Canva, I’ll admit to some annoyance with its design tools. For instance, it doesn’t support tab leaders, those evenly spaced dots that help you connect a right-aligned page number with its left-aligned Table of Contents entry—or, in our case, a right-aligned race date with a left-aligned race name in a calendar list. I also desperately miss arrows like those in Preview, which you can easily curve by dragging a mid-line control.

Nonetheless, Canva is a far more appropriate tool for the level of design the club needs and a better match for my design skills. With luck, Canva’s developers will extract a few of the more subtle features from the Affinity apps.

On the other side of the equation, the Affinity suite didn’t compete well with Adobe’s Creative Cloud in online collaboration. With Canva’s platform, collaborative capabilities are far more likely. Serif wrote:

Many of you would like to see a way to easily sync your Affinity documents and assets to all your devices, and also to be able to share and collaborate on your Affinity files. For us to build the infrastructure required for this was always going to be challenging, but it’s now certainly achievable via Canva’s platform.

Apart from a competitive feature set, what made the Affinity suite so attractive to some Creative Cloud users was the price. Where Adobe went all-in on the monthly subscription model—I was paying $54 per month when I switched to Affinity—Serif maintained traditional licensing with sales and discounts for major updates. Each of the three apps costs just $69.99, and a Universal License gets you all three apps for Mac, Windows, and iPadOS for just $164.99. Affinity currently has a sale that drops the per-app prices to $48.99 and the Universal License to $114.99.

The initial acquisition announcement wasn’t crystal clear about Canva’s plans regarding Serif’s perpetual license model. Canva relies on a subscription model that tries to entice users to move from a generous free account and pay $120 per user annually. Within a day, however, Canva and Serif issued four pledges to the Affinity community that promise to:

• Offer affordably priced perpetual licenses forever
• Expand and enhance the Affinity products
• Provide Affinity for free to schools and nonprofits
• Listen to and be led by the design community

In particular, Canva and Serif say that any future subscription model will be offered alongside the perpetual license, perhaps as a way of introducing the Affinity apps to Canva users or to take advantage of Canva as a collaborative platform.

Of course, there are no guarantees in an acquisition, but the FAQ that accompanied the acquisition announcement made all the right noises—the companies have similar cultures, there will be no layoffs, and so on. With luck, Canva will make good on all these promises and provide designers of all levels with an even more compelling alternative to Adobe’s Creative Cloud. Perhaps that, in turn, will spur Adobe to develop innovative new features and offer solutions to those for whom Creative Cloud is overkill.

We regularly recommend using a password manager like 1Password, and for good reason. Passkeys may eventually take over—and I hope to explore them soon—but until that time, we’re stuck with passwords, and managing them manually is less secure and vastly more work. For many years, solutions like 1Password, BitWarden, Dashlane, and LastPass (which I no longer recommend—see “LastPass Publishes More Details about Its Data Breaches,” 3 March 2023) fell into the must-have category.

Apple’s Keychain Access utility has long provided basic password management capabilities in macOS but has never been particularly convenient to use. With macOS 12 Monterey, iOS 15, and iPadOS 15, Apple gave passwords a better user-facing interface in System Preferences and Safari on the Mac and the Settings app on the iPhone and iPad. Although the settings screens are labeled Passwords and the iCloud-based password syncing feature is called iCloud Keychain, Apple doesn’t seem to have a formal name for the totality of these password management features, making it hard to talk about them in the same sentence as something like 1Password. For this article, I will use the name iCloud Passwords for reasons that will soon become obvious.

Although iCloud Passwords didn’t—and still doesn’t—have full feature parity with third-party password managers, it was pretty good. It offered all the basics, such as auto-fill, editing, searching, and even syncing through iCloud Keychain. Over time, Apple added support for one-time passwords, password sharing, and more. Importantly, it’s also completely free.

Despite these improvements, iCloud Passwords suffered in one significant way: it worked only in Safari. On the iPhone and iPad, that wasn’t a problem because other Web browsers relied on the same WebKit engine as Safari. (Apple also allowed Safari to treat third-party password managers as first-class alternatives.) But Mac users who wanted to use Chromium-based browsers like Arc, Brave, Google Chrome, Microsoft Edge, Opera, and Vivaldi, or Mozilla’s Firefox couldn’t take advantage of iCloud Passwords.

In 2021, Apple released the iCloud Passwords extension for Google Chrome, but only for Windows. In July 2023, Apple updated it to version 2.0, adding support for Mac versions of Google Chrome running in macOS 14 Sonoma. Although I’m happy with 1Password, I’ve been using iCloud Passwords for the past month in Arc to see if I could recommend iCloud Passwords for those who don’t rely on Safari. While I miss features from 1Password, the answer is yes: iCloud Passwords works fine. At least that’s true for me—I see reviews on the Chrome Web Store page that claim it doesn’t work or broke after some update, but I’ve been using it long enough that I’m comfortable saying it’s functional.

Although Apple released iCloud Passwords only for Chromium browsers—and it seems to work equally well in all the variants I’ve tried—the company has done nothing for Firefox users. However, an independent developer named Aurélien recently published a Firefox add-on also called iCloud Passwords, so that’s an option for those running Sonoma or recent versions of Windows—it doesn’t work for earlier versions of macOS. It’s not yet well-known, with only 716 users last I checked (versus 2 million for the iCloud Passwords Chrome extension), but I’ve installed it and verified that it works. Although I’m a little hesitant to recommend an independent add-on that interacts with a system-wide password store, it’s open source, and anyone can view its code on GitHub.

Passwords Settings

Before we get to the specifics of using iCloud Passwords in a Chromium browser, I want to review the basics of password management in macOS. You access your passwords in System Settings > Passwords or Safari > Settings > Passwords—they show the same set of passwords—and you must authenticate every time you go there. Touch ID or Apple Watch authentication makes that a lot easier.

Let’s look at all the options from the top:

• Search field: Use this to find logins in the list below by searching for the site name or username. Unlike 1Password, you can’t search for strings contained in your passwords.
• + menu: Choose New Password or New Shared Group as desired. Most of the time, you’ll create new logins while setting up an account on a website—iCloud Passwords offers to remember the login information for you. More on shared groups shortly.
• ••• menu: Apple puts the Import and Export commands in this unhelpfully labeled menu. The import/export format is CSV, and Apple warns that exported passwords will be stored unencrypted. (As an aside, I think using + and ••• to label menus is borderline criminal interface design, but it’s just one of many decisions in System Settings that will make its designers first up against the wall when the revolution comes.)
• Security Recommendations: If the switch here is enabled, Apple will check your passwords against those from known breaches and warn you if they may have been compromised. The company doesn’t say explicitly, but I imagine it uses Have I Been Pwned, much like 1Password does for its Watchtower feature. Apple also points out logins that have weak passwords.
  
• Password Options: I see no reason to turn off autofill or the option to clean up verification codes automatically, but I’m intrigued by the “Use passwords and passkeys from” section. iCloud Keychain is the only option here, but this setting parallels the iOS Settings > Passwords > Password Options screen that lets you use third-party password managers. Perhaps Apple will open up macOS to others in the future.
  
• Share Passwords with Family: This option triggers an assistant that walks you through creating a Family Passwords shared group, adding family members, and moving passwords from your personal set to the shared set. It’s simple and well done. You can also share passwords with any other group; choose New Shared Group from the + menu at the top.
  
• Edit login: Finally, you can edit any login by clicking its ⓘ button. Happily, double-clicking anywhere on the login item also works, which isn’t true for controls like System Settings > General > Software Update > Automatic Updates. Most of the items here are self-explanatory, though all the Change Password on Website button does is take you to the top level of the site. Note the Verification Code section, which can create and autofill two-factor authentication codes (see “Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15,” 7 October 2021). Unfortunately, the Website section, which shows the domain of the site on which iCloud Passwords will autofill your credentials, is not editable. That’s too bad—I’ve had to edit remembered URLs in 1Password occasionally because the URL used for account creation didn’t sufficiently match the login URL.
  

Nothing in Passwords Settings will set the world on fire, but Apple has provided a solid set of basic features.

iCloud Passwords in a Browser

To autofill your passwords in a Chromium browser like Arc, Brave, or Google Chrome, you need to install Apple’s iCloud Passwords extension from the Chrome Web Store. That’s as simple as clicking the Add to Chrome button and acknowledging that you want to install when prompted.

How you interact with extensions varies a bit by browser, though most let you add them to a toolbar. In Chromium browsers other than Arc (which has a bug in this area), clicking a login form displays a notification that you can click to enable Password AutoFill. Arc has no such toolbar, but choosing Extensions > iCloud Passwords has the same effect as clicking the toolbar button or the notification.

However you invoke it, iCloud Passwords presents you with two dialogs: a system-level dialog with a verification code and a browser-level dialog into which you enter it. If you make a mistake typing, you’re instantly presented with another code.

Although this verification approach is straightforward, it’s required for every launch of the Web browser, so you may end up typing a lot of verification codes. It’s much easier to use biometric authentication via Touch ID or an Apple Watch in 1Password; I presume other password managers also support biometric authentication.

Once you’ve enabled Password AutoFill, it’s trivially easy to use. Just click in a login form, and iCloud Passwords detects that action and presents you with passwords that match the domain of the site you’re on. Click one to enter its information in the login form fields. Typically, only a single password will appear, but if you have multiple logins at different sites within the same domain, as I do in the screenshot below, you get to pick one.

(As an aside, this domain detection is one of the key reasons to use a password manager—they can’t be fooled into helping you enter a password onto a malicious site pretending to be something else. A human might not notice, but app1e.com isn’t apple.com in the eyes of a password manager.)

If a login form has both a username and password field, iCloud Passwords will autofill both. If the login process first requires you to enter your username, followed by the password after a form or page refresh, you’ll likely have to click again to autofill the password separately. 1Password is better at injecting the password into the second field that appears without requiring manual intervention.

One last thing. If you need to create a new account, iCloud Passwords almost always notices and offers to save your credentials. What it doesn’t do, unfortunately, is create a secure password for you. Instead, it suggests creating a strong password in System Settings > Passwords or opening the page in Safari (below left, ignore the broken graphic icon). Indeed, Safari automatically generates strong passwords and saves them to your password collection when you click Use Strong Password (below right). So, the better part of valor is to switch to Safari when creating new accounts and then switch back to log in with the new credentials. If you instead use System Settings > Passwords, you’ll have to click the + menu, choose New Password, click the Create Strong Password button, copy the password, switch back to your browser, and paste the password.

Limitations Compared to Other Password Managers

I’ve mentioned a few ways that iCloud Passwords fails to match up to the likes of 1Password, but let’s collect all of them here so you get a sense of the differences. The iCloud Passwords extension:

• Generates many more verification requests—one per launch of the browser.
• Doesn’t support biometric authentication, so those verification requests can be answered only by typing in a six-digit code. (Although the code may be easier than typing in a master password.)
• Isn’t quite as capable of autofilling login fields separated by a form or page refresh.
• Sometimes fails to offer to save a manual login.
• Supports only logins, unlike other password managers, which can store many other types of private information, such as identity cards, medical record cards, bank accounts, API credentials, secure notes, and even documents.
• Can’t autofill credit card or address information.

You can work around this last limitation using browser features. Chromium browsers can all autofill payment methods and addresses, but by default, iCloud Passwords blocks those features from working, even though it won’t help you in that department. If you circumvent the iCloud Passwords block on browser autofill, you can get the best of both worlds. Follow these steps:

1. In your Chromium browser, navigate to the Extensions page, usually by choosing Window > Extensions. In Arc, it’s Extensions > Manage Extensions.
2. Click the Details button next to iCloud Passwords.
   
3. On the iCloud Password Details screen, click the button next to Extension Options, and in the dialog that opens, deselect Turn Off Chrome AutoFill. That double-negative allows Chrome’s AutoFill to operate independently again.
   
4. Navigate to the browser’s Autofill settings, which are usually accessible from the main Settings page under “Autofill and Passwords,” although Microsoft Edge puts it under Profiles. The URL browsername://settings/autofill will always take you there in Chromium browsers.
   
5. Start with Payment Methods. Make sure “Save and fill payment methods” is turned on. Use the Add button to add your credit card information. It won’t let you save credit card CVV codes for security reasons, so you must remember and enter them manually. When you’re done, click the Back arrow in the upper left to return to the Autofill and Passwords screen.
   
6. Next, in Addresses and More, ensure that “Save and fill addresses” is turned on, and enter any addresses you want to autofill. Click Back to return to the Autofill and Passwords screen.
   
7. Finally, click Password Manager, and then click Settings in the sidebar. Deselect “Offer to save passwords” to prevent your browser from asking you to save passwords every time you log in to a site using iCloud Passwords.
   

Once you’ve done all that, you should be in a situation where iCloud Passwords autofills your login credentials, and your browser autofills credit card information and addresses. The browser-level interface looks a little different but works well—you simply click in a credit card or address field and then click the desired set of information from the pop-up.

Now that I’ve written this article, I fully admit that I’m going to disable iCloud Passwords and revert to 1Password because it’s easier to use and autofills more information. Plus, my nearly 1000 logins are stored in 1Password—I’ve been using 1Password’s Quick Access pop-up to find and enter credentials in Arc logins so iCloud Passwords could remember them. In the past month, I’ve migrated 73 logins to iCloud Passwords, and although those take care of most of my day-to-day logins, I never get through a week without having to bring more over from 1Password.

But it’s clear that with the addition of the iCloud Passwords extension for Chromium browsers and some judicious browser configuration for payment methods and addresses, it’s entirely possible to rely on Apple’s free password management tools.