Skip to content
Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals
Show excerpts

#1701: Using iCloud Passwords outside Safari, Canva acquires Affinity, WWDC 2024 scheduled, no TidBITS issue next week, do you use macOS’s versioning?

We’re taking the next issue of TidBITS off to view the total solar eclipse, so TidBITS will appear in your email inbox again on 15 April 2024. Apple has set dates for WWDC, so we can look forward to seeing what’s coming in the next OS versions—perhaps an AI-driven version of Siri that works better? In the news, we look at Canva’s acquisition of Serif, maker of the popular Affinity apps that provide an inexpensive alternative to Adobe Creative Cloud. This week’s feature article delves into Apple’s built-in password management features and how to use them in Web browsers other than Safari. Finally, we warn about a new type of denial-of-service attack aimed at Apple users and ask how frequently you use macOS’s versioning feature. Did you even know that macOS has a versioning feature? Notable Mac app releases this week include Airfoil 5.12, ChronoSync 11.0.2, Hazel 5.3.3, and Safari 17.4.1.

Adam Engst 39 comments

No TidBITS Issue on 8 April 2024 for the Solar Eclipse

Tonya and I have never had the opportunity to view a total solar eclipse before, so on 8 April 2024, instead of publishing an email issue of TidBITS, we will be driving an hour or two north to be in the path of the totality. The other reason to take that issue off is that I’m directing the Skunk Cabbage Classic 10K and Half Marathon the day before the eclipse, and I need to focus on the final details for an 800-runner race this week.

Once life returns to its usual routines, I’ll get back to publishing articles on our website in advance of our next email issue on 15 April 2024. TidBITS Talk discussions will undoubtedly continue throughout all this. To keep up, visit our site or subscribe to our RSS feed—remember that TidBITS members get a full-text feed.

Adam Engst No comments

WWDC 2024 Scheduled for June 10–14

Apple has announced that its 2024 Worldwide Developer Conference will take place June 10 through June 14. It will again be free and entirely online, although Apple is also hosting a special event at Apple Park on the first day for some lucky developers who request to attend. Unlike last year, Apple doesn’t say how attendees will be selected. Also on the schedule is the traditional Swift Student Challenge for budding developers.

WWDC 2024

It’s a safe bet that the WWDC keynote will feature macOS 15, iOS 18, iPadOS 18, watchOS 11, and tvOS 18, but it’s anyone’s guess if visionOS will jump from version 1 to 2. Apple has hinted that AI will be a significant focus, and an AI-powered version of Siri would be most welcome, if only for added accuracy when interpreting slightly mis-spoken commands.

Adam Engst 26 comments

Canva Acquires the Affinity Suite of Professional Design Apps

Last week, Canva, which specializes in online design for the masses, and Serif, makers of the Affinity suite of professional-level design apps, announced that Canva has acquired Serif for approximately $380 million. We’ve mentioned Canva only once before, but it’s a privately held Australian firm with 3500 employees and $2 billion in revenue. In 2019, Canva also acquired stock photography sites Pixabay and Pexels. Canva had about 100 million active monthly users as of December 2022, while Serif says over 3 million designers use its tools.

The match is a good one. The Affinity suite provides significantly more layout power than Canva’s browser-based tools, but Canva offers cloud and collaboration capabilities that are missing from the Affinity apps. I have long maintained that collaboration tools will win out over other features in the mass market because most modern projects involve multiple people. That’s why I do all my writing in Google Docs instead of the more powerful Nisus Writer Pro or BBEdit.

Similarly, although I wrote glowingly about the Affinity suite in “Consider Switching from Creative Cloud to Affinity V2” (5 December 2022), nearly all my design work has moved to Canva. That’s because the Finger Lakes Runner Club’s communications team standardized on Canva in 2023 because of its collaborative capabilities (the free subscription for nonprofits helped, too). Up to that point, I had been producing flyers, calendars, and forms myself, with comments from others, but once a group took over those tasks, collaboration became king. Now, everything the club generates is in Canva, where anyone on the team can view, comment, and edit designs. We’ve settled on a working style where we trust others to make small changes on their own, but if someone has more radical suggestions, they show what they have in mind on a duplicate page. We’ve even occasionally used Canva’s built-in ordering options when they’re easier than printing locally.

Despite the fluidity of collaboration in Canva, I’ll admit to some annoyance with its design tools. For instance, it doesn’t support tab leaders, those evenly spaced dots that help you connect a right-aligned page number with its left-aligned Table of Contents entry—or, in our case, a right-aligned race date with a left-aligned race name in a calendar list. I also desperately miss arrows like those in Preview, which you can easily curve by dragging a mid-line control.

Nonetheless, Canva is a far more appropriate tool for the level of design the club needs and a better match for my design skills. With luck, Canva’s developers will extract a few of the more subtle features from the Affinity apps.

On the other side of the equation, the Affinity suite didn’t compete well with Adobe’s Creative Cloud in online collaboration. With Canva’s platform, collaborative capabilities are far more likely. Serif wrote:

Many of you would like to see a way to easily sync your Affinity documents and assets to all your devices, and also to be able to share and collaborate on your Affinity files. For us to build the infrastructure required for this was always going to be challenging, but it’s now certainly achievable via Canva’s platform.

Apart from a competitive feature set, what made the Affinity suite so attractive to some Creative Cloud users was the price. Where Adobe went all-in on the monthly subscription model—I was paying $54 per month when I switched to Affinity—Serif maintained traditional licensing with sales and discounts for major updates. Each of the three apps costs just $69.99, and a Universal License gets you all three apps for Mac, Windows, and iPadOS for just $164.99. Affinity currently has a sale that drops the per-app prices to $48.99 and the Universal License to $114.99.

The initial acquisition announcement wasn’t crystal clear about Canva’s plans regarding Serif’s perpetual license model. Canva relies on a subscription model that tries to entice users to move from a generous free account and pay $120 per user annually. Within a day, however, Canva and Serif issued four pledges to the Affinity community that promise to:

  • Offer affordably priced perpetual licenses forever
  • Expand and enhance the Affinity products
  • Provide Affinity for free to schools and nonprofits
  • Listen to and be led by the design community

In particular, Canva and Serif say that any future subscription model will be offered alongside the perpetual license, perhaps as a way of introducing the Affinity apps to Canva users or to take advantage of Canva as a collaborative platform.

Of course, there are no guarantees in an acquisition, but the FAQ that accompanied the acquisition announcement made all the right noises—the companies have similar cultures, there will be no layoffs, and so on. With luck, Canva will make good on all these promises and provide designers of all levels with an even more compelling alternative to Adobe’s Creative Cloud. Perhaps that, in turn, will spur Adobe to develop innovative new features and offer solutions to those for whom Creative Cloud is overkill.

Adam Engst 23 comments

Using Apple’s iCloud Passwords Outside Safari

We regularly recommend using a password manager like 1Password, and for good reason. Passkeys may eventually take over—and I hope to explore them soon—but until that time, we’re stuck with passwords, and managing them manually is less secure and vastly more work. For many years, solutions like 1Password, BitWarden, Dashlane, and LastPass (which I no longer recommend—see “LastPass Publishes More Details about Its Data Breaches,” 3 March 2023) fell into the must-have category.

Apple’s Keychain Access utility has long provided basic password management capabilities in macOS but has never been particularly usable. With macOS 12 Monterey, iOS 15, and iPadOS 15, Apple gave passwords a better user-facing interface in System Preferences and Safari on the Mac and the Settings app on the iPhone and iPad. Although the settings screens are labeled Passwords and the iCloud-based password syncing feature is called iCloud Keychain, Apple doesn’t seem to have a formal name for the totality of these password management features, making it hard to talk about them in the same sentence as something like 1Password. For this article, I will use the name iCloud Passwords for reasons that will soon become obvious.

Although iCloud Passwords didn’t—and still doesn’t—have full feature parity with third-party password managers, it was pretty good. It offered all the basics, such as auto-fill, editing, searching, and even syncing through iCloud Keychain. Over time, Apple added support for one-time passwords, password sharing, and more. Importantly, it’s also completely free.

Despite these improvements, iCloud Passwords suffered in one significant way: it worked only in Safari. On the iPhone and iPad, that wasn’t a problem because other Web browsers relied on the same WebKit engine as Safari. (Apple also allowed Safari to treat third-party password managers as first-class alternatives.) But Mac users who wanted to use Chromium-based browsers like Arc, Brave, Google Chrome, Microsoft Edge, Opera, and Vivaldi, or Mozilla’s Firefox couldn’t take advantage of iCloud Passwords.

In 2021, Apple released the iCloud Passwords extension for Google Chrome, but only for Windows. In July 2023, Apple updated it to version 2.0, adding support for Mac versions of Google Chrome running in macOS 14 Sonoma. Although I’m happy with 1Password, I’ve been using iCloud Passwords for the past month in Arc to see if I could recommend iCloud Passwords for those who don’t rely on Safari. While I miss features from 1Password, the answer is yes: iCloud Passwords works fine. At least that’s true for me—I see reviews on the Chrome Web Store page that claim it doesn’t work or broke after some update, but I’ve been using it long enough that I’m comfortable saying it’s functional.

Although Apple released iCloud Passwords only for Chromium browsers—and it seems to work equally as well in all the variants I’ve tried—the company has done nothing for Firefox users. However, an independent developer named Aurélien recently published a Firefox add-on also called iCloud Passwords, so that’s an option for those running Sonoma or recent versions of Windows—it doesn’t work for earlier versions of macOS. It’s not yet well-known, with only 716 users last I checked (versus 2 million for the iCloud Passwords Chrome extension), but I’ve installed it and verified that it works. Although I’m a little hesitant to recommend an independent add-on that interacts with a system-wide password store, it’s open source, and anyone can view its code on GitHub.

Passwords Settings

Before we get to the specifics of using iCloud Passwords in a Chromium browser, I want to review the basics of password management in macOS. You access your passwords in System Settings > Passwords or Safari > Settings > Passwords—they’re the same—and you must authenticate every time you go there. Touch ID or Apple Watch authentication makes that a lot easier.

iCloud Passwords in System Settings

Let’s look at all the options from the top:

  • Search field: Use this to find logins in the list below by searching for the site name or username. Unlike 1Password, you can’t search for strings contained in your passwords.
  • + menu: Choose New Password or New Shared Group as desired. Most of the time, you’ll create new logins while setting up an account on a website—iCloud Passwords offers to remember the login information for you. More on shared groups shortly.
  • ••• menu: Apple puts the Import and Export commands in this unhelpfully labeled menu. The import/export format is CSV, and Apple warns that exported passwords will be stored unencrypted. (As an aside, I think using + and ••• to label menus is borderline criminal interface design, but it’s just one of many decisions in System Settings that will make its designers first up against the wall when the revolution comes.)
  • Security Recommendations: If the switch here is enabled, Apple will check your passwords against those from known breaches and warn you if they may have been compromised. The company doesn’t say explicitly, but I imagine it uses Have I Been Pwned, much like 1Password does for its Watchtower feature. Apple also points out logins that have weak passwords.
    iCloud Passwords Security Recommendations
  • Password Options: I see no reason to turn off autofill or the option to clean up verification codes automatically, but I’m intrigued by the “Use passwords and passkeys from” section. iCloud Keychain is the only option here, but this setting parallels the iOS Settings > Passwords > Password Options screen that lets you use third-party password managers. Perhaps Apple will open up macOS to others in the future.
    iCloud Passwords options
  • Share Passwords with Family: This option triggers an assistant that walks you through creating a Family Passwords shared group, adding family members, and moving passwords from your personal set to the shared set. It’s simple and well done. You can also share passwords among any other group; choose New Shared Group from the + menu at the top.
    iCloud Passwords Shared Passwords
  • Edit login: Finally, you can edit any login by clicking its ⓘ button. Happily, double-clicking anywhere on the login item also works, unlike other controls like System Settings > General > Software Update > Automatic Updates. Most of the items here are self-explanatory, though all the Change Password on Website button does is take you to the top level of the site. Note the Verification Code section, which can create and autofill two-factor authentication codes (see “Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15,” 7 October 2021). Unfortunately, the Website section, which shows the domain of the site on which iCloud Passwords will autofill your credentials, is not editable. That’s too bad—I’ve had to edit remembered URLs in 1Password occasionally because the URL used for account creation doesn’t always closely match the login URL.
    iCloud Passwords edit login

Nothing in Passwords Settings will set the world on fire, but Apple has provided a solid set of basic features.

iCloud Passwords in a Browser

To autofill your passwords in a Chromium browser like Arc, Brave, or Google Chrome, you need to install Apple’s iCloud Passwords extension from the Chrome Web Store. That’s as simple as clicking the Add to Chrome button and acknowledging that you want to install when prompted.

iCloud Passwords Chrome extension

How you interact with extensions varies a bit by browser, though most let you add them to a toolbar. In Chromium browsers other than Arc (which has a bug in this area), clicking a login form displays a notification that you can click to enable Password AutoFill. Arc has no such toolbar, but choosing Extensions > iCloud Passwords has the same effect as clicking the toolbar button or the notification.

iCloud Passwords enable autofill

However you invoke it, iCloud Passwords presents you with two dialogs: a system-level dialog with a verification code and a browser-level dialog into which you enter it. If you make a mistake typing, you’re instantly presented with another code.

iCloud Passwords verification code

Although this verification approach is straightforward, it’s required for every launch of the Web browser, so you may end up typing a lot of verification codes. It’s much easier to use biometric authentication via Touch ID or an Apple Watch in 1Password; I presume other password managers also support biometric authentication.

Once you’ve enabled Password AutoFill, it’s trivially easy to use. Just click in a login form, and iCloud Passwords detects that action and presents you with passwords that match the domain of the site you’re on. Click one to enter its information in the login form fields. Typically, only a single password will appear, but if you have multiple logins at different sites within the same domain, as I do in the screenshot below, you get to pick one.

iCloud Password autofill

(As an aside, this domain detection is one of the key reasons to use a password manager—they can’t be fooled into helping you enter a password onto a malicious site pretending to be something else. A human might not notice, but app1e.com isn’t apple.com in the eyes of a password manager.)

If a login form has both a username and password field, iCloud Passwords will autofill both. If the login process first requires you to enter your username, followed by the password after a form or page refresh, you’ll likely have to click again to autofill the password separately. 1Password is better at injecting the password into the second field that appears without requiring manual intervention.

One last thing. If you need to create a new account, iCloud Passwords almost always notices and offers to save your credentials. What it doesn’t do, unfortunately, is create a secure password for you. Instead, it suggests creating a strong password in System Settings > Passwords or opening the page in Safari (below left, ignore the broken graphic icon). Indeed, Safari automatically generates strong passwords and saves them to your password collection when you click Use Strong Password (below right). So, the better part of valor is to switch to Safari when creating new accounts and then switch back to log in with the new credentials. If you instead use System Settings > Passwords, you’ll have to click the + menu, choose New Password, click the Create Strong Password button, copy the password, switch back to your browser, and paste the password.

iCloud Passwords generate strong passwords elsewhere

Limitations Compared to Other Password Managers

I’ve mentioned a few ways that iCloud Passwords fails to match up to the likes of 1Password, but let’s collect all of them here so you get a sense of the difference. iCloud Passwords:

  • Generates many more verification requests.
  • Doesn’t support biometric authentication, so those verification requests can be answered only by typing in a six-digit code. (Although the code may be easier than typing in a master password.)
  • Isn’t quite as capable of autofilling login fields separated by a form or page refresh.
  • Sometimes fails to offer to save a manual login.
  • Supports only logins, unlike other password managers, which can store many other types of private information, such as identity cards, medical record cards, bank accounts, API credentials, secure notes, and even documents.
  • Can’t autofill credit card or address information.

You can work around this last limitation using browser features. Chromium browsers can all autofill payment methods and addresses, but by default, iCloud Passwords blocks those features from working, even though it won’t help you in that department. If you circumvent the iCloud Passwords block on browser autofill, you can get the best of both worlds. Follow these steps:

  1. In your Chromium browser, navigate to the Extensions page, usually by choosing Window > Extensions. In Arc, it’s Extensions > Manage Extensions.
  2. Click the Details button next to iCloud Passwords.
    iCloud Passwords Chrome extension Details
  3. On the iCloud Password Details screen, click the button next to Extension Options, and in the dialog that opens, deselect Turn Off Chrome AutoFill. That double-negative allows Chrome’s AutoFill to operate independently again.
    iCloud Passwords extension enabling Chrome autofill
  4. Navigate to the browser’s Autofill settings, which is usually accessible from the main Settings page under “Autofill and Passwords,” although Microsoft Edge puts it under Profiles. The URL browsername://settings/autofill will always take you there.
    Chromium browser autofill choices
  5. Start with Payment Methods. Make sure “Save and fill payment methods” is turned on. Use the Add button to add your credit card information. It won’t let you save credit card CVV codes for security reasons, so you must remember and enter them manually. When you’re done, click the Back arrow in the upper left to return to the Autofill and Passwords screen.
    Chromium browser payment methods autofill
  6. Next, in Addresses and More, ensure that “Save and fill addresses” is turned on, and enter any addresses you want to autofill. Click Back to return to the Autofill and Passwords screen.
    Chromium browser address autofill
  7. Finally, click Password Manager, and then click Settings in the sidebar. Deselect “Offer to save passwords” to prevent your browser from asking you to save passwords every time you log in to a site using iCloud Passwords.
    Chromium browsers turn off password tracking

Once you’ve done all that, you should be in a situation where iCloud Passwords autofills your login credentials, and your browser autofills credit card information and addresses. The browser-level interface looks a little different but works well—you simply click in a credit card or address field and then click the desired set of information from the pop-up.

Chromium browsers autofilling payment and address info

Now that I’ve written this article, I fully admit that I’m going to disable iCloud Passwords and revert to 1Password because it’s easier to use and autofills more information. Plus, my nearly 1000 logins are stored in 1Password—I’ve been using 1Password’s Quick Access pop-up to find and enter credentials in Arc logins so iCloud Passwords could remember them. In the past month, I’ve migrated 73 logins to iCloud Passwords, and although those take care of most of my day-to-day logins, I never get through a week without having to bring more over from 1Password.

But it’s clear that with the addition of the iCloud Passwords extension for Chromium browsers and some judicious browser configuration for payment methods and addresses, it’s entirely possible to rely on Apple’s free password management tools.

Watchlist

Airfoil 5.12 Agen Schmitz No comments

Airfoil 5.12

Rogue Amoeba has released its wireless audio broadcasting app Airfoil 5.12 with a new Audio Routing Kit (ARK) audio capture backend and a warning for those who use the System Audio source (which has been renamed System-Wide Audio). Due to an issue with macOS 14.4 Sonoma, use of this source may lead to audio dropouts, and users may want to delay updating Airfoil until fixes come in a forthcoming update to macOS. You can also work around this bug by selecting a specific application as your source.

The ARK audio capture backend can be set up quickly on a new Mac with no restarts or passwords required, and the Permissions window has been updated with a new System Audio Access option that enables you to record audio from applications you specify. Airfoil now allows standard macOS user accounts (not just administrators) to stream audio, banishes the erroneous orange microphone-in-use indicator, updates the Sources menu to alphabetize using the on-disk name, and now requires macOS 14.4 Sonoma or higher. ($35 new, free update, 39.7 MB, release notes, macOS 14.4+)

ChronoSync 11.0.2 Agen Schmitz No comments

ChronoSync 11.0.2

Econ Technologies has published ChronoSync 11.0.2, adding workarounds to address changes in macOS 14.4 Sonoma that broke File Provider support. The synchronization and backup tool also adds logic to the Readiness test to better determine whether the target should use iCloud or File Provider, correctly draws the navigation buttons for task group hierarchies in the Organizer window, and fixes a bug that didn’t allow drag-and-drop on the icons in the Organizer window. ($49.99 new for ChronoSync with a 20% discount for TidBITS members, free update, 100.1 MB, release notes, macOS 10.14+)

Hazel 5.3.3 Agen Schmitz No comments

Hazel 5.3.3

Noodlesoft has issued Hazel 5.3.3, a maintenance release for the file automation and cleanup utility. The release fixes a bug that prevented buttons from appearing in the in-app store for macOS 14 Sonoma users, addresses wonkiness with the options button sometimes enabling actions when it shouldn’t, resolves issues for moving items in cloud folders to the trash, and works around a Spotlight bug that prevented finding files it should have. While Hazel 5.3 was reworked to use newer Apple APIs to import into Photos, that functionality has been partially reverted due to the APIs not working as expected. ($42 new or $65 for a five-member family pack, free update, 22.3 MB, release notes, macOS 10.14+)

ExtraBITS

Adam Engst 56 comments

Do You Use It? Versions

In macOS 14.4.1 Sonoma, Apple fixed a bug introduced in 14.4 that caused iCloud Drive files evicted from the local drive to lose their version data (see “macOS 14.4.1 Sonoma and macOS 13.6.6 Ventura Fix Bugs and Vulnerabilities,” 25 March 2024). The bug was problematic in that it caused data loss, but I had trouble believing that many people were affected, given that you had to:

  • Run macOS 14.4
  • Use apps that support Apple’s versioning system
  • Store those files in iCloud Drive
  • Enable Optimize Mac Storage
  • Have files with versions evicted, either automatically or manually
  • Care that version data was lost

For that last requirement to be true, you would have to know that versioning exists and use it frequently enough to notice the loss of the version data. I turn to it a few times per year to recover from an undesirable edit in Preview because File > Revert To is easier than retaking a screenshot. But am I representative of TidBITS readers?

That triggers the question for this week’s Do You Use It? poll: How often do you use macOS’s versioning feature? Did you even know that macOS had built-in versioning? And if you use it frequently, tell us more in the comments.

Adam Engst 7 comments

Beware of Attacks Using Password Reset Request Notifications

At his KrebsOnSecurity site, security journalist Brian Krebs writes:

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Although all three people covered in the article were sufficiently persistent and savvy to fight off the attacks, it’s easy to imagine someone giving up and approving one of the prompts. Don’t do that, even though it’s unclear how the attackers would retrieve the new password. Also, remember that no company’s tech support representatives will ever call you unless you’ve called them first and requested a callback.

It seems likely that the attackers are exploiting a bug in the online Apple ID password reset process. At a minimum, Apple will have to rate-limit the requests for a password change.