Guidelines & Tips from IT: Make Your iDevice Even More Secure

In the summer of 2020, a Brazilian man had his iPhone stolen right out of his hand. Despite his best efforts to lock it up, he still lost over $30K because, once the thieves easily bypassed his 6-digit passcode, they had automatic access to all of his banking, user accounts, and app store purchasing. That is a consequence of the way iCloud Keychain, the default password manager used by every single iPhone and Mac since 2013, is designed. So, let’s explore how iCloud Keychain works and how you can keep your digital life safe.
 
According to a recent study, the average internet user has over 100 user accounts and passwords to manage. That’s insane. So, what most of us do is use the same, or nearly the same, password for everything. This is not good because it leaves you vulnerable to getting stuffed.
 
Credential stuffing is when a hacker buys a database of logins from a compromised site (like, say, when Yahoo got hacked in 2016 with a 3 billion user breach) and then tries those logins on hundreds of other sites, like your bank or iTunes.
 
The best solution to avoid this is to have a different, unique password for each one of your accounts. But how on earth are we to remember over 100 passwords, each with its own numbers and special characters? Enter iCloud Keychain. It’s Apple’s solution to this very pernicious problem. If you use any of Apple’s devices, you’re probably already using it. You have probably seen the pop-up on your phone or iPad or Safari browser asking if you want to save your password. If you tap Yes, it’s saved to your Keychain. Better still, if you’re creating a new account, the feature can help you create really secure passwords, and you can save credit card and address info for online shopping.

And all of these credentials are synced between your devices through iCloud, which you may have switched on during your iPhone setup. Simply put, iCloud Keychain is Apple’s implementation of what’s known more broadly as a password manager. There are many options in the world of password managers, e.g., 1Password, LastPass, Zoho Vault, etc. These services are quite a bit more fully featured than iCloud Keychain, but they also cost money, ranging from $1.50 to $4 a month for individual plans.

They work on all the platforms and with all the browsers, and individual credentials can even be shared with others. All that info is encrypted behind a master passphrase, which is the password you make incredibly long, strong, and ideally nonsensical, like FlightComedyJawCar or ClockCoalBasketballVision. What’s convenient is that you can always have the right password when you need it, no matter where you are and it’s all behind that master password.

But critically, that’s not how iCloud Keychain works. Your Keychain master password is the same as your device’s password. So, the weak password you’ve been using for years on your MacBook or the convenient passcode you use to quickly get onto your iPhone could be all that stands between would-be thieves and your treasure trove of passwords. This is why the victim of our earlier story was so brutally compromised. The thieves cracked his iPhone passcode and thus had access to his entire library of passwords, including the one for his Apple ID.

So, if you’re using your iPhone or iPad with a 6-digit numeric passcode, you should probably consider an alphanumeric password like the one you use on your computer, which, for FaceID users in the middle of a messed up COVID pandemic, is a massive inconvenience. iCloud Keychain is also not as flexible as the big password managers. On your Mac, it only autocompletes in Safari and, though we are pleased to report it’s now available on Windows PCs, it only works in Chrome and there are hoops. First, you need to install Apple’s iCloud software before you can even get the Chrome extension. And then every time you freshly open Chrome, you have to input a 2-factor code that you get from the same device. And before you get too excited, it doesn’t work on Chrome for Mac.

So, should you keep using iCloud Keychain? A lot of times we hear people say that having all your passwords stored in the cloud is a big risk. And we understand. Your passwords are somewhere you don’t control and you just have to trust that they’re not going to be compromised like they have been everywhere else. But that’s the reason why you should get a password manager. You can have a hundred different passwords for all of your accounts, and password managers like iCloud Keychain will store and transfer those passwords behind encryption, which is only unlocked with your master password.
 
It has been a tough choice whether or not to use iCloud Keychain since it came out in 2013. But there are two factors that have us rethinking things. First, Apple opening up to Windows users, as we mentioned earlier, does make it significantly more viable, should your digital life fit within those limitations. Second, starting March 16th, the LastPass free tier, which has been arguably the best option for a while now, will be restricted to either all-PC access or all-mobile access, but not between the two.
 
As a free option, iCloud Keychain is now the best of the bunch. But if you care about maximum security, flexibility, and features, paying for a password manager might be the better option.
 
Whatever the case, we think it’s important to practice good password hygiene by ensuring you don’t reuse passwords. And if you do choose to use a password manager, make sure that its passphrase is long, strong, and memorable.
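
To check your own accounts for the reuse that credential stuffing depends on, here is a short audit script, added as an example and not part of the original article. It assumes a password export in CSV form with columns named url, username, and password (an assumed layout), and the sample data is constructed; it reports which sites share an identical or nearly identical password without printing the passwords themselves.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; the column names (url, username, password) are assumed.
SAMPLE_EXPORT = """url,username,password
https://bank.example,ana@example.com,Sunshine2020!
https://mail.example,ana@example.com,sunshine2021
https://shop.example,ana,Sunshine2020!
https://forum.example,ana,ClockCoalBasketballVision
https://video.example,ana@example.com,T7#qLp9vWz2e
"""


def normalize(password):
    """Reduce a password to its base: lowercase, trailing digits/symbols stripped."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    # An all-digit or all-symbol password would strip to nothing; keep it whole.
    return base or password.lower()


def audit_reuse(csv_text):
    """Return (exact, near): site groups sharing an identical password or a base."""
    by_password = defaultdict(set)
    by_base = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_password[row["password"]].add(row["url"])
        by_base[normalize(row["password"])].add(row["url"])
    exact = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    near = [sorted(sites) for sites in by_base.values() if len(sites) > 1]
    return exact, near


if __name__ == "__main__":
    exact, near = audit_reuse(SAMPLE_EXPORT)
    # Only site names are printed, never the passwords.
    for sites in exact:
        print("identical password on:", ", ".join(sites))
    for sites in near:
        print("same base password on:", ", ".join(sites))
```

Any site that shows up in either list should get its own unique password, and the export file should be deleted once the audit is done, since it holds every password in plain text.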
