Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,244
4,931
Safari/Keychain has at times not saved password additions, changes.

And in the case of iOS, password managers generally are more feature-rich re: generating passwords (length, yes/no special).

Some password managers have functions to create backups, csv exports.

So, if needing to create a new password on iOS, I'll create an entry in my password manager first and copy the password from there, then Keychain will update when I enter it on the website. On Mac, will probably use Keychain to generate a password and then create an entry in password manager.
 
Last edited:
  • Like
Reactions: circatee

Apple_Robert

Contributor
Sep 21, 2012
35,573
52,307
In a van down by the river
Since I use a password manager, I don't bother using KeyChain for the same kinds of things. It seems rather redundant. I also don't trust Keychain as I have found it to be unreliable for many of the same reasons NoBoMac mentioned.

Strongbox has a much better password generator than Keychain, in my opinion. it gives me much more control over what kind of password I want to use for just one site or all websites.
 
  • Like
Reactions: circatee

VineRider

macrumors 65816
May 24, 2018
1,419
1,251
I use LastPass exclusively. I turn off autofill for keychain and allow LastPass to autofill. LastPass (and other password managers) have much more flexibility than keychain. Allowing multiple fields, cross platform usage etc.
 
  • Like
Reactions: circatee

Apple_Robert

Contributor
Sep 21, 2012
35,573
52,307
In a van down by the river
Interesting. I just learned that 1Password keeps certain passwords in plain text, in memory.
Curious if LastPass does the same thing...

A tad bit worrying: https://www.reddit.com/r/1Password/comments/ntbf2m/_/h0t4a88
I read over several of the posts and it sounds like Reddit users are talking about 1password on Windows. Storing the password as plaintext in RAM means relying on the OS not to give your secrets away to third parties etc.

The following article is from 2019

 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,244
4,931
I read over several of the posts and it sounds like Reddit users are talking about 1password on Windows. Storing the password as plaintext in RAM means relying on the OS not to give your secrets away to third parties etc.

Was thinking same.

Though not good to have the master key in plaintext in RAM, and it becomes exposed, one has more problems going on as they have some spyware/malware on their machine scraping info.

Personally, I would not go with Lastpass as they appear to be using their own cloud solution that has potential to be hacked. That, to me, is a bigger (potential) issue than master key being plaintext in my machine's RAM.
 
  • Like
Reactions: circatee

Apple_Robert

Contributor
Sep 21, 2012
35,573
52,307
In a van down by the river
Was thinking same.

Though not good to have the master key in plaintext in RAM, and it becomes exposed, one has more problems going on as they have some spyware/malware on their machine scraping info.

Personally, I would not go with Lastpass as they appear to be using their own cloud solution that has potential to be hacked. That, to me, is a bigger (potential) issue than master key being plaintext in my machine's RAM.
One could use the Yubi Key option with LastPass. I do agree with you, though, that one shouldn't
rely on LastPass cloud to keeping's account secure.

I haven't been able to find mention of problems in RAM on MacOS thus far.
 

circatee

Contributor
Nov 30, 2014
4,492
3,048
Georgia, USA
Personally, I would not go with Lastpass as they appear to be using their own cloud solution that has potential to be hacked.

Hmm, interesting point. Thus far, it seems to me that all password manager tools have at least 'one issue', of sorts.
I suppose the thing to really consider, is using one that is the lesser of the evils of issues...
 

circatee

Contributor
Nov 30, 2014
4,492
3,048
Georgia, USA
One could use the Yubi Key option with LastPass. I do agree with you, though, that one shouldn't
rely on LastPass cloud to keeping's account secure.

I haven't been able to find mention of problems in RAM on MacOS thus far.
Yes, sorry, I should have mentioned that the details from the link were in reference to Windows, versus Mac OS.
Alas, for someone like me, covering all aspects (Windows, Mac, Android, etcetera), I want to be 'fully' covered.

At this rate, I feel I simply need to find the right balance in an app, and go with it. At the same time, not succumbing to Security failings.

I will add, I feel me having MFA on quite a few things (especially main things like financials, email and hardware access), I have confidence in LastPass or even 1Password, too.
 

VineRider

macrumors 65816
May 24, 2018
1,419
1,251
Even if the lastpass database was hacked, the data is encrypted. All of the encryption/decryption is done on the local device and the keys are not sent to lastpass. So, while a private cloud might have a vulnerability to get hacked, I don't see that as any more vulnerable than being hosted on AWS. The important thing is data encryption and local keys to encrypt/decrypt the data.

From the lastpass website:
Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.
 

JD2015

macrumors 6502a
Sep 16, 2014
849
526
Use a combination of Lastpass and Authy to secure accounts. All password managers are in general great but do not use any 2FA within the password manager so as not to make it easy if someone was able to get into your password manager account.
 
  • Like
Reactions: circatee

VineRider

macrumors 65816
May 24, 2018
1,419
1,251
Use a combination of Lastpass and Authy to secure accounts. All password managers are in general great but do not use any 2FA within the password manager so as not to make it easy if someone was able to get into your password manager account.
Lastpass offers multiple 2fa options. Even offer yubikey...
 
  • Like
Reactions: circatee

bakerzdosen

macrumors regular
Apr 11, 2006
133
164
Long story short: a little over a year ago we got slammed by a really nasty ransomware attack. Say, 20 months ago I was firmly in the "security just gets in the way of me doing my job" camp. EVERYTHING along those lines changed for me with regards to security.
At the time we were using Password State for our passwords. Chances are good that was not hacked, but we still changed.
Currently we use 1password. And honestly it isn't bad.
But I still use keychain. Yes, I end up duplicating some passwords. But I still prefer keychain in most scenarios - even though 1password gives me a "free" personal vault for things with the corporate account we have with them, I don't use that aspect of it.

But that's just me. And frankly I don't truly trust anything any more. So I simply do the best I can, and overly complex passwords with a mixture of keychain and 1password is currently what fills that (in addition to different types of MFA.)
 
  • Like
Reactions: circatee

circatee

Contributor
Nov 30, 2014
4,492
3,048
Georgia, USA
Curious why you recommend not using lastpass authenticator?
I am wondering if its a case of LastPass having an authentication issue, you would not be able to log in.
Whereas, using an alternative, like Authy or Microsoft, etcetera, you're not fully unable to access your data.

Merely a guess on my part...
 

VineRider

macrumors 65816
May 24, 2018
1,419
1,251
Yes, not clear to me either. I use the lastpass authenticator, which is a google/microsoft compliant auth app. The thing I like about it is that with the Apple Watch, you get the notification to authenticate pushed on your watch and can approve without even getting your phone out. But, if there are issues I'm not aware of, I'm all ears:)
 
  • Like
Reactions: circatee

circatee

Contributor
Nov 30, 2014
4,492
3,048
Georgia, USA
Yes, not clear to me either. I use the lastpass authenticator, which is a google/microsoft compliant auth app. The thing I like about it is that with the Apple Watch, you get the notification to authenticate pushed on your watch and can approve without even getting your phone out. But, if there are issues I'm not aware of, I'm all ears:)
PS: the Authenticator app does the same thing. I use it on my Apple Watch. So many choices - LOL
 

circatee

Contributor
Nov 30, 2014
4,492
3,048
Georgia, USA
FYI all - for the record, I am working on increasing the Security Score on my LastPass account.
Earlier today, around 12:00 Eastern, my score was 69.3%. I am now at 81.4%. PROGRESS! :cool:
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.