iCloud Keychain decisions, is it safe enough?

[Populus]

TL;DR: Would you save the password of the email account associated to your Apple ID on your iCloud Keychain? In case you lose access to your Apple ID, would I still be able to access to the iCloud Keychain on my devices without the need of my Apple ID password?

Thank you

*****
​

Hello everyone.

I didn’t know where to post this, I think this is the right subforum to ask about some decisions regarding storing my passwords on iCloud Keychain service.

I am starting to accumulate too many passwords, sometimes complex passwords, and my memory isn’t as good as 15 years ago. Every day I run the risk of losing some accounts because I forgot the password. I usually don’t provide my phone number to mail companies like Microsoft (outlook) or Google, therefore, if I lose a password, I lose the account. I’ve already lost my FaceBook and they don’t want to unlock my account... But that’s a whole other story, I’m perfectly fine without a Facebook account (actually I wanted to log in in order to delete my account).

First of all, I want to know if iCloud Keychain is secure enough. Yes, I have the two factor authentication, with several devices and phone number. I wholeheartedly trust Apple, therefore, I give them all (Lol). I don’t like third party alternatives, yeah, I know there’s onepassword and enpass and others... I don’t trust them to hold all my passwords. Great, I’m glad you do, but please don’t suggest me those alternatives because I won’t go with them.

The only service I’d trust my passwords is iCloud Keychain, and sometimes it isn’t the most accessible service, but it is integrated on all my devices, and secured by the two step verification of my Apple ID account.

Now the questions: How smart (or dumbass) do you think it is to store the password of my email associated with my Apple ID on the iCloud Keychain? I ask this because soon, I will forget the password of my email associated with my Apple ID. If I store it on my iCloud Keychain but I forget my Apple ID pass (also stored on my memory), then I won’t be able to access my email account associated with my Apple ID? Or it won’t be a problem because I will be logged in my Apple ID on other devices and will be easy to look it up?

Would you store the password of your email associated with your Apple ID on the iCloud Keychain? How about other important passwords?

Second: How about storing them under a note, in the notes app? How secure would that be? Again, I have the two auth factor on my Apple ID. What about storing them under a password secured note, on the notes app?

I have more questions regarding iCloud Keychain but right now that’s my only concern. Forgetting all my passwords would be terrible.

Thanks for your patience.

 

[Weaselboy]

Second: How about storing them under a note, in the notes app?

That is what I do and from what I can tell, that note is just as secure as the Keychain itself.

I just looked, and it does not appear the Keychain app stores the iCloud login password (unless I am looking for the wrong thing).

What I did find is the Keychain stored my AppleID password from when I logged in at appleid.apple.com. So it looks like if you go to that site and login, Keychain will remember your AppleID and the password so you get it from that entry if you ever forgot it.

 

[Populus]

That is what I do and from what I can tell, that note is just as secure as the Keychain itself.

I just looked, and it does not appear the Keychain app stores the iCloud login password (unless I am looking for the wrong thing).

What I did find is the Keychain stored my AppleID password from when I logged in at appleid.apple.com. So it looks like if you go to that site and login, Keychain will remember your AppleID and the password so you get it from that entry if you ever forgot it.

True, the Apple ID password stored on my iCloud Keychain is only used to log in through the website. It also asks for Face ID, Touch ID or the Code of the device, but if the thief got access to the device and cracked the code, they can get in...

[Everyone: Excuse me if I sound excessively paranoid, I’m just resetting my passwords and the way I manage them for the next years, and I want to think about every possibility.]

If they can read your Apple ID on your device they can deactivate Find My iPhone, they can change the credentials, they can make in app purchases for you... And definitely they can access all your stored Passwords. I’m not sure how safe is everything if nobody can access any of my devices physically.

Basically what I don’t want me to happen is something like this (read the thread):

https://twitter.com/i/web/status/1291366907271151616

I just want to set up my passwords in a way that they are truly secure. And using password protected notes seems like a good alternative.

 

[NoBoMac]

Did not go through all possible scenarios mentally, but, this Twitter thread is missing some key information, imo (bio-metrics on, two-factor on accounts, etc). And even if things setup correctly, thief has a head start on getting things switched (read: different system processes are crossing paths at slightly different times).

Last I've read, gray box crackers would need days to find a 6-digit device passcode, since each guess needs to be done on the phone, and each check takes a fair amount of time. Need the code to access Keychain items, so at first glance, more likely something like shoulder surfing to get a device passcode.

Someone else can provide more detail on possibility re: how a SIM swap might open things for a reset.

Set a device lock to something other than "Never". Setup Notifications to limit or not go to lock screen (though if I recall, approval for a new trusted device requires unlock: back to shoulder surfing if no bio-metrics involved for unlock and or phone never locks). Back to SIM swap, maybe possible to get a reset on Apple ID password as now the "new" device is a trusted device re: phone number.

If you forgot your Apple Account password - Apple Support

Here's how to reset your Apple Account password and regain access to your account.

support.apple.com

One needs to report phone stolen with telco first, then lock via Find My is probably the proper sequence, though Apple says to do telco contact last in their instructions. Also reset the password on email account(s) to help prevent reset emails being sent to email account. At that point, hopefully, alternate access routes have been shut.

This is old, but an example of how a cascade of weaknesses can compromise one's digital life. Most folks don't think about what could go wrong, and if they just want to turn on and use, asking for trouble.

Picking up the pieces after the @N Twitter account theft

A detailed look at how it happened and how to keep it from happening to you.

arstechnica.com

Personally, not concerned, as I have two-factor everywhere. 12-character passcode of upper/lower, digits, special character and use Touch ID (only need to enter passcode once a week). Keep my phone pocketed unless actively using, and do not use actively while on a street. Lock after two minutes set. Manually lock when done using. Passcodes on financial apps have a different passcode set to access the app. Yet a different code on authenticator app.

Then again, from what I've seen over the years, the SIM seems to be a weakness, where they are stolen, cloned. If a newish device that accepts eSIMs, might be good idea to get that and make it your main SIM: nothing to swap unless thief has someone on the inside of the telco.

(All speculation, as I've been fortunate in that I've never had a phone lost/stolen, and have not had to try to lock down everything on the fly)

 

[holtz500]

I got a ? And this may be a dumb one but here we go so I had to reset my iPhone yesterday and when I went to log in to Instagram which i have 2 Instagram accounts it had my accounts saved from iCloud Keychain but I removed them to log in manually but now I’m concerned for some reason that my account get deleted can that happen or no all I did was remove the accounts to log in manually sorry if this is a dumb ?