New Passwords App

[steve62388]

So, effectively, your Passwords in the Passwords.app are ultimately locked only by your 4 or 6 digit phone PIN? That does not seem very safe at all! And this coming from a guy who actually wants to switch from 1Pw to APw. 😢

To be fair if somebody is the type of person to have a 4 digit pin they're probably not that serious about security anyway. I'd also say the same for a 6 digit.

I use a device password that will take centuries to crack and it's not that much of a burden to type it in when biometrics do not work because the vast majority of the time they do.

Make your choice and roll the dice. 🤷‍♂️

 

[Cinimod1000]

Looks like iOS 18 b5 still allows phone PIN after 2 failed attempts of Face ID.

Checked in wife’s 13PM (still on iOS 17), and in Settings, Passwords - it gives a reminder that access is protected behind “Stolen Device Protection”….

 

[k.alexander]

Looks like iOS 18 b5 still allows phone PIN after 2 failed attempts of Face ID.

Checked in wife’s 13PM (still on iOS 17), and in Settings, Passwords - it gives a reminder that access is protected behind “Stolen Device Protection”….

I'm sorry, can you expand on that second paragraph? So what does that mean.
And yes I can confirm that iOS18b5 still allows a PIN after 2 failed attempts of FaceID. How in the world does apple thing that this is acceptable?

 

[Cinimod1000]

I'm sorry, can you expand on that second paragraph? So what does that mean.
And yes I can confirm that iOS18b5 still allows a PIN after 2 failed attempts of FaceID. How in the world does apple thing that this is acceptable?

Stolen Device Protection does not allow the PIN to be entered after two failed attempts of Face ID when trying to access “Settings > Passwords” on an iPhone 13PM with release version iOS 17.5.1 installed.

 

[k.alexander]

Stolen Device Protection does not allow the PIN to be entered after two failed attempts of Face ID when trying to access “Settings > Passwords” on an iPhone 13PM with release version iOS 17.5.1 installed. View attachment 2404054

Oh ok, will check on an iOS17 device later today. Seems like if that's an option in iOS17, then I would think it's just a matter of Passwords still being in beta and thus not including the same feature/option.

No Stolen Device Protection on MacOS, but then again, MacOS passwords are generally not 4/6 digit PINs.

 

[Cinimod1000]

Hmm, still the same behavior in 18 db6.
Wonder if they will actually fix this….🤷

 

[Ansath]

Hmm, still the same behavior in 18 db6.
Wonder if they will actually fix this….🤷

There’s nothing to fix. It’s working in line with their intended behaviour.

What you want is a change in intended behaviour.

Only way out will change is if enough people feed back.

 

[fsfty]

Can anyone confirm that the verification codes also transfer to the new Passwords app?

 

[Cinimod1000]

There’s nothing to fix. It’s working in line with their intended behaviour.

What you want is a change in intended behaviour.

Only way out will change is if enough people feed back.

Could well be.
However, that’s not how access to passwords works in iOS 17. It is secured behind Stolen Device Protection.
But I understand it may be intended behaviour, as it may well be that the average Joe would at least be using the app to generate good passwords - so the world will be a better place for all 😎

 

[Ansath]

Could well be.
However, that’s not how access to passwords works in iOS 17. It is secured behind Stolen Device Protection.
But I understand it may be intended behaviour, as it may well be that the average Joe would at least be using the app to generate good passwords - so the world will be a better place for all 😎

Intended function of the passwords section in settings on iOS 17 =/= passwords app on iOS 18.

 

[Cinimod1000]

Intended function of the passwords section in settings on iOS 17 =/= passwords app on iOS 18.

But that’s my point. It is NOT the same behavior in iOS17 as iOS 18 - IF Stolen Device Protection is on.
On iOS 17, if Face ID fails twice then Stolen Device Protection does not allow the PIN to be entered:

On iOS 18, if Face ID fails twice, you can enter the phone PIN, even with Stolen Device Protection on.

 

[Ansath]

But that’s my point. It is NOT the same behavior in iOS17 as iOS 18 - IF Stolen Device Protection is on.
On iOS 17, if Face ID fails twice then Stolen Device Protection does not allow the PIN to be entered:
View attachment 2407018

On iOS 18, if Face ID fails twice, you can enter the phone PIN, even with Stolen Device Protection on.

You’re missing my point. It’s not the same thing. Passwords is a new app in iOS 18, it’s not the same as the settings menu in iOS 17, therefore intended function of how it’s meant to work in iOS 18 is what we are seeing now.

Therefore it is not a bug to be fixed, it would be a change to intended function.

 

[NYCValkyrie]

Unless you can export your passwords (doubtful) I'll pass.

You can export them as .csv.

 

[NYCValkyrie]

Are you able to import 1password passwords, notes etc into the new app?

You can import .csv, It's passwords only. No notes, other types of docs like ID, passport etc etc. No attachments. But I think they are heading that way.

 

[Cinimod1000]

You’re missing my point. It’s not the same thing. Passwords is a new app in iOS 18, it’s not the same as the settings menu in iOS 17, therefore intended function of how it’s meant to work in iOS 18 is what we are seeing now.

Therefore it is not a bug to be fixed, it would be a change to intended function.

I get your logic Ansath, just hoping, that’s all 😎

 

[P_Watt]

On iOS 17, if Face ID fails twice then Stolen Device Protection does not allow the PIN to be entered:

If you have stolen device protection set to Always rather than Away from familiar locations then passwords should be protected by biometrics both in 17 and 18. If not then it's a bug.

 

[Cinimod1000]

If you have stolen device protection set to Always rather than Away from familiar locations then passwords should be protected by biometrics both in 17 and 18. If not then it's a bug.

And a big Thank You for your suggestion!! Changed SDP to “Always”, did a hard restart and voila. Two failed attempts of Face ID and I get the pop up telling me SDP is on.

 

[k.alexander]

And a big Thank You for your suggestion!! Changed SDP to “Always”, did a hard restart and voila. Two failed attempts of Face ID and I get the pop up telling me SDP is on.

Ok so follow up questions:
Q1. So what happens if you let FaceID fail twice? I understand SDP message comes on, but what's next -- are you locked out of accessing the passwords for an hour? two hours?
A1: Well just tried it, and looks like you're not locked out of the Passwords app, the app will allow you to keep trying your face over and over until it unlocks.

2. Does this mean that if you have SDP set to Away from Familiar Locations, AND you are actually away from home or another familiar location, then will two failed FaceID attempts NOT give you the option to unlock with a phone PIN?

 

[Cinimod1000]

Ok so follow up questions:
Q1. So what happens if you let FaceID fail twice? I understand SDP message comes on, but what's next -- are you locked out of accessing the passwords for an hour? two hours?
A1: Well just tried it, and looks like you're not locked out of the Passwords app, the app will allow you to keep trying your face over and over until it unlocks.

2. Does this mean that if you have SDP set to Away from Familiar Locations, AND you are actually away from home or another familiar location, then will two failed FaceID attempts NOT give you the option to unlock with a phone PIN?

Hmm. For #1 I am going to say yes it keeps you locked out. At least, I cannot get it to let me in. Yes can rinse and repeat no Face ID - and still not get into see passwords.
Following the link on the pop up message, I believe it will follow the rules set for SDP. So, one hour.
But I haven’t been able to check, as am stuck at a familiar location until tomorrow 😎

SDP “rules” link:

About Stolen Device Protection for iPhone - Apple Support

Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as home or work.

support.apple.com

 

[k.alexander]

Ok so follow up questions:
Q1. So what happens if you let FaceID fail twice? I understand SDP message comes on, but what's next -- are you locked out of accessing the passwords for an hour? two hours?
A1: Well just tried it, and looks like you're not locked out of the Passwords app, the app will allow you to keep trying your face over and over until it unlocks.

2. Does this mean that if you have SDP set to Away from Familiar Locations, AND you are actually away from home or another familiar location, then will two failed FaceID attempts NOT give you the option to unlock with a phone PIN?

So I've now tested it. In either situation, when SDP is set to Always, you can continue trying FaceID until you're blue in the face . The device never locks you out of trying over and over again, at least not after 6-7 times that I tried, and never offers to fall back on the device 4/6 digit PIN. And this is true whether you're in a Familiar location or not.

So that settles that big issue. I guess the next question is -- is it really worth moving away from 1PW to AP?

One of my biggest problems, besides AP's inability to store attachments, or entries like CC, Banks, Passports, etc (i.e. things other than just passwords), is the way Group Sharing works. You can only put one login/pw entry into one group, not multiple groups. As someone who manages pws for the entire family, I'm not sure how I would work around that. May just be easier to just pay the $60/yr to 1PW and that be that.

 

[Cinimod1000]

So I've now tested it. In either situation, when SDP is set to Always, you can continue trying FaceID until you're blue in the face . The device never locks you out of trying over and over again, at least not after 6-7 times that I tried, and never offers to fall back on the device 4/6 digit PIN. And this is true whether you're in a Familiar location or not.

So that settles that big issue. I guess the next question is -- is it really worth moving away from 1PW to AP?

One of my biggest problems, besides AP's inability to store attachments, or entries like CC, Banks, Passports, etc (i.e. things other than just passwords), is the way Group Sharing works. You can only put one login/pw entry into one group, not multiple groups. As someone who manages pws for the entire family, I'm not sure how I would work around that. May just be easier to just pay the $60/yr to 1PW and that be that.

Perfect. Tested this as well, and I see the same results.
Also agree about the 1Password convenience. I only have to share some with my wife, so I think we are all set with the Passwords app, as we each have our CCs in Wallet.

 

[k.alexander]

Perfect. Tested this as well, and I see the same results.
Also agree about the 1Password convenience. I only have to share some with my wife, so I think we are all set with the Passwords app, as we each have our CCs in Wallet.

Trying to figure out how to make it work for me, where I largely manage my own plus 3 other family vaults.

Don't know if the idea is create Shared Groups in APw, one for each vault/family member, and move their respective pw items into each one. I believe each member of a Shared Group has full view/edit access to anything in that Shared Group.
What's driving me crazy is that you can only put each pw entry into one, and one only, Shared Group, i.e. the shared groups work like folders as opposed to tags I guess.

Just installed Sequoia today, will maybe play with it some more.

 

[k.alexander]

Yeah so I don't know, I exported about 1,300 items to APasswords.
I created a few Shared Groups, mind you, for now I am the only member of those groups.
Any or most edits to an item (changing name, username, password) or the action of deleting an item from a Shared Group, locks up the app and takes about 25-45 seconds (I'm on a new MBP M3Pro and fast wifi). Doesn't seem to be happening on items that are not in a Shared Groups.

In fact, just moving the roughly 1,000 pw entries to one shared group, of which, again, I am the only member, took 2-3 hours. What the hell?

 

[k.alexander]

Has anyone figured out if you can remove the first/original website that is associated with every password entry?
Looks like you can add additional websites to each entry, and you can delete them, but you can't delete the first entry.

 

[hj8ag]

Has anyone figured out if you can remove the first/original website that is associated with every password entry?
Looks like you can add additional websites to each entry, and you can delete them, but you can't delete the first entry.

You can't remove the original website on macOS or iOS.

I've sent feedback on this as I have a few services that have changed name (& therefore URL) and I want to remove the original entries. The only way to do this at the moment is to delete the entry and set it up fresh which isn't really practical.