I’m full-in on the Apple ecosystem. I use the native Apple Keychain/Passwords app exclusively and it works great for everything I need.
Last edited:
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Password Managers - what are you using?
- Thread starter maflynn
- Start date
- Sort by reaction score
I'm using the built-in password manager in Google Chrome. It works fine, also in iOS for Safari, which I use there. It's free and since I use Chrome a lot, it's convenient across all operating systems (I also use Android, ChromeOS, Linux and Windows). I don't know what it could do better, can it do anything besides remembering and filling in the credentials?
I use BitWarden.
Or more precisely, I use Apple Keychain and Bitwarden (but since I could only choose one in the poll I chose the external one).
Used to use 1Password for many years, but - for a multitude of reasons, the change to subscription model only one of them - changed to Bitwarden a (good) while back.
Or more precisely, I use Apple Keychain and Bitwarden (but since I could only choose one in the poll I chose the external one).
Used to use 1Password for many years, but - for a multitude of reasons, the change to subscription model only one of them - changed to Bitwarden a (good) while back.
1Password: for pretty much everything.
Strongbox: in some cases + for some 2FA.
*Have tried full export from 1Password to Strongbox last year to see how well it works and discovered that sections are not transferred at all (all entries in an item end up in one long list). Have discovered that apparently Keepass database file format does not yet support sections. Thus - if you do use sections quite extensively (as I do), than switching fully from 1Password to Strongbox (or any other Keepass client) might be problematic.
I am not planning switching from 1Password anytime soon, since it has been great throughout all the years and I am now 100% happy with v8 (which was quite a disaster at the beginning, so I was rocking v7 for a long while).
Strongbox: in some cases + for some 2FA.
*Have tried full export from 1Password to Strongbox last year to see how well it works and discovered that sections are not transferred at all (all entries in an item end up in one long list). Have discovered that apparently Keepass database file format does not yet support sections. Thus - if you do use sections quite extensively (as I do), than switching fully from 1Password to Strongbox (or any other Keepass client) might be problematic.
I am not planning switching from 1Password anytime soon, since it has been great throughout all the years and I am now 100% happy with v8 (which was quite a disaster at the beginning, so I was rocking v7 for a long while).
I really don't have any complaints with V8 of 1PW. I held onto V7 on the Mac for a while, but I've since then downloaded the app on my mac and its fine.
My desire for this thread is not say what people should use, but rather what are you using.
I was using Bitwarden for a while and its a great app, but I think I'll be embracing the family package of 1PAssword and I think that's one area that is under served by other password managers
Keychain. I’ve never even considered trying anything else.🤷♂️
I had 1PW v6 years ago at work. It was fine, but like others, I was driven away by the subscription only model. Used LastPass free for a while personally, then paid so I could use it on both my iPhone and PC. After the LP debacle a while back, I switched to 1PW for both personal and work. Since I was used to paying for LP at that time, I just ponied up for 1PW.
- I can't install the icloud app on my work PC but I can access 1Password via browser.
- I don't think Keychain supports 2FA, only passkeys.
- Keychain is not as organized and doesn't allow you to (easily) share passwords with family members.
I really don't understand why it's not a standalone app. The fact that it's buried in settings makes me hesitant to recommend it to my less technically inclined relatives.
Enpass works very well for my GF and I.
I can store passkeys, 2FA codes, pictures of ID's, etc and I choose where!
Is not like 1Password server (than can be compromised anytime: https://blog.1password.com/okta-incident/),
but my vault is stored on my iCloud Drive.
I hate when companies monthly charge users "the infrastructure costs" (ie servers)...I don't need your servers, thank you.
Is just a money grabbing tactic. I should trust that the 1Password folks have better security than Apple?
I can store passkeys, 2FA codes, pictures of ID's, etc and I choose where!
Is not like 1Password server (than can be compromised anytime: https://blog.1password.com/okta-incident/),
but my vault is stored on my iCloud Drive.
I hate when companies monthly charge users "the infrastructure costs" (ie servers)...I don't need your servers, thank you.
Is just a money grabbing tactic. I should trust that the 1Password folks have better security than Apple?
Yeah but see, I can't just vote for 1, because Apple has made that impossible. I have to use both 1Password and Apple Keychain, because neither of them works 100% of the time. Neither of them reliably offers to create a new password/login when it should, and neither of them reliably offers to autofill the correct thing 100% of the time. I can't afford to have an account that gets lost, so if only 1 is working that's the one I need to use.
They just aren't good enough. It seems incomprehensible that there are still enough ways for web forms and app forms to circumvent the data detectors for autofill, but what few ways do exist should be conquered by now.
1Password's Safari extension is also terrible, and routinely stops working altogether. Has for years. Impossible to use without requiring constant babysitting.
They just aren't good enough. It seems incomprehensible that there are still enough ways for web forms and app forms to circumvent the data detectors for autofill, but what few ways do exist should be conquered by now.
1Password's Safari extension is also terrible, and routinely stops working altogether. Has for years. Impossible to use without requiring constant babysitting.
I don't know how it stacks up against popular password managers, but I really like the Google Password Manager that's built into Google Chrome. It's cross-platform and pretty good about warning if a password's been found in a data leak... also it's very convenient overall.
Apple Keychain is also pretty good, though I hardly use Safari any more.
Apple Keychain is also pretty good, though I hardly use Safari any more.
I use Strongbox. It’s open source, based on Keepass, has very strong encryption and the most features I have ever seen in any password manager. You can host your vault locally or in the cloud service of your choice, you can pay annually or make a one time purchase. You get extremely robust password generating options, plus 2FA codes, passkey support, and a ton of ways to customize the settings to your liking, use case, and security needs. The app is universal for Mac/iphone/ipad and the Mac app uses the built in OS autofill feature.
It lacks the last bit of polish that some of the bigger name password managers have (although it looks better to me and is easier to use than Bitwarden), and it doesn’t have the spotlight-esque keyboard shortcut tool on Mac that 1Password has. I haven’t looked into it, but I wonder if I could replicate that functionality with Strongbox and Alfred, I’ll have to check.
The feature it does better than others is its sheer level of customization. You can truly tailor this to be your personal best password app and once you have all the settings locked in the way you want, it runs as you expect it to every single time. The devs are also extremely responsive so any issue that does come up can be resolved quickly and easily. I highly recommend it.
It lacks the last bit of polish that some of the bigger name password managers have (although it looks better to me and is easier to use than Bitwarden), and it doesn’t have the spotlight-esque keyboard shortcut tool on Mac that 1Password has. I haven’t looked into it, but I wonder if I could replicate that functionality with Strongbox and Alfred, I’ll have to check.
The feature it does better than others is its sheer level of customization. You can truly tailor this to be your personal best password app and once you have all the settings locked in the way you want, it runs as you expect it to every single time. The devs are also extremely responsive so any issue that does come up can be resolved quickly and easily. I highly recommend it.
I have never used 1Password, nor do ever plan to. However, I can’t resist responding to your post.
Your statement, “Is not like 1Password server (than can be compromised anytime: https://blog.1password.com/okta-incident/)” can be most charitably described as misleading. From the link you provided: “...We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
Given that 1Password offers a $1 million bug bounty reward, which I doubt has ever been claimed, I don’t think I would have any trouble trusting 1Password.
For security reasons, I wouldn’t use any browser password manager. Here are two articles that address this subject:
https://www.keepersecurity.com/blog/2022/11/04/are-browser-password-managers-safe/
https://www.techradar.com/features/browser-based-password-managers-are-they-worth-it
As Im all Mac it's Apple Keychain. I did use lastpass before it became "greedy", and Bitwarden, which I would go back to if ever I changed platforms.
1Password.
I used iCloud Keychain for years, but it is simply not as good as the competition. 1Password blows it out of the water. One of the only subscriptions I am happy to pay for (have a family account).
I used iCloud Keychain for years, but it is simply not as good as the competition. 1Password blows it out of the water. One of the only subscriptions I am happy to pay for (have a family account).
Misleading how exactly?
From AgileBits own report:
A member of the IT team was engaged with Okta support, and at their request, created a HAR file from the Chrome Dev Tools and uploaded it to the Okta Support Portal.
This HAR file contains a record of all traffic between the browser and the Okta servers, including sensitive information such as session cookies. In the early morning hours of Friday, Sept. 29th, an unknown actor used the same Okta session that was used to create the HAR file to access the Okta administrative portal, and performed the following logged actions:
● Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
● Updated an existing IDP tied to our production Google environment.
● Activated the IDP.
● Requested a report of administrative users.
The final action in that list resulted in an email being sent to the member of the IT team, and alerted them to this event. At this point it is known that the unknown actor performed other less sensitive actions (such as viewing groups) that did not result in log entries; Okta is working to pull log entries for these actions for us to review.
The HAR file was created on the team member’s macOS laptop and uploaded via hotel provided WiFi, as this event occurred at the end of a company event. Based on an analysis of how the file was created and uploaded, Okta’s use of TLS and HSTS, and the prior use of the same browser to access Okta, it is believed that there was no window in which this data could have been exposed to the WiFi network, or otherwise subject to interception.
The IT team member’s macOS laptop that was used is currently offline, and was scanned with the free version of Malwarebytes, which reported no findings. At this point, malware or some other compromise of this device is the leading theory for how this session data was exposed; though this is complicated by the fact that no other unusual activity tied to this team member’s accounts have been identified.
Read it carefully, a member of the IT team of a supposed highly security company, uses the hotel WiFi to upload a file with sensitive login information (in form of cookies) responding to the request of a third company.
They only noticed the intrusion after a request for a report generated an email.
They know that the intruder performed other actions, but not sure what.
Doesn't scream confidence to me.
The problem is not just 1Password, is ANY company that insists in charging users for syncing across devices using their own servers. It's a excuse to grab money and not a technical need. They can use iCloud, Dropbox, Google Drive...
They add a weak link in the most confidential information available to make more money.
Ditto. I'd be very interested to hear what's been fixed with v8 that's made you be happy with it now. Am on v7 Teams.
I think it is perfectly reasonable to think that someone reading your statement, “...than can be compromised anytime...” would be led to think that 1Password has creaky security. The reality is that 1Password is a prominent password manager that has been around a long time, and as far as I know, nobody has ever stolen their customers’ passwords off their servers.
Apple keychain, I stay away from browser based password managers for security reasons.
I'm using C2 Password. It's free and good enough. Had dashlane and 1password. Both those are good, but why not offer one time fee, instead of monthly subscription?
