
WarmWinterHat

macrumors 68040
Original poster
Feb 26, 2015
3,186
9,933
I'm currently a 1Password subscriber, and have been for years and I'm considering moving to the new Apple passwords app for various reasons, but I have some security concerns and wanted to see what everyone else thinks:

  • It's only secured behind your iPhone passcode and/or Face ID. That seems kinda risky
  • On Mac, it's the same password as your login. Again, seems kinda risky.
  • If someone steals your phone and screen lock passcode, they have access to all your passwords to change as they wish.
  • Getting locked out of your Apple account will lock you out of your passwords app? Then what?
I'm thinking that maybe I would leave out my Apple ID, and email login info? That way if something happens, those two accounts are immune. Thoughts?

🤔
 
I can definitely see where you are coming from in being concerned about security and especially your Apple ID. The problem with removing your AppleID is that you then have to remember it for the occasions you might need it.

The password app itself needs your Face/PIN to get in so there is that extra layer of security but then again if someone has your PIN, they are in. I guess you have to weigh up the pros and cons.

Personally I’m sticking with the password app. Crucially I won’t store financial account details, these are in a standalone password manager.

One thing I’d recommend is looking at Screen Time and then Accounts where you can block anyone from changing Passcodes and disabling FaceID. Really worth doing.

https://apple.news/A2AFAVmudRwiLpKxLLJ-4PQ This is a good read!

Sorry this isn’t a very specific answer but there is no really easy answer.
 
Is it risky? Yes, a little, but the Passwords app is not designed to replace things like 1Password, instead it's giving all those people that just store passwords in Notes or some other less secure place something better.
 
If you enable stolen device protection then unlocking the Passwords app using your passcode is removed as an option, leaving only Face ID.

You should enable this regardless.

I disagree, this feature is fragile. You accidentally lock your device you lost all your data.
 
I'm currently a 1Password subscriber, and have been for years and I'm considering moving to the new Apple passwords app for various reasons, but I have some security concerns and wanted to see what everyone else thinks:
My 1Password subscription stays with me a few more years at least. I don't mess with the security that I have 1P to. Apple is nowhere near anything that can replace 1Password, imho, so definitely not for me.
But I follow what the 'testpilots' come up with curiosity.
 
I can definitely see where you are coming from in being concerned about security and especially your Apple ID. The problem with removing your AppleID is that you then have to remember it for the occasions you might need it.

The password app itself needs your Face/PIN to get in so there is that extra layer of security but then again if someone has your PIN, they are in. I guess you have to weigh up the pros and cons.

Personally I’m sticking with the password app. Crucially I won’t store financial account details, these are in a standalone password manager.

One thing I’d recommend is looking at Screen Time and then Accounts where you can block anyone from changing Passcodes and disabling FaceID. Really worth doing.

https://apple.news/A2AFAVmudRwiLpKxLLJ-4PQ This is a good read!

Sorry this isn’t a very specific answer but there is no really easy answer.

My Apple ID password is quite long and complicated, but I do have it memorized. Same goes for my main Gmail account, so I could just remove those. I also have a copy of KeePassXC on my Mac where I store oddball passwords that I don’t want in my main 1Password database. I could use it as a backup.

Seems pretty convoluted compared to sticking with 1Password… hmm
 
My Apple ID password is quite long and complicated, but I do have it memorized. Same goes for my main Gmail account, so I could just remove those. I also have a copy of KeePassXC on my Mac where I store oddball passwords that I don’t want in my main 1Password database. I could use it as a backup.

Seems pretty convoluted compared to sticking with 1Password… hmm

I have a standalone Strongbox password manager which always remains on local storage and never on iCloud.

The idea of activating Stolen iPhone Protection is very helpful especially as there is the option for familiar and/or other locations. I’ve got it activated.

I suppose the question is iCloud any different in terms of security compared to say 1Password. Which do you trust the most?
 
I have a standalone Strongbox password manager which always remains on local storage and never on iCloud.

The idea of activating Stolen iPhone Protection is very helpful especially as there is the option for familiar and/or other locations. I’ve got it activated.

I suppose the question is iCloud any different in terms of security compared to say 1Password. Which do you trust the most?

I guess I don't really have any feelings on iCloud vs 1Password's cloud storage, as they are both encrypted. My issue is with being able to access my passwords via just my iPhone or Mac passcode, instead of a separate password specifically for the Passwords app.
 
I disagree, this feature is fragile. You accidentally lock your device you lost all your data.
The only way for that to happen is if you don’t remember your passcode, which is also an issue without stolen device protection enabled.

What stolen device protection for the Passwords app does is to block the fallback to PIN entry, you can only use FaceID to unlock it.

PIN entry remains an option to unlock the phone in general (in case FaceID doesn’t work).
 
My daughter was locked out of her Apple ID a while back. She couldn’t access anything connected to her Apple ID (photos, iCloud, Apple Keychain, or anything else). She at least could access her 1Password on a different computer.

The only way for that to happen is if you don’t remember your passcode, which is also an issue without stolen device protection enabled.

What stolen device protection for the Passwords app does is to block the fallback to PIN entry, you can only use FaceID to unlock it.

PIN entry remains an option to unlock the phone in general (in case FaceID doesn’t work).
Not true. My daughter got locked out because someone was trying to get into her Apple ID. So Apple locked her account and she had to verify who she was. This took almost 2 weeks.
 
If you enable stolen device protection then unlocking the Passwords app using your passcode is removed as an option, leaving only Face ID.

You should enable this regardless.


This is a great suggestion, although I haven't tested it yet on my iPhone, however, stolen device protection is not really available on macOS.
 
I will add that most Apple users are probably using Standard iCloud data storage encryption, which is not zero knowledge on Apple's part. You can opt into Advanced Data protection for iCloud for a zero-knowledge storage of your data, but read up on the caveats before you do, of course. For some of my credentials, that's just not good enough.

Additionally, the usability on macOS does not seem to be on par with the efforts they've put into automatic login in iOS, so I'm not sure I'd be ready to adopt the Apple Passwords app even if I didn't have concerns about some of its security.
 