Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security of new Passwords app?

WarmWinterHat

WarmWinterHat

macrumors 68030
Original poster
Feb 26, 2015
2,991
9,208
I'm currently a 1Password subscriber, and have been for years and I'm considering moving to the new Apple passwords app for various reasons, but I have some security concerns and wanted to see what everyone else thinks:

  • It's only secured behind your iPhone passcode and/or Face ID. That seems kinda risky
  • On Mac, it's the same password as your login. Again, seems kinda risky.
  • If someone steals your phone and screen lock passcode, they have access to all your passwords to change as they wish.
  • Getting locked out of your Apple account will lock you out of your passwords app? Then what?
I'm thinking that maybe I would leave out my Apple ID, and email login info? That way if something happens, those two accounts are immune. Thoughts?

🤔
 
Last edited:
  • Like
Reactions: southnorth
southnorth

southnorth

macrumors regular
Jul 22, 2018
180
141
I can definitely see where you are coming from in being concerned about security and especially your Apple ID. The problem with removing your AppleID is that you then have to remember it for the occasions you might need it.

The password app itself needs your Face/PIN to get in so there is that extra layer of security but then again if someone has your PIN, they are in. I guess you have to weigh up the pros and cons.

Personally im sticking with the password app. Crucially I won’t store financial account details, these are in a standalone password manager.

One thing I’d recommend is looking at Screen Time and then Accounts where you can block anyone from changing Passcodes and disabling FaceID. Really worth doing.

https://apple.news/A2AFAVmudRwiLpKxLLJ-4PQ This is a good read!

sorry this isn’t a very specific answer but there is no really easy answer.
 
bamf-hacker

bamf-hacker

macrumors regular
Jul 17, 2012
119
114
Is it risky? yes a little, but the passwords app is not designed to replace things like 1Password, instead its giving all those people that just store passwords in Notes or some other less secure place something better.
 
  • Like
Reactions: WarmWinterHat and Lioness~
I

ifxf

macrumors 6502a
Jun 7, 2011
623
1,024
palemonkey said:
If you enable stolen device protection then unlocking the Passwords app using your passcode is removed as an option, leaving only Face ID.

You should enable this regardless.

About Stolen Device Protection for iPhone – Apple Support (UK)

Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as your home or workplace.
support.apple.com support.apple.com
Click to expand...
I disagree, this feature is fragile. You accidentally lock your device you lost all your data.
 
  • Like
Reactions: southnorth
L

Lioness~

macrumors 68040
Apr 26, 2017
3,408
4,247
WarmWinterHat said:
I'm currently a 1Password subscriber, and have been for years and I'm considering moving to the new Apple passwords app for various reasons, but I have some security concerns and wanted to see what everyone else thinks:
Click to expand...
My 1Password subscription stays with me a few more year at least. I don't mess with the security that I have 1P to. Apple is nowhere near anything that can replace 1Password, imho, so definitely not for me.
But I follow what the 'testpilots' come up with curiosity.
 
  • Like
Reactions: WarmWinterHat
WarmWinterHat

WarmWinterHat

macrumors 68030
Original poster
Feb 26, 2015
2,991
9,208
southnorth said:
I can definitely see where you are coming from in being concerned about security and especially your Apple ID. The problem with removing your AppleID is that you then have to remember it for the occasions you might need it.

The password app itself needs your Face/PIN to get in so there is that extra layer of security but then again if someone has your PIN, they are in. I guess you have to weigh up the pros and cons.

Personally im sticking with the password app. Crucially I won’t store financial account details, these are in a standalone password manager.

One thing I’d recommend is looking at Screen Time and then Accounts where you can block anyone from changing Passcodes and disabling FaceID. Really worth doing.

https://apple.news/A2AFAVmudRwiLpKxLLJ-4PQ This is a good read!

sorry this isn’t a very specific answer but there is no really easy answer.
Click to expand...

My Apple ID password is quite long and complicated, but I do have it memorized. Same goes for my main gmail account, so I could just remove those. I also have a copy of keepass xc on my Mac that I store oddball passwords that I don’t want in my main 1password database.. I could use it as a backup.

Seems pretty convoluted compared to sticking with 1password… hmm
 
  • Like
Reactions: southnorth
southnorth

southnorth

macrumors regular
Jul 22, 2018
180
141
WarmWinterHat said:
My Apple ID password is quite long and complicated, but I do have it memorized. Same goes for my main gmail account, so I could just remove those. I also have a copy of keepass xc on my Mac that I store oddball passwords that I don’t want in my main 1password database.. I could use it as a backup.

Seems pretty convoluted compared to sticking with 1password… hmm
Click to expand...

I have a standalone Strongbox password manager which always remains on local storage and never on iCloud.

The idea of activating Stolen iPhone Protection is very helpful especially as there is the option for familiar and/or other locations. I’ve got it activated.

I suppose the question is iCloud any different in terms of security compared to say 1Password. Which do you trust the most?
 
WarmWinterHat

WarmWinterHat

macrumors 68030
Original poster
Feb 26, 2015
2,991
9,208
southnorth said:
I have a standalone Strongbox password manager which always remains on local storage and never on iCloud.

The idea of activating Stolen iPhone Protection is very helpful especially as there is the option for familiar and/or other locations. I’ve got it activated.

I suppose the question is iCloud any different in terms of security compared to say 1Password. Which do you trust the most?
Click to expand...

I guess I don't really have any feelings on iCloud vs 1Password's cloud storage, as they are both encrypted. My issue is with being able to access my passwords via just my iPhone or Mac passcode, instead of a sperate password specifically for the Passwords app.
 
  • Like
Reactions: southnorth
T

TimFL1

macrumors 68020
Jul 6, 2017
2,008
2,416
Germany
ifxf said:
I disagree, this feature is fragile. You accidentally lock your device you lost all your data.
Click to expand...
The only way for that to happen is if you don‘t remember your passcode, which is also an issue without stolen device protection enabled.

What stolen device protection for the Passwords app does is to block the fallback to PIN entry, you can only use FaceID to unlock it.

PIN entry remains an option to unlock the phone in general (in case FaceID doesn‘t work).
 
  • Like
Reactions: southnorth
Mr. Heckles

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,461
1,921
Around
My daughter was locked out of her Apple ID a while back. She couldn’t access anything connected to her Apple ID (photos, iCloud, Apple Kwychain, or anything else). She at least could access her 1Password on a different computer.

TimFL1 said:
The only way for that to happen is if you don‘t remember your passcode, which is also an issue without stolen device protection enabled.

What stolen device protection for the Passwords app does is to block the fallback to PIN entry, you can only use FaceID to unlock it.

PIN entry remains an option to unlock the phone in general (in case FaceID doesn‘t work).
Click to expand...
Not true. My daughter got locked out because someone was trying to get into her Apple ID. So Apple locked her account and she had to verify who she was. This too almost 2 weeks.
 
Last edited:
  • Like
Reactions: southnorth
E

everglade9441

macrumors newbie
Oct 28, 2024
3
4
palemonkey said:
If you enable stolen device protection then unlocking the Passwords app using your passcode is removed as an option, leaving only Face ID.

You should enable this regardless.

About Stolen Device Protection for iPhone – Apple Support (UK)

Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as your home or workplace.
support.apple.com support.apple.com
Click to expand...

This is a great suggestion, although I haven't tested it yet on my iPhone, however, stolen device protection is not really available on macOS.
 
E

everglade9441

macrumors newbie
Oct 28, 2024
3
4
I will add that most Apple users are probably using Standard iCloud data storage encryption, which is not zero knowledge on Apple's part. You can opt into Advanced Data protection for iCloud for a zero-knowledge storage of your data, but read up on the caveats before you do, of course. For some of my credentials, that's just not good enough.

Additionally, the usability on macOS does not seem to be on par with the efforts they've put into automatic login in iOS, so I'm not sure I'd be ready to adopt the Apple Passwords app even if I didn't have concerns about some of it's security.
 
  • Like
Reactions: southnorth
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom