Perhaps I'll get Agile Bits' take on this using their forums. I suspect they don't adopt a standard off-the-shelf security posture since it would likely be obsolete. Something like "hey, if someone has the credentials to access my naked photos and other documents, might as well let them have my passwords" is probably not the way they think about it.

I'll take our ex-NCSC consultants from NCC Group over the vendor, thanks.
 
Perhaps I'll get Agile Bits' take on this using their forums. I suspect they don't adopt a standard off-the-shelf security posture since it would likely be obsolete. Something like "hey, if someone has the credentials to access my naked photos and other documents, might as well let them have my passwords" is probably not the way they think about it.

Agile Bits will quote standard security practices like any other vendor.

Apple should have a separate master password for Passwords and not default back to the account one, but if someone has access to your master password - by brute force or social engineering - it doesn't matter.
 
Starting with macOS Sequoia (v15), the same risk exists in 3rd-party password managers that have fingerprint biometric enabled, e.g., Dashlane. ...

Detail: on a Mac running macOS Sequoia, if Dashlane in Chrome has biometric unlock enabled, a fingerprint prompt appears when starting Dashlane in Chrome. If the fingerprint works, Dashlane opens, as expected. But if the fingerprint fails, a prompt appears for the Mac's password, not Dashlane's master password, as was the case before macOS Sequoia. I confirmed this with Dashlane tech support over numerous exchanges. They confirmed it started with macOS Sequoia.

Anyone with your Mac's user password can unlock Dashlane after the fingerprint fails. This is probably the same behavior in other macOS 3rd-party password managers, which would also rely on macOS to handle the fingerprint reader.

Per 1Password's documentation (https://support.1password.com/touch-id-mac/), and based on my experience with 1Password on Sonoma 14.7.2, the 1Password account password (formerly called the "master password"), NOT the macOS user password, is required to unlock 1Password when Touch ID fails or if you just click the "Use Account Password..." button.


The 1Password documentation states:

Sometimes you’ll need to enter your account password instead of using Touch ID:

  • If the amount of time in Settings > Security > “Confirm my account password” has elapsed
  • If Touch ID isn’t available, like when the built-in display is closed on your Mac
  • If you add or delete a fingerprint from your device
I haven't personally verified the third bullet on Mac, but it works that way on iPhone/iPad.

That is not the case with 1Password. If biometrics fails you must use your 1Password password, not your macOS password.

@svenmany: Can you confirm 1Password biometric unlock works the same on Sequoia 15.2? (Maybe that's what you were saying, but I'm just trying to verify macOS 15 didn't actually break something.)
 
Agile Bits will quote standard security practices like any other vendor.

Apple should have a separate master password for Passwords and not default back to the account one, but if someone has access to your master password - by brute force or social engineering - it doesn't matter.

They might add a bit of perspective, but I agree that it will represent standard security practices.

There's a standard concept of data security risk levels. Some data is more sensitive than others. It's probably standard practice to provide additional restrictions on more sensitive data. The master password of 1Password is that additional restriction on the more sensitive password data.
 
@svenmany: Can you confirm 1Password biometric unlock works the same on Sequoia 15.2? (Maybe that's what you were saying, but I'm just trying to verify macOS 15 didn't actually break something.)
Per 1Password's documentation (https://support.1password.com/touch-id-mac/), and based on my experience with 1Password on Sonoma 14.7.2, the 1Password account password (formerly called the "master password"), NOT the macOS user password, is required to unlock 1Password when Touch ID fails or if you just click the "Use Account Password..." button.

This experience with Sonoma is the same that I experience on Sequoia 15.2. I haven't tried deleting a fingerprint, but I'm willing to test it if you want me to.
 
There's also the whole "all your eggs in one basket" issue. I still remember one evening last spring when I spontaneously got booted off of iCloud on every single Apple device I owned -- along with untold thousands of others. Apple of course never offered a peep of explanation.

I got lucky and was able to reset my iCloud password within like half an hour. But there were others on these very forums saying they were locked out for a week or more. If I'd had all my passwords and auth codes in iCloud, not hard to imagine some scenarios (travelling, for one) where I'd be totally f****ed.

So, I continue to keep all my passwords in 1Password, and once a month or so I now do a full export to a file I keep on an encrypted disk image saved to multiple places. Seems paranoid, but the stakes are pretty high at this point.
 
Company Mac with your employer’s IT…. I don’t see an issue. You don’t put personal passwords on a company computer.
Do you mean to say "Don't put personal passwords on a company computer!". I am sure people put personal passwords on their company computer just because they're lazy.
 
I've had several repairs done by Apple on phones and the Mac, and the procedure is always the same:
They check you have backed up the device, disabled 'Find My' and signed out of your Apple account, so I don't see this as being an issue.
 
I don't use password managers, I don't care about Apple's Passwords app, I thought you might be interested in:
"Broken isolation: Draining your Credentials from Popular macOS Password Managers" W. Regula

PDF Slides https://objectivebythesea.org/v7/talks/OBTS_v7_wRegula.pdf
I'm curious to know why 1Password wasn't part of this talk. Chances are good that it's the most popular 3rd party Mac password manager.
 
Mainly my memory. I don’t stay logged in, so I have to log in every time, thus refreshing my memory every day :)

You have a LOT better memory than me and, I would expect, at least 99.9% of people that use good password practices. I have literally hundreds of unique, long and complex passwords, and even taking the time to memorize a few would be a fool's errand. And the vast majority I only use occasionally, which means they would be forgotten well before the time I needed them.
 
You have a LOT better memory than me and, I would expect, at least 99.9% of people that use good password practices. I have literally hundreds of unique, long and complex passwords, and even taking the time to memorize a few would be a fool's errand. And the vast majority I only use occasionally, which means they would be forgotten well before the time I needed them.

I'm in the same boat as you.
 
After a couple of attempts to authenticate with FaceID, it fails over to the phone's passcode.
Yep. This is another reason I use 1Password. In absence of biometrics, it requires a password I set that's totally different from the device PIN. Making the unlock code the master key to the entire iPhone (including your Passwords app) is just a massive security hole. If someone peeps your PIN and gets hold of your phone, you are potentially very, very screwed.
 
I'm curious to know why 1Password wasn't part of this talk. Chances are good that it's the most popular 3rd party Mac password manager.
Probably because it's Electron based and vulnerable in the same way as the others.

"The problem with Electron applications"
 
Does no one use 2 factor authentication? I’m not leaving my phone with my laptop if I bring it in for repair. Also, as mentioned in an earlier post, I do a Time Machine backup, erase the SSD and install clean macOS. Beyond passwords, I don’t want anyone seeing documents on my computer like tax returns and such.

Only had to do this once, when I had to get a replacement top case for my 2017 MBP.
 
Mainly my memory. I don’t stay logged in, so I have to log in every time, thus refreshing my memory every day :)
Isn't the problem with memorised passwords that they are easy to crack?
So the modern way is to let them be computer generated (very hard to crack but impossible to remember) and then store them in Keychain/1Password etc.
Then have 2FA for as many of these as possible.
Also companies like Google / Apple will alert you via email if someone is logging in from a different IP address / location.
 
IT consultant here.

Apple's Passwords app is a huge security risk, potentially a disaster.

Here's why:

Unlike a 3rd-party password manager, Apple's Passwords app doesn't use a unique master password and instead uses your Mac user account password.

Any computer technician, IT dept personnel, any other admin account on your Mac (any admin can reset any user's password), scammer with remote access (common), thief who guesses or cracks your weak password (rare), family member or friend with your Mac's user password (common) can open the Passwords app and see and use all the passwords, and open and use (but not see) the passkeys in the Passwords app. When biometrics fail, the Passwords app asks for your Mac's password.

For example, say you take your Mac in for repair to any computer shop. They need your Mac user password to login and work on it. If you had any 3rd-party password app with its own master password, no technician could access your password vault. And if they asked for your password manager password, you'd say no! But they can access your Apple Password app with your Mac password.

The track record of computer repair shops honoring privacy is poor.
Study: "No Privacy in the Electronics Repair Industry" https://arxiv.org/pdf/2211.05824

Imagine leaving your company Mac with your employer's IT dept. Even without your Mac password, they could reset your user password then have access to your Password app info. Under no circumstance would you normally give your employer all your passwords!

Would you give a copy of your house or apartment key to a cleaning person, roommate, dog walker or house sitter if that same key unlocked all your email accounts, bank & brokerage accounts, government accounts, healthcare and shopping accounts, social media accounts, et al.? NO! Well, your Mac password is like a house key that does all that and more.

I've helped dozens of victims of scammers who tricked victims into calling them and giving remote access for technical help. The criminals either pushed a pop-up ad that looked like a computer warning ("your device is infected") or paid for Google search result ads that impersonated a tech company (e.g., XInfiity instead of Xfinity, fake Epson and fake Facebook support).

In all those cases, victims gave the scammers remote access to get help. Often, the criminal with remote access went to System Settings and fussed with settings to put on a show and make a setting change that required the Mac's password. Victims either typed their Mac password or told the scammer. Also often, the criminal with remote access started Terminal and typed showboating commands starting with "sudo," which prompts for the Mac password (no biometric option). Many victims gave their Mac user passwords to scammers to help such fake adjustments / repairs.

Not even the most naive victims I've helped would ever give a scammer or real technician their password manager's master password because there's absolutely no pretense for a real or imposter tech to ask for it. But all techs and scammers who get your Mac password also have keys to your kingdom.

Dashlane, 1Password and Bitwarden, for example, not only require a master password but offer separate 2-step verification (either only for "new" devices or every time) that uses a token-generating app instead of less-secure SMS texting. This master password should be unique, including never being your Mac's password!

If you can handle a 3rd-party password manager, stick with that instead and save yourself from possible total disaster.

If Apple allowed a separate password for its Passwords app, it'd be a safe contender. Apple already allows a separate password to lock Notes and for Screen Time, so Apple should also offer that for its Passwords app. I suspect they fear millions of tech support calls from people locked out of their Password app, though.

EXCEPTIONS: for people who don't currently use a 3rd-party password manager but use a browser's built-in password manager (Chrome, Firefox, Brave), Apple's Passwords app would be better because browsers' built-in password managers also unlock with your Mac password; plus, every couple of years hackers figure out how to steal passwords from browsers' built-in password managers (usually through a dangerous browser extension).

A 3rd-party password manager is best. For maximum security, use a 3rd-party password manager like Bitwarden (w/2FA) without its browser plugin, but you'd have to copy/paste into a browser (not using the password manager's browser add-on enhances security but at the expense of convenience; I only know one person doing this).
If you create a new guest user, can't the repair shop just use that?
Why would they need an admin user?
If it's a tech problem rather than a repair, then you should be on the call with them.
 
Isn't the problem with memorised passwords that they are easy to crack?
So the modern way is to let them be computer generated (very hard to crack but impossible to remember) and then store them in Keychain/1Password etc.
Then have 2FA for as many of these as possible.
Also companies like Google / Apple will alert you via email if someone is logging in from a different IP address / location.
I follow the XKCD route of making my passwords easily remembered short phrases. Also use 2FA for most everything.

 