Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Why Apple's Passwords app is huge security risk
- Thread starter Jtte
- Start date
-
- Tags
- passwords app security
- Sort by reaction score
Agile Bits will quote standard security practices like any other vendor.
Apple should have a separate master password for Passwords and not default back to the account one, but if someone has access to your master password - by brute force or social engineering - it doesn't matter.
Per 1Password's documentation (https://support.1password.com/touch-id-mac/), and based on my experience with 1Password on Sonoma 14.7.2, the 1Password account password (formerly, called the "master password")--NOT the macOS user password--is required to unlock 1Password when Touch ID fails or if you just click the "Use Account Password..." button.
The 1Password documentation states:
Sometimes you’ll need to enter your account password instead of using Touch ID:If the amount of time in Settings > Security > “Confirm my account password” has elapsedIf Touch ID isn’t available, like when the built-in display is closed on your MacIf you add or delete a fingerprint from your device
@svenmany: Can you confirm 1Password biometric unlock works the same on Sequoia 15.2? (Maybe that's what you were saying, but I'm just trying to verify macOS 15 didn't actually break something.)
They might add a bit of perspective, but I agree that it will represent standard security practices.
There's a standard concept of data security risk levels. Some data is more sensitive than others. It's probably standard practice to provide additional restrictions on more sensitive data. The master password of 1Password is that additional restriction on the more sensitive password data.
This experience with Sonoma is the same that I experience on Sequoia 15.2. I haven't tried deleting a fingerprint, but I'm willing to test it if you want me to.
You mean you have set Passwords app to use Biometrics only and NOT the user password.
This sounds a very good idea, but I can't see a way of doing this. How do you do it?
Last edited:
Thanks. I have done that on my iPhone, but on my Mac I still get the same screenshot. Which means my Mac Passwords app can be opened with the user password.
Typos edited
Last edited:
There's also the whole "all your eggs in one basket" issue. I still remember one evening last spring when I spontaneously got booted off of iCloud on every single Apple device I owned -- along with untold thousands of others. Apple of course never offered a peep of explanation.
I got lucky and was able to reset my iCloud password within like half an hour. But there were others on these very forums saying they were locked out for a week or more. If I'd had all my passwords and auth codes in iCloud, not hard to imagine some scenarios (travelling, for one) where I'd be totally f****ed.
So, I continue keep all my passwords in 1Password, and once a month or so I now do a full export to a file I keep on an encrypted disk image saved to multiple places. Seems paranoid, but the stakes are pretty high at this point.
I got lucky and was able to reset my iCloud password within like half an hour. But there were others on these very forums saying they were locked out for a week or more. If I'd had all my passwords and auth codes in iCloud, not hard to imagine some scenarios (travelling, for one) where I'd be totally f****ed.
So, I continue keep all my passwords in 1Password, and once a month or so I now do a full export to a file I keep on an encrypted disk image saved to multiple places. Seems paranoid, but the stakes are pretty high at this point.
Do you mean to say "Don't put personal passwords on a company computer!". I am sure people put personal passwords on their company computer just because they're lazy.
This thread is the macOS Sequoia forum, so we're talking about macOS here. It's not possible to do what you described in macOS.