How secure is a locked Apple Note?

Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
I've been storing my passwords in locked Notes. Each password protected site has its own Note. Since Notes are accessible on my iPhone and iPad, I'm wondering if they are ever stolen or lost how secure the locked Notes are.
When I google this many people seem to suggest getting a password manager but that has always seemed dangerous to me, like "keeping all one's eggs in a single basket". Others suggest using Apple's built-in password manager.
I'm wondering what this community thinks?
Thanks.
 
Jake, Winchester, VA (MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)):
I have done both third-party apps and now the Apple app. Both ways are pretty good. I don't keep passwords anywhere else. Both my third-party app (1Password) and Apple's Passwords sync through my iCloud account to my iPhone and iPad. And both will create strong passwords for me when I open a new account somewhere. I don't even know most of my passwords, just let either 1Password or Passwords fill in the login when needed. The advantage of 1Password is that it also can store software license and credit card information. The disadvantage is that it is a subscription service, so I have to pay every year while the Apple app is free. I've been slowly migrating from 1Password to Passwords so that I can stop the subscription soon.

So that's one vote.
 
Rod, Melbourne, Australia and Ubud, Bali, Indonesia (2021 M1 MacBook Pro 14" macOS 14.5, Mid 2010 MacBook 13", iPhone 13 Pro Max, iPad 6, Apple Watch SE):
They are as secure as your iPhone access and password, be that a PIN, finger biometric or Face ID. BUT Apple now has its own Password Manager called, you guessed it, "Passwords". I would for convenience alone be using that, and it still requires your device password or Face ID to open.
 
Poster from Southern New England (2024 M4 14" MBP, iPhone 16 Pro Max, Watch S7 & Watch S9, AirPods Pro 1):
I used to use a password manager, but stopped a few years ago. Now I strictly use the built-in Passwords app on all my Apple devices.
 
Ian (IWT), born Scotland, worked all over UK, lives in Wales (M2 Max Studio Extra, 32GB memory, 4TB, Sequoia 15.4.1, Apple 5K Retina Studio Monitor):
I've been storing my passwords in locked Notes.

I think the only problem with Notes and its Password is that you can only have one PW for all the Notes - at least, that is the case with my Notes App - I'm still on Sonoma - maybe it's different with Sequoia.

In other words, you can't - or at least I can't - have separate PWs for each Note. If your situation is the same, then if someone breaks that PW, they have access to all of the Notes.

Ian
 
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
Ian, wouldn't that also be true with any PW manager? If anyone manages to access that then they will have access to all the passwords.
 
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
When I used Windows I used to keep all my passwords on a program called InfoSelect which encrypted all entries. But that is not available on the Mac. About a year or two ago I asked here if anyone knew an equivalent program for the Mac but the closest I came was Notes. Always in the back of my mind is the fear that since my only hacking protection is Malwarebytes, which does not seem to me to be as robust as Norton or the others, that I somehow get a key logging thing installed. That would be disastrous.
And I really do not have any protection at all on my iPhone or iPad.
 
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
Thanks Jake but my concern isn't the individual passwords, although stronger is always better, but the ability of someone to access the locked Notes. I am wondering if anyone knows just how hard or easy it is to break into a locked Note.
 
Jake, Winchester, VA (MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)):
Ian,wouldn't that also be true with any pw manager? If anyone manages to access that then they will have access to all the passwords.
Yes. And that is why the password to any password manager needs to be very robust. I use a pass phrase of multiple words, with symbols in some places.
You don't need Malwarebytes. Apple has built in protections in the form of Xprotect Remediator. Here are a series of articles on Xprotect Remediator. It gets regular updates from Apple, including one this week.
Thanks Jake but my concern isn't the individual passwords, although stronger is always better, but the ability of someone to access the locked Notes. I am wondering if anyone knows just how hard or easy it is to break into a locked Note.
Bear in mind that by default your internal storage on that Mac Studio is encrypted. It is protected by your account login. You can also increase security by turning on FileVault, which adds another layer of security by encrypting the key that unlocks the drive, kind of a password for your password. All you need to do is log in and the rest happens in the background. But if someone steals your Mac and tries to get in, without your password they cannot get to the keys to the drive area and the drive is fully encrypted, so they can't bypass it either. And because the drive is already encrypted, there is no performance hit from having FV turned on.
 
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
Thank you Jake. Obviously I'm totally out of touch and have never even heard of Xprotect Remediator. I will read the articles you referred me to and also look into File Vault.
But are these protections also available in IOS? I think I'd be more vulnerable there to loss or theft.
Thanks again.
 
Jake, Winchester, VA (MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)):
But are these protections also available in IOS? I think I'd be more vulnerable there to loss or theft.
In iOS and iPadOS the key is to have a stronger password. Not too many folks are aware that if you go to Settings>Face ID & Passcode>Change Passcode there are multiple options there. Here is a screenshot:
[screenshot: IMG_4444.jpeg]
From there you can create a stronger passcode than the default 4-Digit, even extending to alphanumeric. So if you are concerned about security on them, set a stronger passcode. Of course, when it's time to unlock you have to type in the longer passcode, but security isn't free, after all. And if you have Face ID turned on, then you can unlock most of the time with your face and not have to use the passcode very often. Anybody who steals your iDevice will have a harder time getting in. You can also turn on "Stolen Device Protection" that adds another layer of security in that you can set it to provide additional limits: About Stolen Device Protection for iPhone - Apple Support

Now, if you are sufficiently paranoid, then no level of security is sufficient, but for most of us, Apple provides quite a bit of internal security.
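The two points Jake makes above, a long pass phrase for the manager and a longer-than-4-digit passcode on the phone, both come down to how big the space an attacker has to search is. The following is an added example, not code from the thread or from Apple; the guess rates (an offline attacker at 1e10 guesses per second against a copied encrypted blob, an online attacker at about one guess a minute against a device that throttles failed attempts), the 7776-word list size and the 10-symbol alphabet for the "symbols in some places" are all my assumptions for illustration.

```python
"""Added example: compare the search space and expected guessing time of the
secret styles discussed in the thread. All rates and list sizes below are
assumptions for illustration, not measurements of any Apple product.
"""
import math

OFFLINE_GPS = 1e10        # assumed: offline attacker with a copied blob, guesses/s
ONLINE_GPS = 1.0 / 60.0   # assumed: throttled device, roughly one guess a minute


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must cover for a uniformly random secret."""
    return alphabet_size ** length


def passphrase_space(wordlist_size: int, words: int,
                     symbol_slots: int = 0, symbol_alphabet: int = 10) -> int:
    """Candidates for `words` random words from a list plus `symbol_slots`
    random symbols (assumed 10-symbol alphabet) inserted at fixed places."""
    return wordlist_size ** words * symbol_alphabet ** symbol_slots


def entropy_bits(space: int) -> float:
    """Entropy of a uniform choice over `space` candidates."""
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit the secret: on average half the space is tried."""
    return (space / 2) / guesses_per_second


def humanize(seconds: float) -> str:
    """Coarse, readable duration for the comparison table."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2e} seconds"


def compare() -> list:
    """Worked comparison of PIN lengths, a random password and pass phrases.
    7776 is the size of a Diceware-style word list (assumed here)."""
    candidates = {
        "4-digit PIN": search_space(10, 4),
        "6-digit PIN": search_space(10, 6),
        "8-char alphanumeric": search_space(62, 8),
        "4 words, no symbols": passphrase_space(7776, 4),
        "4 words + 2 symbols": passphrase_space(7776, 4, symbol_slots=2),
    }
    rows = []
    for name, space in candidates.items():
        rows.append({
            "secret": name,
            "bits": round(entropy_bits(space), 1),
            "offline": humanize(expected_seconds(space, OFFLINE_GPS)),
            "online": humanize(expected_seconds(space, ONLINE_GPS)),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f"{row['secret']:<22} {row['bits']:>5} bits  "
              f"offline: {row['offline']:<18} online: {row['online']}")
```

Two things the table shows that the prose does not: a 4-digit PIN survives only because the device throttles guesses (it is gone in well under a second offline, which is why the drive encryption and FileVault discussion matters), and four random dictionary words already carry more entropy than an 8-character random alphanumeric password, before any symbols are added.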
 
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
Now, if you are sufficiently paranoid, then no level of security is sufficient, but for most of us, Apple provides quite a bit of internal security.
That's me for sure. I've got financial stuff there that would be disastrous to lose.
But I will take advantage of all the good advice I've gotten here. Thanks Jake and everyone.
 
Rod, Melbourne, Australia and Ubud, Bali, Indonesia (2021 M1 MacBook Pro 14" macOS 14.5, Mid 2010 MacBook 13", iPhone 13 Pro Max, iPad 6, Apple Watch SE):
Sorry Mark F, I missed the fact that you had already been suggested Apple's built-in password manager.

Honestly, I think a lot of people overthink the Security thing. As Jake has pointed out Apple devices already have a lot of built in security. If you take advantage of all of that eg. Hide My Email, Private Relay, Two Factor Authentication, Trusted Devices, Biometric recognition and Face ID, complex passwords and Stolen Device Protection you are not a "soft" target. It's my impression that there are still lots of "soft" targets out there.

My opinion is that chances are you will never be hacked and, let's face it, if a hacker got access to, say, a bank account login, there is still the difficulty of transferring any substantial amount of money to another account or spending much from a credit card if you have, like me, set daily limits and transaction notifications. These days most online theft is through phishing and deception, although identity theft is often a part of that.

To deserve a complex plot to steal your identity for the purposes of property theft you need to be a worthwhile target. You're much more likely to be the victim of an investment scam where you voluntarily give your money away.

Personally I have been the victim of credit card fraud once, where a couple of thousand dollars was gambled away overnight at a location in another state. I caught it the next day, put a block on my card, the bank did not question the illegitimacy of the transactions, I received a new card within a week and my money was refunded.

So, I use Apple's Passwords app for pretty much all my online passwords and Enpass for government, banking and financial apps and sites, because Apple's Passwords app does not have specific Categories or Templates for things like credit cards, passports, driving licenses, insurance documents etc., whereas Enpass Password Manager does. It's not a subscription-based app, stores all my passwords/passkeys locally and syncs them to Enpass on my other devices via iCloud. Face ID or biometrics are required to open it on any device. I might also add that I use a full-time VPN on all my devices so my IP address is hidden, my activity is not logged and all my data is encrypted both ways.

Of course nothing is completely foolproof, that's impossible, but keeping yourself informed, staying safe online and utilising advances in security is a big part of it. Passkeys are of course a recent example of this; all my social media sites are now accessed with passkeys, this includes Google, Facebook, PayPal, WhatsApp, MyGov and more.

To sum up, I don't think using secure Notes is a good (safe) way to store your online passwords long term. It's not designed for that purpose and I have heard of users losing all their Notes from time to time during System Upgrades and data transfers. It's not protected like the Passwords app, where you receive notifications and ID verification is required for changes and edits.
 
Last edited:
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
Hi Rod,
First, thank you for your thoughtful reply.

In January of 2024 my adult son sent a frantic email at about 11:00pm in a panic. He had begun receiving emails on his laptop from his phone carrier, bank and brokerage firm acknowledging that his passwords had been successfully changed. He couldn't even call because the hacker had taken over his phone account and his phone was now useless. Fortunately I was still awake and on my computer to see the email so I was able to contact his bank and broker and freeze his accounts. He did not lose any money but it took months to straighten things out. All his passwords were stored on his phone. We still do not know how the hacker was able to obtain his phone's password as he is very careful with this.

About two years ago I received a notice from the Internal Revenue Service that I owed several thousand dollars in taxes. When I investigated it turned out that someone in a different state had somehow obtained my tax identification number (Social Security number) and had been employed using that number without paying tax. It took me a year + to straighten that out, including filing court papers.

I am retired and rely on savings kept in bank and brokerage accounts. While I agree that it is unlikely that these could be hacked, it is not impossible. Others have already suffered losses this way. For me it would be catastrophic. In my view, you do not gamble what you cannot afford to lose. No matter what the odds, if you cannot afford the loss do not gamble. Someone always wins the lottery, despite the odds.

So perhaps others will see me as overly cautious, maybe even paranoid, and security is a nuisance. But it lets me sleep better.

Mark
 
Rod, Melbourne, Australia and Ubud, Bali, Indonesia (2021 M1 MacBook Pro 14" macOS 14.5, Mid 2010 MacBook 13", iPhone 13 Pro Max, iPad 6, Apple Watch SE):
You are welcome Mark, obviously online security is very important to us all, it's essential to keeping us safe in what has become a hostile environment. I do believe that a purpose made password manager is the best method of keeping passwords safe even in the event that your device is lost, stolen, hacked or cloned.

In the first two examples apart from Find My iPhone/Computer/Watch you also have the option of erasing the device remotely as well as the "locked" device function which kicks in after too many failed attempts to login. In the latter cases unusual activity on the device would be the alarm bell but again a P/W manager still requires ID verification to open as does a cloned iPhone.

So, the example of your son is an interesting one, this does sound like an instance of cloning or mirroring but in both cases I think the PIN for the phone would be required. Once entered the first thing the criminal does is change the PIN and probably face ID if used. Stolen Device Protection, if on, prevents this by delaying the action if not in a recognised location, notifying all other devices on the same account and requiring 2FA from a secondary device after 30min, plus a biometric or face ID. Of course none of this works if you don't have 2FA which is why it's so strongly recommended.
If you get a notification as above you can check "My Devices" in Find My... and if you see an unfamiliar device remove it. This effectively renders that device useless. The next step would be to change your PIN.

In Australia we don't have "burner" phones, to purchase a mob phone you need proof of ID, usually in the form of a drivers licence which also has your photo and address on it, a credit card in the same name and proof of address, usually a utility bill for that address in the same name. Even if you were to buy a second hand phone online you still need a SIM card which requires the same above ID details.
Our banks here require a One Time Password (OTP) sent to the mob number of the account holder to make changes to their account like transaction limits, large transfers, passwords or user details. It's a real pain when updating to a new phone but it means even a cloned phone cannot do much with a bank account, even from a browser much less the bank's app which is usually not transferable anyway without that OTP. The same thing goes for Authenticator apps, you can't transfer them to a new phone without the old phone in front of you because like eg. Google Authenticator you need to scan a QR Code off the app on the old phone.

As for getting a job here in Australia a Tax File Number would be inadequate on its own, but I suppose if you used all of your own ID details but someone else's TFN it would take a little while before it was uncovered. If you used it as a part of ID here you would still need other documents to support it. Here you would need a Medicare number as well as photo ID of some sort and usually a bank account in the same name for wage payment to get a job long term; maybe they were paid by check. So, I suppose what you are saying is they used your ID to get the job and your TFN for their tax records. In Australia it's not that easy: your employer deducts your taxes before payment via a system called PAYG. After you file your tax return you either get a refund of those taxes, nothing, or a debit depending on your circumstances. Not much point in that.
 
Rod, Melbourne, Australia and Ubud, Bali, Indonesia (2021 M1 MacBook Pro 14" macOS 14.5, Mid 2010 MacBook 13", iPhone 13 Pro Max, iPad 6, Apple Watch SE):
Accidental duplication
 
Mark F (OP), New York (Studio, 32gb RAM, BenQ 270C Monitor, OS X 15.3):
Stolen Device Protection, if on, prevents this by delaying the action if not in a recognised location, notifying all other devices on the same account and requiring 2FA from a secondary device after 30min, plus a biometric or face ID. Of course none of this works if you don't have 2FA which is why it's so strongly recommended.
If you get a notification as above you can check "My Devices" in Find My... and if you see an unfamiliar device remove it. This effectively renders that device useless. The next step would be to change your PIN.


Excellent advice Rod. I've forwarded this to my son and will follow it myself. Thanks.
 