Password Manager Question

Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
Hello-

I hope everyone is doing well. I am looking at using a password manager instead of Keychain. I was wondering, will I still be able to use my finger to log into sites on my MacBook Pro and iPad? Can I use the facial recognition on my iPhone? Or will it work differently? Also I was wondering, I read some directions on one of the password manager sites and it said to turn off Keychain after somehow getting the passwords exported into the new password manager. Do I also have to delete all the passwords from Keychain?

I thought Keychain was safe but I saw a video about a lady who was scammed, someone looked over her shoulder when she keyed in her iPhone password and later, the accomplice stole her phone and immediately changed her iCloud password and from there she was screwed. This got me a bit nervous and I think it's time to be safer. Keychain works really well, I hate to give it up but sadly, I guess it's the times we live in that force us to examine these things in our lives.

Thanks for your help!
Allison
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
So... I use 1Password 7. I personally don't recommend them anymore since they have gone all-in on subscription pricing and syncing over their cloud service, which I personally am extremely averse to. I'm still on a version that I paid for once a few years ago and syncs over iCloud.

That said... TouchID/FaceID works fine with 1P on Mac and iOS. On my iPhone, when prompted for a password, I get a choice to use 1P or Keychain.

You absolutely do NOT have to stop using Keychain. I know 1Password recommends you do, but there's no GOOD reason to not use both. I'm of the opinion that you shouldn't keep all your eggs in one basket. Plus... if you go the subscription route, you are now indentured to them. Decide to stop using their service or fail to pay? Wellllll.... it's a shame you can't access your own data now.

As for the video you refer to... well that seems to be correct. I just tested this myself and was surprised how easy this could be. I think it may be worth using a 3rd party password manager to store passwords since that manager can have its own unique password. Maybe keep using Keychain but NOT store your Apple credentials in it. Or take their advice and use the password manager exclusively, and delete your Keychain entries. Of course this is worth mentioning... one could be watching patiently enough; learn the iPhone passcode; then watch more and learn the password for the password manager, if lucky enough to spot them manually entering it if the FaceID/TouchID methods expire and require re-authentication. The better practice is to be aware of your surroundings and not enter these details if there is a risk of being observed. This includes the potential for security cameras to see you.
 
Joined
Jan 1, 2009
Messages
15,455
Reaction score
3,809
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Allison, if your iPhone supports it (and it does), use facial recognition to open the phone. That way you don't have to type in a code. Nothing for anybody to see. And if somehow someone gets your iPhone, they won't be able to use it because they won't have your face.

As for password keepers, I agree with Lifeisabeach, pretty much. I use Enpass, used to have 1Password and left for exactly the same reason he cited. But keep Keychain going, it's free, it works, and it syncs to all your Apple devices through iCloud.

I'm not sure what LIAB means by:
As for the video you refer to... well that seems to be correct. I just tested this myself and was surprised how easy this could be.
Not disputing it, just don't know what video he is talking about. I heard the story about thieves stealing unlock codes and then stealing the iPhone and locking others out before they can react. I haven't seen any video on it, though. Looking over someone's shoulder to see a code being typed in is easy if the victim is unaware of surroundings, I suppose, but again, use facial recognition and don't type the code. If, for any reason, you DO need to type in the code, be aware of your circumstances and hide the code as well as you can. Even put your back to a wall, not a window, to enter the code, if you are really worried. But most times just cupping the phone in your hand, holding it close to your body, and typing with multiple fingers can make peeking pretty difficult.

As for passwords to my password application, mine is currently 35 letters, numbers and characters. It's basically a string of words I obtained from a navigation site called What 3 Words, based on a location that is of interest to me, but no one else, plus some numbers and sprinkled in characters. Yes, it's hard to enter, but it was designed that way. I had to type it in on my iPhone once, then authorized facial recognition and now don't have to enter it again. But anybody who steals my phone and tries to get into it will face a very long, very hard password to break.

So, don't get paranoid about it, stay vigilant, use facial recognition, turn on 2FA as much as you can for as many sites as you can. If you decide to get a keyword app, the greatest use is to generate really hard passwords, use them, then turn on facial recognition to get to them. And keep Keychain.

I will say one thing about using a password app with Keychain. In Safari, and in other browsers that store passwords, when you move to the login block, you will get a prompt to see if you want to use the stored data for that website. What I find is that Keychain pushes in in front of Enpass with the offer. If I know Keychain has the latest data, I'll use it. But if I know that Keychain doesn't yet have that password because I just created it with Enpass, I'll reject the Keychain and open Enpass to get the account in. Then, at the end, Keychain offers to store that password, which I allow. Now both have the same data on the same account. It sounds more confusing than it really is, but did want to mention that it's important to keep both Keychain and your password keeper up to date.
 

IWT


Joined
Jan 23, 2009
Messages
10,218
Reaction score
2,175
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sonoma 14.4 Apple 5K Retina Studio Monitor
I understand that this is a rare occurrence, but it’s worth mentioning in respect of Keychain if that is the only means of storing passwords-

If you ever have to reset your Mac’s Admin Password, the process for doing this creates a new Keychain and the old one becomes inaccessible.

Ian
 
OP
D
Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
Thank you so much for this very good advice. I do have facial recognition and generally use it in public. Once in a while it seems to require the passcode but I agree it’s probably good to stay with Keychain and be super careful when using the passcode in public. iPhone Stolen Story. This is a link to the video, really eye opening how they acted as a team to pull this off. The original story was in the Wall St Journal I think, but the video explains it really well.
 
OP
D
Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
I did not know this. Thank you.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Not disputing it, just don't know what video he is talking about. I heard the story about thieves stealing unlock codes and then stealing the iPhone and locking others out before they can react. I haven't seen any video on it, though. Looking over someone's shoulder to see a code being typed in is easy if the victim is unaware of surroundings, I suppose, but again, use facial recognition and don't type the code. If, for any reason, you DO need to type in the code, be aware of your circumstances and hide the code as well as you can. Even put your back to a wall, not a window, to enter the code, if you are really worried. But most times just cupping the phone in your hand, holding it close to your body, and typing with multiple fingers can make peeking pretty difficult.

The OP is the one who mentioned a video. I personally don't know what video exactly they are referring to, but the tactic is what I confirmed. I masked my FaceID camera, forcing my iPhone to require me to enter my passcode to get in. Unlocking the Passwords required that same passcode, and VOILA! All passwords exposed, including the one stored for iCloud.
 
Joined
Jan 1, 2009
Messages
15,455
Reaction score
3,809
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Ah, OK on the video. I thought maybe you had seen a video of someone actually stealing an unlock code.

Yes, if the iPhone is unlocked, either with facial recognition or by passcode, the keychain is available. But again, you have to have the code AND the phone. So, using facial recognition removes having to use the code, taking one away. If someone steals the iPhone, they can't get in.
 
OP
D
Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
The video can be found here:
It just explains how the scam went down, not the actual stealing of an unlock code.
 
Joined
Jan 1, 2009
Messages
15,455
Reaction score
3,809
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
So, having watched the video:

1. Stay out of bars.
2. Use facial recognition or fingerprint to open the phone.
3. Set a stronger passcode, preferably alphanumeric, but the downside here is that if it is so difficult that you have to slow down to type it in, it may actually be easier to steal than a shorter code you can enter quickly with multiple fingers.
4. Don't put embarrassing stuff, or critical financial stuff, on the phone. OK, hard to do if you want to do banking, but maybe the phone isn't the best way to do that? Maybe restrict banking to your Mac?
5. Don't sweat it too much because it's really rare at this point.

I had read the WSJ article he refers to and while it was bad for the victim, a degree of prudence can reduce your exposure.

One thing he didn't point out is that 2FA doesn't HAVE to go to SMS to the phone. You can use other ways, including email, for many companies. Then set the email up NOT to be on the iPhone, just on some other device (your Mac). Again, not using the iPhone for banking.

BTW, One thing he missed is that if you have a third party password keeper and set it up for facial recognition and you go through the sequence the victim did and have the passcode to the phone stolen and then the phone stolen, if you have the third party password keeper set up for facial recognition to open it, the thieves can get into that by replacing your face with theirs using that same stolen passcode. Now the facial recognition will authorize the password keeper to open because the face matches what it's programmed for. So, if you DO get a password keeper, don't authorize any biometric access (facial or fingerprint recognition). It will be a really painful process to have to enter a strong password for the password keeper, in that case.

But I would say unless you hang out in bars, or other locations like that, where your code can be stolen by somebody getting really close and looking over your shoulder without you noticing, it's not something to really sweat over too much. Just use the biometrics in those risky locations.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
BTW, One thing he missed is that if you have a third party password keeper and set it up for facial recognition and you go through the sequence the victim did and have the passcode to the phone stolen and then the phone stolen, if you have the third party password keeper set up for facial recognition to open it, the thieves can get into that by replacing your face with theirs using that same stolen passcode. Now the facial recognition will authorize the password keeper to open because the face matches what it's programmed for. So, if you DO get a password keeper, don't authorize any biometric access (facial or fingerprint recognition). It will be a really painful process to have to enter a strong password for the password keeper, in that case.

Good catch!
 
OP
D
Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
So glad for this forum! I was headed down a rabbit hole after seeing the video but after reading all your individual takes on this situation, I can say I am not going to get a password keeper. I will only use my facial recognition in public, I won't put in the code. That is major. Also I can do other things like make the 2FA an email or phone that is not on my phone (like my husband's number/email). All great suggestions that I will incorporate in my safety plan. What a world we live in now!
 
Joined
Jan 1, 2009
Messages
15,455
Reaction score
3,809
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
One thing to be a bit careful of in setting the 2FA to your husband's email/number is that when YOU want to use the account, you'll need to be with HIM for that 2FA to work. As long as that is OK for you, it's a good approach. But that means if you are by yourself and want to access whatever is using HIS email/number for 2FA you won't get the 2FA information.

I would say that unless you live in a really dangerous area, just let 2FA come to you, but don't use the passcode to open the phone, just use biometrics.

Apple is working on new approaches to security, including something called a passkey. Basically, the passkey is saved, encoded, on your iPhone. You use biometrics to get to it, and it handles the secure negotiation with the other end to allow access. These passkeys would replace 2FA, eventually. As an example, let's say your bank takes passkeys. You would log in to your bank account, then set in that account that you want to use a passkey. The phone/Mac now negotiates over an encrypted connection to agree on the passkey to use to verify that it's you on the other end. Once the negotiations are done, the account will now accept that encrypted key from your iPhone or Mac. On the iPhone, use biometrics to authorize the use of the passkey. On the Mac, use either biometrics if your Mac supports it, or your login password if it doesn't, and the passkey is then sent to the bank and the account opens. No username/login pair, just the iPhone/Mac security and passkey. Much simpler, and much more secure.

Passkey is available now, for some institutions and accounts. Here is Apple's explanation: Sign in with passkeys on iPhone

The standards body for passkey is FIDO. There is a website that shows where passkeys are active:


There may be others, but those two are a good place to start.
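
How a passkey sign-in works at the protocol level, as an added example that is not part of the original posts and is not Apple's or FIDO's code: a simplified WebAuthn-style exchange in Node.js, with the site name bank.example and all class and function names constructed for the demo. The device keeps a private key and signs a one-time challenge from the site; the key itself is never sent.

```javascript
// Added illustration (not Apple's or FIDO's code): a simplified passkey sign-in.
// bank.example and all class/function names are constructed for this demo.
const crypto = require("node:crypto");
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// The device: holds one private key per site and never exports it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey;                  // only the public half goes to the site
  }
  // userVerified stands in for Face ID / Touch ID / device passcode succeeding.
  sign(rpId, clientDataJSON, userVerified) {
    const key = this.keys.get(rpId);
    if (!key) throw new Error("no passkey for " + rpId);
    if (!userVerified) throw new Error("user verification failed");
    // rpIdHash (32 bytes) | flags: user present + user verified | counter (4 bytes)
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 0])]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON, signature: crypto.sign("sha256", signed, key) };
  }
}

// The browser: binds the request to the origin actually being visited.
function browserGet(authenticator, origin, challenge, userVerified = true) {
  const clientDataJSON = JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin });
  return authenticator.sign(new URL(origin).hostname, clientDataJSON, userVerified);
}

// The site: stores only the public key and issues single-use challenges.
class RelyingParty {
  constructor(origin) {
    Object.assign(this, { origin, rpId: new URL(origin).hostname, pending: new Set() });
  }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString("base64url"));
    return c;
  }
  verify({ authData, clientDataJSON, signature }) {
    const client = JSON.parse(clientDataJSON);
    if (client.type !== "webauthn.get") return "wrong type";
    if (client.origin !== this.origin) return "wrong origin";
    if (!this.pending.delete(client.challenge)) return "unknown or reused challenge";
    if (!authData.subarray(0, 32).equals(sha256(this.rpId))) return "wrong rpId";
    if ((authData[32] & 0x04) === 0) return "user not verified";
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return crypto.verify("sha256", signed, this.publicKey, signature) ? "ok" : "bad signature";
  }
}

function demo() {
  const phone = new Authenticator();
  const bank = new RelyingParty("https://bank.example");
  bank.enroll(phone.register(bank.rpId));
  const attempt = (fn) => { try { fn(); return "signed"; } catch (e) { return e.message; } };
  const assertion = browserGet(phone, bank.origin, bank.newChallenge());
  return {
    login: bank.verify(assertion),
    replay: bank.verify(assertion),    // same assertion again: challenge already used
    // A look-alike site relays a fresh challenge from the real bank.
    phish: attempt(() => browserGet(phone, "https://bank.example.net", bank.newChallenge())),
    // Biometric / passcode check fails on the device: nothing is signed.
    unverified: attempt(() => browserGet(phone, bank.origin, bank.newChallenge(), false)),
  };
}

console.log(demo());
```

The site only ever learns that the device accepted its user check (`userVerified`), so the strength of a passkey sign-in rests on how the device itself is unlocked, which is the concern raised in this thread.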
 
OP
D
Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
Passkeys looks interesting, I will have to read it a few times to understand it completely. I don't understand how it's too different than Keychain with respect to the convenient login and if you type in your password, I assume this can also be changed over to the thieves like in the video? This is not my forte obviously, which is why I need to read this a few times. The FAQ on the FIDO site was extremely informative.

In my family we share an Amazon account and several streaming sites. We are used to getting passcodes, and it generally works ok for us. It's not a perfect system but at least we get to share accounts. I don't live in a particularly dangerous part of South Florida, actually, my city was named safest city every year for about the past 10 years or more so it's quite safe, but I do not want to tempt fate. Thank you for this passkey info, it's very interesting!
 
Joined
Jan 1, 2009
Messages
15,455
Reaction score
3,809
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
I think that the difference is that where you have set up passkeys for a site that requires login, you don't even need to present the login information at all. So, for example, if you go to your bank and it has passkeys set up, as soon as you open the site, you get access to your account. The security is in the pre-negotiated keys and the idea that the biometrics on your iPhone guarantee that you are you. At least that is how I see it.

Now, if that is right, a stolen phone passcode becomes easier to use. The thief just has to change your iCloud password, the biometrics (facial recognition) and the phone now becomes a trusted (albeit incorrect) device to open those accounts. So, when I go to passkeys, I plan to strengthen my iPhone passcode to be long and alphanumeric, not just the six numbers it is now. That will be a PITA each time I have to key that passcode in, but it will also be hard to be stolen. The bottom line is that your security has to be at some level, and with passkeys, that is at the access to the iPhone/Mac. But with biometrics, you don't face that stiff security as much as you might need, say, 2FA to work.
 
OP
D
Joined
Sep 14, 2018
Messages
108
Reaction score
14
Points
18
Location
South Florida
Your Mac's Specs
MacBook Pro (15-inch, 2018), Apple Watch: IPad Mini 3: Iphone 12 Pro
This makes sense to me. So I will do the same as you and strengthen my passcode and use the face recognition whenever possible.
 
Joined
May 21, 2012
Messages
10,703
Reaction score
1,158
Points
113
Location
Rhode Island
Your Mac's Specs
M1 Mac Studio, 11" iPad Pro 3rdGen, iPhone 13 ProMax, Watch S7, 2018 15" MBP, AirPods Pro
preferably alphanumeric
I usually choose this option, even if I were to set a passcode with just numbers, or only 4 digits.
 