OS X Mavericks preview: iCloud Keychain promises relief from password hell

OS X Mavericks preview: iCloud Keychain promises relief from password hell

Few features in OS X Mavericks will fundamentally change your computing experience as much as iCloud Keychain. It promises to fix Web password management once and for all on both Mavericks and iOS 7.

You need secure login credentials to be able to engage in e-commerce and other online activities, but keeping passwords straight can stump even the most advanced computer user. At best, you forget and need to reset your password every time you visit an infrequently-accessed site. At worst, you end up using an insecure password that opens you up to identity theft and other modern problems. Apple's fix for this problem is new in OS X Mavericks, and it's called iCloud Keychain.

iCloud Keychain - post its

"These solutions are not recommended," said Apple senior vice president of Software Engineering Craig Federighi during his keynote presentation at WWDC, showing a slide of an iMac covered in Post-It notes with passwords hand-scrawled on them.

Apple provides a handy and secure way to deal with this problem already, but it's somewhat hidden from view: the Keychain app in the Utilities folder. Keychain, integrated well into the operating system itself, keeps track of credentials like AirPort passwords, root certificates, RSA encryption keys and more. Now Apple's extending the Keychain concept in OS X Mavericks by making it iCloud-based, secure, and best of all, synchronized between your iOS 7 and OS X Mavericks devices.

iCloud Keychain will remember AirPort passwords just like the Keychain app does now, but that only scratches the surface. Web-based passwords are now front and center in iCloud Keychain. Safari will help you generate secure passwords that you don't have to remember - iCloud Keychain fills them in for you whenever they're needed.

iCloud keychain - credit cards

iCloud Keychain also retains credit card information, so you don't have to haul your card out from your wallet (or commit its number to memory) to place an online order anymore. The only piece of information you will have to remember is the security code that's imprinted on the back side of your card.

Web site password utilities are nothing new to OS X - they've been around for years, but they require users to know of their existence. By offering iCloud Keychain as an alternative, Apple is exposing the same kind of technology to everyone who downloads OS X Mavericks when it comes out this fall. It's another way that Apple is trying to keep Mac users safe and secure when they're online, and that's a good thing.

Are you going to use iCloud Keychain when you download Mavericks, or is this more control than you're willing to give the operating system? Do you already use a password manager that you're happy with? Please tell me in the comments! And make sure to check out these links for more information about OS X Mavericks.

Have something to say about this story? Leave a comment! Need help with something else? Ask in our forums!

Peter Cohen

Mac Managing Editor of iMore and weekend Apple Product Professional at a local independent Apple reseller. Follow him on Twitter @flargh

More Posts



← Previously

Great keyboard debate - Talk Mobile Hangout

Next up →

Do you want 3rd party software keyboards on your iPhone? [Poll]

Reader comments

OS X Mavericks preview: iCloud Keychain promises relief from password hell


Could you guys do a pros v. cons between this and password manager apps? I've been holding off on apps like 1password. Will this feature negate the need for password manager apps?

That's an outstanding suggestion, thanks! In short, I think there's still a place for password apps, but the dust hasn't settled yet. Once Mavericks is out in the world I think we'll be able to do a more balanced look at iCloud Keychain vs. password managers.

I like RoboForm. It works on all platforms mobile (iOS and Android apps) and desktop (supports Safari, Chrome, FIrefox, IE). It has a great password generator tool and has a form completion tool. On top of all this you can save notes and other items securely and sync across all your devices with ease. It is very secure and has a master password which encrypts all of your passwords so that only you can unlock access to your password saved data on top of your account password.

Synching would be incredible, hopefully this works as it seems it's being described.. I bought one password when I got my iPad because people wouldn't stop raving about it, then found my super complex passwords I setup in os x weren't synced. What's worse, I had to use their in- app browser to even take advantage. What's the point of setting up nutso passwords if it renders your mobile browsing impossible?

The greatest strength and security flaw with both cloud based and password managing apps is they use one master password to encrypt all the rest of your passwords. So loose or forget it, you've lost 'em all. However the benefit to using a password managing app is the private encrypted keychain is stored locally on your personal machine...unless it syncs with the cloud (like 1Password). In that case generate the longest password the site allows and store it someplace safe (within the password managing app for example). So even if the site does get hacked and looses their hash salts, the hackers still have to compare their guess against the salted passwords they've stolen, so the longer and more complex the better.

Initially the idea of iCloud stored passwords was appealing. But the more I thought about it the less I liked it. I have a 25 character long password for my password managing app (Excessive? Maybe but it's will take over 500 years at current computing speeds to crack), but the one I use for iCloud (my AppleID password) is much shorter, only 14 characters long, and easy to enter into my computers & iOS devices when making purchases. Also easy for someone to shoulder surf and view using any means at their disposal. Coupled with the plethora of high profile security hacks hitting the media over the past year or two (even Apple closed down to re-secured their developer portal after a security breach) - no one is safe! So why would I want to store my digital life where it could be compromised as easily as watching me type using a security camera?

So will I end up using iCloud password managing, not likely. Do I put too much trust into my password managing app? Maybe but I have over 350 unique passwords for each and every site I've ever been required to register for over the past 3 years. And I change, quarterly or semi-annually, the ones I use regularly.

So I basically upload all my passwords to Apple?
That's like forwarding them to the NSA directly.
(in case I'm wrong, just tell me... I actually wish to be wrong about that)

Why so sarcastic?

I read that many americans agree with the way how the government is handling that stuff, but if you break it to the core, the message is that "everybody" is an enemy. I really don't understand how anybody could be fine with such an assumption.

As I understand it, under this setup your passwords and login data and credit card numbers are encrypted on your devices. The encrypted data passes through iCloud as a necessary step in being synchronized on all your devices, but Apple never sees that data and couldn't read it unless you gave them the password needed to decrypt it. It's the same as it would be if you used 1Password or LastPass or any other password manager that shares info among your devices.

How secure this is will have to wait until we actually see it in practice and people have had a chance to try and hack it. I would certainly be willing to use it, but maybe not for everything right away, and I'll also continue using LastPass.

Edit: how safe this is from the NSA partly depends on how secure 256-bit AES encryption really is, and if it isn't safe we've got other problems besides the NSA.

What I'd like to know is, can i add my already existing passwords to it, or will it ONLY allow syncing / auto-entering of passwords that IT generates?

Won't work for me, as I use a Windows PC at work that won't let me install the iCloud Control Panel. I'd be SOL once I tried to input one of those crazy long passwords.

Couldn't agree more. I also can't seem to find anyone in the Apple journalism/blogging community that is willing to stand up and say, "So what Apple, LastPass has been doing this for years. Who cares if it baked in to the OS? Give us something we can use that actually is novel and not just white-washed with the Apple koolaid." I love my Mac, but until my employer decides to go Apple (not likely for a Fortune 200 company), this feature has limited utility for me which isn't compelling me to switch from LastPass.

I'm using 1PASSWORD on my MBA / iPad / iPhone and Windows PC - the passwords are stored in Dropbox and are synced to all my devices. Even the 3 character security codes for the credit cards are stored in 1PASSWORD. I don't think I'll be using anything else - it's a great app.

I feel like iCloud keychain could become a one stop shop for the government trying to get access to our data. The pros are outweighed by the cons for me. Pros would be convenience and reliable backup. Cons would be as I mentioned Apple having a lot of my information which could easily be given up to the government leaving all my accounts vulnerable. Not only the government but also against hacks.

The problem with 1Password is that, on an iOS device, it can't work from within Safari like it can on the Mac. So in iOS you have to first get out of Safari and launch 1Password and look up the login info then go back to Safari to input that information. It sounds like with iCloud keychain it will all work seamlessly from within Safari whether you are on a Mac or an iOS device. This would be a significant improvement over 1Password.

I typically just visit the website from within 1password. But the problem is that these apps are now fragmenting my web viewing experience.

When apple successfully integrates this feature into safari, I can see myself giving 1password up altogether.

Sent from the iMore App

I currently use mSecure to store my login credentials, credit card information, and other data on my Mac and iOS mobile devices. However, I'm am looking forward to using iCloud Keychain. It's a natural evolution for Keychain, where one's credentials for services are securely and automatically synchronized across devices in the ecosystem. And having my devices keep track of Airport network login changes automatically is a welcomed advantage.

I'm uncomfortable putting all my passwords into any cloud. Knowing the existing tech I have assumed for years that the gov could get at most things they wanted and I have no reason to fear the Feds. My fear is from hackers or just some mistake made on the cloud side that dumps my info into public domain.

Also, when password management becomes too convenient you have to wonder just how safe it is. Each company/app you trust to hold your keys is just another potential weak link in your personal security.

The cloud just means 1-stop-hacking. My home Mac is too small a target, but Apple or any other corp is a lovely little prize.

Can you guys add to the article about the actual experience of using it? As in, does it really work (at least in B2) on all sites? Any issues you ran into? Etc. Or are you avoiding all that until the actual release due to NDA and, well, bugs?

In any of our OS X and iOS preview pieces, we're going to limit ourselves to discussing info that's been made publicly available.

I'm a big LastPass fan, and I use it on PC as well as Mac. So would be hard to switch. But the integration in mobile Safari on iOS would be killer. Decisions, decisions... Also, highly skeptical the NSA is after the passwords of the nerds on this site (myself included)! :)

When one must use several platforms to conduct business and manage their lives, (iOs, android, windows, osx) giving up the convenience of keychain to go cross platform is a small trade-off, even when one feels most at home on iOs and Osx. Msecure for me, and until someone builds a better cross platform mouse trap.

Haven't seen straightforward answer, but can keychain be used only on ios, or do you need OS X to have the function?

It will work independently. It's designed to make it easier for people like me who have both OS X computers and iOS devices, but if you only have one or the other, the functionality will still work.

i still need 1password for all my passwords outside of safari, the iCloud keychain won't remember passwords i need for apps, game logins, software keys, all the info (login ip,...) from my router and my family's routers, FTP logins, logins/passwords from work,... the list is soooo long, too long to drop 1 password!

After reading these comments, I do wonder exactly what all this data is that everybody's so scared the government might get to see. Maybe I'm innocent here, but a rational explanation of what we need to hide or what we fear the government would do with it would help

Well, everyone has something to hide, and obviously it doesn't always mean something of a criminal nature. However, I think the concern people may have is not about whether they may have something to hide, but rather about their right to privacy against unreasonable search and seizure without probable cause by government. It's about, as Justice Louis Brandeis stated, "the right to be left alone."

Needless and unconstitutional collection and aggregation of information by the state is a tool of intimidation often employed against individuals and groups who exercise their right to protest their government. (As we have learned from recent news events, unjustified surveillance isn't limited to activists alone.) Moreover, the government risks irreparable harm to individuals whose information they've mistakenly associated with people suspected of involvement in unlawful activities.

I will use use both 1Password and iCloud Keychain. I really love 1Password, but I don't like having to use its browser all the time. I'll use iCloud for regular surfing/login needs. I'll use 1Password for ecommerce since I don't want to have to remember the 3-digit security code. Remembering my debit card's code isn't a problem, but remembering my credit card's code is since I rarely ever use it.

I'll also use 1Password to copy/paste logins in apps. Side note, apps that don't allow you to paste in logins drive me nuts. AFAIK, iCloud Keychain doesn't address this use case.

Can someone explain how this will work with ios apps? If it does not work with apps all apps are basically useless unless you remember a crazy complex PW. Could always use safari and Mobil sit version. But dedicated apps are clearly better

Here is my conundrum. This is my Mac computer. I am the administrator. i do not have an iCloud account. i do have an iTunes account. Recently I upgraded my mountain lion operating system to the free Maverick system. My step-daughter has, at some time, logged into her iCloud account, her gmail, her hotmail and her FaceTime accounts on my computer. After I upgraded my computer to maverick, I have a perpetual pop-up asking for her passwords. Also, Safari just shuts down with an error message that says: "Safari quit unexpectedly while using the SpeechSynthesis plug-in." I cannot seem to get rid of the popups or this message and it is completely ruining my experience on my computer. How do I rid myself of this problem?