iCloud Keychain and why it's not going to improve security habits... yet

Why iCloud Keychain in its current form can't change years of bad password habits

iCloud Keychain, which ships as part of iOS 7 and OS X Mavericks, is Apple's attempt to help mainstream iPhone, iPad, and Mac owners get better at managing and protecting their passwords and credit cards, and with minimal inconvenience. With random password generation, autofill, and iCloud sync, it holds a lot of promise. Unfortunately, it may not be enough for everyone, at least not yet. Here's why...

Obviously, iCloud Keychain is completely tied into the Apple ecosystem. Unfortunately, this is exactly what will cause it to break down for many people, and almost immediately. Let's start with the random password generator. In theory, when you need to create a new password, you simply let iCloud Keychain pick a secure, strong one for you and you get on about your business. But let's say you do that in Safari on your iPhone, and then go to Chrome or Firefox on your Mac. What happens? What if you go to Windows at work? As you've probably guessed, nothing. You'll have to jump back to your iPhone and retrieve the password iCloud Keychain generated for you, which is cumbersome to say the least.

For Mac users who are strictly dedicated to Safari, the password generator feature of iCloud Keychain may be a perfectly acceptable, and free, option. For people who use other browsers, or other platforms, it's going to be a non-starter.

Same with the autofill. Safari can remember your existing passwords as you enter them, but once you've saved them to iCloud Keychain, they're still only usable in Safari. You can't use them with Web.app (the framework that pins websites and web apps to your Home screen), or with embedded web views in other apps.

Some websites also prevent passwords from being remembered - a security feature intended to prevent people from having their passwords saved on public machines. That can sometimes be overcome by toggling "Allow AutoFill even for websites that request passwords not be saved", sometimes not.

Consistency is a feature. For iCloud Keychain to really take off, and really help more people be more secure, it has to be almost everywhere and work almost all the time. Right now, that's simply not the case. Right now, iCloud Keychain is only in Safari, and only works most of the time there.

For some, that might be enough. For many, I suspect, it'll be a show stopper, and they'll stick to third-party apps like 1Password or LastPass, or worse, stick to the same, simple, insecure old password everywhere.

I'll be doing the former. 1Password doesn't get the same Apple-level access, which would be ideal, but it works 100% of the time on 100% of the platforms I use and that's more valuable to me than anything iCloud Keychain currently has to offer.

At least on the Mac, Apple has the standalone Keychain app that other apps can tie into for password storage. Maybe some form of Keychain app or system-level service on iOS could provide similar functionality? After all, if there's one thing that benefits people almost as much as security, it's ubiquity.

Are you using iCloud Keychain? If so, let me know how it's working for you. If not, let me know why not!


Allyson Kazmucha

Senior editor for iMore. I can take apart an iPhone in less than 6 minutes. I also like coffee and Harry Potter more than anyone really should.


Reader comments


I don't use iCloud Keychain for one simple reason: No master password.

I need something between unlocking the device and my passwords. I may want to let a friend or associate use my iPhone, iPad, or Mac, but I don't want them having access to all my passwords or credit cards.

Unless/until that's addressed (and TouchID would be great!) I'm also locked to 1Password.

That is my problem with it. I use 1Password for the same reason. I am surprised that iCloud Keychain did not do this from the outset. It would be so simple.

I think you could make such a scenario work if you let your friend use another browser on your device, granted you are present. If you are not, you could use restrictions to make Safari not available...

I'm using keychain, but not for password generator. I already have my own system for generating strong passwords that I (theoretically) can't forget without ever having had to remember in the first place, and my method is more robust than the random generator in Safari that manages not to even generate a strong password to Apple ID standards. LOL

All your points are valid. I am just chiming in to say I'm using iCloud keychain for exactly the main reason you ding it. When I'm on any device other than *my* MacBook Pro, iPhone, or iPad, I DO use a browser other than Safari, and I don't want my passwords to be remembered. I don't want my credit card information accessible to me (or anyone else). It's a bit of a boon at work on Chrome because, as you point out, it is a trusted computer of mine so I would be ok with my iCloud information being accessible, but at work I'm usually not without my wallet to need my credit card to be remembered, and because of my password system, I can recall my passwords with not too much difficulty and just also save them in Chrome if desired. And in general, at work, I shouldn't be visiting sites to recall my saved passwords anyway (LOL). I use Windows every day, and so far I haven't felt like I *wanted* my iCloud keychain available to me on all my platforms (2 trusted Windows PCs). It would be different if I had an Android phone or tablet though.

I agree, Apple has to do something otherwise, just like with so many of their products, their solutions are only really helpful for the people who are "All Apple All The Time" which for many is just not the world we live in.

First off, I love the idea of Keychain and was ready for this from day one. Second, I didn't realize there was no master password. I use Firefox and they have a master password (even though theirs can be handled way better by asking the user to re-enter it after a few minutes). Either way, Apple should at the VERY least request an Apple ID password.
Third, a separate app should have been created for this. I'd love to be able to enter such information into the keychain on my iPhone like how I can with mSecure (my current option). I see Apple improving on this in the future.

I'll be staying with Lastpass. When Apple can make the iCloud Keychain just as robust I'll take another look at it.

I turned off iCloud Keychain because I don't know how to use it. It seemingly doesn't do anything.

I've noticed the iCloud Keychain (or other new pieces of iCloud with Mavericks) has changed some behaviors, specifically, syncing of account settings. When my iMac and MBP were running Mountain Lion, they each had a set of "Mail, Contacts, and Calendars" accounts. I upgraded my MBP first and did not notice any change. I upgraded my 5S to iOS 7.0.3 and I was happy to start sharing passwords between Safari on each device. But when I upgraded my iMac to Mavericks, I suddenly got popups on each machine saying the account ABC was added from the other Mavericks machine. That is a plus and a minus. I missed .Mac/MobileMe's settings syncing between machines, but I was unaware that it was being reintroduced. Caught me off guard!

1Password is also my answer to the less-convenient (in my case) iCloud Keychain. Thanks, Allyson, for bringing this subject up.

I'm currently using iCloud Keychain, but I do get slightly annoyed when the feature isn't used EVERYWHERE. I'm strictly a Safari user so that wouldn't bring up any problems, but using the cumbersome password that Keychain gives me and having to use another browser would be horrible! Also, does anyone actually use the "store credit card information" setting?

Sent from the iMore App

I am checking out keychain and 1Password but rely on RoboForm that I have used for years. Now that we have moved off the web to apps, it would be nice to have a password manager to fill the passwords for all the apps that I use. Any suggestions?

I guess I'm an oddball but I've been using iCloud keychain and loving it, credit cards and all. I'm not terribly concerned about my phone getting stolen because I literally have it with me at all times. And I use Safari on every device, so the sync is a godsend.

I'm enjoying keychain. Not worried about someone getting my passwords. I don't let anyone use my iPhone unless a friend needed to make a call and I'm right there. I don't let anyone use my iPad or Mac. I'm still going to use 1Password. Keychain is another level of convenience.

Sent from the iMore App

Right now I think iCloud Keychain is just beginning. I use 1Password and on my Mac I now use a combination of both. I use 1Password 95% of the time and the other 5% of the time when iC Keychain does its thing it's convenient for me. There are some people who use nothing along with simple passwords and iC Keychain will be miles better than what they have been using, nothing. The reason I doubt I will ever depend entirely on iC Keychain is because it is and I feel will always be hidden away. It will just work but it will not allow me access to what is stored inside unless I'm specifically filling out something that needs the info. In 1Password I have serial numbers stored for software I install for work, I have user passwords for family and friends whose computers I fix regularly. So while iC Keychain will hold my info, what will I do when I go over to a friend's house to work on their computer and need to log in? With 1Password I can open it up and find the password or info I need while iC Keychain will probably never let you look inside. It will inevitably get better and more robust and will cover the needs of more users but it will still most likely only cover the needs of basic users.

I'm in the same boat. All Apple at home, all Windows, Chrome & Safari at work. I'm also disappointed Apple quit development of Safari for Windows at 5, as this would at least give us an option on Windows. I get the notion of platform lock-in, but sometimes think Apple doesn't understand the value of cross-platform, beyond iTunes.