2023-03-06

I am a recovering password re-user. Yep, like probably everyone reading this, I’ve used the same password (or a couple of variations of it) for scores of online accounts in the past. It’s not hard to understand why this is dangerous: if a bad actor knows your email address and they compromise your password on one online service, they can get access to a whole bunch of your private online data. And chances are at least one (and probably several) of your accounts have been compromised due to a data breach. Let’s be better about that!

Fortunately Apple provides a lot of tools to improve online account security. One of them is Sign in with Apple, where you can use your Apple ID to log in to most prominent web services. More recently there’s passkeys, which eliminate the need for the traditional username/password paradigm entirely. While passkeys are slowly starting to roll out across the web, the technology is still in its infancy.

For your existing accounts, you need to be using iCloud Keychain. It’s part of Apple’s iCloud suite of products, and it’s part of the free tier of iCloud services. It works on iPhone, iPad, and Mac, but here’s how to enable it on iPhone:

Go to Settings and tap on your name/photo at the top of the screen. Then tap “iCloud” and then “Passwords and Keychain.” Enable “Sync this iPhone.” It’ll be a similar process on all of your other Apple devices to make sure it’s enabled and syncing everywhere.

Now when you type in your username and password in Safari, those credentials will be stored in iCloud Keychain. That means when you go to log in to that website or app on your other Apple devices, you’ll be able to autofill those credentials using Touch ID or Face ID instead of having to manually type them in again. Also, when you create new online accounts, your device will suggest a new strong password and save that credential in iCloud Keychain.

If you ever want to go through and look at all of your stored credentials, you can find them in Settings > Passwords. You’ll be required to use Face ID or Touch ID to unlock that part of the Settings app, so even if someone snatches your phone out of your hands, they won’t be able to access that part of Settings.

When you go to Settings > Passwords, at the top of the list you may see a section called “Security Recommendations.” This will show you a list of accounts where you’ve re-used the same password and will also show you passwords that have been exposed via a data leak. When you tap on any of these accounts, there will be a button you can use to go to the website of the service in question and reset your password, which will then be saved back to iCloud Keychain.

I was talking about this the other day with a friend who thought it was kind of creepy that Apple “knows” which of your passwords have been re-used or are part of a data leak. I agree it would be, but there’s a nice, secure catch:

Apple doesn’t actually know any of your passwords.

Here’s what Apple says about that: “Your account information is encrypted on your device, and cannot be viewed by Apple.” OK, so how can they tell you that you’ve re-used a password or that one of your passwords has been compromised in a data leak? Because your iPhone knows, but doesn’t share that information back with Apple.

That sounds confusing, I know. Here’s some more from Apple on how this works (emphasis mine):

Your device may suggest actions for you to take to improve the strength of your passwords. For example, your device may inform you that a saved password is weak, is reused across multiple accounts, or is a commonly used password. These suggestions are based solely on processing that occurs on your device. Your device may also inform you of passwords that may have been compromised in a data leak. This feature uses strong cryptographic techniques to regularly check derivations of your passwords against a list of leaked passwords in a secure and private way that doesn’t reveal to Apple your accounts or passwords. Apple will send to your device a list of common passwords that are present in data leaks. For your passwords that are not in this list, your device will send information calculated from your passwords to Apple to check if the passwords may be present in a data leak. You will be warned about your passwords determined to possibly be in a data leak. Your actual passwords are never shared with Apple, and Apple does not store the information calculated from your passwords. You can disable this feature at any time by going to Settings > Passwords > Security Recommendations.
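As an added illustration (not Apple’s code, and not the exact protocol Apple uses, which the quote above doesn’t spell out), the Python below models the two-stage design the quote describes: a purely on-device check for reused passwords and for membership in a downloaded list of common leaked passwords, then, for everything else, a k-anonymity hash-prefix query of the style used by Have I Been Pwned’s Pwned Passwords API, so the server sees only a short derivation of the password and never the password itself. The keychain entries, the common-leaks list, and the server’s digest set are all constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample keychain: (site, username, password). Not real credentials.
KEYCHAIN = [
    ("shop.example", "ana", "Tr0ub4dor&3"),
    ("mail.example", "ana", "Tr0ub4dor&3"),
    ("bank.example", "ana", "k9#vQz!2mLp7$wXe"),
    ("forum.example", "ana", "password123"),
]

# Constructed stand-in for the list of common leaked passwords the device
# downloads; membership is checked entirely on the device.
COMMON_LEAKED = {"password123", "123456", "qwerty"}

# Constructed stand-in for a breach-corpus service. It stores only SHA-1
# digests and answers queries by hash *prefix*, so it never receives a
# password or even a full hash (hypothetical data, not a real corpus).
SERVER_DIGESTS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["Tr0ub4dor&3", "letmein", "hunter2", "password123"]
}

def find_reused(keychain):
    """On-device: map each password shared by more than one account to those sites."""
    by_password = defaultdict(list)
    for site, _user, pw in keychain:
        by_password[pw].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

def server_range_query(prefix):
    """Server side of the k-anonymity query: every stored suffix under a 5-hex-char prefix."""
    return {d[5:] for d in SERVER_DIGESTS if d.startswith(prefix)}

def is_leaked(password):
    """Client side: local common-list check first; otherwise send only a hash prefix."""
    if password in COMMON_LEAKED:
        return True
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # The match against the returned suffixes happens here, on the device.
    return suffix in server_range_query(prefix)

def security_recommendations(keychain):
    """Group findings per site, the way a Security Recommendations list would."""
    reused = find_reused(keychain)
    findings = {}
    for site, _user, pw in keychain:
        issues = (["reused"] if pw in reused else []) + (["leaked"] if is_leaked(pw) else [])
        if issues:
            findings[site] = issues
    return findings
```

With the sample data, the bank account’s unique, unleaked password produces no finding, while the reused and common passwords are flagged without the simulated server ever seeing them in the clear.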

You should check in Settings > Passwords regularly just in case one of your passwords is later determined to have been compromised or re-used and change those passwords if they have.

I want to tell you about another related way to secure your accounts using iCloud Keychain, but as this has already gone long I’ll bring that to you later this week!