Thursday, January 27, 2022

Notes in Apple’s Password Manager

Ricky Mondello:

Notes for Passwords are available in the iOS, iPadOS, and macOS betas. I know a lot of you have asked for this; it’s really versatile. :-)

The password manager’s search field searches them. The Mac password manager can import and export them.

I’m loving the built-in password manager’s support for verification codes, and a freeform notes field was my number one feature request.

Filipe Espósito:

Passwords stored in iCloud can be accessed through the Passwords menu in the Settings app. Once you tap to edit a password, there’s now a new option to add a note text alongside the login details.

[…]

As expected, the notes you add to your passwords can only be accessed after you authenticate with Touch ID or Face ID.

Unfortunately, Apple still insists on keeping iCloud Keychain as a menu within the iOS Settings app rather than making it a standalone app[…]

And, on the Mac, it’s available in System Preferences and Safari’s Preferences, both of which have single-window, non-resizable interfaces. (The notes do not appear in the Keychain Access app.)

Ricky Mondello:

And here’s a simple shortcut I made that you can use to put the password manager on your home screen, if you’re into that sort of thing.

John Gordon:

There’s no secondary password, so this demonstrates that anyone with access to the phone has full access to all your passcodes, including iCloud. Always true but now inescapable. You need a super strong phone passcode.

Update (2022-01-31): Ricky Mondello:

An iOS 15.4 change that I adore: Sign into the Amazon app. You’ll get a beautiful account picker that includes passwords from your password manager of choice.

The deprecated SecRequestSharedWebCredential API is now implemented with the modern ASAuthorizationPasswordRequest.

"I’m loving the built-in password manager’s support for verification codes, and a freeform notes field was my number one feature request."

I'm kind of confused by password managers who also offer a second factor. Doesn't that defeat the purpose of having two factors, if you put both of them in the same system?

"There’s no secondary password"

So if somebody has access to your unlocked phone, they have access to all of your passwords, *and* can receive authentication codes, too?

(The notes do not appear in the Keychain Access app.)

Sure would be nice to know what the plan is here. Is keychain deprecated? Is this newer metadata on top of keychain that the old Keychain Access app doesn’t know how to handle? Is the concept of multiple keychains deprecated? Was the old notes field too limiting in some way?

(I think a good argument can be made that Keychain Access was too nerdy for the general user. But judging from Apple’s recent track record, the path to something newer will take five years, and in the meantime, the old will be abandoned, and the new incomplete.)

So if somebody has access to your unlocked phone, they have access to all of your passwords, and can receive authentication codes, too?

Yes and no. (John’s tweet confused me here as well.)

If they can unlock your phone, they can also unlock your passwords. But if your phone is already unlocked (but they didn’t do it themselves), you need to unlock again to get to the passwords.

So, I think John is saying there’s no distinct auth. But auth does happen a second time. (I just tried it with Ricky’s shortcut. On my iPhone 13, the Face ID happens so fast I barely noticed it, but when I held the phone at an angle and ran the shortcut a second time, it stopped to wait for auth.)

@plume, that's exactly what I was thinking.

@Sören, it's pretty much unavoidable to have the 2FA on your phone, but the point is that you don't want the 2FA on your computer. One compromise and the attacker has your passwords and your 2FA codes.

@ Goz:

> it's pretty much unavoidable to have the 2FA on your phone

I'm guessing John's point was that there ought to be two separate passcodes — one for the phone (your "Unix user account") and one for the keychain. This is possible in macOS with classic keychains, but not with iCloud Keychain. And it is, of course, also possible with something like 1Password.

@Plume Yes, currently for sites with 2FA I’m only putting the 2FA codes in Apple Passwords and keeping the actual passwords in PasswordWallet. You can autofill passwords with an unlocked device, but seeing them or exporting them requires unlocking first via Touch ID/Face ID/passcode.

I think John’s point was that there should be separate login and keychain passcodes.

Still no import/export of TOTP secrets? :(

@Sebby I think they added that in the previous release.

@Sebby, you can always save them in the notes field. :-)

@Sebby, the current version of macOS passwords allows you to import TOTP codes and they work fine. I haven't tried export, though obviously it's important as well.

My real hangup for this is that there's no secondary password. I understand you have to authenticate again, but I think it's likely not enough. My family member recently had an episode where he lost his phone in an Uber, and they were able to get his passcode (4 digit pin, of course) - he thinks by using a camera in the Uber. They were able to get all his passwords, do some mischief, and get some $$$. If they had real technical knowledge (or were better at their "job") they could really have made his life miserable.

While I use an alphanumeric passcode, making it much more difficult, it's clearly possible - especially with something like a camera trained on you. Using 1password, I would at least have never used my master password in an Uber. Probably overkill, but still - too high risk to not have a separate authentication password.

@Michael Blimey, you're right! Both import and export of TOTP secrets in the CSV works now. Awesome. I'll just round up my most important passwords and see how difficult it would be to move them from 1pw ...

After many years of relying on 1Password I moved to another app, and it's not iCloud Keychain.
I have tried many different solutions, both free and commercial and the winner is: enPass.

They offer both lifetime purchase and monthly subscriptions,
support all browsers and all main platforms, offer many ways to sync and have pretty much all major features of 1Password, including TFA codes.
I was able to import my entire 1Password lib to enPass without issues.
I am still keeping both just in case something goes wrong, but I am using enPass now.
UI is not as polished as 1Password's, but it's totally usable.