hoakley September 12, 2023 Macs, Technology

Using a third-party password manager alongside keychains

Although Apple has greatly improved password management in macOS over the last couple of years, many still prefer a third-party substitute. By far the most popular was 1Password 7, which is still in wide use two years after it was replaced by version 8. One of the greatest attractions of version 7 and earlier were standalone vaults, stored locally, and independently of 1Password’s servers. As a follow-up to my recent series about keychains in macOS, I have been looking at third-party substitutes, and think I have finally come across a successor for those still using 1Password 7.

Password Managers are intensely competitive, with products sold hard against one another. The commercial rewards are customers, ideally businesses or organisations, who are prepared to pay substantial subscriptions. Vendors know that once someone has committed to a Password Manager, they’re hooked, and unlikely to want to go through the trauma of migrating all their passwords and other secrets to another product. What they sell is less of an app and more a vault-hosting service.

Most of the major commercial products operate in a similar way, with near-identical features. There are two notable exceptions that support macOS and Apple’s devices: Bitwarden, which is built around open source and has always had a strong free tier in their pricing, and Strongbox, which is based on open source KeePass. While Bitwarden offers the cheapest Premium version at a mere $10 per year, and organisations can self-host, it still uses a paid-for service model. Strongbox is different, though, in that it requires you to host your own vault, and simply provides the software to make that work.

Strongbox only handles passwords (and SSH keys), although you can add extensive metadata to them. Phoebe Code, its vendor, doesn’t offer any hosting service for its vaults, but leaves you to choose whether to keep them local and private, or to share them using the cloud system of your choice, or from your own local server. Options include iCloud Drive, Dropbox, OneDrive, or others. In this example, I’ll show you how I set up a shared vault in my iCloud Drive.

I first installed the app from the App Store, and created a local vault by importing a CSV file exported from macOS passwords. You can also migrate from other vaults if you wish. I set that vault up in a folder within ~/Documents, then created a folder in iCloud Drive named Strongbox, and copied the vault into that. I added the shared vault to the list accessible to the Strongbox app, giving me the choice when I start it up.

These could of course be different vaults, perhaps one shared between partners with shared iCloud access, the other a private vault.

The paid-for Pro level supports biometric access, including Touch ID and Watch Unlock on Macs, and both Touch ID and Face ID on devices.

This isn’t an Electron app, unlike 1Password 8 and others, but a fully native macOS (iOS or iPadOS) app that makes excellent use of the screen space available. It has one of the best interfaces of all the Password Managers I have used.

It has proper Settings, and full support for auto-fill in Safari, Firefox, Chrome and other browsers based on Chromium. The Pro level also has excellent support for 2FA and other ‘time-based one-time passcodes’ (TOTP). The only significant feature that it doesn’t yet offer is support for passkeys, but those are coming (and are still poorly supported among Password Managers). Strongbox, through its KeePass core, has the widest options for encryption, including standard AES256, TwoFish, ChaCha20, and Argon2 KDF, sufficient to satisfy even the cryptographic nerds among us.

Full details of Strongbox are here, and it’s available free from the App Store. For those who don’t like the idea of paying rent, it offers a lifetime purchase for the Pro level, as well as an annual subscription.

Finally, a note on passkeys. Although these aren’t yet widely supported by Internet services and websites, they are steadily becoming more available. Passkey support in third-party Password Managers is still limited, with more promising them shortly than supporting them already. One problem we’re going to face as passkeys become more widespread is their lack of mobility. While you can export all your passwords from macOS and other Password Managers in JSON or CSV files, passkeys aren’t included, and I suspect won’t be for the foreseeable future.

iCloud Keychain shares passkeys across Macs and devices that share in iCloud. Third party services share passkeys similarly. But there doesn’t appear to be any way to transfer a passkey from your iCloud keychain to a third-party vault. At the moment, the only way that I can see of dealing with this would be to create a new passkey when you migrate to or from a different Password Manager. That would require you to revoke the passkey stored in your previous vault, then create a new passkey for your new vault. There has to be a better way.

58Comments

Add yours

1

Graham Pugh on September 12, 2023 at 7:15 am

Thanks Howard. I’ve been using KeePassXC for a long time. I wonder if you have too, and if you consider that Strongbox is better? KeePassXC has biometric support built in, though I must admit the browser integration has never felt mature.

LikeLiked by 1 person
- 2
  
  Ralf on September 12, 2023 at 7:21 am
  
  The browser integration of strongbox has made great progress lately. It also works with exotic browsers like Librewolf. Not so difficult to integrate like KeePassXC.
  
  LikeLiked by 1 person
- 3
  
  hoakley on September 12, 2023 at 8:41 am
  
  As KeePassXC doesn’t support Safari, it’s of no use to me.
  Howard
  
  LikeLiked by 1 person
4

Ralf on September 12, 2023 at 7:18 am

I also use strongbox. I like the table view. Only KeePassXC and Strongbox offer a table view. It helps a lot to clean up the passwords in and keep them up to date.
Since I still have an old lifetime license that is limited to Mac, I combine that with Keepassium on iOS.

LikeLiked by 1 person
5

Alan on September 12, 2023 at 8:26 am

1Password’s indispensable features for me are sharing vaults with family members and acting as an administrator. They find remembering strong passwords and using the services quite challenging, and I’m looking forward to seeing Apple’s take on password sharing in iOS17. Might convince me to switch everything to iCloud Keychain!

LikeLiked by 1 person
- 6
  
  hoakley on September 12, 2023 at 8:40 am
  
  You can do that already with Strongbox.
  Howard
  
  LikeLike
  - 7
    
    Alan on September 12, 2023 at 8:57 am
    
    That’s good to know – didn’t see it mentioned on their website feature list. I guess their marketing budget isn’t as large as 1Password…
    
    LikeLiked by 1 person
8

Joss on September 12, 2023 at 8:35 am

I’m thinking about using the Bitwarden free version for personal use, and host my own vault on my unRAID server using Vaultwarden. Currently, I’m still on 1Password version 7, but I don’t want v8. Don’t want remote vault storage. Don’t want subscription models.

LikeLiked by 1 person
- 9
  
  hoakley on September 12, 2023 at 8:38 am
  
  You’ll find the free version of Bitwarden limited. You should take a look at Strongbox with a lifetime Pro purchase. It has excellent browser support and 2FA/TOTP.
  Howard
  
  LikeLike
  - 10
    
    Joss on September 12, 2023 at 8:44 am
    
    Self-hosting unlocks all Bitwarden pro features. (At least that’s what they say on the web.)
    
    LikeLiked by 1 person
    - 11
      
      hoakley on September 12, 2023 at 8:46 am
      
      I’d still look at Strongbox. Bitwarden’s interface is pretty grim by comparison.
      Howard
      
      LikeLike
    - 12
      
      Joss on September 12, 2023 at 9:04 am
      
      Yeah, that’s definitely a downside. Currently looking at options for self-hosting the Strongbox database: BitBridge, WebDAV? Doesn’t look too promising compared to Vaultwarden. But I have no problem with paying for the lifetime pro license, so Strongbox is not out of the question for me. (I’ve happily been paying for 1Password all those years, too… up to version 7.) By the way, do you know if the Strongbox lifetime license unlocks both the macOS *and* i[Pad]OS version? Or do we need to pay for two pro licenses?
      
      LikeLiked by 1 person
    - 13
      
      Joss on September 12, 2023 at 9:09 am
      
      According to the website, the Strongbox pro subscriptions are for both macOS & iOS, so I assume that it’s the same for the lifetime license. (That would be nice indeed.)
      
      LikeLiked by 1 person
14

SarahB on September 12, 2023 at 10:24 am

Thank you for the info. I still don’t know what the future holds for me. Still running 1pass 7 but seems it won’t get updates now since when I go to updates keeps pushing me to 1pass 8. I still feel I have some time but so hard to switch after using 1pass since version 2.

Being in control of my vault is the main requirement I must have. I always knew lastpass would fail ever since it came out due to how they hosted the vaults. I remember so many saying the audits were solid and it was most secure. I always look beyond audits though at the weak link, which is the people working at lastpass.

It’s how a lot of hacks happen now. They go after the employees or dev accounts. I don’t know if you read Brian Krebs webpage krebsonsecurity. His recent post talked about how people may already be cracking stolen vaults from lastpass now. Especially those accounts that had crypto investors. Makes sense due to the money involved.

I don’t think I would ever be such a target but having a leak of personal info can spell disaster for anyone so I don’t take this lightly. It’s bad enough when every day another company seems to get hacked and our personal info lost.

Even my bank keeps messing up and I keep contacting them to make them aware of things but the people there are so stupid and don’t listen or understand. Hard when a company has such people on the front lines. Banks frustrate me so much with their security.

LikeLiked by 1 person
- 15
  
  hoakley on September 12, 2023 at 11:10 am
  
  Thank you. The humans are always the weak point. In LastPass’s favour, brute-forcing one of their vaults is one of the most difficult of all the commercial products.
  That’s why self-hosting is the long-term winner, so long as you are careful. Sadly, that’s not how most of the vendors make their money.
  Howard.
  
  LikeLike
  - 16
    
    SarahB on September 12, 2023 at 11:57 am
    
    In Krebs article and interviews showed how early on lastpass didn’t force a max password length so some only used 8 digits. Lastpass upgraded that over the years to be stronger but never forced older accounts to update their passphrase or password. So I guess those are the ones they are going after. Or having luck with. It’s why my passphrase is more like a short book in length.
    
    I always paid 1pass and last time I paid for 1pass7 license it was almost $80 Canadian. So they still made money from me over the years. It’s why I don’t get why they keep being against self hosted vaults. But then I would still have to upgrade anyway. I don’t understand their thinking. I liked their product and always paid but they took away the main feature I used and paid for.
    
    Glad apple put out that update for my old iPhone SE 1st gen yesterday also. Phone is still like new and has a new battery. Glad apple did something different yesterday and updated older devices to fix that 0-day.
    
    LikeLiked by 1 person
    - 17
      
      hoakley on September 12, 2023 at 4:55 pm
      
      The reason why commercial Password Managers don’t encourage (or allow) self-hosting is money: what you rent from them isn’t software, but a vault hosting service, and that’s a lucrative business with lots of customers locked in.
      Howard.
      
      LikeLike
18

Udo Thiel on September 12, 2023 at 11:59 am

When it comes to password storage, I’d never trust 3rd party software unless it is open source. There is just too much at stake. But people use Chrome instead of Safari because of “reasons”, so there you go.

There are just too many uninformed people around. And their numbers are increasing. Similar to driving a car, I think there should be a mandatory course in using computers.

LikeLiked by 1 person
- 19
  
  hoakley on September 12, 2023 at 4:56 pm
  
  Thank you. One good reason for driving licences is that it’s all too easy to kill or maim other people with a car. While folk can do a lot of damage with their computer, by comparison that’s minor and unusual. It’s surely all about risk to others.
  Howard.
  
  LikeLike
  - 20
    
    Udo Thiel on September 12, 2023 at 5:05 pm
    
    Harming someone else through your infected private computer might be far fetched but not impossible. But driving a motorcycle without a helmet won’t harm someone else yet it is unlawful in most countries. The government has to take care of it’s citizens.
    
    I see updated look on this widget, looks much better!
    
    LikeLiked by 1 person
    - 21
      
      hoakley on September 12, 2023 at 6:45 pm
      
      As someone who started work as a doctor caring for head injury victims, I simply don’t see your comparison. Perhaps a visit to a neurosurgery unit might help demonstrate the world of difference. And in many countries, motorcyclists who refused to wear helmets voluntarily were putting huge costs on society and the state.
      Howard.
      
      LikeLiked by 1 person
22

Robin K on September 12, 2023 at 12:04 pm

Thank you, Bruce, for this excellent article.

I’ve been using pwSafe for some time. This is a free, open source program that runs on MacOS, iOS and iPadOS. And other operating systems. I understand that Bruce Schneider was one of the original developers. I am a big fan of his website and books.

Although I like pwSafe because it does what we need, I don’t see consistent ongoing maintenance to the program. So I’ve been looking for a replacement from a commercial developer which might be a better long term choice. I am definitely not a fan of cloud based password vaults. And that is why I ignored 1Password initially. I’ll definitely take a look at Strongbox.

LikeLiked by 1 person
- 23
  
  hoakley on September 12, 2023 at 4:57 pm
  
  Thank you.
  Howard.
  
  LikeLike
24

snowy on September 12, 2023 at 12:19 pm

Strongbox is great ( and open source). I started using the iOS version back in its early days and later the macOS version. The developer is response and honest about the development path. I would just be mindful when sharing on iCloud Drive with more than 2 people. I ran into file conflicts, which seem to be related to syncing a document (file based even though KeePass internally is a database).

This is the only reason for my family (and extended) ended up going to 1Password. The need for easier sharing and conflict resolution. The offline cli story for 1Password still leaves a lot to be desired (KeePassXC is great). Particularly, if you don’t have internet access with the cli.

I think for anyone who really wants truly robust offline support and basic sharing Strongbox is great.

LikeLiked by 1 person
- 25
  
  hoakley on September 12, 2023 at 4:59 pm
  
  Thank you. I’m not sure what conflicts you found, as iCloud Drive normally resolves changes in documents well, and has to for other apps like Freeform. Was this recent?
  Howard.
  
  LikeLike
  - 26
    
    snowy on September 12, 2023 at 5:56 pm
    
    It would be in the last year as that’s why I moved to 1Password. We had at least 2 occasions my wife and I were both updating an entry in our shared database. One of us would end up with appended keepass database file called ‘Family 2.kdbx’, but also I experienced the 2 referenced issue below as well. And KeePassXC (KeePass proper on Windows) are the only 2 clients I know that can merge keepass databases natively and safely.
    
    I would refer to these 2 Github issues:
    https://github.com/strongbox-password-safe/Strongbox/issues/637
    
    https://github.com/strongbox-password-safe/Strongbox/issues/549
    
    LikeLiked by 1 person
    - 27
      
      hoakley on September 12, 2023 at 6:46 pm
      
      Thank you – ah, a bug in Strongbox. I sympathise, as iCloud isn’t the easiest of APIs to use. Hopefully it will be fixed soon, if it hasn’t already.
      Howard.
      
      LikeLike
28

Brian on September 12, 2023 at 4:30 pm

Thank you for continuing to look at password options. Looking at Strongbox that’s open source, I couldn’t see any local Wi-Fi syncing between devices, like 1Password’s wi-fi WLAN server. If that’s not possible, maybe a local vault could be manually copied between devices without using their cloud options, but I couldn’t tell.

Did you look at Enpass this time? While not open source, it supports a local offline vault, lifetime license, is written in AppKit – not Electron, and looks almost identical to 1Password. It’s owned by Atlassian, and I don’t know if that’s good or bad.

LikeLiked by 1 person
- 29
  
  hoakley on September 12, 2023 at 5:02 pm
  
  Sorry, no, I haven’t looked at Enpass.
  Strongbox will share and sync by any means supported by macOS. I think I prefer that rather than some offering a WLAN server.
  Howard.
  
  LikeLike
30

Lynn on September 12, 2023 at 4:45 pm

Good information and informative thread reply. I too am a long-time user of 1 Password. Will not make the move to 1PW 8 though, for same reason stated by others here. I know i am going to have to make a move at some point. I find the secure notes, membership, credit cards and the additional categories convenient in 1PW 7. I don’t know how I would duplicate this data after a change….Anyone have any thoughts on this?

LikeLike
31

michael2715d77925 on September 12, 2023 at 5:57 pm

I need a password manager that runs on MacOS, Windows, Android, and Linux. 1Password and Bitwarden do that. Strongbox is MacOS/iOS only.

[It’s not soup yet]

LikeLiked by 1 person
- 32
  
  hoakley on September 12, 2023 at 6:47 pm
  
  Well, you’re technically correct, in that Strongbox doesn’t run on those systems. But it does use KeePass file format, which is readily accessible using any port of KeePass on those operating systems.
  Howard.
  
  LikeLike
33

Thran! on September 12, 2023 at 7:14 pm

Hi Howard,

Thanks for the article, very interesting, I started to use passkeys on 1Password 8 beta for Safari on Mac which seemed to be OK although I don’t think Apple is making the settings on Sonoma transparent enough. It looks like they are driving, gently, users to iCloud Password Manager. Anyhow I need to use the 1Password Beta for iOS to make this work and it turns out their beta is full and they don’t care to let a long time customer into it. So bottom line is passkeys are fairly useless for me, unless I dump 1Password.

LikeLiked by 1 person
- 34
  
  hoakley on September 12, 2023 at 9:55 pm
  
  Thank you.
  I don’t know what you mean by “iCloud Password Manager”. If you choose to share your passwords in iCloud, then one particular keychain primarily used to store Safari’s passwords will be shared. You also depend on your Mac’s login keychain, though, which can contain a wider range of secret items.
  1Password 8 is in the process of adding support for passkeys. The problem comes that, while you can export and import passwords, you have no means to transfer passkeys. So if you set up a passkey in 1Password, you will have to rely on 1Password to operate that passkey, and can’t export it to anything else.
  Howard.
  
  LikeLike
  - 35
    
    Thran! on September 13, 2023 at 5:41 am
    
    Sorry meant iCloud Keychain. The problem is using both iCloud Keychain be 1Password, enabling both (Keychain for passkeys and 1P for passwords) makes autocompleting passwords a terrible experience.
    
    LikeLiked by 1 person
    - 36
      
      hoakley on September 13, 2023 at 6:27 am
      
      I don’t think anyone would suggest trying to use both. Once 1Password 8 is updated to support passkeys, you will then have the choice. But whichever you choose, you will then be committed to once you start creating passkeys, as there’s no way (currently) to move passkeys between different password managers. That’s a very different situation from passwords, which can be freely exported and imported.
      Howard.
      
      LikeLiked by 1 person
37

cicerovicious on September 12, 2023 at 10:04 pm

OK – gotta admit, being a long time 1PW user (15+ years), I read this article and had a bit of pushback in mind but before posting a comment, I decided to first check out Strongbox and I’m glad I did. There are quite a few things I love about 1PW that appear to be covered in SB with a few new things in SB I didn’t think I’d like\want. And like many both here and elsewhere, I do have a bit of heartburn at Agile’s seeming arrogance about local vaults and Electron. I personally don’t use local vaults and don’t think Electron is necessarily a show-stopper but Agile’s treatment of dissent coupled with their long-term near dogmatic self-righteousness is beyond old.

I’m very happy Howard penned this piece for it got me off the duff to start looking for a better mousetrap. Well done Sir — Many thanks…

LikeLiked by 1 person
- 38
  
  hoakley on September 13, 2023 at 6:24 am
  
  Thank you.
  Howard.
  
  LikeLike
39

Danny on September 14, 2023 at 2:14 pm

Hello Howard,
already know Proton Pass ? https://proton.me/pass

LikeLiked by 1 person
- 40
  
  hoakley on September 14, 2023 at 2:17 pm
  
  Yes, thanks. It has no macOS client, and no Safari extension, AFAIK.
  Howard
  
  LikeLike
  - 41
    
    Danny on September 14, 2023 at 2:20 pm
    
    https://proton.me/blog/pass-roadmap-2023
    
    LikeLiked by 1 person
    - 42
      
      hoakley on September 14, 2023 at 2:23 pm
      
      I’ll be interested to see it when it’s finished.
      Howard
      
      LikeLike
43

sth on September 15, 2023 at 3:23 am

One of the best (and quite old but still maintained) is “Password Wallet” by Selznick software. It stores passwords, notes, etc. Allows tagging of these and is very easy to use. It allows synchronization of multiple different wallets across MacOS, iPadOS, and iOS. There is no centralized data server. It seems that the developer is not pushing a large commercial organization here but is responsive to suggestions and bug reports.
https://www.selznick.com

LikeLiked by 1 person
- 44
  
  hoakley on September 15, 2023 at 8:48 am
  
  Thank you.
  It’s not open source, and doesn’t use browser plugins for autofill, but uses its own mechanism which isn’t as transparent. I also note that it isn’t yet claimed to be compatible with Ventura; with Sonoma coming in less than a fortnight, that’s hardly encouraging.
  Howard.
  
  LikeLike
45

sth on September 15, 2023 at 4:18 pm

Howard, I didn’t think we were restricting this to open source? 1Password is certainly not. But I am curious as to the comment as the mechanism being “transparent”? Are you suggesting that only Apple sanctioned mechanisms for password management are acceptable? Apple itself is hardly transparent in a lot of ways. It does not use browser plug-ins which makes it more universal and I use it with Zoom, Cisco VPN and other apps than the browser.

The Mac Apple Store shows it compatible with MacOS 11.0 or later and that it is a universal app. (ie both x86 and arm64). Available in 6 languages. Not sure if that is the iOS app running in catalyst and different than direct download app which is fully macOS developed app.

I am not affiliated with Selznick software in any way other than a satisfied user for more than a decade. This is a side business from his bio-computing consulting and is one of those small independent developers who should be supported. Personally the app is compatible with Ventura and I use it daily on MacBook Air M1, iMac x86, Mac Studio, iPhone 6s, etc. Support has been excellent and I have confidence that if there is an incompatibility with Sonoma it will be fixed shortly. But I was trying not to put my personal experience as part of this, I think it is worthwhile indie software with no advertising budget that should be included in a review of password managers. Not a big deal to me but just additional information to be considered along with the mainstream default apps.

-Scott

LikeLiked by 1 person
- 46
  
  hoakley on September 15, 2023 at 4:21 pm
  
  I’m sorry, I’m not reviewing password managers, am I? I’m delighted that you’re happy using it.
  Howard
  
  LikeLike
  - 47
    
    sth on September 15, 2023 at 4:25 pm
    
    Sorry, I thought that was what this post was about. My bad.
    
    LikeLiked by 1 person
    - 48
      
      hoakley on September 15, 2023 at 4:34 pm
      
      It’s no problem. There are dozens if not hundreds of password managers available. The Mac App store is overflowing with them. Strongbox has several qualities that I believe make it stand out for those who don’t want to be trapped into paying a significant amount of money every year for someone else to safeguard (maybe!) their vault. KeePass is open source and high reputable – many choose it for its quality alone. Strongbox is a thoroughly usable and professional implementation of KeePass that comes with a good range of browser plugins, supports all Apple’s platforms and through its compatibility with KeePass many others, and can be purchased rather than paid as rent.
      As others have pointed out, there are other worthy password managers that may be just as good – Enpass, for example – but I haven’t here set myself the impossible task of trying to assess them all. For me, one good solution is enough. Although I should add that I don’t intend using any of them, as I’m quite happy with what macOS provides, and don’t want to have to mess around trying to move passkeys in the future!
      Howard.
      
      LikeLike
49

Michele Galvagno on November 11, 2023 at 1:50 pm

Are you now using Strongbox regularly or have you gone back to the default Apple keychain for passwords?

LikeLiked by 1 person
- 50
  
  hoakley on November 11, 2023 at 2:26 pm
  
  I never used Strongbox instead of macOS. I reviewed it, testing it thoroughly, and haven’t used it since. I’m happy using macOS.
  Howard
  
  LikeLiked by 1 person
  - 51
    
    artiste212 on November 25, 2023 at 4:31 am
    
    Howard, if you use macOS password management through Keychain, then anyone who has your login password also has access to your Keychain and all your passwords. Even more concerning, if you also have an iPhone and someone sees you typing in your password, they will also have access to all your passwords.
    
    For this reason, I keep my most important IDs and financial institution passwords in Bitwarden, which I run as a standalone app to avoid the huge memory leak in the Safari extension.
    
    Do you know of a good way to use passwords log in to your Mac and to unlock the login keychain?
    
    LikeLiked by 1 person
    - 52
      
      hoakley on November 25, 2023 at 9:35 am
      
      Yes, and I’ve known this for over 30 years now. I’m shocked that you’ve only just realised it. But it’s worse: my password also lets them into FileVault, where they could access all my files too. That’s why even my wife doesn’t know my password. So how would anyone get to know my login password, then? If they could get to know that, then what’s stopping them from knowing your Bitwarden password too?
      “the huge memory leak in the Safari extension” So you have to open the Bitwarden app and use that to paste passwords into Safari?
      And my passwords (all the important ones) aren’t stored in the login keychain, but in iCloud Keychain, so they can’t be removed from my Mac.
      I only enter my password into my iPhone once a day, when I start it up in the morning. Thereafter I use Face ID, which is rather harder to fake, like all biometrics.
      Howard.
      
      LikeLiked by 1 person
53

artiste212 on November 25, 2023 at 7:23 pm

Hi Howard, of course I assumed you knew many things I don’t about this topic (and quite a few others, I’m sure). I was concerned enough about Keychain to never havde placed anything more important than my ordinary websites in it. I use FaceID for logins to my iPhone with an 8 character alphanumeric password when needed.

All my more important passwords remain in the another password manager, currently Bitwarden. Yes, I manually copy and paste those passwords from the desktop Bitwarden app into Safari. Not using the Safari extension meansthere is no memory leak from Bitwarden.

Although I have only a desktop Mac Mini, and I’m not worried about others stealing my login password at home, I’ve read about the recent relatively large number of iPhone password thefts using very ingenious social engineering. One way uses mirrors placed on public transit and restaurants aimed at seats. Another uses two person teams doing a “sting” operations in croweded stores and restaurants. The two criminals pretend to be unrelated to one another. One “accidentally” interrupts FaceID logins by pretending to be impaired or clumsy, then apologizes and leaves. The second criminal then observes the iPhone login password, which must be manually typed in. With the password, they have access to everything in the keychain, which is shared with the Mac. My concern is mostly that.

How could I place my more important logins in the iCloud keychain as opposed to the login keychain? Also, is there any workable way to use a different password for that keychain, or is it always tied to the login password?

Thanks.

LikeLiked by 1 person
- 54
  
  hoakley on November 25, 2023 at 7:48 pm
  
  When using the macOS Password Manager, all passwords you set up using Safari and most other apps are now stored not in the login keychain (which is sort of deprecated), but in iCloud Keychain. If that isn’t shared via iCloud, then it’s saved separately as Local Items on your Mac, and has a different level of security from the login keychain. Of course the macOS Password Manager works with autofill in Safari and many other places. The iCloud Keychain is primarily linked to your Apple ID and its password, although you aren’t normally prompted for those once you have already logged into your Mac or device.
  If someone were to interrupt my completing Face ID on my iPhone (not that I do that in crowded places, anyway), then I’d knee them in the groin first, then lock the phone and start again. That’s simpler, quicker, and more secure, and by the time they’d recovered from their injury I’d probably have finished doing what I needed to on my phone.
  We’re far too kind to crooks. Don’t let them get you in the first place, and ensure they remember that lesson. Just as you may not be expecting their sting, they’re not expecting your response.
  Howard.
  
  LikeLike
55

artiste212 on December 13, 2023 at 12:01 am

Howard, the Wall Street Journal just had an article on Apple’s plan to address this issue. Apple is aware of and attempting to mitigate the widespread issues people have from having iPhone passwords stolen (giving criminals access to much of what is on their Macs, as well).

This is a gift link to the article: https://www.wsj.com/tech/personal-tech/apple-iphone-ios-update-stolen-device-protection-698d760e?st=pk7zj7pxtaouwsy&reflink=desktopwebshare_permalink

I believe their method will help most of those who know their iPhones are stolen. Those who are impaired (either by their own habit or being drugged by the criminals) will not likely benefit from this matter. I personally am not worried about this scenario, but I’m sure others will continue to pay the price for social activities.

Best regards.

LikeLiked by 1 person
- 56
  
  hoakley on December 13, 2023 at 11:52 am
  
  Thank you. A very useful link. Whether this change will fix the problem or cause more remains to be seen in beta-testing, of course. Even then, the fundamental weakness is as ever the human, and I’m pleased to see that article did at least draw attention to that. You’d also be amazed at the number of people who share their passcodes and their Apple IDs with others.
  Howard.
  
  LikeLiked by 1 person
  - 57
    
    artiste212 on December 13, 2023 at 3:00 pm
    
    I am amazed by how many do this, as well as by many other human behaviors. As a believer in Darwin, however, I’ve got to believe there’s a survival value for our species to having some people engage in dangerous or thoughtless behaviors. (As well as a greater survival value for having some people never engaging in those behaviors!)
    
    LikeLiked by 1 person
    - 58
      
      hoakley on December 13, 2023 at 5:46 pm
      
      Thank you.
      I do sometimes wonder how some manage to survive at all – more by luck than by cunning!
      Howard.
      
      LikeLike