
I’ve Changed My Mind About Apple’s New Password App

With the advent of macOS Sequoia and iOS 18, Apple upgraded its method of saving user passwords from the arcane Keychain Access to a fledgling full-fledged password manager. Because Apple likes to name its products so they’re impossible to search online, the app is called Passwords.

I am a huge proponent of password managers, with my current favorite being 1Password. Steve and I converted his parents to use 1Password. While his father does require a wee bit of assistance now and then when a bank or other service changes things, overall they’re both dedicated users and believers in 1Password. Steve’s dad did a testimonial about 1Password 9 years ago for the show and he’s even more enthusiastic today. They both have wicked-long, complex master passwords (created with the wonderful tool by Bart Busschots: XKPasswd.)

I remember ages ago talking to Melissa Davis (aka @TheMacMommy) about convincing people to use password managers and our various strategies. Melissa helps a lot of elderly people set up 1Password, and I remember being shocked when she told me that she lets them use a short, easy-to-type, and easy-to-remember password. We got into a debate about it and she (patiently) explained to me that it was that, or they wouldn’t use a password manager at all. Ever since that discussion, I’ve stuck to my opinion that she should just try harder to convince them to use a good master password.

When Apple introduced the Passwords app, I began to ring the alarm bell on podcasts far and wide (including a recent episode of the Clockwise Podcast) about how I think it’s dangerous.

My problem with Apple Passwords is that I think it will give a false sense of security. I don’t think people realize that all of their passwords are protected only by the strength of the passcode they have on their phone or the password they have on their Mac. Unlike users of independent password managers, there is no master password for the app.

You may say, “But Allison, you can have a long, complex password on your phone and Mac!” Sure…but how many people do? My Mac’s password is on the complex side but it’s not terribly long, and the password on my phone isn’t very complex or long since I have to type it so often.

I know Apple started enforcing a 6-digit passcode on iPhones when you do a password reset. That’s way better, but it’s possible to maintain the 4-digit passcode if you never ask to set up a new passcode.

That’s why I’ve been sounding the alarm. I’m not wrong, but I have come around to thinking that Melissa wasn’t wrong, and it folds into the new Passwords app narrative. Here’s why I have changed my mind.

I have a friend who is brilliant but doesn’t really use tech particularly well. She and her husband are such low-tech users that just a few years ago I was visiting her and tried to look something up on my Mac and discovered that her husband had “turned the Internet off.” When I asked him why, he said, “We always do when we aren’t using it.” You get my drift of what I’m dealing with here now, right?

Every year, my friend invites me over to help her print out address labels for her Christmas cards. A hundred years ago I created a tutorial for her on how to do this directly from Apple Contacts and posted it on podfeet.com. The tutorial is so old that the interface on OS X was still Aqua and Contacts was called Address Book. Surprisingly, the steps haven’t changed substantially since then so I’ve left it up for reference.

My friend is getting pretty good at the process by now (we’ve been doing it for around 10 years), but she still likes my handholding through the steps. Her husband teases her that by now she should be able to do it on her own, but she explains that it’s the one time a year we get together to catch up. Every year when I help her put a little baby reindeer covered in Christmas lights on her labels and she squeals with delight, I know why we do this together. As a tip she gives me a bottle of wine and a bag of chocolates for Steve. Win-win all around, right?

Starting probably five years ago I started lecturing her about how she should be using a password manager. I used the classic scare tactic of explaining that someone could steal all her money and remove access to her precious photos. I tried using the carrot too by explaining how much easier life is with a password manager and not having to remember your passwords. I gave her the phone number of my good friend Pat Dengler who is a Certified Apple Consultant and assured her that Pat would make the transition to 1Password as easy as it can be. I’m a good friend, but it’s not worth any amount of wine and chocolate for me to help her do it myself, so she’d have to pay Pat for her services.

Every year when I went back to do the labels with her, I found that she still hadn’t taken my advice. Every year she’d promise she’d do it, but never did. The only good news is that she has started to use long, complex passwords. The bad news is that she saves the passwords in plain text in Contacts. Look up the name of her bank in her Contacts and you would find her password.

Let’s fast forward to this year’s Christmas Card labels playdate. When we were done making the labels, I asked her yet again about getting a password manager. She said, “I knew you were going to ask me again, so I downloaded LastPass…”. Sigh. I explained to her that LastPass wasn’t to be trusted any longer and that she should download 1Password instead.

And then I had a thought. If after this long she hadn’t embraced the idea of 1Password, maybe I was never going to succeed. With the new Passwords app on iOS 18, I wondered if that would be a more frictionless path. Her phone was still on iOS 17, so I had her start the update to iOS 18. We had very recently replaced her failed MacBook Air with a new 15” M2 MacBook Air, so it was already on Sequoia.

While the iPhone was being updated, I had her open the Passwords app on the Mac. When we opened it, we discovered that she had already been letting Safari save passwords, so there were around 30 of them already in Passwords. We looked at the list and chose one of them to test out. I had her navigate to the website as she normally does and showed her how to use Passwords to auto-fill her username and password. The squeal of delight wasn’t quite as good as the one for the tiny Christmas reindeer, but it was pretty close.

She pulled up Contacts, found the same entry in her phone, and showed me the password in the plain text field. She looked at me and said, “I should delete it from Contacts, shouldn’t I?” I beamed with happiness.

Then she asked if she could do another one. She tested 3 or 4 of them while I was there and she dutifully erased the passwords for each one from Contacts. Even better, she said, “This is fun!” and told me she’d do the rest of them that very night.

I also showed her how to let the Passwords app create passwords for her and she liked that very much. Once her iPhone was up to date on iOS 18, we opened Passwords on the phone and she was able to confirm she could use it from there as well.

I told her that she had one more task. She simply had to change her passcode on her phone from the current four-digit one to six digits. Surprisingly, she immediately agreed. I’m sure glad she did because I found out the passcode she had been using was her birthday. She suggested several six-digit codes, all of which were as easily guessable as her birthday. Eventually, she settled on one that was obscure but memorable to her.

Bottom Line

The bottom line is that I think Melissa was right. It’s better that they at least use a password manager (with different passwords for every account), even with a shorter, less complex password. The danger of an online attack is probably higher than the danger of someone breaking into their password manager.

Apple did a good thing making the Passwords app easily accessible and understandable by the less technical people. While I’m still nervous about the passcode/password on people’s iPhones and iPads and Macs, the bigger threat to the security of their accounts is password reuse. I think this step to a dedicated app will get more people to raise their password security and that’s a very good thing.

The Checklist #399

Ken Ray (aka MacOS Ken) asked me to come on the security podcast he hosts called The Checklist to talk about this very topic. If you’d like to hear that discussion go to www.securemac.com/… or look for The Checklist in your podcatcher of choice.

One More Thing

One more thing. In 2022 and again in 2023, Security.org conducted a survey of Americans about passwords. There’s a lot of great info in their Password Manager Annual Report, and I want to highlight one very surprising finding.

While 41% of respondents in 2022 and 2023 said they memorize their passwords, the next highest strategy was the use of password managers. But get this: in 2023, more than 34% of respondents said they use a password manager, which was up from 22% in 2022. More than a third of Americans who responded to this survey (which must be self-selecting to some extent) said they use a password manager. I found that shockingly high.

But it wasn’t all good news. They asked the people who used password managers whether they ever reuse their password manager’s master password as a login on other sites. 28% of them said “Yes.”

Bottom Bottom Line

So my final thought is that it’s ok to encourage the technology-resistant people in your life to use Apple’s Passwords app, but don’t let them use the same passcode on their phone or password on their Mac anywhere else. And for the love of all things good in this world, at least encourage them to have a six-digit passcode instead of four on their phone.

2 thoughts on “I’ve Changed My Mind About Apple’s New Password App”

  1. David Price - November 6, 2024

    Good one, Allison. In my 14 years as a certified Apple Certified Support Professional I have worked with a lot of ‘older folks’. Many of them cannot grasp 1Password. So many of them paste their passwords on the bottom of their keyboards. Or in a notebook in the top right-hand drawer of their desk. Or in a file folder written on yellow stickies and various bits of paper. Anyway, I started my consulting and coaching business because too many people were sucking up my time asking for help. And many didn’t heed my advice. Once I started charging $100/hour people paid attention to what I was suggesting to them. Or they didn’t bother asking because they didn’t want to pay the fee. Allison, get your Apple certification and start charging for your services. Make sure your friends know what your rate is and they won’t bother you so much looking for free handouts — and ignoring your advice. I have a friend who does my taxes, but I pay him what he’s worth. And I pay my friend who is a dentist for his services. Why should your computer expertise be any different?
    Dave

  2. podfeet - November 6, 2024

    Thanks, David. I’m actually happy helping my friends as long as they don’t suck up too much time with stupid stuff. In general, they listen to me. Having a pocket Certified Consultant I can push in front of them when they ask too much works for me!

    Heck, I help people on the podcast every day – strangers who become friends.
