Posts

Apple’s iCloud Keychain Password Management Is All Many People Need

Apple’s iCloud Keychain Password Management Is All Many People Need

We constantly recommend using a password manager like 1Password, BitWarden, or Dashlane. But many people resist committing to yet another app or paying for yet another service. Isn’t Apple’s built-in iCloud Keychain password management good enough?

The answer now is yes, thanks to two recent changes:

  • In iOS 17.3, Apple added Stolen Device Protection, which leverages biometric authentication—Face ID or Touch ID—to protect users against thieves who would surreptitiously learn someone’s passcode, steal their iPhone, and then take over their digital lives. One of the worst aspects of that attack was that the iPhone passcode was sufficient to access the user’s stored passwords, so the thief could get into everything.
  • Until mid-2023, Apple’s built-in password management worked only in Safari, which was problematic for users who rely on other browsers. Then Apple updated its iCloud Passwords extension for Google Chrome to work not just in Windows, but also in Mac browsers based on Google Chrome running in macOS 14 Sonoma. There’s also now an iCloud Passwords add-on for Firefox.

If you aren’t yet using a password manager, try iCloud Keychain.

Passwords Basics

Apple integrated iCloud Keychain into macOS, iOS, and iPadOS at a low level, so you mostly interact with your passwords in Safari. But first, make sure to enable iCloud Keychain so your passwords sync between your devices. On the Mac, you do that in System Settings > Your Name > iCloud > Passwords & Keychain. On an iPhone or iPad, it’s in Settings > Your Name > iCloud > Passwords and Keychain.

If you’re using a browser other than Safari, install the iCloud Passwords extension or add-on and activate it by clicking it in the toolbar and entering the verification code when prompted.

When it comes to website accounts, there are two main actions: creating a login and logging in to a site:

  • Create a new login: When you need to create an account on a new website, after you enter whatever it wants for email or username, Safari creates a strong password for you. Unfortunately, the iCloud Passwords extension or add-on on the Mac can’t generate passwords—you can either create a strong password manually or switch to Safari temporarily to let it create one. When you submit your credentials, you’ll be prompted to save them.
  • Autofill an existing login: The next time you want to log in to a site for which you’ve saved credentials, Safari or your other browser on the Mac displays a pop-up with logins matching the domain of the site you’re on. On the iPhone or iPad, you might get an alert at the bottom of the screen or have to pick a choice in the QuickType bar above the keyboard.

For basic usage, that’s it! However, iCloud Keychain can make mistakes. The site shown above asks for both an email address and a username and wants the email address for logging in, but iCloud Keychain remembered the username instead. Happily, Apple makes it easy to fix such unusual missteps. On the Mac, open System Settings > Passwords, or on the iPhone or iPad, open Settings > Passwords. Here’s where you find and edit your saved logins.

Open the desired login by double-clicking it on the Mac or tapping it on the iPhone or iPad, then click or tap Edit and make any desired changes.

iCloud Keychain provides additional features and options:

  • A search field at the top of the Passwords window or screen helps you find logins if scanning the full list is frustrating.
  • You can use commands in the + menu to create new passwords and shared groups. On the Mac, commands in the ••• menu let you import and export passwords; the iPhone and iPad use that menu to bulk-select passwords for deletion and show generated passwords.
  • Shared groups let you share a subset of passwords with family or colleagues. Choosing New Shared Group triggers an assistant that walks you through naming the group, adding people from Contacts, and choosing which passwords to share. You can move passwords between groups at any time.
  • The Security Recommendations screen displays logins exposed in known breaches and points out logins with weak passwords. Check those and update them as necessary.
  • In Password Options, you can turn off autofill, but why would you? Another option automatically deletes verification codes you receive in Messages after it inserts them with autofill.
  • On websites that support two-factor authentication, you can set up a login to autofill the verification code. During setup on the site, you’ll get a QR code you can scan with an iPhone or iPad if you’re using a Mac; if you’re using an iPhone or iPad, touch and hold the QR code and choose Add Verification Code in Passwords. Once you finish configuring the login, you’ll have to enter the six-digit verification code on the site to link it with the login.

Overall, iCloud Keychain provides the password management features that most people need, and it’s a massive security improvement over keeping a document of your passwords on your desktop.

(Featured image by iStock.com/loooby)


Social Media: Apple’s iCloud Keychain password manager keeps improving, and we now recommend it, especially for those not already using a third-party password manager. Here’s how to use iCloud Keychain to store and enter secure passwords.

The Importance of Staying Updated

Does it feel like your Apple devices are always asking you to install operating system updates? You’re not wrong—from September 2022 to January 2024, we saw the following releases in Apple’s previous set of operating systems:

  • macOS 13 Ventura: 20 releases
  • iOS 16: 25 releases
  • iPadOS 16: 20 releases
  • watchOS 9: 15 releases
  • tvOS 16: 12 releases

Apple issued many of those at the same time, but since you might not use all your devices every day, it can seem as though you spend all your time installing updates. As annoying as updating can be, we encourage you to do so soon after you’re notified for three reasons.

Reason One: Fewer Bugs

First, as has always been the case, updates fix bugs. You may not have experienced all the bugs that Apple fixes, but when one blocks something you want to do, the fix comes as a huge relief.

For instance, in a set of releases in January 2024, Apple inadvertently introduced a bug that caused text in many apps, including Mail, Notes, and Safari, to appear to be duplicated and overlap. It was only cosmetic, and switching to another window or resizing the window would make it look right again. But the bug was hugely disconcerting, so Apple fixed it two weeks later in macOS 14.3.1 Sonoma, iOS 17.3.1, iPadOS 17.3.1, and Safari 17.3.1 (which brought the fix to macOS 13 Ventura and macOS 12 Monterey).

Reason Two: Better Security

Second, many of the bugs Apple fixes won’t impact your experience of using your device, but they make it possible for attackers to steal information, install malware, spy on your communications, or even take over your entire device. Nearly all of Apple’s operating system updates contain security fixes to address newly discovered vulnerabilities, and some releases only have security fixes. Apple continues to release security updates for the last two versions of macOS and older versions of iOS and iPadOS as appropriate.

It’s easy to think that you won’t be impacted by security vulnerabilities, but remember that as soon as Apple releases an update outlining what it has fixed, attackers know what vulnerabilities exist in unpatched systems. Apple has to react swiftly to some reported vulnerabilities because blocking them can literally be a matter of life or death when it comes to, for instance, iPhone-using dissidents, activists, or journalists working in opposition to repressive governments that employ spyware against their enemies. (All spyware relies on previously unidentified vulnerabilities.)

However, some security vulnerabilities are more likely to impact regular users. For instance, in macOS 14.2.1, Apple fixed a bug in Screen Sharing. If you were sharing your full screen with someone else and had multiple Spaces, Screen Sharing could show the other person random windows in other Spaces, which could range from embarrassing (adult pictures) to seriously problematic (passwords or financial details).

Reason Three: New Features

Third, on the positive side, many operating system releases introduce welcome new features. When Apple unveils its next set of operating systems at the Worldwide Developer Conference in June, some of the promised features won’t appear with the initial releases. New features that shipped in later releases of macOS 14 Sonoma, iOS 17, iPadOS 17, and watchOS 10 include:

  • watchOS’s double-tap gesture for tapping the default button in many apps
  • AirDrop transfers continuing over the Internet when you move out of AirDrop range
  • Adding NameDrop to share contact info when you bring two devices near each other
  • Additional options to control when the iPhone screen shuts off in StandBy
  • The option to choose a specific album for the Lock Screen’s Photo Shuffle wallpaper
  • HomeKey support for Matter locks
  • Expanded Favorites in the Music app
  • A new automatic Favorite Songs playlist in the Music app
  • The addition of Apple’s Journal app
  • A Translate option for the Action button in the iPhone 15 Pro models
  • 10-day precipitation forecasts in the Weather app
  • Sharing of eligible passes in the Wallet app via NameDrop-like proximity
  • A catch-up arrow in Messages that lets you jump to the first unread message
  • Multiple timers in the Clock app on the Mac
  • Stolen Device Protection for the iPhone
  • Collaborative playlists in Apple Music
  • Support for streaming content to TVs in select hotel rooms using AirPlay

Just Update It

Updates provide both a carrot (user-facing bug fixes and new features) and a stick (security fixes). That’s why we recommend updating soon after Apple pushes out a new release and why devices under management usually receive updates quickly. Even if a security breach is unlikely, the liability of allowing devices to remain unpatched is too high for most organizations. Installing updates is an easy way to reduce worry about things like compromised accounts and ransomware.

There are three types of operating system releases:

  • Minor bug fix and security updates: Install these as soon as convenient, usually within a few days. Examples of these include macOS 14.3 to 14.3.1.
  • Interim feature updates: Because these include bug fixes and security updates alongside the new features, you’ll also want to install these within a few days. An example is iOS 17.2.1 to iOS 17.3.
  • Major version upgrades: Because Apple always releases security updates for the two versions of macOS before the current one, you can wait a month or three before installing a major upgrade, such as from macOS 13 to macOS 14. However, once you’ve verified that your apps and workflow are compatible with the new version, we recommend upgrading because skipping a major version of macOS often results in a more difficult upgrade experience.

In each of these cases, if you’re worried about how an update might impact your workflow, check online forums for discussions of each update and feel free to ask us what we recommend for your particular situation.

(Featured image by iStock.com/Fokusiert)


Social Media: We know it seems like your Apple devices are constantly asking you to install an update. Other than for major upgrades, we recommend updating shortly after updates appear so you can take advantage of bug fixes, security updates, and new features.

After “Mother of All Breaches,” Update Passwords on Compromised Sites

January’s big security news was the Mother of All Breaches, the release of a massive database containing 26 billion records built from previous breaches across numerous websites, including Adobe, Dropbox, LinkedIn, and Twitter. It’s unclear how much of the leaked data is new, but it’s a good reminder to update your passwords for accounts on compromised sites, especially those you reused on another site. Cybernews has a leak checker that reports which breached sites include your data. More generally, password managers often have a feature that checks your passwords against the Have I Been Pwned database of breaches and helps you change compromised passwords—1Password’s is called Watchtower, shown below. You can also search Have I Been Pwned directly. Don’t panic if your email address appears in numerous breaches because some of the theoretically compromised accounts may be defunct sites, trivial sites you used once 10 years ago, or duplicate password manager entries for a site whose password you already updated.

(Featured image by iStock.com/Prae_Studio)


Social Media: Worried about the “Mother of All Breaches” that has been making the rounds in security news? We share a leak checker that can tell you if your email address was involved and recommend that you update any compromised passwords.

Use iOS 17.3’s Stolen Device Protection to Reduce Harm from iPhone Passcode Thefts

Last year, a series of articles by Wall Street Journal reporters Joanna Stern and Nicole Nguyen highlighted a troubling form of crime targeting iPhone users. A thief would discover the victim’s iPhone passcode, swipe the iPhone, and run. With just the passcode, the thief could quickly change the victim’s Apple ID password, lock them out of their iCloud account, and use apps and data on the iPhone to steal money, buy things, and wreak digital havoc.

In essence, Apple allowed the passcode, which could be determined by shoulder surfing, surreptitious filming, or social engineering, to be too powerful, and criminals took advantage of the vulnerability. It’s best to use Face ID or Touch ID, especially in public, but some people continue to rely solely on the passcode.

Apple has now addressed the problem for iPhone users with the new Stolen Device Protection feature in iOS 17.3. It protects critical security and financial actions by requiring biometric authentication—Face ID or Touch ID—when you’re not in a familiar location like home or work. The most critical actions also trigger an hour-long security delay before a second biometric authentication. We recommend everyone who uses Face ID and Touch ID turn on Stolen Device Protection. The feature is not available for the iPad or Mac, but neither is as likely to be used in places like the crowded bars where many iPhones have been snatched.

How Stolen Device Protection Works

The location aspect of Stolen Device Protection is key. When you’re in a “significant location,” a place your iPhone has determined you frequent, you can do everything related to security and financial details just as you have been able to in the past, including using the passcode as an alternative or fallback.

However, when you’re in an unfamiliar location, as you would likely be if you were out in public where someone might steal your iPhone, Stolen Device Protection requires biometric authentication to:

  • Use passwords or passkeys saved in Keychain
  • Use payment methods saved in Safari (autofill)
  • Turn off Lost Mode
  • Erase all content and settings
  • Apply for a new Apple Card
  • View an Apple Card virtual card number
  • Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)
  • Use your iPhone to set up a new device (for example, Quick Start)

Some actions have even more serious consequences, so for them, Stolen Device Protection requires biometric authentication, an hour security delay—shown with a countdown timer—and then a second biometric authentication. The delay reduces the chances of an attacker forcing you to authenticate with the threat of violence. You’ll need to go through the double authentication plus delay when you want to:

  • Change your Apple ID password (Apple notes this may prevent the location of your devices from appearing on iCloud.com for a while)
  • Sign out of your Apple ID
  • Update Apple ID account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)
  • Add or remove Face ID or Touch ID
  • Change your iPhone passcode
  • Reset All Settings
  • Turn off Find My
  • Turn off Stolen Device Protection

There are a few caveats to keep in mind:

  • The iPhone passcode still works for purchases made with Apple Pay, so a thief could steal your passcode and iPhone and buy things.
  • Although Apple says it’s required, you can turn off Significant Locations to require the extra biometric authentication and security delay everywhere. That would eliminate the worry about a thief using Significant Locations to go to your most recent familiar spot in an attempt to sidestep the extra authentication.
  • If you plan to sell, give away, or trade in your iPhone, make sure to turn off Stolen Device Protection first. Once it’s out of your physical control, no one else will be able to reset it.

Turn On Stolen Device Protection

Before you get started, note that Apple says you must be using two-factor authentication for your Apple ID (everyone should be anyway), have a passcode set up for your iPhone (ditto), turn on Face ID or Touch ID, enable Find My, and turn on Significant Locations (Settings > Privacy & Security > Location Services > System Services > Significant Locations), although this last one doesn’t actually seem to be required.

Then, go to Settings > Face ID/Touch ID & Passcode, enter your passcode, and tap Turn On Protection. (If it’s enabled, tap Turn Off Protection to remove its additional safeguards.)

Once Stolen Device Protection is on and you’re in an unfamiliar location, the actions listed above will require either biometric authentication or two biometric authentications separated by the hour-long security delay.

There is one group of people who should not turn on Stolen Device Protection: those for whom Face ID or Touch ID don’t work. Most people have no trouble with Apple’s biometric technologies, but some people have worn off their fingerprints or have other physical features that confuse Touch ID or, less commonly, Face ID.

If that’s you, stick with our general recommendation for discouraging possible iPhone thefts: Never enter your iPhone passcode in public where it could be observed.

(Featured image by iStock.com/AntonioGuillem)


Social Media: In iOS 17.3, Apple has introduced Stolen Device Protection to discourage iPhone thefts enabled by a revealed passcode. It requires additional biometric authentication, and we recommend that everyone who uses Face ID or Touch ID enable it.

Forget Your Just-Changed Passcode? iOS 17’s Passcode Reset Has Your Back

The hardest time to remember your iPhone or iPad passcode is right after you’ve changed it. Generally speaking, there’s no reason to change your passcode, but if you inadvertently or intentionally shared it with someone with whom you wouldn’t trust your bank account information, changing it to something new is a good idea. We could also imagine a child who knows your passcode changing it on you as a prank. For whatever reason, if you can’t enter your new passcode, a new iOS 17 feature called Passcode Reset lets you use your old one for 72 hours. Once you’ve tried the wrong passcode five times, tap Forgot Passcode , enter your old passcode , and create a new one . If you’re certain you know the new one, you can expire the old one sooner in Settings > Face ID/Touch ID & Passcode.

(Featured image by iStock.com/NazariyKarkhut)


Social Media: If you change your passcode and can’t remember it (or it was changed for you by a prankster), iOS 17 lets you use your old passcode for 72 hours. It’s a helpful backstop for the results of a memory lapse or mischievous child.

Faster Copying of Two-Factor Authentication Codes from Messages

One welcome feature of Safari is its automatic detection and auto-filling of SMS-based two-factor authentication codes you receive in Messages. It allows you to complete your login quickly, without having to retrieve the code from Messages. But what if you use a different Web browser, like Google Chrome, Firefox, Brave, or Arc? Apple doesn’t allow other developers access to those codes in Messages, but Messages itself recognizes the verification code, marking it with an underline. Rather than transcribing the code manually like an animal, you can Control-click the underlined numbers and choose Copy Code. Then, switch to your Web browser and press Command-V to paste it. Not all websites accept pasted codes, but most will, even if they present a custom interface.

(Featured image by iStock.com/Galeanu Mihai)


Social Media: Need to enter SMS-initiated two-factor authentication codes manually in Web browsers other than Safari? Try this hidden trick for quickly copying and pasting them instead of retyping all those numbers.

Stay Alert! Voice Phishing Used in Recent Ransomware Attacks

All it took for MGM Resorts International to be compromised with ransomware was a quick phone call, which some now call “voice phishing” or “vishing.” An attacker using LinkedIn information to pose as an employee asked MGM’s help desk for a password change, after which they were able to install ransomware. MGM is now up to $52 million in lost revenues and counting. Two takeaways. First, if you call support for a manual password reset, expect to be asked for a lot of verification, such as a video call where you show your driver’s license. Second, if you receive a call at work from an unknown person asking you to do anything involving money or account credentials, hang up, verify their identity and authorization, and proceed accordingly only if they check out.

(Images by iStock.com/1550539 and HT Ganzo)


Social Media: Phishing isn’t limited to email and texts anymore—“voice phishing” or “vishing” was used recently in a major ransomware attack on MGM Resorts. The rise in such attacks means that requests over the phone will need much more verification.

Beware Executive Imposter Scams Aimed at New Employees

We’re hearing about new hires who receive an email or text from someone claiming to be the CEO of their new company, asking the employee to carry out some small task like sharing personal information, purchasing a gift card for a client, or wiring funds to another business. The new employee, eager to make a good impression and lacking the context of what’s reasonable, is tempted to do as asked. (The scammers seemingly gather the necessary information by scraping LinkedIn for job changes and corporate titles, then cross-referencing with email addresses and phone numbers stolen in data breaches.) To reduce the chances of such a scam succeeding, train new employees during onboarding not to trust unsolicited messages from unfamiliar addresses or numbers, be wary of unusual requests, and check with a trusted source within the company before replying in any way.

(Featured image by iStock.com/Ton Photograph)


Social Media: We’re seeing an uptick in scam emails and texts to new hires purporting to be from corporate executives. The best defense is awareness, so we recommend adding security training to your onboarding process.

Pay Attention to Unsolicited Facebook Password Reset Messages

We’ve seen an uptick in attacks on Facebook accounts that generate email messages like the one below. It’s saying someone is attempting to reset your Facebook password in order to access your account. If you didn’t ask to reset your Facebook password within the past 5 minutes, do not enter the provided code! In fact, do nothing with a message like this, since you can’t easily tell if it’s a legitimate message from Facebook or a phishing attack. As long as your email account hasn’t been compromised, you have nothing to worry about, but consider any such messages as encouragement to have strong, unique passwords for your email account and any social media services. Also, we highly recommend turning on two-factor authentication for these accounts. Of course, if you get a second message saying that your password was reset, immediately secure your account.

(Featured image by iStock.com/Nicholas77)


Social Media: If you receive unexpected password reset email messages from Facebook, don’t worry—but don’t click anything! Use them as encouragement to ensure your email and social media passwords are strong, unique, and protected with two-factor authentication.

Apple Starts Releasing Rapid Security Responses for the iPhone, iPad, and Mac

By now, you’ve probably seen a new form of update for iOS, iPadOS, and macOS: the Rapid Security Response. Early in May, Apple released the first instances of these updates, which the company had promised for iOS 16, iPadOS 16, and macOS 13 Ventura when those operating systems were first announced. Let’s answer some of the questions we’ve been hearing.

What are Rapid Security Responses?

Rapid Security Responses are security updates that Apple wants to distribute as quickly and broadly as possible. Users often delay installing standard operating system updates because they’re huge downloads, interrupt work for a long time while installing, and occasionally cause new problems.

To address these concerns, Rapid Security Responses are much smaller, install far more quickly (sometimes without a restart), and can easily be removed if they cause problems.

What security vulnerabilities do Rapid Security Responses address?

Apple released no security notes for its first set of Rapid Security Responses, and we don’t anticipate that changing for future releases. The point of a Rapid Security Response is to block a serious vulnerability that’s likely being exploited in the wild, and Apple doesn’t describe such fixes until it has patched vulnerable operating systems, including older versions, tvOS, and watchOS, none of which can take advantage of Rapid Security Responses. If this last set of updates is any indication, Apple will identify the Rapid Security Response fixes in security notes for the next full operating system update, which will also include the same fixes.

How do I install a Rapid Security Response?

Rapid Security Responses use the same software update mechanism as Apple’s other operating system updates. You can and generally should let Rapid Security Responses install automatically. That’s the default, but check to make sure.

  • iOS/iPadOS: Go to Settings > General > Software Update > Automatic Updates, and look at “Security Responses & System Files.”
  • macOS: Go to System Settings > General > Software Update, and click the ⓘ next to Automatic Updates. Then look at “Install Security Responses and system files.”

On recent iPhones and Macs, the installation time was quick, with the device being ready to use again within 2–4 minutes, including a restart. Older devices took longer, and future Rapid Security Responses may take more or less time.

How can I revert if a Rapid Security Response causes a problem?

Apple makes this easy in both iOS/iPadOS and macOS, with the amount of time being roughly similar to how long the Rapid Security Response took to install:

  • iOS/iPadOS: Go to Settings > General > About > iOS/iPadOS Version, tap Remove Security Response, and confirm the action.
  • macOS: Go to System Settings > General > About, click the ⓘ next to the macOS version, click Remove & Restart, and confirm the action.

How can I tell if I’m running a Rapid Security Response?

With this first Rapid Security Response, iOS and iPadOS both posted a notification informing the user of the update; macOS did not.

More generally, devices updated with a Rapid Security Response will have a letter after their version number, such as 16.4.1 (a), and the letter will disappear with the next full update, such as iOS 16.5. To determine what version your devices are running:

  • iOS/iPadOS: Go to Settings > General > About, and look at the iOS/iPadOS Version line.
  • macOS: Choose About This Mac from the Apple menu, and look at the macOS line.

Given what we know now, we recommend that everyone install Rapid Security Responses as soon as they’re available. If you notice a problem afterward, you can remove it. The only caveat is that if your employer manages your device, they may prefer to delay the Rapid Security Response installation until they’re comfortable with the changes.

(Featured image by iStock.com/champpixs)


Social Media: In an effort to protect users from security vulnerabilities that are being actively exploited, Apple has introduced Rapid Security Responses, which are security updates that are quick to download, quick to install, and easily removed if necessary.