I think you have to ask the same questions regarding 1Password. It is not exempt from the same vulnerabilities.
The difference is that if you lose access to your Apple ID and your passwords are in Apple Passwords, you lose easy access to all your non-Apple accounts, too. If an attacker gets into your Apple account, they get into all your passwords, too. And if you’re also using Apple Passwords as your 2FA authenticator, your last firewall is gone.
It’s a bit like diversifying your investments: it’s better not to have all your eggs in one basket.
EDIT: I’ll add that 1PW and Bitwarden both get third-party audits to check for vulnerabilities. Afaik the same can’t be said for Apple Passwords.
I’m sorry, I must be missing something here. How is it not “putting all your eggs in one basket” in regard to password availability if all of your passwords are in 1P and it has a “security vulnerability” or your account gets compromised? 3rd party audits are not a guarantee, and we don’t know what steps Apple takes.
And why doesn’t this same “all eggs in one basket” logic apply to everything else one might have in the Apple ecosystem: iCloud, mail, contacts, Pages, calendar, Notes, contacts, etc.? It would seem to be logically consistent that one who is concerned about this in regard to passwords would also advocate using separate 3rd party apps for every function.
I agree. I’m a 1PW user and while we can compare the features of Passwords and 1Password there is no way, IMO, to directly compare the security of the two products.
Just three weeks ago a patch was issued to correct a “logic issue” that could result in a user’s saved passwords being read aloud by VoiceOver. The Passwords app could be compromised by a vulnerability in the operating system of any Mac, iPhone, or iPad that we may be using. That’s been true since Apple released Keychain in 1999.
I see 1Password as a service that I chose several years ago, because it works better for me than what Apple provides. If it is more secure, that’s a bonus.
If you lose access to your Apple account and all your passwords are in APW, you’ve lost access to your passwords in addition to everything else. But if your passwords were in a separate password manager, you’d still have access to them.
Your Apple ID is one basket. 1PW or Bitwarden or Strongbox is another basket. A separate authenticator app is a third basket.
From a security standpoint, that’s not perfect, but it’s better.
Of course not. Nothing is. But it means we’re not just taking 1PW’s or Bitwarden’s word for it, as we are with Apple’s.
None of us do, unless we work for Apple, and in that department. And that’s my point.
For one thing, the stakes are lower than they are with passwords. But I do use third-party alternatives to most of the default apps you mention, mostly because I like them better, though I do like knowing that it would be easier to switch to another operating system if I needed or wanted to.
The one issue for me is if your Apple account is somehow compromised. If your passwords are in there as well, you are well and truly in trouble.
I periodically print the passwords and lock them in a fireproof biometric home safe. This provides a fallback if needed. Not quite as secure as this, but good enough for my needs.
It needs to work cross platform and without cloud sync.
I use 1Password on my employer-provided laptop, and cloud sync is not allowed. Since I only need https access for 1Password, I use it on my Windows PC, my work laptop, my business partner’s Windows PC, pretty much anywhere.
If you store all your passwords in a third-party password manager like 1P and lose access, you’ve lost access to “everything else” when you mostly use third-party apps. So, from a practical standpoint, I don’t see much difference; the risk is pretty much the same in your scenario.
In either case, the wise course is to make backups of all your passwords in a secure location, whether you use Apple Passwords or 1P.
I agree that, in broad theoretical terms, it is “better” from a security standpoint to have apps in different systems, but realistically and practically, it doesn’t make much difference. When was the last time you had no access to your Apple account or a 3rd party account?
Also, remember that most Apple users will not use any 3rd party password managers or apps; they will use what is in the Apple ecosystem. So, for most users, this whole discussion is irrelevant and academic. Only us “Mac power users” get into these involved “how many angels can dance on the head of a pin” types of discussions.
It comes down to personal preference and special needs. If you need some of the features available in 1P but not in Apple Passwords, it makes sense to use 1P. Or, if you just prefer the look and experience of 1P instead of Apple Passwords (and don’t mind paying extra for it), then it makes sense to use 1P.
I’m not persuaded by the “all the eggs in one basket” theory. It doesn’t seem like it’s enough of a threat to make me feel I need to use all third-party apps (including a password manager) to avoid the Apple ecosystem doomsday scenario. In any case, regular password backups make the whole issue null and void regarding password access.
So if 1Password is running on a compromised OS, your data is never at risk? The protection of a 3rd party application running on macOS vs Keychain is an apples to oranges comparison (hardware encryption, etc).
False. Keychain data is local to the device and iCloud sync operates independently of it. You would have to lose access to your account AND your system for this to happen.
Passwords is integrated into the OS, and based on Keychain, which has been around for over 20 years. Are you implying that this trillion dollar organization with software used by governments worldwide, with devices that are certified across a number of international frameworks doesn’t receive as much scrutiny as 1Password? Bug Bounty Programs, Common Criteria, a number of ISO certifications, certified encryption modules, etc.
Possibly, especially if the app is unlocked.
Sorry, I don’t understand. AFAIK hardware encryption does not offer any protection when the drive is decrypted.
You’re thinking about disk encryption. I’m talking about access to the Secure Enclave, which in this case keychain leverages.
Got it.
And that concludes my participation in discussions about 1Password. Six years is enough for me.
I started making the switch and then came across an issue. I want to share passwords with my wife and kids. Apple Passwords makes this very easy by setting up shared groups. However, my work laptop is blocked from seeing those shared passwords; I can see all of my personal passwords, just not the shared ones. I’ll file some feedback with Apple about this; it would be nice if shared passwords were copied into the shared groups instead of moved. Right now a password can only be in personal or shared, not both. I can duplicate them and add them to both but then I’d have two copies to deal with.
Making that switch isn’t worth it. I have tried it. Passwords.app does not have a password generator, nor does it have any keyboard shortcuts to navigate in-app or in the auto-fill popup, and the import from a CSV is very unreliable.
IMHO, Bitwarden w/ Vaultwarden server or Strongbox / KeepassXC are much better options.
I left 1PW years ago. I was a registered user from V1-V7. Left shortly after V7 came out. Various reasons. I switched to Bitwarden, which I still use, but the latest edition of Apple Passwords is doing most of the heavy lifting for me. The only thing keeping me in Bitwarden is the secure notes and serial number stuff. I will leave it for Passwords if Apple adds a notes feature.
Ok, I’m giving Apple Passwords a trial run. So far it’s working well, with a few minor annoyances. Supercharge solves the issue of a shortcut to open Passwords in the menu bar. Are there any workarounds for the items below?
- Verification codes only autofill with Safari, right? Is there a workaround for Arc, without having to copy and paste from Passwords app?
- How are you all managing secure notes, software licenses, credit cards, documents, etc?
- Looks like there’s a basic password generator, but what do you use if you want more control over this?
I’m not sure why Supercharge is needed. The Passwords settings allow you to add the icon to the menu bar:
I primarily use Safari, mostly because I like the autofill-and-delete feature that ties into Mail and Messages, so I won’t be any help on the Arc front.
I moved my credit card and banking information into locked notes. I added my credit cards to Safari’s autofill, which seems to do a good job when I’m buying something online, but it’s quicker for me to get at the details via a note if I have to manually type something in.
I ended up putting my software licenses in a spreadsheet because I used some calculations and sorting.
I’ve been satisfied with the password-generation capabilities, but if I want a little more control sometime, I’m probably going to use something like Wolfram|Alpha (e.g., https://www.wolframalpha.com/input?i=40-character+password+with+special+characters) as a starting point and then customize as needed.
Supercharge lets you record a custom shortcut to open Passwords in the menu bar so that you can quickly search your passwords. Default Passwords only lets you display the icon in the menu bar, not set a custom shortcut to activate it.
Thanks for sharing your setup @Helios! That helps and I’ll keep going with the trial run.
I was thinking about the concern that some have raised that using Apple Passwords means “putting all your eggs in one basket,” and that it would be better from a security standpoint to separate passwords into a separate application.
Why doesn’t that same logic apply to the uses people make of the 1Password App itself? People store not only their passwords and passkeys in that one app, but also store their bank and credit card information, software license codes, passports, insurance info, medical info, etc. Isn’t that putting “all of your sensitive information eggs in one basket” of 1Password? If you lose access to your 1Password account, you lose access to all of your sensitive information.
This weekend, I learned that a third-party app is specifically designed to complement Apple Passwords and provide safe storage of the types of information people store in 1Password.
The Access: Passwords Companion app is now available on the App Store. It uses the same graphical look as Apple Passwords, and includes categories for Credit Cards, Passports, Driver Licenses, Insurance, Bank Accounts, documents, and Secure Notes. It’s free to try out with up to five entries.
I would think that those concerned about eggs in baskets would consider this app as a way to reduce their perceived exposure. Also, this would be a great app for those unwilling to leave 1Password because it offers the ability to store this kind of information. Now there is another similar option.
Access subscriptions are $3.99 a month or $9.99 a year, and a lifetime purchase is $24.95. Apple Passwords is free and included in the Apple OS. 1Password charges $35.88 a year for a personal license and $59.88 for a family license.
Compared to the pricing for 1Password, using Apple Passwords and Access is a steal, while providing many of the same benefits included in 1Password. It costs $49.89 a year more to use the 1Password family plan (which is free in Apple Passwords), and $25.89 more per year for the personal plan. Even more significant savings could be obtained by purchasing a lifetime license for $24.99.