Apple To Launch 'Passwords' App, Intensifying Competition With 1Password, LastPass

Apple will introduce a new app called Passwords next week, aiming to simplify website and software logins for users, according to Bloomberg. The app -- offered as part of iOS 18, iPadOS 18, and macOS 15 -- will be unveiled at Apple's Worldwide Developers Conference on June 10. Powered by iCloud Keychain, Passwords will generate and manage passwords, allowing imports from rival services, and support Vision Pro headset and Windows computers.

Re:Security

[DarkOx]

The chances someone attacks and compromises my PC - extremely remote.. Its not even on when I am away from it!

The odds someone password sprays some popular web application - all day every day

the odds someone decides to target 'me' and uses resources like "have I been pwnd" to see what breaches my e-mail address have been exposed in and backs into what online services I might use and does a targeted password guessing attack - certainly non-zero..

Frankly strong complex passwords that are unique per site - are a really solid and effectively control. Doubly so when coupled with even very weak MFA like OTP via SMS. MFA bypasses do happen; phones get ripped from your hands while in use by thugs on the street and kept unlocked until they can ripp you off other ways using that access.

The MOST secure thing you can probably do is use a password manager with a LOCAL datastore on your PC, that you keep 'somewhat' secure in your home, and further protected with a strong master password used for key derivation for use with good encryption. Yes this means can't login to stuff when you can't access your home PC.

Re:

[Baron_Yam]

The MFA-bypass I see most often is a 365 access token getting intercepted when someone is using free WiFi. Microsoft is working on changing their communications to prevent this method of compromise, but I don't know when that will be deployed or if it will be done for all versions of Office currently in use.

Re:

[fph il quozientatore]

What? 365 access tokens are exchanged on the network unencrypted? Seriously? Has Microsoft fallen that low?

Re:

[Ksevio]

Of course not. They use SSL like pretty much all traffic these days

Re:

[rabun_bike]

I adhere to the "no cloud" policy with regards to storage of my passwords. As a security and software engineer with a specialization in cryptography I could not find a modern password program that (a) had no built in ability to connect to cloud systems (b) was a self contained native executable (c) runs on Linux, Mac, and Windows natively (d) and most importantly encrypted passwords / secrets protected by a hardware security token not tied to the target machine such as a TPM module. So I spent 2 years dur

Re:

[FictionPimp]

I use apple's hide my email feature combined with a password manager for access today.

Every site has a unique email address and unique password and MFA if supported. It's seamless and easy to use. Sure you could compromise the device and gain access to my password manager, but then you need a MFA bypass. Plus the password manager is locked so you need that password. I'm comfortable with that. Even if you use the OSX built in password manager you have to prompt your fingerprint to auto-fill. It's good enough

Re:

[DarkOx]

yep I have a separate system I use exclusively for work (it belongs to my employer but I 'administer it') I do use Apple's keychain there, but I do not sync it to icloud.

Re:

[strikethree]

The chances someone attacks and compromises my PC - extremely remote.. Its not even on when I am away from it!

I could swear you said this ironically... and then I read the rest of your words. WTF dude? Seriously? Your PC is being attacked every time you do anything on the Internet. Yes, "you" are not important enough to attack, but your computer is and in fact, is being tested constantly. Better keep up on your patches if you are going to have such naive views about your safety.

Re:

[schneidafunk]

I recall reading somewhere that MFA is the easiest most effective security to implement, preventing something like 90% of common attacks. Take this all with a grain of salt, as I am not bothering with finding citations :)

Regardless, I believe the password & captcha model are in for a big overhaul soon. AI already can break most captcha systems, I ran a test with claude to detect the chars in a captcha screenshot. This did not work in chatGPT citing "safety concerns". And quantum computing, when i

Re:

[UnknowingFool]

I recall reading somewhere that MFA is the easiest most effective security to implement, preventing something like 90% of common attacks. Take this all with a grain of salt, as I am not bothering with finding citations :)

Effective but I do not know about "easy" though. For a consumer getting an authentication app is not difficult nor the setup for each site. For the backend systems, I do not know. Now the difficulty is worth the increased security.

Re:

[schneidafunk]

AWS cognito is a breeze, basically plug & play for user registration with the option of MFA and social media SSO. Check out this image from AWS:
https://docs.aws.amazon.com/im... [amazon.com]

Re:Security

[UnknowingFool]

Do not use a password manager. Do not join every Internet site you visit using the same password. Do use MFA.

You do realize you set up conflicting conditions? How do you remember all the passwords you have created again? Oh right use MFA that not every site has. That is like advocating every one not drive their own car; use the subway in your town that does not exist.

Re:

[UnknowingFool]

Bahahaha. Your solution is to use an archaic system that no IT department would ever approve. Instead of keeping passwords somewhat secure in a program; keep them completely insecure. Sure.

Re:

[UnknowingFool]

Do you admit that instead of advocating for a system that is somewhat secure but not enough for you; you advocate for doing something completely insecure? I take it you never worked in a high security environment. Writing down passwords at a minimum will get you fired. If it is government related, that might come with criminal charges. That is what you are advocating because you do not seem to have thought out your plan.

Re:

[Anonymous Coward]

Correct! I use pen and paper and I have my web cam looking at the paper so I can find it in Microsoft Recall if I lose my paper so everything is safe. I use Roman Numbers to encode digit so joke's on them!

Re:

[UnknowingFool]

All your passwords are "I II III IV"?

Re: Security

[beelsebob]

Wait, you think that pen and paper is more secure than an encrypted database stored locally on your computer?

Re:

[UnknowingFool]

Yes he does. Next thing he will tell you is to make passwords as short as possible. Also only use numbers. That is why all my passwords are "1234"

Re:

[iAmWaySmarterThanYou]

I use 123. The same as my luggage so I don't forget.

Re:

[UnknowingFool]

I see you have not upgraded your luggage to the latest version. Guess your luggage is not l33t.

Re:

[iAmWaySmarterThanYou]

I find it hard to remember my code on 4 or the even more difficult 5 digit luggage.

Everyone knows 123. Who can remember 1234 or 12345... c'mon!

Re:

[RKThoadan]

Everything always depends on the threat model. A sticky note on your monitor with an appropriately complex passwords is incredibly resilient against remote attacks. An encrypted database stored locally is also very strong, but theoretically could be copied off and eventually brute forced.

Re:

[UnknowingFool]

As someone pointed out, this system loses advantages if it has to be used away from a fixed location. Carrying all your password in paper form is not ideal if the computer is mobile. Like a smart phone or traveling with a laptop.

Re:

[iAmWaySmarterThanYou]

Lol, when I was a college kid working IT for random department, I had to help one of the admins who was having trouble logging into the school's mainframe or whatever the fuck it was. It required "tn3270" (some name like that) to login.

So, I'm there for 30 seconds and she says she's going to lunch, the department master passwords are on a piece of paper taped to her desk under her keyboard and she walks out. *boggle* It wasn't a post it note on her monitor, right?

Ok, so it turns out she just can't type.

Re:

[Tony Isaac]

And you're supposed to carry this paper with you everywhere you go?

Re:

[Kerry Boehm]

I hope this is sarcasm

Re:

[UnknowingFool]

From my experience with this poster is that they post ideals but when pressed when practical problems, they often have no answers or clue as they do not seem to have any real experience in whatever situation about which they have strong opinions. In this case, it seems he or she has never worked in a corporate IT environment where writing down passwords is a fireable offense. Or in a government environment where that is a prosecutable offense.

Re:

[penguinoid]

Was I not supposed to be using the password P@ssword1 for every dumbass site that wants a login for no reason?

Re:

[peril]

Uh - I think you mean - use MFA where you can - the password manager is not directly accessible without (typically) a MFA login itself, and then it protects individual credentials so there are no credentials shared with any online account.

The problem that password managers help / solve is password portability between platforms, so that for instances - you have access to the same vault on windows, mac, linux, android, ios.

Not to argue the point of MFA - that's 100% accurate, but rotating your password, havin

Re:

[ctilsie242]

If I were able to concoct a new password for every site which is unique... which can be hard, (as I can't just use a HMAC with a sitename because some sites have different password rules, so one master PW being used to hash the host name isn't going to cut it,) maybe not using a PW manager is good. However, it is about addressing the weakest links. Credential stuffing and brute force PW guessing is a major attack vector. Many sites don't have lockouts, and if they do, the attackers just use another IP ra

Re:

[Bill, Shooter of Bul]

Uhm. No. Every account is only as safe as:

The complexity of the password used.
The presence of a second factor for the login
The security of the site the password is used.
The security of your browser/ application used to access their system.
The complexity of the password on the password manager.
The presence and security of the second factor of the password manager
The security design and implementation of the password manager.

Re:

[iAmWaySmarterThanYou]

Don't forget the network in between, the transport layer and the security of the PC/device and OS it runs.

A keylogger can ruin your whole day.

Re: Security

[beelsebob]

The choice is to use a password manager, which in the case of Appleâ(TM)s verifies something I have, and (something I am or something I know); or to use a shit password that I can remember for each web page. It verifies this every time I try to access a password, not only at login.

Alternatively I can use a shit password that I can remember for each web page.

In both cases I can combine this with the web pageâ(TM)s 2 factor auth.

It would be utter idiocy to *not* use a password manager to generate v

Re:

[ceoyoyo]

The weak link is usually the unhashed password database of that website you're using. That remains true whether you stick your password in a password manager or a sticky note on your monitor. The password manager means you can give each one of those websites a different password.

Windows /linux

[ZERO1ZERO]

I use keychain all the time. But its annoying when im on a windows pc and i dont have access to my passwords Can some solution be made here

Re:

[schneidafunk]

There's always a trade-off between security & convenience.

Re:Windows /linux

[brickhouse98]

Sure. Just use a cross platform solution like Bitwarden.

Re:

[Xenolith0]

Bitwarden is one of the very few "SaaS" things I pay for. At $10/yr the benefits I get are amazing.

I get encrypted cloud sync across my Linux desktop, browser extensions for firefox and chrome, laptop, andriod tablet and iphone.

And, the big thing that initially made me switch to BW, I can setup "emergency access" so that if I get run over by a train, my family can "request access" to my vault, and, if I don't cancel the request within 3 days, they get full access. EVERYTHING is in my BW account. Credit card

Re:

[iAmWaySmarterThanYou]

You only have to be held hostage for 3 days?

Re:

[mkosmo]

Bitwarden is the answer to most of these problems... cross-platform/cross-everything, FOSS, audited, cheap/free.

Re:

[cmseagle]

There's an iCloud client for Windows that'll give you access to your passwords.

Re:

[dynamo]

Write a small program in your head to generate your passwords.

Re:

[mkosmo]

Your head will never be as random or secure as an actual RNG doing its thing on your behalf. And it's entirely possible to reasonably secure passwords in a password manager.

Not really new

[joh]

All the functionality is already there, they're just breaking it out into an app of its own.

Re:

[bill_mcgonigle]

Sounds like with Safari losing its artificial monopoly they want to have an option for users to not wander away with Chrome or Bitwarden, etc.

It's weird that with 2FA and passkeys and FIDO on the rise that in 2024 they name it Passwords.

That seems like a 2007 name.

Re:

[UnknowingFool]

What do you mean? Apple's password system Keychain [wikipedia.org], has existed as part of the OS since 1999. Safari leverages it. The main UI however has been using the Settings UI. This app appears to be a new interface for the subsystem.

Re: Not really new

[beelsebob]

This has nothing to do with Safari. Keychain has been a thing since before Safari existed, and has allowed 3rd party apps to prompt the user for passwords since way back then. I think itâ(TM)s even existed since before OS X!

Passwords already exists

[Anonymous Cward]

The only difference is a minor UI change so that it can appear as an independent app instead of within Safari on macOS, or Settings in iOS/iPadOS. This is not an innovation, it is a small common sense step to make accessing TOTP tokens easier when apps and websites like PayPal bugger up their UI design in a manner which stops the usual biometrics-driven autofill prompt from working. If Apple do things right this time, it will also let folks export their passwords in bulk on iOS for once.

Re:

[cob666]

All the functionality is already there, they're just breaking it out into an app of its own.

Based on what I've read, yes, Apple will be using iCloud Keychain to store passwords. There is already a really nice app that also uses iCloud but not their Keychain called Minimalist:
Minimalist Password Manger [minimalistpassword.com]

Minimalist seems a bit more flexible that what Keychain currently offers so let's see how Apple actually bolts a front end onto their Keychain. Curious to see if this is another example of Apple providing the bare minimum requirements and expecting users to just adapt their usage to another crip

Re:

[ceoyoyo]

They're addressing a pretty obvious oversight. Macs have a Keychain app so you can actually see your passwords, add notes, generate passwords, all the usual stuff. On iOS it's currently just a list of everything they shoved in Settings pretty clearly as an afterthought.

I really want more...

[aaarrrgggh]

With the iCloud lockout attacks that have been happening lately this seems like a bad idea. But then we are stuck with the reality that something is needed-- I manually entered a 21-character password for a critical account over 20 times a day to try to be more secure... but then you add risk for other types of attacks.

The weakness of Apple's system is that with the phone and passcode a thief is golden. How do you really make it secure AND usable?!

This is not really a password app competitor

[alispguru]

It is just Mac/IOS app wrappers around the password storage that iCloud already has.

As such, it's Apple-only.

Other password storers can start worrying when Apple releases Android/Windows apps to access those passwords.

That should not happen for a LONG time - Apple has a bad track record on cross-platform service apps (iTunes for Windows, anyone?), and I would be afraid of using something like that on really critical stuff like my passwords. I say this as an Apple user since 1993 (Quadra 605).

Re:

[UnknowingFool]

That should not happen for a LONG time - Apple has a bad track record on cross-platform service apps (iTunes for Windows, anyone?), and I would be afraid of using something like that on really critical stuff like my passwords?

And what do you use for your passwords? Pen and paper?

Re:

[UnknowingFool]

1) Er what? Lockpicking tools have existed for centuries so I would not place that much stock in locks made for average consumer. They do not keep out professionals. They keep out neighbors. 2) Are you advocating using a completely insecure system of pen and paper to secure passwords? Just checking. 3) No company I know would allow for passwords to be on pen and paper. Some companies will fire you for that.

Re:

[Chris Mattern]

Personally, I'm fond of Password Gorilla, which is a handy cross-platform password app that doesn't depend on any external service, only your own computer.

Re:

[Voyager529]

And what do you use for your passwords? Pen and paper?

I've been using Team Password Manager [teampasswordmanager.com] for a while now at work, though we used Teampass [teampass.net] before it. Vaultwarden [github.com] + Bitwarden has been a fantastic move for my personal password management.

There's also Passbolt, Buttercup, KeePass and a few forks thereof.

Moving on from the free / open source options, there's Keeper and Steganos and mSecure, which do local storage. If you're open for cloudy options, LastPass still exists (Lord knows why), Dashlane and 1Password are still very popular, and ProtonMail now offers a

Re:

[alispguru]

On Macs, iCloud for passwords in Safari and iOS/macOS apps.

I also use mSecure with the password save file in Dropbox, just to have things in more than one place - don't want a single point of failure (like my Apple ID, say...) to lock me out of the web.

Re:

[cmseagle]

As such, it's Apple-only.

Other password storers can start worrying when Apple releases Android/Windows apps to access those passwords.

There's already an iCloud client for Windows that gives you access to your keychain passwords.

Re:

[alispguru]

Shows how little I follow Windows these days. It definitely exists, and reviews are mixed.

A true cross-platform password app these days has to support Mac/iOS, Windows, and Android at a minimum, with web access for the rest of the universe.

Re:

[reanjr]

It's right in the summary:

"Passwords will ... support ... Windows computers"

Paywall

[Zak3056]

Paywall free link here. [archive.is]

Bitwarden

[devlp0]

I'm very happy with Bitwarden thanks, and it's free!

Sounds promising.

[SvnLyrBrto]

I've been looking for a replacement for 1Password ever since they decided to stop being an honest company selling an honest product at an honest price and embraced the Zynga model of nickel-and-diming people to death with recurring payments. And then they doubled down on turning into a shit company making a shit product by aping Evernote and abandoning a very good native app in favor of a half-assed web app in an Electron wrapper. But, as awful and contemptible as both moves were; the alternatives have al

Re:

[Cyberax]

I've been looking for a replacement for 1Password

BitWarden.

KeyChain Access.app = Passwords.app

[Savage-Rabbit]

So Apple is replacing 'KeyChain Access.app' which is a front end to a system that already does all of this with a new one called 'Passwords.app' that will be the new front end to a system that already does all of this?? Big f****ng deal.

Re:

[UnknowingFool]

I would surmise that Keychain being part of Settings has limitations on the UI whereas Passwords will have a different UI. Also KeyChain access is in Settings -> Passwords.

Re:

[FictionPimp]

It's funny as hell that people are losing their shit that apple is releasing a new UI for an existing feature to improve the user experience.

Needs a bit of AI

[gnasher719]

Why would a password manager need AI? Because of all the bloody idiots who don't accept auto-generated passwords by default. They have stupid restrictions. "6 to 12 characters" or "8 to 15 characters" - Safari passwords have 20. "One uppercase, one lowercase, one digit, one special character" - Safari likes 18 letters, separated by two hyphens. That's about 128 bits entropy. But no, it must be 12 characters and one must be special.

So a bit of AI would analyse the screen, read the rules of the website, an

Re:

[iAmWaySmarterThanYou]

Try P@assword123!

It fits most password requirements.

Yes but...

[jaygull]

will it work on windows? If not, I don't want to switch from 1password.

Could Work if Priorities are Right

[eepok]

Security professionals and hobbyists will always put security above all. They'll run their own home servers, put them behind hardware firewalls and use a VPN to access that server to pull out a password they need. It's fun for them.

Everyone else in the world prioritizes security like as written below and every business attempting to improve the digital security of the general public would do well to share their priorities or they'll simply be niche utilities for professionals and hobbyists:

1. CONVENIENT - T

Is it called SureLock?

[Lycestra]

I mean, obviously itâ(TM)s in that realm of software takeover. Bundling means people might use it for convenience over quality. If they kill off plugins, Iâ(TM)m another step closer to Linux and keeping my current solution.