Confused about iCloud/Apple ID passwords and Keychain Access

[steveLONDON]

I recently had an issue with pop up password requests asking for my iCloud password for Messages. I entered what I thought was my 'AppleID' password, which I have been using for years to log into the Apple Store and iTunes Store, thinking this is what I was being asked for, but it was rejected.

I then started to panic that the pop up was maybe a phishing scam or some kind of malware that was trying to trick me, so in the end I went to this page

https://appleid.apple.com/

And went through the resetting password procedure.

Then I went to Keychain Access utility to check that it had stored my password for future reference. I searched 'iCloud' and clicked on the top search result in Keychain Access and asked to 'Show password' and the password it shows is some ridiculously long chain of letters that would be impossible to remember and isn't my chosen password.

Same goes for Apple ID Authentication (doesn't show my chosen password, shows a huge character string instead).

Clearly I'm missing something here. Can someone explain simply what is the relationship between Apple ID and the iCloud login. And where to do go in Keychain Access utility to check or retrieve my password/s?

And what exactly is the huge character string that I'm seeing in Keychain Access as the 'password' for these Apple/icloud related items?

Very confused.

 

[M. Gustave]

I'm not sure where you're viewing these passwords, but they are encrypted on Apple's side, even they can't access them.

Was the popup when using the new iMessage store in iOS 10?

 

[steveLONDON]

I'm seeing them in Keychain Access - the utility that allows you to view your stored passwords.

 

[M. Gustave]

Oh, I see it's a Mac application. Don't own a pc or Mac, sorry.

 

[DaneDeMuth]

This thread is old, and most likely loooong dead, but I find myself trying to find a password on my keychain at the moment and saw your post. Those loooong character passwords ( I believe, going to figure it out later cause it'll drive me nuts) are like an internal token of the 'password' for whatever you clicked the reveal password box for... Im not sure why it displays that since even if you type that into your computer, it will not work. Good luck sir, if you ever read this that is lol.

 

[Rigby]

This thread is old, and most likely loooong dead, but I find myself trying to find a password on my keychain at the moment and saw your post. Those loooong character passwords ( I believe, going to figure it out later cause it'll drive me nuts) are like an internal token of the 'password' for whatever you clicked the reveal password box for... Im not sure why it displays that since even if you type that into your computer, it will not work.

That's exactly what they are. It's a good practice to store authentication tokens rather than passwords for services that need to "remember" a login. There are several reasons for this:

- Performance: There is no need to run a key derivation function (which are intentionally designed to be computationally demanding to make passwords more resistant against cracking) to verify tokens.
- Tokens can be limited in scope; for example, they can have an expiration date, allow only some limited operations, or they work only in conjunction with specific device IDs. They also work only for one specific service which leads to the next benefit:
- Password security: Storing tokens instead of passwords is safer because many people reuse passwords for multiple services; if a token (as opposed to a password) is compromised, this affects only one service.