Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Runs For Fun

macrumors 65816
Nov 6, 2017
1,107
2,367
Agreed - a common factor seems to be both users logging on to the same device in quick succession as part of setting it up, so I do wonder if the local keychain is being set up by the first user when they sign in to help set up the device and then when the long-term user signs on the local keychain with the other user's password now in is the default keychain so is then merged with the second user's keychain when they sign in.
This seems to be highly likely. People are probably forgetting they signed into their Apple ID on the device at some point even if it was temporarily.
 

BigMcGuire

Contributor
Jan 10, 2012
9,012
11,733
the Alpha Quadrant
I accept your point but that shouldn't lead to cross-contamination when two seperate appleid's are used.
It shouldn't, but as a rule of thumb, before I let someone else (3rd party or family) use a device I've used, I've reset it completely. I never just sign out and let them sign in. I imagine not everyone does that.
 
  • Like
Reactions: Quackers

Runs For Fun

macrumors 65816
Nov 6, 2017
1,107
2,367
I just never let someone else use my device. Far simpler that way.
This is the way. Phones are very personal with how much personal and sensitive information they hold. The thought of letting someone else use my phone makes me very uncomfortable.
 

JonaM

macrumors regular
Sep 26, 2017
101
112
I accept your point but that shouldn't lead to cross-contamination when two seperate appleid's are used.
If you are using the same local user account then that behaviour is not necessarily incorrect, just needs to be made really clear.
 

JonaM

macrumors regular
Sep 26, 2017
101
112
I've done a bit of playing around on my Mac and if you do create a new account and then log in to an appleid and accept the default option of sync keychain then your icloud keychain is used to sync down to the local keychain.
If you then log out of iCloud on that machine, but choose to keep a local copy of the icloud keychain your passwords remain in that local account on the Mac.
If you then log in to another appleid in that local account you would then have a local keychain containing the first appleid's passwords, but now iCloud logged in to the second appleid, so you can now merge the keychains and end up with appleid 2 having access to their passwords and a copy of appleid 1's passwords.

There are messages about deleting or keeping data, but I can certainly see how you could unknowingly leave a copy of your keychain on a machine whilst helping set it up for someone
 

Quackers

macrumors 68000
Sep 18, 2013
1,938
705
Manchester, UK
If you are using the same local user account then that behaviour is not necessarily incorrect, just needs to be made really clear.
We're not using the same local user account.
I've done a bit of playing around on my Mac and if you do create a new account and then log in to an appleid and accept the default option of sync keychain then your icloud keychain is used to sync down to the local keychain.
If you then log out of iCloud on that machine, but choose to keep a local copy of the icloud keychain your passwords remain in that local account on the Mac.
If you then log in to another appleid in that local account you would then have a local keychain containing the first appleid's passwords, but now iCloud logged in to the second appleid, so you can now merge the keychains and end up with appleid 2 having access to their passwords and a copy of appleid 1's passwords.

There are messages about deleting or keeping data, but I can certainly see how you could unknowingly leave a copy of your keychain on a machine whilst helping set it up for someone
I suspect this is what I've done though how I've selected to leave the local data I've no idea. Obviously I know how I did it but not why :) I should have known better.
It's the only thing that can have happened, I think.
Having said that how on earth do I unravel it? If I delete her passwords from my devices won't that delete them from her devices? And vice versa. Maybe not because they are from her appleid?
And all this on 3 devices each :eek:
I haven't tested that yet.

Thanks for your experimentation :)
 

JonaM

macrumors regular
Sep 26, 2017
101
112
We're not using the same local user account.

I suspect this is what I've done though how I've selected to leave the local data I've no idea. Obviously I know how I did it but not why :) I should have known better.
It's the only thing that can have happened, I think.
Having said that how on earth do I unravel it? If I delete her passwords from my devices won't that delete them from her devices? And vice versa. Maybe not because they are from her appleid?
And all this on 3 devices each :eek:
I haven't tested that yet.

Thanks for your experimentation :)
In terms of unravelling it you should be safe to delete her passwords from your keychain as she should be using her own keychain ( just one that got your passwords copied in to it at some point). You can try deleting ( or creating) one on your appleid/device and checking that it doesn't update on her appleid/device just be absolutely confident you're not sharing the same icloud keychain before you clear the lot!
 
  • Like
Reactions: Quackers

Quackers

macrumors 68000
Sep 18, 2013
1,938
705
Manchester, UK
In terms of unravelling it you should be safe to delete her passwords from your keychain as she should be using her own keychain ( just one that got your passwords copied in to it at some point). You can try deleting ( or creating) one on your appleid/device and checking that it doesn't update on her appleid/device just be absolutely confident you're not sharing the same icloud keychain before you clear the lot!
Thanks. I'll test with one or two deletions first and see if they affect her.
I see no reason why we'd be using the same keychain but how do I make sure? My brain's gone foggy :)
 
  • Like
Reactions: 960design

960design

macrumors 68040
Apr 17, 2012
3,499
1,373
Destin, FL
Thanks. I'll test with one or two deletions first and see if they affect her.
I see no reason why we'd be using the same keychain but how do I make sure? My brain's gone foggy :)
Let me know how it goes.
I'm traveling and cannot duplicate the merged keychain in the office right now ( until Jan 4ish 2022! ).
Following this thread with great interest.
 
  • Like
Reactions: Quackers

collin_

macrumors 6502a
Nov 19, 2018
548
851
I’m pretty sure that this entirely hinges on what you mean by “log into my gmail.” There is an entire spectrum of ways you can do that on an iPhone. Off the top of my head, the most invasive and comprehensive way (assuming each person has their own iCloud account like you said) would be adding the account to Accounts and syncing everything (including Notes, Contacts and whatnot). The least invasive way I can think of would be logging into Gmail in a private Safari tab and then closing it afterwards.

Basically, there are some ways of logging into Gmail (or, more precisely, your Google account) that will deeply imbed your entire Google account into the iOS device. I don’t fully understand it, but can tell when it’s happened because you’ll be automatically logged in (or at least able to choose an already-present Google account) when downloading a new Google-owned app. Do not log in to your Google Account on any Google-owned app such as Gmail, Google Drive, Google Maps, Google Calendar, Google Smart Lock, etc. (on a shared device… if you care about your privacy). I have found that doing so always causes this to happen.

I’m like 80% sure that signing into Gmail via gmail(.)com on a Safari private tab would not add your entire Google account to the device like that. You may have to sign in each time, but it wouldn’t be that inconvenient if you’re using a password manager (especially one with FaceID unlock enabled). There might be more convenient ways to pull it off, too. Other browsers such as Firefox may let you log in to Gmail in non-private windows without adding your Google account to the device.

Btw, idk what you’re currently doing OP but to anyone reading this I highly recommend just using Apple’s Mail App instead of the Gmail App if you have a Gmail or Google Workspace account. iOS 15 added excellent new mail privacy features, whereas the Gmail app is bound to be a privacy nightmare. I have 2 separate paid Google Workspace accounts that use custom domains, and then regular Gmail accounts on top of that, and I’ve been using solely the Apple Mail app on my iPhone for years with no issues. Maybe I’m missing something but I just don’t see any reason to use Gmail instead of Mail.

The only problem I have with the Mail app is that, even in iOS 15, it still does not give you any sort of indication that an email address is spoofed if you receive a spoofed email. Gmail (at least on the web) will detect spoofing (which is incredibly easy) and give you some sort of yellow warning like “Be careful with this message.”
 
Last edited:
  • Like
Reactions: BigMcGuire

Muscovite

macrumors member
Original poster
Apr 19, 2020
54
36
So, in the end -

1. Apple never called back. Just never did.
2. I went into “Passwords” on my wife’s phone and had to delete all of MY logins one by one, then did the same on my son’s.
Hasn’t happened ever since, must say.

PS I didn’t use Google’s password sync whatever, was a Safari user exclusively. And, again, when I was looking at the saved login/passwords on her phone, it was everything, Google logins and everything else. So it’s not Google.
 
Last edited:

JonaM

macrumors regular
Sep 26, 2017
101
112
How did you fix, please?
Is it just deleting each password (of others) one by one from each person's any one device?
Yes - delete the passwords from a device logged in to account that you don’t want them on. That will delete them from that keychain.
You should then obviously change the passwords affected to keep the details secure going forward
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.