
davelanger

macrumors 6502a
Original poster
Mar 25, 2009
Isn't iCloud Keychain not very secure? I had someone trying to log into my Apple ID the other day. Luckily I had the two-factor login turned on, so I changed my password, but I noticed under Keychain they tell you what all your passwords are. So if someone is able to hack into your Apple ID, they would have all your UN and PWs for everything. Why does Apple show all those passwords instead of just saying like UN D**@emailaddress and then something like PW T***** to keep all of that secure in case someone hacks into your Apple ID or even your iPhone itself if the phone is lost or stolen?

I deleted all of my accounts on Keychain and turned it off. Is there any reason it's a good idea for it to be this way, especially over iCloud?
 
What are you suggesting in this particular situation? Obviously, it's not good if you're hacked, but the entire point of iCloud Keychain is to make your passwords available across devices. It wouldn't make sense for Apple not to show that info to a logged-in user.
 
What are you suggesting in this particular situation? Obviously, it's not good if you're hacked, but the entire point of iCloud Keychain is to make your passwords available across devices. It wouldn't make sense for Apple not to show that info to a logged-in user.
Oh, I understand it's to make all your logins work across devices, and it could still log you into all those sites, but without showing what your PW is. So even if you are hacked and they get into your account, they won't know what your passwords are just by looking at one page, and they would have to go into each website one by one to get into them.

Is that how all those 3rd party keychains work too? Once you are in the program, they show you all the UN and PWs?

I think I just got a little paranoid when I saw that someone was trying to access my Apple ID. I did notice some old data breaches were being sold around the internet a few weeks ago; my guess is that is where it came from. I have changed my Apple ID many times since a lot of those original breaches, but I must have used one of my old PWs again and that is how they were able to attempt to get it.

I was just a little taken aback how if they got into my iCloud that all of my stored UN and PW would have been at risk and not just my iTunes and apps.

To answer your question, is there a way to password lock (that is not your Apple ID PW) the keychain? If not, that would be an idea before showing all the UN and PWs.
 
but I must have used one of my old PWs again
If you use a unique password for your Apple ID, and have 2-factor turned on, it's extremely unlikely you're gonna be hacked.

If you don't like the iCloud Keychain model, you should check out 1Password, which is the most popular 3rd party password manager amongst Mac users. It's a subscription if you're up to it, but their entire business model is centered around security, so I doubt they'll get hacked.
 
If you use a unique password for your Apple ID, and have 2-factor turned on, it's extremely unlikely you're gonna be hacked.

If you don't like the iCloud Keychain model, you should check out 1Password, which is the most popular 3rd party password manager amongst Mac users. It's a subscription if you're up to it, but their entire business model is centered around security, so I doubt they'll get hacked.

Yeah, the two-factor is what saved me. Once it popped up I hit decline, then started to change my PW, and it popped up again, this time from another location. Then finally got my PW changed and it stopped. I then spent the next few hours changing all my PWs on every site just to be safe.

I was looking at the 1pw app you are speaking of, and it looked really good. So thanks for the recommendation.
 
Doesn't iCloud Keychain require a user-defined encryption code? Whenever I sign into a new device and turn on iCloud Keychain, it asks me for a 4-6 digit code I set when I turned on iCloud Keychain for the first time.

So even if someone got into your account, said person would still need to know your code for Keychain to enable it.
 
Yeah, the two-factor is what saved me. Once it popped up I hit decline, then started to change my PW, and it popped up again, this time from another location. Then finally got my PW changed and it stopped. I then spent the next few hours changing all my PWs on every site just to be safe.

I was looking at the 1pw app you are speaking of, and it looked really good. So thanks for the recommendation.
1Password is great and I use it myself, but it still shows you your passwords in full if you ask it to. You can also copy passwords to the clipboard (for programs that aren't integrated with it), where they then exist in plain text (you can configure it to clear the clipboard after a pre-set period of time).
 
Why the big generalisation? You just hate Apple and feel we should all ‘get on board’? Or do you have something constructive to offer?
Apple has yet to demonstrate competence in services, going back years.

Apple Music, that will randomly replace tracks with other tracks, often DRM'd.
iCloud Drive, that will randomly lose files rather than sync them when they change. Further, it is impossible to back up.
iCloud Photo Library, that will eat the CPU of the local computer.
iCloud Sync, that will randomly duplicate Contacts and Calendar entries, or will fail to sync delta changes from device to device.
Notes that will take info in, but you are unable to get it back out in the same form.
iCloud Keychain, that you can't back up.

No, I like my data, it won't be in any Apple services I can reasonably avoid.
 
Apple has yet to demonstrate competence in services, going back years.

Apple Music, that will randomly replace tracks with other tracks, often DRM'd.
iCloud Drive, that will randomly lose files rather than sync them when they change. Further, it is impossible to back up.
iCloud Photo Library, that will eat the CPU of the local computer.
iCloud Sync, that will randomly duplicate Contacts and Calendar entries, or will fail to sync delta changes from device to device.
Notes that will take info in, but you are unable to get it back out in the same form.
iCloud Keychain, that you can't back up.

No, I like my data, it won't be in any Apple services I can reasonably avoid.
Thanks for sharing your experiences. I’m sorry these things don’t work well for you. I’ve had nearly the exact opposite experience. Love and use all the things you described.
 
Apple has yet to demonstrate competence in services, going back years.

Apple Music, that will randomly replace tracks with other tracks, often DRM'd.
iCloud Drive, that will randomly lose files rather than sync them when they change. Further, it is impossible to back up.
iCloud Photo Library, that will eat the CPU of the local computer.
iCloud Sync, that will randomly duplicate Contacts and Calendar entries, or will fail to sync delta changes from device to device.
Notes that will take info in, but you are unable to get it back out in the same form.
iCloud Keychain, that you can't back up.

No, I like my data, it won't be in any Apple services I can reasonably avoid.
Bummer you have had all of these bugs. I haven’t had any of them.
 
Isn't iCloud Keychain not very secure? I had someone trying to log into my Apple ID the other day. Luckily I had the two-factor login turned on, so I changed my password, but I noticed under Keychain they tell you what all your passwords are. So if someone is able to hack into your Apple ID, they would have all your UN and PWs for everything. Why does Apple show all those passwords instead of just saying like UN D**@emailaddress and then something like PW T***** to keep all of that secure in case someone hacks into your Apple ID or even your iPhone itself if the phone is lost or stolen?

I deleted all of my accounts on Keychain and turned it off. Is there any reason it's a good idea for it to be this way, especially over iCloud?
iCloud is very secure with 2FA turned on. Even if someone was trying to guess your password, they wouldn’t have been able to gain access. You are being paranoid.
 
1Password is great and I use it myself, but it still shows you your passwords in full if you ask it to. You can also copy passwords to the clipboard (for programs that aren't integrated with it), where they then exist in plain text (you can configure it to clear the clipboard after a pre-set period of time).
I guess I'm confused why someone wouldn't want that. To me that's an important feature, not a bug.
Apple has yet to demonstrate competence in services, going back years.

Apple Music, that will randomly replace tracks with other tracks, often DRM'd.
iCloud Drive, that will randomly lose files rather than sync them when they change. Further, it is impossible to back up.
iCloud Photo Library, that will eat the CPU of the local computer.
iCloud Sync, that will randomly duplicate Contacts and Calendar entries, or will fail to sync delta changes from device to device.
Notes that will take info in, but you are unable to get it back out in the same form.
iCloud Keychain, that you can't back up.

No, I like my data, it won't be in any Apple services I can reasonably avoid.
I have all of those services, some of them for many years, and have never experienced any of those issues. It's good that there are lots of options out there, so everyone can find one that meets their needs.

Huh?? Why?

iCloud keychain is more secure than third party solutions and it just works
My issue with iCloud keychain, and the reason I prefer 1password, is that iCloud Keychain does not have a very robust app/interface for interacting with your passwords (which gets to my point about full-text access being a feature and not a bug of 1password). Yes there is keychain access on the Mac and settings / passwords on iOS, but both of those are incredibly rudimentary compared to the user interface 1password gives you.
 
Thanks for sharing your experiences. I’m sorry these things don’t work well for you. I’ve had nearly the exact opposite experience. Love and use all the things you described.
You have a way to back up iCloud Drive? Do tell. Would love to hear about it. Many other people would as well, I'm sure.
 
Doesn't iCloud Keychain require a user-defined encryption code? Whenever I sign into a new device and turn on iCloud Keychain, it asks me for a 4-6 digit code I set when I turned on iCloud Keychain for the first time.

So even if someone got into your account, said person would still need to know your code for Keychain to enable it.

Thanks for this post. This rang a bell and I started to panic since I don't remember what code I might have set. I looked for references on how to reset the code, and all instructions I found didn't match what I saw on my phone or Mac. Then I read in this support article...

If you're not using two-factor authentication, you might be prompted to create an iCloud Security Code—six digits, complex alphanumerics, or randomly generated—to authorize additional devices and verify your identity. If you forgot your code, you might be able to reset it.

I do use two-factor authentication. Perhaps the security code is obsolete in such cases.
 
You have a way to back up iCloud Drive? Do tell. Would love to hear about it. Many other people would as well, I'm sure.
It’s extremely simple to copy a folder full of files, rudimentary computer usage in fact. You can do this manually or you can find an app that will do this automatically to a schedule. Or you can use Time Machine. What’s the issue here?
 
It’s extremely simple to copy a folder full of files, rudimentary computer usage in fact. You can do this manually or you can find an app that will do this automatically to a schedule. Or you can use Time Machine. What’s the issue here?

I generally agree, but have some concerns. I've had files from iCloud not show up on my local drive until I did something like store another file in the same folder. Also, doesn't "Optimize Mac Storage" introduce a small risk if files are offloaded from the local disk?

Here's another scenario that would worry me. Imagine I added files to one of my computers at 1:00 AM. At 1:15 AM I have a clone scheduled in Carbon Copy on a different computer (the one responsible to back up iCloud). Carbon Copy will wake the backup computer and do the clone at 1:15 AM. I'm at a 50% confidence level that the new files will be downloaded in time for the clone. It might depend on the setting of Power Nap.

Basically, if you're counting on a particular computer's backup to back up all of iCloud, there is a risk that not all the content is on the computer. I feel the risk is non-trivial.
 
There is no risk. It'll get copied at the next scheduled backup. To make this work do not use "Optimized storage."
 
Apple has yet to demonstrate competence in services, going back years.

Apple Music, that will randomly replace tracks with other tracks, often DRM'd.
iCloud Drive, that will randomly lose files rather than sync them when they change. Further, it is impossible to back up.
iCloud Photo Library, that will eat the CPU of the local computer.
iCloud Sync, that will randomly duplicate Contacts and Calendar entries, or will fail to sync delta changes from device to device.
Notes that will take info in, but you are unable to get it back out in the same form.
iCloud Keychain, that you can't back up.

No, I like my data, it won't be in any Apple services I can reasonably avoid.
you think that's bad? here, the dog ate my homework...
 