Keychain has just made all my passwords open! How is iCloud keychain meant to work?

mpt-matthew

macrumors regular
Original poster
Aug 11, 2010
178
7
So, I decided to reset my Apple ID because of the recent events.
I know Apple was supposedly not compromised, but I used that same password for a lot of things, and had someone gained access to my iCloud they could have remotely bricked all my iOS devices (nightmare!)

I was also going to reset my passwords for some other accounts, and use the auto-generated keychain passwords.
My main concern to doing this is if I lose access (or don't have access) to my computer, and need a password (e.g. to log on to another computer).

So I knew Keychain had gone onto iCloud, so I activated it on my computer and iPhone.
I presumed this would mean if I wanted to access a password on my iPhone I could go into Safari passwords, enter my Apple ID (like entering username for iPhone), and view my passwords.

HOWEVER! Much to my surprise, no password is required.
All of my passwords, for every account are stored open for anyone with access to my phone to see!!!

I do appreciate my phone should have a lock. But I don't lock it on a day to day basis because it's a pain and I'm not too likely to lose it.

I wasn't warned at all about this. Wasn't advised to set a password!

Am I doing something wrong?? Or does this necessitate having a password (which after a day everyone will know)... or upgrade for fingerprint?!

Either way, something this sensitive should be kept under lock and key.
 

Xenc

macrumors 65816
May 8, 2010
1,023
160
London, England
I was under the impression that you are prompted for your Apple ID when trying to access Keychain. What steps are you taking to see your passwords?

Or does this necessitate having a password (which after a day everyone will know)... or upgrade for fingerprint?!
Why would everyone know your passcode after a day? You could always set a complex passcode.

Either way, something this sensitive should be kept under lock and key.
Like your iPhone!
 

KUguardgrl13

macrumors 68020
May 16, 2013
2,485
109
Kansas, USA
I was under the impression that you are prompted for your Apple ID when trying to access Keychain. What steps are you taking to see your passwords?
I think OP is talking about autofill in the Safari settings. I'm not sure that has anything to do with Keychain, actually.

Personally I don't use it on my phone outside of wifi passwords. Too many risks. I used to just have a shortlist of passwords memorized and used two-step verification when possible, but now I use 1Password. A pain in the butt when an app gets logged out of, but it's more secure.
 

Belmont31R

macrumors 6502
Nov 23, 2012
385
30
I see a list of the sites I have a password saved to, but if you click on an individual site/username I'm prompted for the 4-digit Keychain passcode before the actual password is revealed.
 

mpt-matthew

macrumors regular
Original poster
Aug 11, 2010
178
7
Your iPhone passcode is required. Just like your Mac password is required on OS X.

Case closed.
My point is my keychain, or iPhone password are NOT required!
I thought they should be. But as I am at the moment, without a password or any security I can access this list!

My second point is that Apple have said this list is separate from the keychain list. But since it was blank before I activated iCloud keychain, and now it isn't blank, I beg to differ. All the passwords in there are exactly the same as those on my computer keychain. A lot of them I have never accessed on my phone.

My third point, regarding the phone password, is that if I access the phone many times a day, a complex password is difficult to enter each time. A number password is much more convenient.
However, it's not hard to watch someone enter a number password into their phone. I've seen it loads of times.
 

mpt-matthew

macrumors regular
Original poster
Aug 11, 2010
178
7
Convenient, secure, easy to use.

Pick two.

Ok, is it just me that thinks it wouldn't be an issue for the settings menu to ask for my iCloud password before disclosing my plain text passwords??

For example I can let someone use my computer (e.g. a friend), with knowledge that if they want to view my passwords in plain text (and take them away to use somewhere else), they are required to enter my password before viewing them on keychain.
 

joe-h2o

macrumors 6502a
Jun 24, 2012
998
443
Ok, is it just me that thinks it wouldn't be an issue for the settings menu to ask for my iCloud password before disclosing my plain text passwords??

For example I can let someone use my computer (e.g. a friend), with knowledge that if they want to view my passwords in plain text (and take them away to use somewhere else), they are required to enter my password before viewing them on keychain.
No, your issue is that you do not lock your phone because it is "inconvenient" and you are "unlikely to lose it" (your words), and that you want other people to be able to use it, but you also want to use iCloud keychain.

In other words, you're leaving your wallet out on your living room table with the PIN for your bank card written inside.

You're intentionally defeating the security that is in place then complaining that you want it to be somewhere else in the system.

Set a passcode. Make it long if you are worried about people watching you. Or just shield it from view if you enter it.
 

The Mad Hatter

macrumors 6502a
Oct 12, 2004
555
89
SoCal
I'm a firm believer in setting a passcode to access my phone, but it would be nice to be able to set up a second (like you can with restrictions) for password access on a 'vanilla' iOS install (my iPhone is JBn, and have my settings locked down with another passcode).
 

Xenc

macrumors 65816
May 8, 2010
1,023
160
London, England
My point is my keychain, or iPhone password are NOT required!
I thought they should be. But as I am at the moment, without a password or any security I can access this list!

My second point is that Apple have said this list is separate from the keychain list. But since it was blank before I activated iCloud keychain, and now it isn't blank, I beg to differ. All the passwords in there are exactly the same as those on my computer keychain. A lot of them I have never accessed on my phone.

My third point, regarding the phone password, is that if I access the phone many times a day, a complex password is difficult to enter each time. A number password is much more convenient.
However, it's not hard to watch someone enter a number password into their phone. I've seen it loads of times.
It should be prompting you for either your Apple ID or your iCloud Keychain passcode. Perhaps try resetting the Keychain?

You're seeing passwords from your Mac and other devices as iCloud is designed to share data between them all.

In regards to friends peeking over your shoulder when typing in your passcode, you could try covering the screen with your other hand or tilting the phone away. Fingerprint unlock on the 5S does make everything much simpler, though!

I'm a firm believer in setting a passcode to access my phone, but it would be nice to be able to set up a second (like you can with restrictions) for password access on a 'vanilla' iOS install (my iPhone is JBn, and have my settings locked down with another passcode).
There's a separate password for iCloud Keychain, which sort of covers what you describe.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
47,771
16,171
No, your issue is that you do not lock your phone because it is "inconvenient" and you are "unlikely to lose it" (your words), and that you want other people to be able to use it, but you also want to use iCloud keychain.

In other words, you're leaving your wallet out on your living room table with the PIN for your bank card written inside.

You're intentionally defeating the security that is in place then complaining that you want it to be somewhere else in the system.

Set a passcode. Make it long if you are worried about people watching you. Or just shield it from view if you enter it.
Seems like the flaw there is that the PIN is written inside. A solution of not leaving the wallet is certainly one, but a solution of not writing a PIN that would be visible/understandable by someone else is another. In the case of Keychain, it shouldn't be just available without anything, whether or not the phone is unlocked.

As far as analogies go, just because you let someone inside your house, doesn't mean that they should automatically have access to a safe that you have, right? The solution of simply not ever letting anyone inside your house because of that makes a rather silly argument over having a safe that is closed and can only be opened by you.
 

spencers

macrumors 68020
Sep 20, 2004
2,366
178
I've noticed this recently as well. My phone doesn't have a passcode, etc.

I can simply go to Settings -> Safari -> Auto-Fill, and I can see any passwords I've saved in plain view.

There really needs to be some sort of mask on this setting!
 

whsbuss

macrumors 68040
May 4, 2010
3,541
595
SE Penna.
I've noticed this recently as well. My phone doesn't have a passcode, etc.

I can simply go to Settings -> Safari -> Auto-Fill, and I can see any passwords I've saved in plain view.

There really needs to be some sort of mask on this setting!
Really? When I set up my keychain on both my Mac and iPhone it required me to set a passcode. I'm not sure how you got around this?
 

orangebluedevil

macrumors 6502
Jun 28, 2010
322
17
My point is my keychain, or iPhone password are NOT required!
I thought they should be. But as I am at the moment, without a password or any security I can access this list!

My second point is that Apple have said this list is separate from the keychain list. But since it was blank before I activated iCloud keychain, and now it isn't blank, I beg to differ. All the passwords in there are exactly the same as those on my computer keychain. A lot of them I have never accessed on my phone.

My third point, regarding the phone password, is that if I access the phone many times a day, a complex password is difficult to enter each time. A number password is much more convenient.
However, it's not hard to watch someone enter a number password into their phone. I've seen it loads of times.

I understood your point. My point is you are wrong. When you click in the Settings to get to the area to see your passwords, you must enter your keycode/password before you can view the passwords in plain text.

----------

Really? When I set up my keychain on both my Mac and iPhone it required me to set a passcode. I'm not sure how you got around this?
This. He/She does not seem to understand this point.
 

aristobrat

macrumors G5
Oct 14, 2005
12,248
1,319
When you click in the Settings to get to the area to see your passwords, you must enter your keycode/password before you can view the passwords in plain text.
^^^^ is how it works on my iPhone too.

Tapping on:
Settings,
Safari,
Passwords & AutoFill,
Saved Passwords

... brings me to a screen titled Passwords, which lists all of the websites I have saved passwords for.

Every time I press to view a password, it requires me to enter my passcode. Every time. If I type in my passcode to view a password, then go back a screen and try to look at another password, I have to enter my passcode again, even though I just did less than 5 seconds ago.
 

KUguardgrl13

macrumors 68020
May 16, 2013
2,485
109
Kansas, USA
^^^^ is how it works on my iPhone too.

Tapping on:
Settings,
Safari,
Passwords & AutoFill,
Saved Passwords

... brings me to a screen titled Passwords, which lists all of the websites I have saved passwords for.

Every time I press to view a password, it requires me to enter my passcode. Every time. If I type in my passcode to view a password, then go back a screen and try to look at another password, I have to enter my passcode again, even though I just did less than 5 seconds ago.
I will vouch that if you don't have a passcode set and you use autofill in Safari, it has your passwords in plain text for anyone to see. I'd post a screenshot, but 1. that's stupid, and 2. I deleted them as soon as I saw them since I no longer use that feature.

It should be like when you make purchases in the App Store or like any admin level changes on a Mac. Keychain Access on my MBP prompts me for my password when I want to view a password. If I don't want to have a passcode on my iPhone, my passwords shouldn't have that one level of security protecting them.

So I can understand OP's frustration, but the only thing to do currently is either have a passcode, not have a passcode and allow easy access to your passwords, or not use autofill.